Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 0e1cf26b1cd98e0ec069e6187434fcabf1e9c200 / . / redfish-core / lib / account_service.hpp
blob: 9f066e3c425f2f9af5907d2625f57adadd5b2699 [file] [log] [blame]
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]1/*
2// Copyright (c) 2018 Intel Corporation
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15*/
16#pragma once
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]17#include "node.hpp"
18
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]19#include <dbus_utility.hpp>
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]20#include <error_messages.hpp>
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]21#include <openbmc_dbus_rest.hpp>
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]22#include <utils/json_utils.hpp>
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]23#include <variant>
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]24
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]25namespace redfish
26{
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]27
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]28constexpr const char* ldapConfigObject =
29 "/xyz/openbmc_project/user/ldap/openldap";
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]30constexpr const char* ADConfigObject =
31 "/xyz/openbmc_project/user/ldap/active_directory";
32
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]33constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap";
34constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config";
35constexpr const char* ldapConfigInterface =
36 "xyz.openbmc_project.User.Ldap.Config";
37constexpr const char* ldapCreateInterface =
38 "xyz.openbmc_project.User.Ldap.Create";
39constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable";
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]40constexpr const char* ldapPrivMapperInterface =
41 "xyz.openbmc_project.User.PrivilegeMapper";
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]42constexpr const char* dbusObjManagerIntf = "org.freedesktop.DBus.ObjectManager";
43constexpr const char* propertyInterface = "org.freedesktop.DBus.Properties";
44constexpr const char* mapperBusName = "xyz.openbmc_project.ObjectMapper";
45constexpr const char* mapperObjectPath = "/xyz/openbmc_project/object_mapper";
46constexpr const char* mapperIntf = "xyz.openbmc_project.ObjectMapper";
47
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]48struct LDAPRoleMapData
49{
50 std::string groupName;
51 std::string privilege;
52};
53
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]54struct LDAPConfigData
55{
56 std::string uri{};
57 std::string bindDN{};
58 std::string baseDN{};
59 std::string searchScope{};
60 std::string serverType{};
61 bool serviceEnabled = false;
62 std::string userNameAttribute{};
63 std::string groupAttribute{};
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]64 std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList;
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]65};
66
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]67using ManagedObjectType = std::vector<std::pair<
68 sdbusplus::message::object_path,
69 boost::container::flat_map<
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]70 std::string, boost::container::flat_map<
71 std::string, std::variant<bool, std::string>>>>>;
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]72using GetObjectType =
73 std::vector<std::pair<std::string, std::vector<std::string>>>;
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]74
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]75inline std::string getRoleIdFromPrivilege(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]76{
77 if (role == "priv-admin")
78 {
79 return "Administrator";
80 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]81 else if (role == "priv-user")
82 {
AppaRao Pulic80fee52019-10-16 14:49:36 +0530[diff] [blame]83 return "ReadOnly";
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]84 }
85 else if (role == "priv-operator")
86 {
87 return "Operator";
88 }
jayaprakash Mutyalae9e6d242019-07-29 11:59:08 +0000[diff] [blame]89 else if ((role == "") || (role == "priv-noaccess"))
90 {
91 return "NoAccess";
92 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]93 return "";
94}
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]95inline std::string getPrivilegeFromRoleId(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]96{
97 if (role == "Administrator")
98 {
99 return "priv-admin";
100 }
AppaRao Pulic80fee52019-10-16 14:49:36 +0530[diff] [blame]101 else if (role == "ReadOnly")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]102 {
103 return "priv-user";
104 }
105 else if (role == "Operator")
106 {
107 return "priv-operator";
108 }
jayaprakash Mutyalae9e6d242019-07-29 11:59:08 +0000[diff] [blame]109 else if (role == "NoAccess")
110 {
111 return "priv-noaccess";
112 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]113 return "";
114}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]115
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]116void userErrorMessageHandler(const sd_bus_error* e,
117 std::shared_ptr<AsyncResp> asyncResp,
118 const std::string& newUser,
119 const std::string& username)
120{
121 const char* errorMessage = e->name;
122 if (e == nullptr)
123 {
124 messages::internalError(asyncResp->res);
125 return;
126 }
127
128 if (strcmp(errorMessage,
129 "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0)
130 {
131 messages::resourceAlreadyExists(asyncResp->res,
132 "#ManagerAccount.v1_0_3.ManagerAccount",
133 "UserName", newUser);
134 }
135 else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
136 "UserNameDoesNotExist") == 0)
137 {
138 messages::resourceNotFound(
139 asyncResp->res, "#ManagerAccount.v1_0_3.ManagerAccount", username);
140 }
141 else if (strcmp(errorMessage,
142 "xyz.openbmc_project.Common.Error.InvalidArgument") == 0)
143 {
144 messages::propertyValueFormatError(asyncResp->res, newUser, "UserName");
145 }
146 else if (strcmp(errorMessage,
147 "xyz.openbmc_project.User.Common.Error.NoResource") == 0)
148 {
149 messages::createLimitReachedForResource(asyncResp->res);
150 }
151 else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
152 "UserNameGroupFail") == 0)
153 {
154 messages::propertyValueFormatError(asyncResp->res, newUser, "UserName");
155 }
156 else
157 {
158 messages::internalError(asyncResp->res);
159 }
160
161 return;
162}
163
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]164void parseLDAPConfigData(nlohmann::json& json_response,
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]165 const LDAPConfigData& confData,
166 const std::string& ldapType)
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]167{
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]168 std::string service =
169 (ldapType == "LDAP") ? "LDAPService" : "ActiveDirectoryService";
Marri Devender Rao37cce912019-02-20 01:05:22 -0600[diff] [blame]170 nlohmann::json ldap = {
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]171 {"AccountProviderType", service},
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]172 {"ServiceEnabled", confData.serviceEnabled},
173 {"ServiceAddresses", nlohmann::json::array({confData.uri})},
174 {"Authentication",
175 {{"AuthenticationType", "UsernameAndPassword"},
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]176 {"Username", confData.bindDN},
177 {"Password", nullptr}}},
178 {"LDAPService",
179 {{"SearchSettings",
180 {{"BaseDistinguishedNames",
181 nlohmann::json::array({confData.baseDN})},
182 {"UsernameAttribute", confData.userNameAttribute},
183 {"GroupsAttribute", confData.groupAttribute}}}}},
184 };
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]185
Marri Devender Rao37cce912019-02-20 01:05:22 -0600[diff] [blame]186 json_response[ldapType].update(std::move(ldap));
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]187
188 nlohmann::json& roleMapArray = json_response[ldapType]["RemoteRoleMapping"];
189 roleMapArray = nlohmann::json::array();
190 for (auto& obj : confData.groupRoleList)
191 {
192 BMCWEB_LOG_DEBUG << "Pushing the data groupName="
193 << obj.second.groupName << "\n";
194 roleMapArray.push_back(
195 {nlohmann::json::array({"RemoteGroup", obj.second.groupName}),
196 nlohmann::json::array(
197 {"LocalRole", getRoleIdFromPrivilege(obj.second.privilege)})});
198 }
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]199}
200
201/**
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]202 * @brief validates given JSON input and then calls appropriate method to
203 * create, to delete or to set Rolemapping object based on the given input.
204 *
205 */
206static void handleRoleMapPatch(
207 const std::shared_ptr<AsyncResp>& asyncResp,
208 const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData,
209 const std::string& serverType, std::vector<nlohmann::json>& input)
210{
211 for (size_t index = 0; index < input.size(); index++)
212 {
213 nlohmann::json& thisJson = input[index];
214
215 if (thisJson.is_null())
216 {
217 // delete the existing object
218 if (index < roleMapObjData.size())
219 {
220 crow::connections::systemBus->async_method_call(
221 [asyncResp, roleMapObjData, serverType,
222 index](const boost::system::error_code ec) {
223 if (ec)
224 {
225 BMCWEB_LOG_ERROR << "DBUS response error: " << ec;
226 messages::internalError(asyncResp->res);
227 return;
228 }
229 asyncResp->res
230 .jsonValue[serverType]["RemoteRoleMapping"][index] =
231 nullptr;
232 },
233 ldapDbusService, roleMapObjData[index].first,
234 "xyz.openbmc_project.Object.Delete", "Delete");
235 }
236 else
237 {
238 BMCWEB_LOG_ERROR << "Can't delete the object";
239 messages::propertyValueTypeError(
240 asyncResp->res, thisJson.dump(),
241 "RemoteRoleMapping/" + std::to_string(index));
242 return;
243 }
244 }
245 else if (thisJson.empty())
246 {
247 // Don't do anything for the empty objects,parse next json
248 // eg {"RemoteRoleMapping",[{}]}
249 }
250 else
251 {
252 // update/create the object
253 std::optional<std::string> remoteGroup;
254 std::optional<std::string> localRole;
255
256 if (!json_util::readJson(thisJson, asyncResp->res, "RemoteGroup",
257 remoteGroup, "LocalRole", localRole))
258 {
259 continue;
260 }
261
262 // Update existing RoleMapping Object
263 if (index < roleMapObjData.size())
264 {
265 BMCWEB_LOG_DEBUG << "Update Role Map Object";
266 // If "RemoteGroup" info is provided
267 if (remoteGroup)
268 {
269 crow::connections::systemBus->async_method_call(
270 [asyncResp, roleMapObjData, serverType, index,
271 remoteGroup](const boost::system::error_code ec) {
272 if (ec)
273 {
274 BMCWEB_LOG_ERROR << "DBUS response error: "
275 << ec;
276 messages::internalError(asyncResp->res);
277 return;
278 }
279 asyncResp->res
280 .jsonValue[serverType]["RemoteRoleMapping"]
281 [index]["RemoteGroup"] = *remoteGroup;
282 },
283 ldapDbusService, roleMapObjData[index].first,
284 propertyInterface, "Set",
285 "xyz.openbmc_project.User.PrivilegeMapperEntry",
286 "GroupName",
287 std::variant<std::string>(std::move(*remoteGroup)));
288 }
289
290 // If "LocalRole" info is provided
291 if (localRole)
292 {
293 crow::connections::systemBus->async_method_call(
294 [asyncResp, roleMapObjData, serverType, index,
295 localRole](const boost::system::error_code ec) {
296 if (ec)
297 {
298 BMCWEB_LOG_ERROR << "DBUS response error: "
299 << ec;
300 messages::internalError(asyncResp->res);
301 return;
302 }
303 asyncResp->res
304 .jsonValue[serverType]["RemoteRoleMapping"]
305 [index]["LocalRole"] = *localRole;
306 },
307 ldapDbusService, roleMapObjData[index].first,
308 propertyInterface, "Set",
309 "xyz.openbmc_project.User.PrivilegeMapperEntry",
310 "Privilege",
311 std::variant<std::string>(
312 getPrivilegeFromRoleId(std::move(*localRole))));
313 }
314 }
315 // Create a new RoleMapping Object.
316 else
317 {
318 BMCWEB_LOG_DEBUG
319 << "setRoleMappingProperties: Creating new Object";
320 std::string pathString =
321 "RemoteRoleMapping/" + std::to_string(index);
322
323 if (!localRole)
324 {
325 messages::propertyMissing(asyncResp->res,
326 pathString + "/LocalRole");
327 continue;
328 }
329 if (!remoteGroup)
330 {
331 messages::propertyMissing(asyncResp->res,
332 pathString + "/RemoteGroup");
333 continue;
334 }
335
336 std::string dbusObjectPath;
337 if (serverType == "ActiveDirectory")
338 {
339 dbusObjectPath = ADConfigObject;
340 }
341 else if (serverType == "LDAP")
342 {
343 dbusObjectPath = ldapConfigObject;
344 }
345
346 BMCWEB_LOG_DEBUG << "Remote Group=" << *remoteGroup
347 << ",LocalRole=" << *localRole;
348
349 crow::connections::systemBus->async_method_call(
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]350 [asyncResp, serverType, localRole,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]351 remoteGroup](const boost::system::error_code ec) {
352 if (ec)
353 {
354 BMCWEB_LOG_ERROR << "DBUS response error: " << ec;
355 messages::internalError(asyncResp->res);
356 return;
357 }
358 nlohmann::json& remoteRoleJson =
359 asyncResp->res
360 .jsonValue[serverType]["RemoteRoleMapping"];
361 remoteRoleJson.push_back(
362 {{"LocalRole", *localRole},
363 {"RemoteGroup", *remoteGroup}});
364 },
365 ldapDbusService, dbusObjectPath, ldapPrivMapperInterface,
366 "Create", std::move(*remoteGroup),
367 getPrivilegeFromRoleId(std::move(*localRole)));
368 }
369 }
370 }
371}
372
373/**
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]374 * Function that retrieves all properties for LDAP config object
375 * into JSON
376 */
377template <typename CallbackFunc>
378inline void getLDAPConfigData(const std::string& ldapType,
379 CallbackFunc&& callback)
380{
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]381
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]382 const std::array<const char*, 2> interfaces = {ldapEnableInterface,
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]383 ldapConfigInterface};
384
385 crow::connections::systemBus->async_method_call(
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]386 [callback, ldapType](const boost::system::error_code ec,
387 const GetObjectType& resp) {
388 LDAPConfigData confData{};
389 if (ec || resp.empty())
390 {
391 BMCWEB_LOG_ERROR << "DBUS response error during getting of "
392 "service name: "
393 << ec;
394 callback(false, confData, ldapType);
395 return;
396 }
397 std::string service = resp.begin()->first;
398 crow::connections::systemBus->async_method_call(
399 [callback, ldapType](const boost::system::error_code error_code,
400 const ManagedObjectType& ldapObjects) {
401 LDAPConfigData confData{};
402 if (error_code)
403 {
404 callback(false, confData, ldapType);
405 BMCWEB_LOG_ERROR << "D-Bus responses error: "
406 << error_code;
407 return;
408 }
409
410 std::string ldapDbusType;
411 std::string searchString;
412
413 if (ldapType == "LDAP")
414 {
415 ldapDbusType = "xyz.openbmc_project.User.Ldap.Config."
416 "Type.OpenLdap";
417 searchString = "openldap";
418 }
419 else if (ldapType == "ActiveDirectory")
420 {
421 ldapDbusType =
422 "xyz.openbmc_project.User.Ldap.Config.Type."
423 "ActiveDirectory";
424 searchString = "active_directory";
425 }
426 else
427 {
428 BMCWEB_LOG_ERROR
429 << "Can't get the DbusType for the given type="
430 << ldapType;
431 callback(false, confData, ldapType);
432 return;
433 }
434
435 std::string ldapEnableInterfaceStr = ldapEnableInterface;
436 std::string ldapConfigInterfaceStr = ldapConfigInterface;
437
438 for (const auto& object : ldapObjects)
439 {
440 // let's find the object whose ldap type is equal to the
441 // given type
442 if (object.first.str.find(searchString) ==
443 std::string::npos)
444 {
445 continue;
446 }
447
448 for (const auto& interface : object.second)
449 {
450 if (interface.first == ldapEnableInterfaceStr)
451 {
452 // rest of the properties are string.
453 for (const auto& property : interface.second)
454 {
455 if (property.first == "Enabled")
456 {
457 const bool* value =
458 std::get_if<bool>(&property.second);
459 if (value == nullptr)
460 {
461 continue;
462 }
463 confData.serviceEnabled = *value;
464 break;
465 }
466 }
467 }
468 else if (interface.first == ldapConfigInterfaceStr)
469 {
470
471 for (const auto& property : interface.second)
472 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]473 const std::string* strValue =
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]474 std::get_if<std::string>(
475 &property.second);
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]476 if (strValue == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]477 {
478 continue;
479 }
480 if (property.first == "LDAPServerURI")
481 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]482 confData.uri = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]483 }
484 else if (property.first == "LDAPBindDN")
485 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]486 confData.bindDN = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]487 }
488 else if (property.first == "LDAPBaseDN")
489 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]490 confData.baseDN = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]491 }
492 else if (property.first ==
493 "LDAPSearchScope")
494 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]495 confData.searchScope = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]496 }
497 else if (property.first ==
498 "GroupNameAttribute")
499 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]500 confData.groupAttribute = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]501 }
502 else if (property.first ==
503 "UserNameAttribute")
504 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]505 confData.userNameAttribute = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]506 }
507 else if (property.first == "LDAPType")
508 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]509 confData.serverType = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]510 }
511 }
512 }
513 else if (interface.first ==
514 "xyz.openbmc_project.User."
515 "PrivilegeMapperEntry")
516 {
517 LDAPRoleMapData roleMapData{};
518 for (const auto& property : interface.second)
519 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]520 const std::string* strValue =
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]521 std::get_if<std::string>(
522 &property.second);
523
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]524 if (strValue == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]525 {
526 continue;
527 }
528
529 if (property.first == "GroupName")
530 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]531 roleMapData.groupName = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]532 }
533 else if (property.first == "Privilege")
534 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]535 roleMapData.privilege = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]536 }
537 }
538
Ed Tanous0f0353b2019-10-24 11:37:51 -0700[diff] [blame]539 confData.groupRoleList.emplace_back(
540 object.first.str, roleMapData);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]541 }
542 }
543 }
544 callback(true, confData, ldapType);
545 },
546 service, ldapRootObject, dbusObjManagerIntf,
547 "GetManagedObjects");
548 },
549 mapperBusName, mapperObjectPath, mapperIntf, "GetObject",
550 ldapConfigObject, interfaces);
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]551}
552
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]553class AccountService : public Node
554{
555 public:
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]556 AccountService(CrowApp& app) :
557 Node(app, "/redfish/v1/AccountService/"), app(app)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]558 {
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]559 entityPrivileges = {
560 {boost::beast::http::verb::get,
561 {{"ConfigureUsers"}, {"ConfigureManager"}}},
562 {boost::beast::http::verb::head, {{"Login"}}},
563 {boost::beast::http::verb::patch, {{"ConfigureUsers"}}},
564 {boost::beast::http::verb::put, {{"ConfigureUsers"}}},
565 {boost::beast::http::verb::delete_, {{"ConfigureUsers"}}},
566 {boost::beast::http::verb::post, {{"ConfigureUsers"}}}};
567 }
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]568
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]569 private:
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]570 /**
571 * @brief parses the authentication section under the LDAP
572 * @param input JSON data
573 * @param asyncResp pointer to the JSON response
574 * @param userName userName to be filled from the given JSON.
575 * @param password password to be filled from the given JSON.
576 */
577 void
578 parseLDAPAuthenticationJson(nlohmann::json input,
579 const std::shared_ptr<AsyncResp>& asyncResp,
580 std::optional<std::string>& username,
581 std::optional<std::string>& password)
582 {
583 std::optional<std::string> authType;
584
585 if (!json_util::readJson(input, asyncResp->res, "AuthenticationType",
586 authType, "Username", username, "Password",
587 password))
588 {
589 return;
590 }
591 if (!authType)
592 {
593 return;
594 }
595 if (*authType != "UsernameAndPassword")
596 {
597 messages::propertyValueNotInList(asyncResp->res, *authType,
598 "AuthenticationType");
599 return;
600 }
601 }
602 /**
603 * @brief parses the LDAPService section under the LDAP
604 * @param input JSON data
605 * @param asyncResp pointer to the JSON response
606 * @param baseDNList baseDN to be filled from the given JSON.
607 * @param userNameAttribute userName to be filled from the given JSON.
608 * @param groupaAttribute password to be filled from the given JSON.
609 */
610
611 void parseLDAPServiceJson(
612 nlohmann::json input, const std::shared_ptr<AsyncResp>& asyncResp,
613 std::optional<std::vector<std::string>>& baseDNList,
614 std::optional<std::string>& userNameAttribute,
615 std::optional<std::string>& groupsAttribute)
616 {
617 std::optional<nlohmann::json> searchSettings;
618
619 if (!json_util::readJson(input, asyncResp->res, "SearchSettings",
620 searchSettings))
621 {
622 return;
623 }
624 if (!searchSettings)
625 {
626 return;
627 }
628 if (!json_util::readJson(*searchSettings, asyncResp->res,
629 "BaseDistinguishedNames", baseDNList,
630 "UsernameAttribute", userNameAttribute,
631 "GroupsAttribute", groupsAttribute))
632 {
633 return;
634 }
635 }
636 /**
637 * @brief updates the LDAP server address and updates the
638 json response with the new value.
639 * @param serviceAddressList address to be updated.
640 * @param asyncResp pointer to the JSON response
641 * @param ldapServerElementName Type of LDAP
642 server(openLDAP/ActiveDirectory)
643 */
644
645 void handleServiceAddressPatch(
646 const std::vector<std::string>& serviceAddressList,
647 const std::shared_ptr<AsyncResp>& asyncResp,
648 const std::string& ldapServerElementName,
649 const std::string& ldapConfigObject)
650 {
651 crow::connections::systemBus->async_method_call(
652 [asyncResp, ldapServerElementName,
653 serviceAddressList](const boost::system::error_code ec) {
654 if (ec)
655 {
656 BMCWEB_LOG_DEBUG
657 << "Error Occured in updating the service address";
658 messages::internalError(asyncResp->res);
659 return;
660 }
661 std::vector<std::string> modifiedserviceAddressList = {
662 serviceAddressList.front()};
663 asyncResp->res
664 .jsonValue[ldapServerElementName]["ServiceAddresses"] =
665 modifiedserviceAddressList;
666 if ((serviceAddressList).size() > 1)
667 {
668 messages::propertyValueModified(asyncResp->res,
669 "ServiceAddresses",
670 serviceAddressList.front());
671 }
672 BMCWEB_LOG_DEBUG << "Updated the service address";
673 },
674 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
675 ldapConfigInterface, "LDAPServerURI",
676 std::variant<std::string>(serviceAddressList.front()));
677 }
678 /**
679 * @brief updates the LDAP Bind DN and updates the
680 json response with the new value.
681 * @param username name of the user which needs to be updated.
682 * @param asyncResp pointer to the JSON response
683 * @param ldapServerElementName Type of LDAP
684 server(openLDAP/ActiveDirectory)
685 */
686
687 void handleUserNamePatch(const std::string& username,
688 const std::shared_ptr<AsyncResp>& asyncResp,
689 const std::string& ldapServerElementName,
690 const std::string& ldapConfigObject)
691 {
692 crow::connections::systemBus->async_method_call(
693 [asyncResp, username,
694 ldapServerElementName](const boost::system::error_code ec) {
695 if (ec)
696 {
697 BMCWEB_LOG_DEBUG
698 << "Error occured in updating the username";
699 messages::internalError(asyncResp->res);
700 return;
701 }
702 asyncResp->res.jsonValue[ldapServerElementName]
703 ["Authentication"]["Username"] =
704 username;
705 BMCWEB_LOG_DEBUG << "Updated the username";
706 },
707 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
708 ldapConfigInterface, "LDAPBindDN",
709 std::variant<std::string>(username));
710 }
711
712 /**
713 * @brief updates the LDAP password
714 * @param password : ldap password which needs to be updated.
715 * @param asyncResp pointer to the JSON response
716 * @param ldapServerElementName Type of LDAP
717 * server(openLDAP/ActiveDirectory)
718 */
719
720 void handlePasswordPatch(const std::string& password,
721 const std::shared_ptr<AsyncResp>& asyncResp,
722 const std::string& ldapServerElementName,
723 const std::string& ldapConfigObject)
724 {
725 crow::connections::systemBus->async_method_call(
726 [asyncResp, password,
727 ldapServerElementName](const boost::system::error_code ec) {
728 if (ec)
729 {
730 BMCWEB_LOG_DEBUG
731 << "Error occured in updating the password";
732 messages::internalError(asyncResp->res);
733 return;
734 }
735 asyncResp->res.jsonValue[ldapServerElementName]
736 ["Authentication"]["Password"] = "";
737 BMCWEB_LOG_DEBUG << "Updated the password";
738 },
739 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
740 ldapConfigInterface, "LDAPBindDNPassword",
741 std::variant<std::string>(password));
742 }
743
744 /**
745 * @brief updates the LDAP BaseDN and updates the
746 json response with the new value.
747 * @param baseDNList baseDN list which needs to be updated.
748 * @param asyncResp pointer to the JSON response
749 * @param ldapServerElementName Type of LDAP
750 server(openLDAP/ActiveDirectory)
751 */
752
753 void handleBaseDNPatch(const std::vector<std::string>& baseDNList,
754 const std::shared_ptr<AsyncResp>& asyncResp,
755 const std::string& ldapServerElementName,
756 const std::string& ldapConfigObject)
757 {
758 crow::connections::systemBus->async_method_call(
759 [asyncResp, baseDNList,
760 ldapServerElementName](const boost::system::error_code ec) {
761 if (ec)
762 {
763 BMCWEB_LOG_DEBUG << "Error Occured in Updating the base DN";
764 messages::internalError(asyncResp->res);
765 return;
766 }
767 auto& serverTypeJson =
768 asyncResp->res.jsonValue[ldapServerElementName];
769 auto& searchSettingsJson =
770 serverTypeJson["LDAPService"]["SearchSettings"];
771 std::vector<std::string> modifiedBaseDNList = {
772 baseDNList.front()};
773 searchSettingsJson["BaseDistinguishedNames"] =
774 modifiedBaseDNList;
775 if (baseDNList.size() > 1)
776 {
777 messages::propertyValueModified(asyncResp->res,
778 "BaseDistinguishedNames",
779 baseDNList.front());
780 }
781 BMCWEB_LOG_DEBUG << "Updated the base DN";
782 },
783 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
784 ldapConfigInterface, "LDAPBaseDN",
785 std::variant<std::string>(baseDNList.front()));
786 }
787 /**
788 * @brief updates the LDAP user name attribute and updates the
789 json response with the new value.
790 * @param userNameAttribute attribute to be updated.
791 * @param asyncResp pointer to the JSON response
792 * @param ldapServerElementName Type of LDAP
793 server(openLDAP/ActiveDirectory)
794 */
795
796 void handleUserNameAttrPatch(const std::string& userNameAttribute,
797 const std::shared_ptr<AsyncResp>& asyncResp,
798 const std::string& ldapServerElementName,
799 const std::string& ldapConfigObject)
800 {
801 crow::connections::systemBus->async_method_call(
802 [asyncResp, userNameAttribute,
803 ldapServerElementName](const boost::system::error_code ec) {
804 if (ec)
805 {
806 BMCWEB_LOG_DEBUG << "Error Occured in Updating the "
807 "username attribute";
808 messages::internalError(asyncResp->res);
809 return;
810 }
811 auto& serverTypeJson =
812 asyncResp->res.jsonValue[ldapServerElementName];
813 auto& searchSettingsJson =
814 serverTypeJson["LDAPService"]["SearchSettings"];
815 searchSettingsJson["UsernameAttribute"] = userNameAttribute;
816 BMCWEB_LOG_DEBUG << "Updated the user name attr.";
817 },
818 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
819 ldapConfigInterface, "UserNameAttribute",
820 std::variant<std::string>(userNameAttribute));
821 }
822 /**
823 * @brief updates the LDAP group attribute and updates the
824 json response with the new value.
825 * @param groupsAttribute attribute to be updated.
826 * @param asyncResp pointer to the JSON response
827 * @param ldapServerElementName Type of LDAP
828 server(openLDAP/ActiveDirectory)
829 */
830
831 void handleGroupNameAttrPatch(const std::string& groupsAttribute,
832 const std::shared_ptr<AsyncResp>& asyncResp,
833 const std::string& ldapServerElementName,
834 const std::string& ldapConfigObject)
835 {
836 crow::connections::systemBus->async_method_call(
837 [asyncResp, groupsAttribute,
838 ldapServerElementName](const boost::system::error_code ec) {
839 if (ec)
840 {
841 BMCWEB_LOG_DEBUG << "Error Occured in Updating the "
842 "groupname attribute";
843 messages::internalError(asyncResp->res);
844 return;
845 }
846 auto& serverTypeJson =
847 asyncResp->res.jsonValue[ldapServerElementName];
848 auto& searchSettingsJson =
849 serverTypeJson["LDAPService"]["SearchSettings"];
850 searchSettingsJson["GroupsAttribute"] = groupsAttribute;
851 BMCWEB_LOG_DEBUG << "Updated the groupname attr";
852 },
853 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
854 ldapConfigInterface, "GroupNameAttribute",
855 std::variant<std::string>(groupsAttribute));
856 }
857 /**
858 * @brief updates the LDAP service enable and updates the
859 json response with the new value.
860 * @param input JSON data.
861 * @param asyncResp pointer to the JSON response
862 * @param ldapServerElementName Type of LDAP
863 server(openLDAP/ActiveDirectory)
864 */
865
866 void handleServiceEnablePatch(bool serviceEnabled,
867 const std::shared_ptr<AsyncResp>& asyncResp,
868 const std::string& ldapServerElementName,
869 const std::string& ldapConfigObject)
870 {
871 crow::connections::systemBus->async_method_call(
872 [asyncResp, serviceEnabled,
873 ldapServerElementName](const boost::system::error_code ec) {
874 if (ec)
875 {
876 BMCWEB_LOG_DEBUG
877 << "Error Occured in Updating the service enable";
878 messages::internalError(asyncResp->res);
879 return;
880 }
881 asyncResp->res
882 .jsonValue[ldapServerElementName]["ServiceEnabled"] =
883 serviceEnabled;
884 BMCWEB_LOG_DEBUG << "Updated Service enable = "
885 << serviceEnabled;
886 },
887 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
888 ldapEnableInterface, "Enabled", std::variant<bool>(serviceEnabled));
889 }
890
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]891 void handleAuthMethodsPatch(nlohmann::json& input,
892 const std::shared_ptr<AsyncResp>& asyncResp)
893 {
894 std::optional<bool> basicAuth;
895 std::optional<bool> cookie;
896 std::optional<bool> sessionToken;
897 std::optional<bool> xToken;
Zbigniew Kurzynski501f1e52019-10-02 11:22:11 +0200[diff] [blame]898 std::optional<bool> tls;
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]899
900 if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth,
901 "Cookie", cookie, "SessionToken", sessionToken,
Zbigniew Kurzynski501f1e52019-10-02 11:22:11 +0200[diff] [blame]902 "XToken", xToken, "TLS", tls))
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]903 {
904 BMCWEB_LOG_ERROR << "Cannot read values from AuthMethod tag";
905 return;
906 }
907
908 // Make a copy of methods configuration
909 crow::persistent_data::AuthConfigMethods authMethodsConfig =
910 crow::persistent_data::SessionStore::getInstance()
911 .getAuthMethodsConfig();
912
913 if (basicAuth)
914 {
915 authMethodsConfig.basic = *basicAuth;
916 }
917
918 if (cookie)
919 {
920 authMethodsConfig.cookie = *cookie;
921 }
922
923 if (sessionToken)
924 {
925 authMethodsConfig.sessionToken = *sessionToken;
926 }
927
928 if (xToken)
929 {
930 authMethodsConfig.xtoken = *xToken;
931 }
932
Zbigniew Kurzynski501f1e52019-10-02 11:22:11 +0200[diff] [blame]933 if (tls)
934 {
935 authMethodsConfig.tls = *tls;
936 }
937
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]938 if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
Zbigniew Kurzynski501f1e52019-10-02 11:22:11 +0200[diff] [blame]939 !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
940 !authMethodsConfig.tls)
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]941 {
942 // Do not allow user to disable everything
943 messages::actionNotSupported(asyncResp->res,
944 "of disabling all available methods");
945 return;
946 }
947
948 crow::persistent_data::SessionStore::getInstance()
949 .updateAuthMethodsConfig(authMethodsConfig);
950 // Save configuration immediately
951 app.template getMiddleware<crow::persistent_data::Middleware>()
952 .writeData();
953
954 messages::success(asyncResp->res);
955 }
956
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]957 /**
958 * @brief Get the required values from the given JSON, validates the
959 * value and create the LDAP config object.
960 * @param input JSON data
961 * @param asyncResp pointer to the JSON response
962 * @param serverType Type of LDAP server(openLDAP/ActiveDirectory)
963 */
964
965 void handleLDAPPatch(nlohmann::json& input,
966 const std::shared_ptr<AsyncResp>& asyncResp,
967 const crow::Request& req,
968 const std::vector<std::string>& params,
969 const std::string& serverType)
970 {
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]971 std::string dbusObjectPath;
972 if (serverType == "ActiveDirectory")
973 {
974 dbusObjectPath = ADConfigObject;
975 }
976 else if (serverType == "LDAP")
977 {
978 dbusObjectPath = ldapConfigObject;
979 }
980
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]981 std::optional<nlohmann::json> authentication;
982 std::optional<nlohmann::json> ldapService;
983 std::optional<std::string> accountProviderType;
984 std::optional<std::vector<std::string>> serviceAddressList;
985 std::optional<bool> serviceEnabled;
986 std::optional<std::vector<std::string>> baseDNList;
987 std::optional<std::string> userNameAttribute;
988 std::optional<std::string> groupsAttribute;
989 std::optional<std::string> userName;
990 std::optional<std::string> password;
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]991 std::optional<std::vector<nlohmann::json>> remoteRoleMapData;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]992
993 if (!json_util::readJson(input, asyncResp->res, "Authentication",
994 authentication, "LDAPService", ldapService,
995 "ServiceAddresses", serviceAddressList,
996 "AccountProviderType", accountProviderType,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]997 "ServiceEnabled", serviceEnabled,
998 "RemoteRoleMapping", remoteRoleMapData))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]999 {
1000 return;
1001 }
1002
1003 if (authentication)
1004 {
1005 parseLDAPAuthenticationJson(*authentication, asyncResp, userName,
1006 password);
1007 }
1008 if (ldapService)
1009 {
1010 parseLDAPServiceJson(*ldapService, asyncResp, baseDNList,
1011 userNameAttribute, groupsAttribute);
1012 }
1013 if (accountProviderType)
1014 {
1015 messages::propertyNotWritable(asyncResp->res,
1016 "AccountProviderType");
1017 }
1018 if (serviceAddressList)
1019 {
1020 if ((*serviceAddressList).size() == 0)
1021 {
1022 messages::propertyValueNotInList(asyncResp->res, "[]",
1023 "ServiceAddress");
1024 return;
1025 }
1026 }
1027 if (baseDNList)
1028 {
1029 if ((*baseDNList).size() == 0)
1030 {
1031 messages::propertyValueNotInList(asyncResp->res, "[]",
1032 "BaseDistinguishedNames");
1033 return;
1034 }
1035 }
1036
1037 // nothing to update, then return
1038 if (!userName && !password && !serviceAddressList && !baseDNList &&
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]1039 !userNameAttribute && !groupsAttribute && !serviceEnabled &&
1040 !remoteRoleMapData)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1041 {
1042 return;
1043 }
1044
1045 // Get the existing resource first then keep modifying
1046 // whenever any property gets updated.
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]1047 getLDAPConfigData(serverType, [this, asyncResp, userName, password,
1048 baseDNList, userNameAttribute,
1049 groupsAttribute, accountProviderType,
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1050 serviceAddressList, serviceEnabled,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]1051 dbusObjectPath, remoteRoleMapData](
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]1052 bool success, LDAPConfigData confData,
1053 const std::string& serverType) {
1054 if (!success)
1055 {
1056 messages::internalError(asyncResp->res);
1057 return;
1058 }
1059 parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverType);
1060 if (confData.serviceEnabled)
1061 {
1062 // Disable the service first and update the rest of
1063 // the properties.
1064 handleServiceEnablePatch(false, asyncResp, serverType,
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1065 dbusObjectPath);
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]1066 }
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1067
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]1068 if (serviceAddressList)
1069 {
1070 handleServiceAddressPatch(*serviceAddressList, asyncResp,
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1071 serverType, dbusObjectPath);
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]1072 }
1073 if (userName)
1074 {
1075 handleUserNamePatch(*userName, asyncResp, serverType,
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1076 dbusObjectPath);
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]1077 }
1078 if (password)
1079 {
1080 handlePasswordPatch(*password, asyncResp, serverType,
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1081 dbusObjectPath);
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]1082 }
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1083
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]1084 if (baseDNList)
1085 {
1086 handleBaseDNPatch(*baseDNList, asyncResp, serverType,
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1087 dbusObjectPath);
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]1088 }
1089 if (userNameAttribute)
1090 {
1091 handleUserNameAttrPatch(*userNameAttribute, asyncResp,
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1092 serverType, dbusObjectPath);
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]1093 }
1094 if (groupsAttribute)
1095 {
1096 handleGroupNameAttrPatch(*groupsAttribute, asyncResp,
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1097 serverType, dbusObjectPath);
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]1098 }
1099 if (serviceEnabled)
1100 {
1101 // if user has given the value as true then enable
1102 // the service. if user has given false then no-op
1103 // as service is already stopped.
1104 if (*serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1105 {
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]1106 handleServiceEnablePatch(*serviceEnabled, asyncResp,
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1107 serverType, dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1108 }
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]1109 }
1110 else
1111 {
1112 // if user has not given the service enabled value
1113 // then revert it to the same state as it was
1114 // before.
1115 handleServiceEnablePatch(confData.serviceEnabled, asyncResp,
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1116 serverType, dbusObjectPath);
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]1117 }
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]1118
1119 if (remoteRoleMapData)
1120 {
1121 std::vector<nlohmann::json> remoteRoleMap =
1122 std::move(*remoteRoleMapData);
1123
1124 handleRoleMapPatch(asyncResp, confData.groupRoleList,
1125 serverType, remoteRoleMap);
1126 }
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]1127 });
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1128 }
Ed Tanousd4b54432019-07-17 22:51:55 +0000[diff] [blame]1129
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]1130 void doGet(crow::Response& res, const crow::Request& req,
1131 const std::vector<std::string>& params) override
1132 {
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1133 const crow::persistent_data::AuthConfigMethods& authMethodsConfig =
1134 crow::persistent_data::SessionStore::getInstance()
1135 .getAuthMethodsConfig();
1136
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1137 auto asyncResp = std::make_shared<AsyncResp>(res);
1138 res.jsonValue = {
1139 {"@odata.context", "/redfish/v1/"
1140 "$metadata#AccountService.AccountService"},
1141 {"@odata.id", "/redfish/v1/AccountService"},
1142 {"@odata.type", "#AccountService."
Marri Devender Rao37cce912019-02-20 01:05:22 -0600[diff] [blame]1143 "v1_4_0.AccountService"},
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1144 {"Id", "AccountService"},
1145 {"Name", "Account Service"},
1146 {"Description", "Account Service"},
1147 {"ServiceEnabled", true},
AppaRao Puli343ff2e2019-03-24 00:42:13 +0530[diff] [blame]1148 {"MaxPasswordLength", 20},
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1149 {"Accounts",
1150 {{"@odata.id", "/redfish/v1/AccountService/Accounts"}}},
Marri Devender Rao37cce912019-02-20 01:05:22 -0600[diff] [blame]1151 {"Roles", {{"@odata.id", "/redfish/v1/AccountService/Roles"}}},
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1152 {"Oem",
1153 {{"OpenBMC",
1154 {{"@odata.type", "#OemAccountService.v1_0_0.AccountService"},
1155 {"AuthMethods",
1156 {
1157 {"BasicAuth", authMethodsConfig.basic},
1158 {"SessionToken", authMethodsConfig.sessionToken},
1159 {"XToken", authMethodsConfig.xtoken},
1160 {"Cookie", authMethodsConfig.cookie},
Zbigniew Kurzynski501f1e52019-10-02 11:22:11 +0200[diff] [blame]1161 {"TLS", authMethodsConfig.tls},
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1162 }}}}}},
Marri Devender Rao37cce912019-02-20 01:05:22 -0600[diff] [blame]1163 {"LDAP",
1164 {{"Certificates",
1165 {{"@odata.id",
1166 "/redfish/v1/AccountService/LDAP/Certificates"}}}}}};
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1167 crow::connections::systemBus->async_method_call(
1168 [asyncResp](
1169 const boost::system::error_code ec,
1170 const std::vector<std::pair<
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1171 std::string, std::variant<uint32_t, uint16_t, uint8_t>>>&
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1172 propertiesList) {
1173 if (ec)
1174 {
1175 messages::internalError(asyncResp->res);
1176 return;
1177 }
1178 BMCWEB_LOG_DEBUG << "Got " << propertiesList.size()
1179 << "properties for AccountService";
1180 for (const std::pair<std::string,
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1181 std::variant<uint32_t, uint16_t, uint8_t>>&
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1182 property : propertiesList)
1183 {
1184 if (property.first == "MinPasswordLength")
1185 {
1186 const uint8_t* value =
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1187 std::get_if<uint8_t>(&property.second);
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1188 if (value != nullptr)
1189 {
1190 asyncResp->res.jsonValue["MinPasswordLength"] =
1191 *value;
1192 }
1193 }
1194 if (property.first == "AccountUnlockTimeout")
1195 {
1196 const uint32_t* value =
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1197 std::get_if<uint32_t>(&property.second);
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1198 if (value != nullptr)
1199 {
1200 asyncResp->res.jsonValue["AccountLockoutDuration"] =
1201 *value;
1202 }
1203 }
1204 if (property.first == "MaxLoginAttemptBeforeLockout")
1205 {
1206 const uint16_t* value =
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1207 std::get_if<uint16_t>(&property.second);
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1208 if (value != nullptr)
1209 {
1210 asyncResp->res
1211 .jsonValue["AccountLockoutThreshold"] = *value;
1212 }
1213 }
1214 }
1215 },
1216 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1217 "org.freedesktop.DBus.Properties", "GetAll",
1218 "xyz.openbmc_project.User.AccountPolicy");
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]1219
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]1220 auto callback = [asyncResp](bool success, LDAPConfigData& confData,
1221 const std::string& ldapType) {
1222 parseLDAPConfigData(asyncResp->res.jsonValue, confData, ldapType);
1223 };
1224
1225 getLDAPConfigData("LDAP", callback);
1226 getLDAPConfigData("ActiveDirectory", callback);
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1227 }
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]1228
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1229 void doPatch(crow::Response& res, const crow::Request& req,
1230 const std::vector<std::string>& params) override
1231 {
1232 auto asyncResp = std::make_shared<AsyncResp>(res);
1233
1234 std::optional<uint32_t> unlockTimeout;
1235 std::optional<uint16_t> lockoutThreshold;
Ratan Gupta19fb6e72019-03-04 13:30:50 +0530[diff] [blame]1236 std::optional<uint16_t> minPasswordLength;
1237 std::optional<uint16_t> maxPasswordLength;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1238 std::optional<nlohmann::json> ldapObject;
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1239 std::optional<nlohmann::json> activeDirectoryObject;
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1240 std::optional<nlohmann::json> oemObject;
Ratan Gupta19fb6e72019-03-04 13:30:50 +0530[diff] [blame]1241
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1242 if (!json_util::readJson(
1243 req, res, "AccountLockoutDuration", unlockTimeout,
1244 "AccountLockoutThreshold", lockoutThreshold,
1245 "MaxPasswordLength", maxPasswordLength, "MinPasswordLength",
1246 minPasswordLength, "LDAP", ldapObject, "ActiveDirectory",
1247 activeDirectoryObject, "Oem", oemObject))
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1248 {
1249 return;
1250 }
Ratan Gupta19fb6e72019-03-04 13:30:50 +0530[diff] [blame]1251
1252 if (minPasswordLength)
1253 {
1254 messages::propertyNotWritable(asyncResp->res, "MinPasswordLength");
1255 }
1256
1257 if (maxPasswordLength)
1258 {
1259 messages::propertyNotWritable(asyncResp->res, "MaxPasswordLength");
1260 }
1261
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1262 if (ldapObject)
1263 {
1264 handleLDAPPatch(*ldapObject, asyncResp, req, params, "LDAP");
1265 }
1266
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1267 if (std::optional<nlohmann::json> oemOpenBMCObject;
1268 oemObject &&
1269 json_util::readJson(*oemObject, res, "OpenBMC", oemOpenBMCObject))
1270 {
1271 if (std::optional<nlohmann::json> authMethodsObject;
1272 oemOpenBMCObject &&
1273 json_util::readJson(*oemOpenBMCObject, res, "AuthMethods",
1274 authMethodsObject))
1275 {
1276 if (authMethodsObject)
1277 {
1278 handleAuthMethodsPatch(*authMethodsObject, asyncResp);
1279 }
1280 }
1281 }
1282
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1283 if (activeDirectoryObject)
1284 {
1285 handleLDAPPatch(*activeDirectoryObject, asyncResp, req, params,
1286 "ActiveDirectory");
1287 }
1288
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1289 if (unlockTimeout)
1290 {
1291 crow::connections::systemBus->async_method_call(
1292 [asyncResp](const boost::system::error_code ec) {
1293 if (ec)
1294 {
1295 messages::internalError(asyncResp->res);
1296 return;
1297 }
Ratan Guptaadd61332019-02-13 20:49:16 +0530[diff] [blame]1298 messages::success(asyncResp->res);
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1299 },
1300 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1301 "org.freedesktop.DBus.Properties", "Set",
1302 "xyz.openbmc_project.User.AccountPolicy",
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1303 "AccountUnlockTimeout", std::variant<uint32_t>(*unlockTimeout));
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1304 }
1305 if (lockoutThreshold)
1306 {
1307 crow::connections::systemBus->async_method_call(
1308 [asyncResp](const boost::system::error_code ec) {
1309 if (ec)
1310 {
1311 messages::internalError(asyncResp->res);
1312 return;
1313 }
Ratan Guptaadd61332019-02-13 20:49:16 +0530[diff] [blame]1314 messages::success(asyncResp->res);
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1315 },
1316 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1317 "org.freedesktop.DBus.Properties", "Set",
1318 "xyz.openbmc_project.User.AccountPolicy",
1319 "MaxLoginAttemptBeforeLockout",
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1320 std::variant<uint16_t>(*lockoutThreshold));
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1321 }
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]1322 }
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1323
1324 CrowApp& app;
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]1325};
Tanousf00032d2018-11-05 01:18:10 -0300[diff] [blame]1326
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1327class AccountsCollection : public Node
1328{
1329 public:
1330 AccountsCollection(CrowApp& app) :
1331 Node(app, "/redfish/v1/AccountService/Accounts/")
1332 {
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1333 entityPrivileges = {
1334 {boost::beast::http::verb::get,
1335 {{"ConfigureUsers"}, {"ConfigureManager"}}},
1336 {boost::beast::http::verb::head, {{"Login"}}},
1337 {boost::beast::http::verb::patch, {{"ConfigureUsers"}}},
1338 {boost::beast::http::verb::put, {{"ConfigureUsers"}}},
1339 {boost::beast::http::verb::delete_, {{"ConfigureUsers"}}},
1340 {boost::beast::http::verb::post, {{"ConfigureUsers"}}}};
1341 }
1342
1343 private:
1344 void doGet(crow::Response& res, const crow::Request& req,
1345 const std::vector<std::string>& params) override
1346 {
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1347 auto asyncResp = std::make_shared<AsyncResp>(res);
Ed Tanous0f74e642018-11-12 15:17:05 -0800[diff] [blame]1348 res.jsonValue = {{"@odata.context",
1349 "/redfish/v1/"
1350 "$metadata#ManagerAccountCollection."
1351 "ManagerAccountCollection"},
1352 {"@odata.id", "/redfish/v1/AccountService/Accounts"},
1353 {"@odata.type", "#ManagerAccountCollection."
1354 "ManagerAccountCollection"},
1355 {"Name", "Accounts Collection"},
1356 {"Description", "BMC User Accounts"}};
1357
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1358 crow::connections::systemBus->async_method_call(
1359 [asyncResp](const boost::system::error_code ec,
1360 const ManagedObjectType& users) {
1361 if (ec)
1362 {
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1363 messages::internalError(asyncResp->res);
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1364 return;
1365 }
1366
1367 nlohmann::json& memberArray =
1368 asyncResp->res.jsonValue["Members"];
1369 memberArray = nlohmann::json::array();
1370
1371 asyncResp->res.jsonValue["Members@odata.count"] = users.size();
1372 for (auto& user : users)
1373 {
1374 const std::string& path =
1375 static_cast<const std::string&>(user.first);
1376 std::size_t lastIndex = path.rfind("/");
1377 if (lastIndex == std::string::npos)
1378 {
1379 lastIndex = 0;
1380 }
1381 else
1382 {
1383 lastIndex += 1;
1384 }
1385 memberArray.push_back(
1386 {{"@odata.id", "/redfish/v1/AccountService/Accounts/" +
1387 path.substr(lastIndex)}});
1388 }
1389 },
1390 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1391 "org.freedesktop.DBus.ObjectManager", "GetManagedObjects");
1392 }
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1393 void doPost(crow::Response& res, const crow::Request& req,
1394 const std::vector<std::string>& params) override
1395 {
1396 auto asyncResp = std::make_shared<AsyncResp>(res);
1397
Ed Tanous9712f8a2018-09-21 13:38:49 -0700[diff] [blame]1398 std::string username;
1399 std::string password;
Ed Tanousa24526d2018-12-10 15:17:59 -0800[diff] [blame]1400 std::optional<std::string> roleId("User");
1401 std::optional<bool> enabled = true;
Ed Tanous9712f8a2018-09-21 13:38:49 -0700[diff] [blame]1402 if (!json_util::readJson(req, res, "UserName", username, "Password",
1403 password, "RoleId", roleId, "Enabled",
1404 enabled))
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1405 {
1406 return;
1407 }
1408
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1409 std::string priv = getPrivilegeFromRoleId(*roleId);
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1410 if (priv.empty())
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1411 {
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1412 messages::propertyValueNotInList(asyncResp->res, *roleId, "RoleId");
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1413 return;
1414 }
Ed Tanous9712f8a2018-09-21 13:38:49 -0700[diff] [blame]1415 roleId = priv;
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1416
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1417 // Reading AllGroups property
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1418 crow::connections::systemBus->async_method_call(
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1419 [asyncResp, username, password{std::move(password)}, roleId,
1420 enabled](const boost::system::error_code ec,
1421 const std::variant<std::vector<std::string>>& allGroups) {
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1422 if (ec)
1423 {
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1424 BMCWEB_LOG_DEBUG << "ERROR with async_method_call";
1425 messages::internalError(asyncResp->res);
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1426 return;
1427 }
1428
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1429 const std::vector<std::string>* allGroupsList =
1430 std::get_if<std::vector<std::string>>(&allGroups);
1431
1432 if (allGroupsList == nullptr || allGroupsList->empty())
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1433 {
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1434 messages::internalError(asyncResp->res);
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1435 return;
1436 }
1437
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1438 crow::connections::systemBus->async_method_call(
1439 [asyncResp, username, password{std::move(password)}](
anil kumar appana0d4197e2019-06-13 15:06:23 +0000[diff] [blame]1440 const boost::system::error_code ec,
1441 sdbusplus::message::message& m) {
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1442 if (ec)
1443 {
anil kumar appana0d4197e2019-06-13 15:06:23 +0000[diff] [blame]1444 userErrorMessageHandler(m.get_error(), asyncResp,
1445 username, "");
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1446 return;
1447 }
1448
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1449 if (pamUpdatePassword(username, password) !=
1450 PAM_SUCCESS)
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1451 {
1452 // At this point we have a user that's been created,
1453 // but the password set failed.Something is wrong,
1454 // so delete the user that we've already created
1455 crow::connections::systemBus->async_method_call(
anil kumar appana0d4197e2019-06-13 15:06:23 +0000[diff] [blame]1456 [asyncResp,
1457 password](const boost::system::error_code ec) {
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1458 if (ec)
1459 {
1460 messages::internalError(asyncResp->res);
1461 return;
1462 }
1463
anil kumar appana0d4197e2019-06-13 15:06:23 +0000[diff] [blame]1464 // If password is invalid
1465 messages::propertyValueFormatError(
1466 asyncResp->res, password, "Password");
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1467 },
1468 "xyz.openbmc_project.User.Manager",
1469 "/xyz/openbmc_project/user/" + username,
1470 "xyz.openbmc_project.Object.Delete", "Delete");
1471
1472 BMCWEB_LOG_ERROR << "pamUpdatePassword Failed";
1473 return;
1474 }
1475
1476 messages::created(asyncResp->res);
1477 asyncResp->res.addHeader(
1478 "Location",
1479 "/redfish/v1/AccountService/Accounts/" + username);
1480 },
1481 "xyz.openbmc_project.User.Manager",
1482 "/xyz/openbmc_project/user",
1483 "xyz.openbmc_project.User.Manager", "CreateUser", username,
1484 *allGroupsList, *roleId, *enabled);
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1485 },
1486 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1487 "org.freedesktop.DBus.Properties", "Get",
1488 "xyz.openbmc_project.User.Manager", "AllGroups");
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1489 }
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1490};
1491
1492class ManagerAccount : public Node
1493{
1494 public:
1495 ManagerAccount(CrowApp& app) :
1496 Node(app, "/redfish/v1/AccountService/Accounts/<str>/", std::string())
1497 {
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1498 entityPrivileges = {
1499 {boost::beast::http::verb::get,
1500 {{"ConfigureUsers"}, {"ConfigureManager"}, {"ConfigureSelf"}}},
1501 {boost::beast::http::verb::head, {{"Login"}}},
Joseph Reynolds900f9492019-11-25 15:37:29 -0600[diff] [blame]1502 {boost::beast::http::verb::patch,
1503 {{"ConfigureUsers"}, {"ConfigureSelf"}}},
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1504 {boost::beast::http::verb::put, {{"ConfigureUsers"}}},
1505 {boost::beast::http::verb::delete_, {{"ConfigureUsers"}}},
1506 {boost::beast::http::verb::post, {{"ConfigureUsers"}}}};
1507 }
1508
1509 private:
1510 void doGet(crow::Response& res, const crow::Request& req,
1511 const std::vector<std::string>& params) override
1512 {
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1513 auto asyncResp = std::make_shared<AsyncResp>(res);
1514
1515 if (params.size() != 1)
1516 {
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1517 messages::internalError(asyncResp->res);
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1518 return;
1519 }
1520
Joseph Reynolds900f9492019-11-25 15:37:29 -0600[diff] [blame]1521 // Perform a proper ConfigureSelf authority check. If the
1522 // user is operating on an account not their own, then their
1523 // ConfigureSelf privilege does not apply. In this case,
1524 // perform the authority check again without the user's
1525 // ConfigureSelf privilege.
1526 if (req.session->username != params[0])
1527 {
1528 if (!isAllowedWithoutConfigureSelf(req))
1529 {
1530 BMCWEB_LOG_DEBUG << "GET Account denied access";
1531 messages::insufficientPrivilege(asyncResp->res);
1532 return;
1533 }
1534 }
1535
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1536 crow::connections::systemBus->async_method_call(
1537 [asyncResp, accountName{std::string(params[0])}](
1538 const boost::system::error_code ec,
1539 const ManagedObjectType& users) {
1540 if (ec)
1541 {
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1542 messages::internalError(asyncResp->res);
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1543 return;
1544 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1545 auto userIt = users.begin();
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1546
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1547 for (; userIt != users.end(); userIt++)
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1548 {
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1549 if (boost::ends_with(userIt->first.str, "/" + accountName))
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1550 {
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1551 break;
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1552 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1553 }
1554 if (userIt == users.end())
1555 {
1556 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1557 accountName);
1558 return;
1559 }
Ayushi Smriti4e68c452019-09-04 14:37:55 +0530[diff] [blame]1560
1561 asyncResp->res.jsonValue = {
1562 {"@odata.context",
1563 "/redfish/v1/$metadata#ManagerAccount.ManagerAccount"},
1564 {"@odata.type", "#ManagerAccount.v1_0_3.ManagerAccount"},
1565 {"Name", "User Account"},
1566 {"Description", "User Account"},
1567 {"Password", nullptr}};
1568
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1569 for (const auto& interface : userIt->second)
1570 {
1571 if (interface.first ==
1572 "xyz.openbmc_project.User.Attributes")
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1573 {
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1574 for (const auto& property : interface.second)
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]1575 {
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1576 if (property.first == "UserEnabled")
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]1577 {
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1578 const bool* userEnabled =
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1579 std::get_if<bool>(&property.second);
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1580 if (userEnabled == nullptr)
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]1581 {
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1582 BMCWEB_LOG_ERROR
1583 << "UserEnabled wasn't a bool";
1584 messages::internalError(asyncResp->res);
1585 return;
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]1586 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1587 asyncResp->res.jsonValue["Enabled"] =
1588 *userEnabled;
1589 }
1590 else if (property.first ==
1591 "UserLockedForFailedAttempt")
1592 {
1593 const bool* userLocked =
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1594 std::get_if<bool>(&property.second);
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1595 if (userLocked == nullptr)
1596 {
1597 BMCWEB_LOG_ERROR << "UserLockedForF"
1598 "ailedAttempt "
1599 "wasn't a bool";
1600 messages::internalError(asyncResp->res);
1601 return;
1602 }
1603 asyncResp->res.jsonValue["Locked"] =
1604 *userLocked;
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1605 asyncResp->res.jsonValue
1606 ["Locked@Redfish.AllowableValues"] = {
Gunnar Mills4d64ce32019-03-29 16:34:56 -0500[diff] [blame]1607 "false"};
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1608 }
1609 else if (property.first == "UserPrivilege")
1610 {
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1611 const std::string* userPrivPtr =
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1612 std::get_if<std::string>(&property.second);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1613 if (userPrivPtr == nullptr)
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1614 {
1615 BMCWEB_LOG_ERROR
1616 << "UserPrivilege wasn't a "
1617 "string";
1618 messages::internalError(asyncResp->res);
1619 return;
1620 }
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1621 std::string role =
1622 getRoleIdFromPrivilege(*userPrivPtr);
1623 if (role.empty())
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1624 {
1625 BMCWEB_LOG_ERROR << "Invalid user role";
1626 messages::internalError(asyncResp->res);
1627 return;
1628 }
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1629 asyncResp->res.jsonValue["RoleId"] = role;
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1630
1631 asyncResp->res.jsonValue["Links"]["Role"] = {
1632 {"@odata.id", "/redfish/v1/AccountService/"
1633 "Roles/" +
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1634 role}};
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]1635 }
1636 }
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1637 }
1638 }
1639
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1640 asyncResp->res.jsonValue["@odata.id"] =
1641 "/redfish/v1/AccountService/Accounts/" + accountName;
1642 asyncResp->res.jsonValue["Id"] = accountName;
1643 asyncResp->res.jsonValue["UserName"] = accountName;
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1644 },
1645 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1646 "org.freedesktop.DBus.ObjectManager", "GetManagedObjects");
1647 }
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]1648
1649 void doPatch(crow::Response& res, const crow::Request& req,
1650 const std::vector<std::string>& params) override
1651 {
1652 auto asyncResp = std::make_shared<AsyncResp>(res);
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]1653 if (params.size() != 1)
1654 {
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1655 messages::internalError(asyncResp->res);
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]1656 return;
1657 }
1658
Ed Tanousa24526d2018-12-10 15:17:59 -0800[diff] [blame]1659 std::optional<std::string> newUserName;
1660 std::optional<std::string> password;
1661 std::optional<bool> enabled;
1662 std::optional<std::string> roleId;
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1663 std::optional<bool> locked;
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1664 if (!json_util::readJson(req, res, "UserName", newUserName, "Password",
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1665 password, "RoleId", roleId, "Enabled", enabled,
1666 "Locked", locked))
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]1667 {
1668 return;
1669 }
1670
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1671 const std::string& username = params[0];
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]1672
Joseph Reynolds900f9492019-11-25 15:37:29 -0600[diff] [blame]1673 // Perform a proper ConfigureSelf authority check. If the
1674 // session is being used to PATCH a property other than
1675 // Password, then the ConfigureSelf privilege does not apply.
1676 // If the user is operating on an account not their own, then
1677 // their ConfigureSelf privilege does not apply. In either
1678 // case, perform the authority check again without the user's
1679 // ConfigureSelf privilege.
1680 if ((username != req.session->username) ||
1681 (newUserName || enabled || roleId || locked))
1682 {
1683 if (!isAllowedWithoutConfigureSelf(req))
1684 {
1685 BMCWEB_LOG_WARNING << "PATCH Password denied access";
1686 asyncResp->res.clear();
1687 messages::insufficientPrivilege(asyncResp->res);
1688 return;
1689 }
1690 }
1691
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1692 // if user name is not provided in the patch method or if it
1693 // matches the user name in the URI, then we are treating it as updating
1694 // user properties other then username. If username provided doesn't
1695 // match the URI, then we are treating this as user rename request.
1696 if (!newUserName || (newUserName.value() == username))
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1697 {
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1698 updateUserProperties(asyncResp, username, password, enabled, roleId,
1699 locked);
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1700 return;
1701 }
1702 else
1703 {
1704 crow::connections::systemBus->async_method_call(
1705 [this, asyncResp, username, password(std::move(password)),
1706 roleId(std::move(roleId)), enabled(std::move(enabled)),
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1707 newUser{std::string(*newUserName)},
1708 locked(std::move(locked))](const boost::system::error_code ec,
1709 sdbusplus::message::message& m) {
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1710 if (ec)
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]1711 {
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1712 userErrorMessageHandler(m.get_error(), asyncResp,
1713 newUser, username);
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1714 return;
1715 }
1716
1717 updateUserProperties(asyncResp, newUser, password, enabled,
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1718 roleId, locked);
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1719 },
1720 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1721 "xyz.openbmc_project.User.Manager", "RenameUser", username,
1722 *newUserName);
1723 }
1724 }
1725
1726 void updateUserProperties(std::shared_ptr<AsyncResp> asyncResp,
1727 const std::string& username,
Ed Tanousa24526d2018-12-10 15:17:59 -0800[diff] [blame]1728 std::optional<std::string> password,
1729 std::optional<bool> enabled,
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1730 std::optional<std::string> roleId,
1731 std::optional<bool> locked)
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1732 {
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1733 std::string dbusObjectPath = "/xyz/openbmc_project/user/" + username;
1734 dbus::utility::escapePathForDbus(dbusObjectPath);
1735
Ratan Gupta22c33712019-05-03 21:50:28 +0530[diff] [blame]1736 dbus::utility::checkDbusPathExists(
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1737 dbusObjectPath,
1738 [dbusObjectPath(std::move(dbusObjectPath)), username,
1739 password(std::move(password)), roleId(std::move(roleId)),
1740 enabled(std::move(enabled)), locked(std::move(locked)),
1741 asyncResp{std::move(asyncResp)}](int rc) {
1742 if (!rc)
1743 {
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1744 messages::resourceNotFound(
1745 asyncResp->res, "#ManagerAccount.v1_0_3.ManagerAccount",
1746 username);
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1747 return;
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1748 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1749
1750 if (password)
1751 {
1752 int retval = pamUpdatePassword(username, *password);
1753
1754 if (retval == PAM_USER_UNKNOWN)
1755 {
1756 messages::resourceNotFound(
1757 asyncResp->res,
1758 "#ManagerAccount.v1_0_3.ManagerAccount", username);
1759 }
1760 else if (retval == PAM_AUTHTOK_ERR)
1761 {
1762 // If password is invalid
1763 messages::propertyValueFormatError(
1764 asyncResp->res, *password, "Password");
1765 BMCWEB_LOG_ERROR << "pamUpdatePassword Failed";
1766 }
1767 else if (retval != PAM_SUCCESS)
1768 {
1769 messages::internalError(asyncResp->res);
1770 return;
1771 }
1772 }
1773
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1774 if (enabled)
1775 {
1776 crow::connections::systemBus->async_method_call(
1777 [asyncResp](const boost::system::error_code ec) {
1778 if (ec)
1779 {
1780 BMCWEB_LOG_ERROR << "D-Bus responses error: "
1781 << ec;
1782 messages::internalError(asyncResp->res);
1783 return;
1784 }
1785 messages::success(asyncResp->res);
1786 return;
1787 },
1788 "xyz.openbmc_project.User.Manager",
1789 dbusObjectPath.c_str(),
1790 "org.freedesktop.DBus.Properties", "Set",
1791 "xyz.openbmc_project.User.Attributes", "UserEnabled",
1792 std::variant<bool>{*enabled});
1793 }
Ed Tanous9712f8a2018-09-21 13:38:49 -0700[diff] [blame]1794
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1795 if (roleId)
1796 {
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1797 std::string priv = getPrivilegeFromRoleId(*roleId);
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1798 if (priv.empty())
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1799 {
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1800 messages::propertyValueNotInList(asyncResp->res,
1801 *roleId, "RoleId");
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1802 return;
1803 }
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1804
1805 crow::connections::systemBus->async_method_call(
1806 [asyncResp](const boost::system::error_code ec) {
1807 if (ec)
1808 {
1809 BMCWEB_LOG_ERROR << "D-Bus responses error: "
1810 << ec;
1811 messages::internalError(asyncResp->res);
1812 return;
1813 }
1814 messages::success(asyncResp->res);
1815 },
1816 "xyz.openbmc_project.User.Manager",
1817 dbusObjectPath.c_str(),
1818 "org.freedesktop.DBus.Properties", "Set",
1819 "xyz.openbmc_project.User.Attributes", "UserPrivilege",
1820 std::variant<std::string>{priv});
1821 }
1822
1823 if (locked)
1824 {
1825 // admin can unlock the account which is locked by
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1826 // successive authentication failures but admin should
1827 // not be allowed to lock an account.
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1828 if (*locked)
1829 {
1830 messages::propertyValueNotInList(asyncResp->res, "true",
1831 "Locked");
1832 return;
1833 }
1834
1835 crow::connections::systemBus->async_method_call(
1836 [asyncResp](const boost::system::error_code ec) {
1837 if (ec)
1838 {
1839 BMCWEB_LOG_ERROR << "D-Bus responses error: "
1840 << ec;
1841 messages::internalError(asyncResp->res);
1842 return;
1843 }
1844 messages::success(asyncResp->res);
1845 return;
1846 },
1847 "xyz.openbmc_project.User.Manager",
1848 dbusObjectPath.c_str(),
1849 "org.freedesktop.DBus.Properties", "Set",
1850 "xyz.openbmc_project.User.Attributes",
1851 "UserLockedForFailedAttempt",
1852 sdbusplus::message::variant<bool>{*locked});
1853 }
1854 });
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]1855 }
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1856
1857 void doDelete(crow::Response& res, const crow::Request& req,
1858 const std::vector<std::string>& params) override
1859 {
1860 auto asyncResp = std::make_shared<AsyncResp>(res);
1861
1862 if (params.size() != 1)
1863 {
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1864 messages::internalError(asyncResp->res);
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1865 return;
1866 }
1867
1868 const std::string userPath = "/xyz/openbmc_project/user/" + params[0];
1869
1870 crow::connections::systemBus->async_method_call(
1871 [asyncResp, username{std::move(params[0])}](
1872 const boost::system::error_code ec) {
1873 if (ec)
1874 {
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1875 messages::resourceNotFound(
1876 asyncResp->res, "#ManagerAccount.v1_0_3.ManagerAccount",
1877 username);
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1878 return;
1879 }
1880
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1881 messages::accountRemoved(asyncResp->res);
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1882 },
1883 "xyz.openbmc_project.User.Manager", userPath,
1884 "xyz.openbmc_project.Object.Delete", "Delete");
1885 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1886};
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]1887
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]1888} // namespace redfish