Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 1e04f3b2b55cd441bcabbb1d31b08bb2060034ea / . / redfish-core / lib / account_service.hpp
blob: 4fcd540057606e26910e871bf567204aa23d0d30 [file] [log] [blame]
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]1/*
2// Copyright (c) 2018 Intel Corporation
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15*/
16#pragma once
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]17
John Edward Broadbent7e860f12021-04-08 15:57:16 -0700[diff] [blame]18#include <app.hpp>
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]19#include <dbus_utility.hpp>
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]20#include <error_messages.hpp>
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]21#include <openbmc_dbus_rest.hpp>
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]22#include <persistent_data.hpp>
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]23#include <registries/privilege_registry.hpp>
Jonathan Doman1e1e5982021-06-11 09:36:17 -0700[diff] [blame]24#include <sdbusplus/asio/property.hpp>
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]25#include <utils/json_utils.hpp>
Gunnar Mills1214b7e2020-06-04 10:11:30 -0500[diff] [blame]26
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]27namespace redfish
28{
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]29
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]30constexpr const char* ldapConfigObjectName =
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]31 "/xyz/openbmc_project/user/ldap/openldap";
Ed Tanous2c70f802020-09-28 14:29:23 -0700[diff] [blame]32constexpr const char* adConfigObject =
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]33 "/xyz/openbmc_project/user/ldap/active_directory";
34
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +0530[diff] [blame]35constexpr const char* rootUserDbusPath = "/xyz/openbmc_project/user/";
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]36constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap";
37constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config";
38constexpr const char* ldapConfigInterface =
39 "xyz.openbmc_project.User.Ldap.Config";
40constexpr const char* ldapCreateInterface =
41 "xyz.openbmc_project.User.Ldap.Create";
42constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable";
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]43constexpr const char* ldapPrivMapperInterface =
44 "xyz.openbmc_project.User.PrivilegeMapper";
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]45constexpr const char* dbusObjManagerIntf = "org.freedesktop.DBus.ObjectManager";
46constexpr const char* propertyInterface = "org.freedesktop.DBus.Properties";
47constexpr const char* mapperBusName = "xyz.openbmc_project.ObjectMapper";
48constexpr const char* mapperObjectPath = "/xyz/openbmc_project/object_mapper";
49constexpr const char* mapperIntf = "xyz.openbmc_project.ObjectMapper";
50
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]51struct LDAPRoleMapData
52{
53 std::string groupName;
54 std::string privilege;
55};
56
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]57struct LDAPConfigData
58{
59 std::string uri{};
60 std::string bindDN{};
61 std::string baseDN{};
62 std::string searchScope{};
63 std::string serverType{};
64 bool serviceEnabled = false;
65 std::string userNameAttribute{};
66 std::string groupAttribute{};
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]67 std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList;
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]68};
69
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]70inline std::string getRoleIdFromPrivilege(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]71{
72 if (role == "priv-admin")
73 {
74 return "Administrator";
75 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]76 if (role == "priv-user")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]77 {
AppaRao Pulic80fee52019-10-16 14:49:36 +0530[diff] [blame]78 return "ReadOnly";
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]79 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]80 if (role == "priv-operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]81 {
82 return "Operator";
83 }
Ed Tanous26f69762022-01-25 09:49:11 -0800[diff] [blame]84 if (role.empty() || (role == "priv-noaccess"))
jayaprakash Mutyalae9e6d242019-07-29 11:59:08 +0000[diff] [blame]85 {
86 return "NoAccess";
87 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]88 return "";
89}
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]90inline std::string getPrivilegeFromRoleId(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]91{
92 if (role == "Administrator")
93 {
94 return "priv-admin";
95 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]96 if (role == "ReadOnly")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]97 {
98 return "priv-user";
99 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]100 if (role == "Operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]101 {
102 return "priv-operator";
103 }
Ed Tanous26f69762022-01-25 09:49:11 -0800[diff] [blame]104 if ((role == "NoAccess") || (role.empty()))
jayaprakash Mutyalae9e6d242019-07-29 11:59:08 +0000[diff] [blame]105 {
106 return "priv-noaccess";
107 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]108 return "";
109}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]110
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]111inline void userErrorMessageHandler(
112 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
113 const std::string& newUser, const std::string& username)
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]114{
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]115 if (e == nullptr)
116 {
117 messages::internalError(asyncResp->res);
118 return;
119 }
120
Manojkiran Eda055806b2020-11-03 09:36:28 +0530[diff] [blame]121 const char* errorMessage = e->name;
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]122 if (strcmp(errorMessage,
123 "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0)
124 {
125 messages::resourceAlreadyExists(asyncResp->res,
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]126 "#ManagerAccount.v1_4_0.ManagerAccount",
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]127 "UserName", newUser);
128 }
129 else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
130 "UserNameDoesNotExist") == 0)
131 {
132 messages::resourceNotFound(
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]133 asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", username);
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]134 }
Ed Tanousd4d25792020-09-29 15:15:03 -0700[diff] [blame]135 else if ((strcmp(errorMessage,
136 "xyz.openbmc_project.Common.Error.InvalidArgument") ==
137 0) ||
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]138 (strcmp(
139 errorMessage,
140 "xyz.openbmc_project.User.Common.Error.UserNameGroupFail") ==
141 0))
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]142 {
143 messages::propertyValueFormatError(asyncResp->res, newUser, "UserName");
144 }
145 else if (strcmp(errorMessage,
146 "xyz.openbmc_project.User.Common.Error.NoResource") == 0)
147 {
148 messages::createLimitReachedForResource(asyncResp->res);
149 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]150 else
151 {
152 messages::internalError(asyncResp->res);
153 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]154}
155
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]156inline void parseLDAPConfigData(nlohmann::json& jsonResponse,
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]157 const LDAPConfigData& confData,
158 const std::string& ldapType)
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]159{
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]160 std::string service =
161 (ldapType == "LDAP") ? "LDAPService" : "ActiveDirectoryService";
Marri Devender Rao37cce912019-02-20 01:05:22 -0600[diff] [blame]162 nlohmann::json ldap = {
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]163 {"ServiceEnabled", confData.serviceEnabled},
164 {"ServiceAddresses", nlohmann::json::array({confData.uri})},
165 {"Authentication",
166 {{"AuthenticationType", "UsernameAndPassword"},
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]167 {"Username", confData.bindDN},
168 {"Password", nullptr}}},
169 {"LDAPService",
170 {{"SearchSettings",
171 {{"BaseDistinguishedNames",
172 nlohmann::json::array({confData.baseDN})},
173 {"UsernameAttribute", confData.userNameAttribute},
174 {"GroupsAttribute", confData.groupAttribute}}}}},
175 };
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]176
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]177 jsonResponse[ldapType].update(ldap);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]178
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]179 nlohmann::json& roleMapArray = jsonResponse[ldapType]["RemoteRoleMapping"];
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]180 roleMapArray = nlohmann::json::array();
Ed Tanous9eb808c2022-01-25 10:19:23 -0800[diff] [blame]181 for (const auto& obj : confData.groupRoleList)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]182 {
183 BMCWEB_LOG_DEBUG << "Pushing the data groupName="
184 << obj.second.groupName << "\n";
185 roleMapArray.push_back(
186 {nlohmann::json::array({"RemoteGroup", obj.second.groupName}),
187 nlohmann::json::array(
188 {"LocalRole", getRoleIdFromPrivilege(obj.second.privilege)})});
189 }
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]190}
191
192/**
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]193 * @brief validates given JSON input and then calls appropriate method to
194 * create, to delete or to set Rolemapping object based on the given input.
195 *
196 */
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]197inline void handleRoleMapPatch(
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]198 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]199 const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData,
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]200 const std::string& serverType, const std::vector<nlohmann::json>& input)
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]201{
202 for (size_t index = 0; index < input.size(); index++)
203 {
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]204 const nlohmann::json& thisJson = input[index];
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]205
206 if (thisJson.is_null())
207 {
208 // delete the existing object
209 if (index < roleMapObjData.size())
210 {
211 crow::connections::systemBus->async_method_call(
212 [asyncResp, roleMapObjData, serverType,
213 index](const boost::system::error_code ec) {
214 if (ec)
215 {
216 BMCWEB_LOG_ERROR << "DBUS response error: " << ec;
217 messages::internalError(asyncResp->res);
218 return;
219 }
220 asyncResp->res
221 .jsonValue[serverType]["RemoteRoleMapping"][index] =
222 nullptr;
223 },
224 ldapDbusService, roleMapObjData[index].first,
225 "xyz.openbmc_project.Object.Delete", "Delete");
226 }
227 else
228 {
229 BMCWEB_LOG_ERROR << "Can't delete the object";
230 messages::propertyValueTypeError(
Ed Tanous71f52d92021-02-19 08:51:17 -0800[diff] [blame]231 asyncResp->res,
232 thisJson.dump(2, ' ', true,
233 nlohmann::json::error_handler_t::replace),
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]234 "RemoteRoleMapping/" + std::to_string(index));
235 return;
236 }
237 }
238 else if (thisJson.empty())
239 {
240 // Don't do anything for the empty objects,parse next json
241 // eg {"RemoteRoleMapping",[{}]}
242 }
243 else
244 {
245 // update/create the object
246 std::optional<std::string> remoteGroup;
247 std::optional<std::string> localRole;
248
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]249 // This is a copy, but it's required in this case because of how
250 // readJson is structured
251 nlohmann::json thisJsonCopy = thisJson;
252 if (!json_util::readJson(thisJsonCopy, asyncResp->res,
253 "RemoteGroup", remoteGroup, "LocalRole",
254 localRole))
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]255 {
256 continue;
257 }
258
259 // Update existing RoleMapping Object
260 if (index < roleMapObjData.size())
261 {
262 BMCWEB_LOG_DEBUG << "Update Role Map Object";
263 // If "RemoteGroup" info is provided
264 if (remoteGroup)
265 {
266 crow::connections::systemBus->async_method_call(
267 [asyncResp, roleMapObjData, serverType, index,
268 remoteGroup](const boost::system::error_code ec) {
269 if (ec)
270 {
271 BMCWEB_LOG_ERROR << "DBUS response error: "
272 << ec;
273 messages::internalError(asyncResp->res);
274 return;
275 }
276 asyncResp->res
277 .jsonValue[serverType]["RemoteRoleMapping"]
278 [index]["RemoteGroup"] = *remoteGroup;
279 },
280 ldapDbusService, roleMapObjData[index].first,
281 propertyInterface, "Set",
282 "xyz.openbmc_project.User.PrivilegeMapperEntry",
283 "GroupName",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]284 dbus::utility::DbusVariantType(
285 std::move(*remoteGroup)));
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]286 }
287
288 // If "LocalRole" info is provided
289 if (localRole)
290 {
291 crow::connections::systemBus->async_method_call(
292 [asyncResp, roleMapObjData, serverType, index,
293 localRole](const boost::system::error_code ec) {
294 if (ec)
295 {
296 BMCWEB_LOG_ERROR << "DBUS response error: "
297 << ec;
298 messages::internalError(asyncResp->res);
299 return;
300 }
301 asyncResp->res
302 .jsonValue[serverType]["RemoteRoleMapping"]
303 [index]["LocalRole"] = *localRole;
304 },
305 ldapDbusService, roleMapObjData[index].first,
306 propertyInterface, "Set",
307 "xyz.openbmc_project.User.PrivilegeMapperEntry",
308 "Privilege",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]309 dbus::utility::DbusVariantType(
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]310 getPrivilegeFromRoleId(std::move(*localRole))));
311 }
312 }
313 // Create a new RoleMapping Object.
314 else
315 {
316 BMCWEB_LOG_DEBUG
317 << "setRoleMappingProperties: Creating new Object";
318 std::string pathString =
319 "RemoteRoleMapping/" + std::to_string(index);
320
321 if (!localRole)
322 {
323 messages::propertyMissing(asyncResp->res,
324 pathString + "/LocalRole");
325 continue;
326 }
327 if (!remoteGroup)
328 {
329 messages::propertyMissing(asyncResp->res,
330 pathString + "/RemoteGroup");
331 continue;
332 }
333
334 std::string dbusObjectPath;
335 if (serverType == "ActiveDirectory")
336 {
Ed Tanous2c70f802020-09-28 14:29:23 -0700[diff] [blame]337 dbusObjectPath = adConfigObject;
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]338 }
339 else if (serverType == "LDAP")
340 {
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]341 dbusObjectPath = ldapConfigObjectName;
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]342 }
343
344 BMCWEB_LOG_DEBUG << "Remote Group=" << *remoteGroup
345 << ",LocalRole=" << *localRole;
346
347 crow::connections::systemBus->async_method_call(
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]348 [asyncResp, serverType, localRole,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]349 remoteGroup](const boost::system::error_code ec) {
350 if (ec)
351 {
352 BMCWEB_LOG_ERROR << "DBUS response error: " << ec;
353 messages::internalError(asyncResp->res);
354 return;
355 }
356 nlohmann::json& remoteRoleJson =
357 asyncResp->res
358 .jsonValue[serverType]["RemoteRoleMapping"];
359 remoteRoleJson.push_back(
360 {{"LocalRole", *localRole},
361 {"RemoteGroup", *remoteGroup}});
362 },
363 ldapDbusService, dbusObjectPath, ldapPrivMapperInterface,
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]364 "Create", *remoteGroup,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]365 getPrivilegeFromRoleId(std::move(*localRole)));
366 }
367 }
368 }
369}
370
371/**
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]372 * Function that retrieves all properties for LDAP config object
373 * into JSON
374 */
375template <typename CallbackFunc>
376inline void getLDAPConfigData(const std::string& ldapType,
377 CallbackFunc&& callback)
378{
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]379
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]380 const std::array<const char*, 2> interfaces = {ldapEnableInterface,
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]381 ldapConfigInterface};
382
383 crow::connections::systemBus->async_method_call(
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]384 [callback, ldapType](const boost::system::error_code ec,
Ed Tanousb9d36b42022-02-26 21:42:46 -0800[diff] [blame]385 const dbus::utility::MapperGetObject& resp) {
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]386 if (ec || resp.empty())
387 {
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]388 BMCWEB_LOG_ERROR
389 << "DBUS response error during getting of service name: "
390 << ec;
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]391 LDAPConfigData empty{};
392 callback(false, empty, ldapType);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]393 return;
394 }
395 std::string service = resp.begin()->first;
396 crow::connections::systemBus->async_method_call(
Ed Tanous711ac7a2021-12-20 09:34:41 -0800[diff] [blame]397 [callback, ldapType](
398 const boost::system::error_code errorCode,
399 const dbus::utility::ManagedObjectType& ldapObjects) {
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]400 LDAPConfigData confData{};
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]401 if (errorCode)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]402 {
403 callback(false, confData, ldapType);
404 BMCWEB_LOG_ERROR << "D-Bus responses error: "
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]405 << errorCode;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]406 return;
407 }
408
409 std::string ldapDbusType;
410 std::string searchString;
411
412 if (ldapType == "LDAP")
413 {
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]414 ldapDbusType =
415 "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap";
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]416 searchString = "openldap";
417 }
418 else if (ldapType == "ActiveDirectory")
419 {
420 ldapDbusType =
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]421 "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory";
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]422 searchString = "active_directory";
423 }
424 else
425 {
426 BMCWEB_LOG_ERROR
427 << "Can't get the DbusType for the given type="
428 << ldapType;
429 callback(false, confData, ldapType);
430 return;
431 }
432
433 std::string ldapEnableInterfaceStr = ldapEnableInterface;
434 std::string ldapConfigInterfaceStr = ldapConfigInterface;
435
436 for (const auto& object : ldapObjects)
437 {
438 // let's find the object whose ldap type is equal to the
439 // given type
440 if (object.first.str.find(searchString) ==
441 std::string::npos)
442 {
443 continue;
444 }
445
446 for (const auto& interface : object.second)
447 {
448 if (interface.first == ldapEnableInterfaceStr)
449 {
450 // rest of the properties are string.
451 for (const auto& property : interface.second)
452 {
453 if (property.first == "Enabled")
454 {
455 const bool* value =
456 std::get_if<bool>(&property.second);
457 if (value == nullptr)
458 {
459 continue;
460 }
461 confData.serviceEnabled = *value;
462 break;
463 }
464 }
465 }
466 else if (interface.first == ldapConfigInterfaceStr)
467 {
468
469 for (const auto& property : interface.second)
470 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]471 const std::string* strValue =
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]472 std::get_if<std::string>(
473 &property.second);
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]474 if (strValue == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]475 {
476 continue;
477 }
478 if (property.first == "LDAPServerURI")
479 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]480 confData.uri = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]481 }
482 else if (property.first == "LDAPBindDN")
483 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]484 confData.bindDN = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]485 }
486 else if (property.first == "LDAPBaseDN")
487 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]488 confData.baseDN = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]489 }
490 else if (property.first ==
491 "LDAPSearchScope")
492 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]493 confData.searchScope = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]494 }
495 else if (property.first ==
496 "GroupNameAttribute")
497 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]498 confData.groupAttribute = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]499 }
500 else if (property.first ==
501 "UserNameAttribute")
502 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]503 confData.userNameAttribute = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]504 }
505 else if (property.first == "LDAPType")
506 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]507 confData.serverType = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]508 }
509 }
510 }
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]511 else if (
512 interface.first ==
513 "xyz.openbmc_project.User.PrivilegeMapperEntry")
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]514 {
515 LDAPRoleMapData roleMapData{};
516 for (const auto& property : interface.second)
517 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]518 const std::string* strValue =
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]519 std::get_if<std::string>(
520 &property.second);
521
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]522 if (strValue == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]523 {
524 continue;
525 }
526
527 if (property.first == "GroupName")
528 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]529 roleMapData.groupName = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]530 }
531 else if (property.first == "Privilege")
532 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]533 roleMapData.privilege = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]534 }
535 }
536
Ed Tanous0f0353b2019-10-24 11:37:51 -0700[diff] [blame]537 confData.groupRoleList.emplace_back(
538 object.first.str, roleMapData);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]539 }
540 }
541 }
542 callback(true, confData, ldapType);
543 },
544 service, ldapRootObject, dbusObjManagerIntf,
545 "GetManagedObjects");
546 },
547 mapperBusName, mapperObjectPath, mapperIntf, "GetObject",
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]548 ldapConfigObjectName, interfaces);
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]549}
550
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]551/**
552 * @brief parses the authentication section under the LDAP
553 * @param input JSON data
554 * @param asyncResp pointer to the JSON response
555 * @param userName userName to be filled from the given JSON.
556 * @param password password to be filled from the given JSON.
557 */
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]558inline void parseLDAPAuthenticationJson(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]559 nlohmann::json input, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
560 std::optional<std::string>& username, std::optional<std::string>& password)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]561{
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]562 std::optional<std::string> authType;
563
564 if (!json_util::readJson(input, asyncResp->res, "AuthenticationType",
565 authType, "Username", username, "Password",
566 password))
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]567 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]568 return;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]569 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]570 if (!authType)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]571 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]572 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]573 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]574 if (*authType != "UsernameAndPassword")
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]575 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]576 messages::propertyValueNotInList(asyncResp->res, *authType,
577 "AuthenticationType");
578 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]579 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]580}
581/**
582 * @brief parses the LDAPService section under the LDAP
583 * @param input JSON data
584 * @param asyncResp pointer to the JSON response
585 * @param baseDNList baseDN to be filled from the given JSON.
586 * @param userNameAttribute userName to be filled from the given JSON.
587 * @param groupaAttribute password to be filled from the given JSON.
588 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]589
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]590inline void
591 parseLDAPServiceJson(nlohmann::json input,
592 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
593 std::optional<std::vector<std::string>>& baseDNList,
594 std::optional<std::string>& userNameAttribute,
595 std::optional<std::string>& groupsAttribute)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]596{
597 std::optional<nlohmann::json> searchSettings;
598
599 if (!json_util::readJson(input, asyncResp->res, "SearchSettings",
600 searchSettings))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]601 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]602 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]603 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]604 if (!searchSettings)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]605 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]606 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]607 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]608 if (!json_util::readJson(*searchSettings, asyncResp->res,
609 "BaseDistinguishedNames", baseDNList,
610 "UsernameAttribute", userNameAttribute,
611 "GroupsAttribute", groupsAttribute))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]612 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]613 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]614 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]615}
616/**
617 * @brief updates the LDAP server address and updates the
618 json response with the new value.
619 * @param serviceAddressList address to be updated.
620 * @param asyncResp pointer to the JSON response
621 * @param ldapServerElementName Type of LDAP
622 server(openLDAP/ActiveDirectory)
623 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]624
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]625inline void handleServiceAddressPatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]626 const std::vector<std::string>& serviceAddressList,
627 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
628 const std::string& ldapServerElementName,
629 const std::string& ldapConfigObject)
630{
631 crow::connections::systemBus->async_method_call(
632 [asyncResp, ldapServerElementName,
633 serviceAddressList](const boost::system::error_code ec) {
634 if (ec)
635 {
636 BMCWEB_LOG_DEBUG
637 << "Error Occurred in updating the service address";
638 messages::internalError(asyncResp->res);
639 return;
640 }
641 std::vector<std::string> modifiedserviceAddressList = {
642 serviceAddressList.front()};
643 asyncResp->res
644 .jsonValue[ldapServerElementName]["ServiceAddresses"] =
645 modifiedserviceAddressList;
646 if ((serviceAddressList).size() > 1)
647 {
648 messages::propertyValueModified(asyncResp->res,
649 "ServiceAddresses",
650 serviceAddressList.front());
651 }
652 BMCWEB_LOG_DEBUG << "Updated the service address";
653 },
654 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
655 ldapConfigInterface, "LDAPServerURI",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]656 dbus::utility::DbusVariantType(serviceAddressList.front()));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]657}
658/**
659 * @brief updates the LDAP Bind DN and updates the
660 json response with the new value.
661 * @param username name of the user which needs to be updated.
662 * @param asyncResp pointer to the JSON response
663 * @param ldapServerElementName Type of LDAP
664 server(openLDAP/ActiveDirectory)
665 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]666
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]667inline void
668 handleUserNamePatch(const std::string& username,
669 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
670 const std::string& ldapServerElementName,
671 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]672{
673 crow::connections::systemBus->async_method_call(
674 [asyncResp, username,
675 ldapServerElementName](const boost::system::error_code ec) {
676 if (ec)
677 {
678 BMCWEB_LOG_DEBUG << "Error occurred in updating the username";
679 messages::internalError(asyncResp->res);
680 return;
681 }
682 asyncResp->res.jsonValue[ldapServerElementName]["Authentication"]
683 ["Username"] = username;
684 BMCWEB_LOG_DEBUG << "Updated the username";
685 },
686 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]687 ldapConfigInterface, "LDAPBindDN",
688 dbus::utility::DbusVariantType(username));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]689}
690
691/**
692 * @brief updates the LDAP password
693 * @param password : ldap password which needs to be updated.
694 * @param asyncResp pointer to the JSON response
695 * @param ldapServerElementName Type of LDAP
696 * server(openLDAP/ActiveDirectory)
697 */
698
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]699inline void
700 handlePasswordPatch(const std::string& password,
701 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
702 const std::string& ldapServerElementName,
703 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]704{
705 crow::connections::systemBus->async_method_call(
706 [asyncResp, password,
707 ldapServerElementName](const boost::system::error_code ec) {
708 if (ec)
709 {
710 BMCWEB_LOG_DEBUG << "Error occurred in updating the password";
711 messages::internalError(asyncResp->res);
712 return;
713 }
714 asyncResp->res.jsonValue[ldapServerElementName]["Authentication"]
715 ["Password"] = "";
716 BMCWEB_LOG_DEBUG << "Updated the password";
717 },
718 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
719 ldapConfigInterface, "LDAPBindDNPassword",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]720 dbus::utility::DbusVariantType(password));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]721}
722
723/**
724 * @brief updates the LDAP BaseDN and updates the
725 json response with the new value.
726 * @param baseDNList baseDN list which needs to be updated.
727 * @param asyncResp pointer to the JSON response
728 * @param ldapServerElementName Type of LDAP
729 server(openLDAP/ActiveDirectory)
730 */
731
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]732inline void
733 handleBaseDNPatch(const std::vector<std::string>& baseDNList,
734 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
735 const std::string& ldapServerElementName,
736 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]737{
738 crow::connections::systemBus->async_method_call(
739 [asyncResp, baseDNList,
740 ldapServerElementName](const boost::system::error_code ec) {
741 if (ec)
742 {
743 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the base DN";
744 messages::internalError(asyncResp->res);
745 return;
746 }
747 auto& serverTypeJson =
748 asyncResp->res.jsonValue[ldapServerElementName];
749 auto& searchSettingsJson =
750 serverTypeJson["LDAPService"]["SearchSettings"];
751 std::vector<std::string> modifiedBaseDNList = {baseDNList.front()};
752 searchSettingsJson["BaseDistinguishedNames"] = modifiedBaseDNList;
753 if (baseDNList.size() > 1)
754 {
755 messages::propertyValueModified(asyncResp->res,
756 "BaseDistinguishedNames",
757 baseDNList.front());
758 }
759 BMCWEB_LOG_DEBUG << "Updated the base DN";
760 },
761 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
762 ldapConfigInterface, "LDAPBaseDN",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]763 dbus::utility::DbusVariantType(baseDNList.front()));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]764}
765/**
766 * @brief updates the LDAP user name attribute and updates the
767 json response with the new value.
768 * @param userNameAttribute attribute to be updated.
769 * @param asyncResp pointer to the JSON response
770 * @param ldapServerElementName Type of LDAP
771 server(openLDAP/ActiveDirectory)
772 */
773
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]774inline void
775 handleUserNameAttrPatch(const std::string& userNameAttribute,
776 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
777 const std::string& ldapServerElementName,
778 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]779{
780 crow::connections::systemBus->async_method_call(
781 [asyncResp, userNameAttribute,
782 ldapServerElementName](const boost::system::error_code ec) {
783 if (ec)
784 {
785 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the "
786 "username attribute";
787 messages::internalError(asyncResp->res);
788 return;
789 }
790 auto& serverTypeJson =
791 asyncResp->res.jsonValue[ldapServerElementName];
792 auto& searchSettingsJson =
793 serverTypeJson["LDAPService"]["SearchSettings"];
794 searchSettingsJson["UsernameAttribute"] = userNameAttribute;
795 BMCWEB_LOG_DEBUG << "Updated the user name attr.";
796 },
797 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
798 ldapConfigInterface, "UserNameAttribute",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]799 dbus::utility::DbusVariantType(userNameAttribute));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]800}
801/**
802 * @brief updates the LDAP group attribute and updates the
803 json response with the new value.
804 * @param groupsAttribute attribute to be updated.
805 * @param asyncResp pointer to the JSON response
806 * @param ldapServerElementName Type of LDAP
807 server(openLDAP/ActiveDirectory)
808 */
809
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]810inline void handleGroupNameAttrPatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]811 const std::string& groupsAttribute,
812 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
813 const std::string& ldapServerElementName,
814 const std::string& ldapConfigObject)
815{
816 crow::connections::systemBus->async_method_call(
817 [asyncResp, groupsAttribute,
818 ldapServerElementName](const boost::system::error_code ec) {
819 if (ec)
820 {
821 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the "
822 "groupname attribute";
823 messages::internalError(asyncResp->res);
824 return;
825 }
826 auto& serverTypeJson =
827 asyncResp->res.jsonValue[ldapServerElementName];
828 auto& searchSettingsJson =
829 serverTypeJson["LDAPService"]["SearchSettings"];
830 searchSettingsJson["GroupsAttribute"] = groupsAttribute;
831 BMCWEB_LOG_DEBUG << "Updated the groupname attr";
832 },
833 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
834 ldapConfigInterface, "GroupNameAttribute",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]835 dbus::utility::DbusVariantType(groupsAttribute));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]836}
837/**
838 * @brief updates the LDAP service enable and updates the
839 json response with the new value.
840 * @param input JSON data.
841 * @param asyncResp pointer to the JSON response
842 * @param ldapServerElementName Type of LDAP
843 server(openLDAP/ActiveDirectory)
844 */
845
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]846inline void handleServiceEnablePatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]847 bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
848 const std::string& ldapServerElementName,
849 const std::string& ldapConfigObject)
850{
851 crow::connections::systemBus->async_method_call(
852 [asyncResp, serviceEnabled,
853 ldapServerElementName](const boost::system::error_code ec) {
854 if (ec)
855 {
856 BMCWEB_LOG_DEBUG
857 << "Error Occurred in Updating the service enable";
858 messages::internalError(asyncResp->res);
859 return;
860 }
861 asyncResp->res.jsonValue[ldapServerElementName]["ServiceEnabled"] =
862 serviceEnabled;
863 BMCWEB_LOG_DEBUG << "Updated Service enable = " << serviceEnabled;
864 },
865 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]866 ldapEnableInterface, "Enabled",
867 dbus::utility::DbusVariantType(serviceEnabled));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]868}
869
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]870inline void
871 handleAuthMethodsPatch(nlohmann::json& input,
872 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]873{
874 std::optional<bool> basicAuth;
875 std::optional<bool> cookie;
876 std::optional<bool> sessionToken;
877 std::optional<bool> xToken;
878 std::optional<bool> tls;
879
880 if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth,
881 "Cookie", cookie, "SessionToken", sessionToken,
882 "XToken", xToken, "TLS", tls))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]883 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]884 BMCWEB_LOG_ERROR << "Cannot read values from AuthMethod tag";
885 return;
886 }
887
888 // Make a copy of methods configuration
889 persistent_data::AuthConfigMethods authMethodsConfig =
890 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
891
892 if (basicAuth)
893 {
894#ifndef BMCWEB_ENABLE_BASIC_AUTHENTICATION
895 messages::actionNotSupported(
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]896 asyncResp->res,
897 "Setting BasicAuth when basic-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]898 return;
899#endif
900 authMethodsConfig.basic = *basicAuth;
901 }
902
903 if (cookie)
904 {
905#ifndef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]906 messages::actionNotSupported(
907 asyncResp->res,
908 "Setting Cookie when cookie-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]909 return;
910#endif
911 authMethodsConfig.cookie = *cookie;
912 }
913
914 if (sessionToken)
915 {
916#ifndef BMCWEB_ENABLE_SESSION_AUTHENTICATION
917 messages::actionNotSupported(
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]918 asyncResp->res,
919 "Setting SessionToken when session-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]920 return;
921#endif
922 authMethodsConfig.sessionToken = *sessionToken;
923 }
924
925 if (xToken)
926 {
927#ifndef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]928 messages::actionNotSupported(
929 asyncResp->res,
930 "Setting XToken when xtoken-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]931 return;
932#endif
933 authMethodsConfig.xtoken = *xToken;
934 }
935
936 if (tls)
937 {
938#ifndef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]939 messages::actionNotSupported(
940 asyncResp->res,
941 "Setting TLS when mutual-tls-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]942 return;
943#endif
944 authMethodsConfig.tls = *tls;
945 }
946
947 if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
948 !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
949 !authMethodsConfig.tls)
950 {
951 // Do not allow user to disable everything
952 messages::actionNotSupported(asyncResp->res,
953 "of disabling all available methods");
954 return;
955 }
956
957 persistent_data::SessionStore::getInstance().updateAuthMethodsConfig(
958 authMethodsConfig);
959 // Save configuration immediately
960 persistent_data::getConfig().writeData();
961
962 messages::success(asyncResp->res);
963}
964
965/**
966 * @brief Get the required values from the given JSON, validates the
967 * value and create the LDAP config object.
968 * @param input JSON data
969 * @param asyncResp pointer to the JSON response
970 * @param serverType Type of LDAP server(openLDAP/ActiveDirectory)
971 */
972
973inline void handleLDAPPatch(nlohmann::json& input,
974 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
975 const std::string& serverType)
976{
977 std::string dbusObjectPath;
978 if (serverType == "ActiveDirectory")
979 {
980 dbusObjectPath = adConfigObject;
981 }
982 else if (serverType == "LDAP")
983 {
984 dbusObjectPath = ldapConfigObjectName;
985 }
986 else
987 {
988 return;
989 }
990
991 std::optional<nlohmann::json> authentication;
992 std::optional<nlohmann::json> ldapService;
993 std::optional<std::vector<std::string>> serviceAddressList;
994 std::optional<bool> serviceEnabled;
995 std::optional<std::vector<std::string>> baseDNList;
996 std::optional<std::string> userNameAttribute;
997 std::optional<std::string> groupsAttribute;
998 std::optional<std::string> userName;
999 std::optional<std::string> password;
1000 std::optional<std::vector<nlohmann::json>> remoteRoleMapData;
1001
1002 if (!json_util::readJson(input, asyncResp->res, "Authentication",
1003 authentication, "LDAPService", ldapService,
1004 "ServiceAddresses", serviceAddressList,
1005 "ServiceEnabled", serviceEnabled,
1006 "RemoteRoleMapping", remoteRoleMapData))
1007 {
1008 return;
1009 }
1010
1011 if (authentication)
1012 {
1013 parseLDAPAuthenticationJson(*authentication, asyncResp, userName,
1014 password);
1015 }
1016 if (ldapService)
1017 {
1018 parseLDAPServiceJson(*ldapService, asyncResp, baseDNList,
1019 userNameAttribute, groupsAttribute);
1020 }
1021 if (serviceAddressList)
1022 {
Ed Tanous26f69762022-01-25 09:49:11 -0800[diff] [blame]1023 if (serviceAddressList->empty())
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1024 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1025 messages::propertyValueNotInList(asyncResp->res, "[]",
1026 "ServiceAddress");
Ed Tanouscb13a392020-07-25 19:02:03 +0000[diff] [blame]1027 return;
1028 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1029 }
1030 if (baseDNList)
1031 {
Ed Tanous26f69762022-01-25 09:49:11 -0800[diff] [blame]1032 if (baseDNList->empty())
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1033 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1034 messages::propertyValueNotInList(asyncResp->res, "[]",
1035 "BaseDistinguishedNames");
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1036 return;
1037 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1038 }
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1039
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1040 // nothing to update, then return
1041 if (!userName && !password && !serviceAddressList && !baseDNList &&
1042 !userNameAttribute && !groupsAttribute && !serviceEnabled &&
1043 !remoteRoleMapData)
1044 {
1045 return;
1046 }
1047
1048 // Get the existing resource first then keep modifying
1049 // whenever any property gets updated.
1050 getLDAPConfigData(serverType, [asyncResp, userName, password, baseDNList,
1051 userNameAttribute, groupsAttribute,
1052 serviceAddressList, serviceEnabled,
1053 dbusObjectPath, remoteRoleMapData](
1054 bool success,
1055 const LDAPConfigData& confData,
1056 const std::string& serverT) {
1057 if (!success)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1058 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1059 messages::internalError(asyncResp->res);
1060 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1061 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1062 parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT);
1063 if (confData.serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1064 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1065 // Disable the service first and update the rest of
1066 // the properties.
1067 handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1068 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1069
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1070 if (serviceAddressList)
1071 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1072 handleServiceAddressPatch(*serviceAddressList, asyncResp, serverT,
1073 dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1074 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1075 if (userName)
1076 {
1077 handleUserNamePatch(*userName, asyncResp, serverT, dbusObjectPath);
1078 }
1079 if (password)
1080 {
1081 handlePasswordPatch(*password, asyncResp, serverT, dbusObjectPath);
1082 }
1083
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1084 if (baseDNList)
1085 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1086 handleBaseDNPatch(*baseDNList, asyncResp, serverT, dbusObjectPath);
1087 }
1088 if (userNameAttribute)
1089 {
1090 handleUserNameAttrPatch(*userNameAttribute, asyncResp, serverT,
1091 dbusObjectPath);
1092 }
1093 if (groupsAttribute)
1094 {
1095 handleGroupNameAttrPatch(*groupsAttribute, asyncResp, serverT,
1096 dbusObjectPath);
1097 }
1098 if (serviceEnabled)
1099 {
1100 // if user has given the value as true then enable
1101 // the service. if user has given false then no-op
1102 // as service is already stopped.
1103 if (*serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1104 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1105 handleServiceEnablePatch(*serviceEnabled, asyncResp, serverT,
1106 dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1107 }
1108 }
jayaprakash Mutyala96200602020-04-08 11:09:10 +0000[diff] [blame]1109 else
1110 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1111 // if user has not given the service enabled value
1112 // then revert it to the same state as it was
1113 // before.
1114 handleServiceEnablePatch(confData.serviceEnabled, asyncResp,
1115 serverT, dbusObjectPath);
jayaprakash Mutyala96200602020-04-08 11:09:10 +0000[diff] [blame]1116 }
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1117
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1118 if (remoteRoleMapData)
1119 {
1120 handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT,
1121 *remoteRoleMapData);
1122 }
1123 });
1124}
1125
1126inline void updateUserProperties(std::shared_ptr<bmcweb::AsyncResp> asyncResp,
1127 const std::string& username,
1128 std::optional<std::string> password,
1129 std::optional<bool> enabled,
1130 std::optional<std::string> roleId,
1131 std::optional<bool> locked)
1132{
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +0530[diff] [blame]1133 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1134 tempObjPath /= username;
1135 std::string dbusObjectPath(tempObjPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1136
1137 dbus::utility::checkDbusPathExists(
1138 dbusObjectPath,
Ed Tanous11063332021-09-24 11:55:44 -0700[diff] [blame]1139 [dbusObjectPath, username, password(std::move(password)),
1140 roleId(std::move(roleId)), enabled, locked,
1141 asyncResp{std::move(asyncResp)}](int rc) {
Ed Tanouse662eae2022-01-25 10:39:19 -0800[diff] [blame]1142 if (rc <= 0)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1143 {
1144 messages::resourceNotFound(
1145 asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
1146 username);
1147 return;
1148 }
1149
1150 if (password)
1151 {
1152 int retval = pamUpdatePassword(username, *password);
1153
1154 if (retval == PAM_USER_UNKNOWN)
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1155 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1156 messages::resourceNotFound(
1157 asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
1158 username);
1159 }
1160 else if (retval == PAM_AUTHTOK_ERR)
1161 {
1162 // If password is invalid
1163 messages::propertyValueFormatError(asyncResp->res,
1164 *password, "Password");
1165 BMCWEB_LOG_ERROR << "pamUpdatePassword Failed";
1166 }
1167 else if (retval != PAM_SUCCESS)
1168 {
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1169 messages::internalError(asyncResp->res);
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1170 return;
1171 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1172 }
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1173
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1174 if (enabled)
1175 {
1176 crow::connections::systemBus->async_method_call(
1177 [asyncResp](const boost::system::error_code ec) {
1178 if (ec)
1179 {
1180 BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec;
1181 messages::internalError(asyncResp->res);
1182 return;
1183 }
1184 messages::success(asyncResp->res);
1185 return;
1186 },
Ed Tanouse05aec52022-01-25 10:28:56 -0800[diff] [blame]1187 "xyz.openbmc_project.User.Manager", dbusObjectPath,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1188 "org.freedesktop.DBus.Properties", "Set",
1189 "xyz.openbmc_project.User.Attributes", "UserEnabled",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1190 dbus::utility::DbusVariantType{*enabled});
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1191 }
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1192
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1193 if (roleId)
1194 {
1195 std::string priv = getPrivilegeFromRoleId(*roleId);
1196 if (priv.empty())
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1197 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1198 messages::propertyValueNotInList(asyncResp->res, *roleId,
1199 "RoleId");
1200 return;
1201 }
1202 if (priv == "priv-noaccess")
1203 {
1204 priv = "";
1205 }
1206
1207 crow::connections::systemBus->async_method_call(
1208 [asyncResp](const boost::system::error_code ec) {
1209 if (ec)
1210 {
1211 BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec;
1212 messages::internalError(asyncResp->res);
1213 return;
1214 }
1215 messages::success(asyncResp->res);
1216 },
Ed Tanouse05aec52022-01-25 10:28:56 -0800[diff] [blame]1217 "xyz.openbmc_project.User.Manager", dbusObjectPath,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1218 "org.freedesktop.DBus.Properties", "Set",
1219 "xyz.openbmc_project.User.Attributes", "UserPrivilege",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1220 dbus::utility::DbusVariantType{priv});
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1221 }
1222
1223 if (locked)
1224 {
1225 // admin can unlock the account which is locked by
1226 // successive authentication failures but admin should
1227 // not be allowed to lock an account.
1228 if (*locked)
1229 {
1230 messages::propertyValueNotInList(asyncResp->res, "true",
1231 "Locked");
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1232 return;
1233 }
1234
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1235 crow::connections::systemBus->async_method_call(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1236 [asyncResp](const boost::system::error_code ec) {
1237 if (ec)
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1238 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1239 BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec;
1240 messages::internalError(asyncResp->res);
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1241 return;
1242 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1243 messages::success(asyncResp->res);
1244 return;
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1245 },
Ed Tanouse05aec52022-01-25 10:28:56 -0800[diff] [blame]1246 "xyz.openbmc_project.User.Manager", dbusObjectPath,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1247 "org.freedesktop.DBus.Properties", "Set",
1248 "xyz.openbmc_project.User.Attributes",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1249 "UserLockedForFailedAttempt",
1250 dbus::utility::DbusVariantType{*locked});
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1251 }
1252 });
1253}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1254
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1255inline void requestAccountServiceRoutes(App& app)
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1256{
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1257
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1258 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]1259 .privileges(redfish::privileges::getAccountService)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1260 .methods(
Abhishek Patel72048782021-06-02 09:53:24 -0500[diff] [blame]1261 boost::beast::http::verb::get)([](const crow::Request& req,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1262 const std::shared_ptr<
1263 bmcweb::AsyncResp>& asyncResp)
1264 -> void {
1265 const persistent_data::AuthConfigMethods& authMethodsConfig =
1266 persistent_data::SessionStore::getInstance()
1267 .getAuthMethodsConfig();
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1268
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1269 asyncResp->res.jsonValue = {
1270 {"@odata.id", "/redfish/v1/AccountService"},
1271 {"@odata.type", "#AccountService."
1272 "v1_5_0.AccountService"},
1273 {"Id", "AccountService"},
1274 {"Name", "Account Service"},
1275 {"Description", "Account Service"},
1276 {"ServiceEnabled", true},
1277 {"MaxPasswordLength", 20},
1278 {"Accounts",
1279 {{"@odata.id", "/redfish/v1/AccountService/Accounts"}}},
1280 {"Roles", {{"@odata.id", "/redfish/v1/AccountService/Roles"}}},
1281 {"Oem",
1282 {{"OpenBMC",
1283 {{"@odata.type", "#OemAccountService.v1_0_0.AccountService"},
Ed Tanousd8e3c292021-09-21 18:01:43 -0700[diff] [blame]1284 {"@odata.id", "/redfish/v1/AccountService#/Oem/OpenBMC"},
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1285 {"AuthMethods",
1286 {
1287 {"BasicAuth", authMethodsConfig.basic},
1288 {"SessionToken", authMethodsConfig.sessionToken},
1289 {"XToken", authMethodsConfig.xtoken},
1290 {"Cookie", authMethodsConfig.cookie},
1291 {"TLS", authMethodsConfig.tls},
Abhishek Patel72048782021-06-02 09:53:24 -0500[diff] [blame]1292 }}}}}}};
1293 // /redfish/v1/AccountService/LDAP/Certificates is something only
1294 // ConfigureManager can access then only display when the user has
1295 // permissions ConfigureManager
1296 Privileges effectiveUserPrivileges =
1297 redfish::getUserPrivileges(req.userRole);
1298
1299 if (isOperationAllowedWithPrivileges({{"ConfigureManager"}},
1300 effectiveUserPrivileges))
1301 {
1302 asyncResp->res.jsonValue["LDAP"] = {
1303 {"Certificates",
1304 {{"@odata.id",
1305 "/redfish/v1/AccountService/LDAP/Certificates"}}}};
1306 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1307 crow::connections::systemBus->async_method_call(
1308 [asyncResp](
1309 const boost::system::error_code ec,
Ed Tanousb9d36b42022-02-26 21:42:46 -0800[diff] [blame]1310 const dbus::utility::DBusPropertiesMap& propertiesList) {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1311 if (ec)
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1312 {
1313 messages::internalError(asyncResp->res);
1314 return;
1315 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1316 BMCWEB_LOG_DEBUG << "Got " << propertiesList.size()
1317 << "properties for AccountService";
1318 for (const std::pair<std::string,
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1319 dbus::utility::DbusVariantType>&
1320 property : propertiesList)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1321 {
1322 if (property.first == "MinPasswordLength")
1323 {
1324 const uint8_t* value =
1325 std::get_if<uint8_t>(&property.second);
1326 if (value != nullptr)
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1327 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1328 asyncResp->res.jsonValue["MinPasswordLength"] =
1329 *value;
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1330 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1331 }
1332 if (property.first == "AccountUnlockTimeout")
1333 {
1334 const uint32_t* value =
1335 std::get_if<uint32_t>(&property.second);
1336 if (value != nullptr)
1337 {
1338 asyncResp->res
1339 .jsonValue["AccountLockoutDuration"] =
1340 *value;
1341 }
1342 }
1343 if (property.first == "MaxLoginAttemptBeforeLockout")
1344 {
1345 const uint16_t* value =
1346 std::get_if<uint16_t>(&property.second);
1347 if (value != nullptr)
1348 {
1349 asyncResp->res
1350 .jsonValue["AccountLockoutThreshold"] =
1351 *value;
1352 }
1353 }
1354 }
1355 },
1356 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1357 "org.freedesktop.DBus.Properties", "GetAll",
1358 "xyz.openbmc_project.User.AccountPolicy");
1359
1360 auto callback = [asyncResp](bool success, LDAPConfigData& confData,
1361 const std::string& ldapType) {
1362 if (!success)
1363 {
1364 return;
1365 }
1366 parseLDAPConfigData(asyncResp->res.jsonValue, confData,
1367 ldapType);
1368 };
1369
1370 getLDAPConfigData("LDAP", callback);
1371 getLDAPConfigData("ActiveDirectory", callback);
1372 });
1373
Ed Tanousf5ffd802021-07-19 10:55:33 -0700[diff] [blame]1374 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Gunnar Mills1ec43ee2022-01-04 15:39:52 -0600[diff] [blame]1375 .privileges(redfish::privileges::patchAccountService)
Ed Tanousf5ffd802021-07-19 10:55:33 -0700[diff] [blame]1376 .methods(boost::beast::http::verb::patch)(
1377 [](const crow::Request& req,
1378 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) -> void {
1379 std::optional<uint32_t> unlockTimeout;
1380 std::optional<uint16_t> lockoutThreshold;
Paul Fertseref73ad02022-01-21 19:44:40 +0000[diff] [blame]1381 std::optional<uint8_t> minPasswordLength;
Ed Tanousf5ffd802021-07-19 10:55:33 -0700[diff] [blame]1382 std::optional<uint16_t> maxPasswordLength;
1383 std::optional<nlohmann::json> ldapObject;
1384 std::optional<nlohmann::json> activeDirectoryObject;
1385 std::optional<nlohmann::json> oemObject;
1386
Willy Tu15ed6782021-12-14 11:03:16 -0800[diff] [blame]1387 if (!json_util::readJsonPatch(
Ed Tanousf5ffd802021-07-19 10:55:33 -0700[diff] [blame]1388 req, asyncResp->res, "AccountLockoutDuration",
1389 unlockTimeout, "AccountLockoutThreshold",
1390 lockoutThreshold, "MaxPasswordLength",
1391 maxPasswordLength, "MinPasswordLength",
1392 minPasswordLength, "LDAP", ldapObject,
1393 "ActiveDirectory", activeDirectoryObject, "Oem",
1394 oemObject))
1395 {
1396 return;
1397 }
1398
1399 if (minPasswordLength)
1400 {
Paul Fertseref73ad02022-01-21 19:44:40 +0000[diff] [blame]1401 crow::connections::systemBus->async_method_call(
1402 [asyncResp](const boost::system::error_code ec) {
1403 if (ec)
1404 {
1405 messages::internalError(asyncResp->res);
1406 return;
1407 }
1408 messages::success(asyncResp->res);
1409 },
1410 "xyz.openbmc_project.User.Manager",
1411 "/xyz/openbmc_project/user",
1412 "org.freedesktop.DBus.Properties", "Set",
1413 "xyz.openbmc_project.User.AccountPolicy",
1414 "MinPasswordLength",
1415 dbus::utility::DbusVariantType(*minPasswordLength));
Ed Tanousf5ffd802021-07-19 10:55:33 -0700[diff] [blame]1416 }
1417
1418 if (maxPasswordLength)
1419 {
1420 messages::propertyNotWritable(asyncResp->res,
1421 "MaxPasswordLength");
1422 }
1423
1424 if (ldapObject)
1425 {
1426 handleLDAPPatch(*ldapObject, asyncResp, "LDAP");
1427 }
1428
1429 if (std::optional<nlohmann::json> oemOpenBMCObject;
1430 oemObject &&
1431 json_util::readJson(*oemObject, asyncResp->res, "OpenBMC",
1432 oemOpenBMCObject))
1433 {
1434 if (std::optional<nlohmann::json> authMethodsObject;
1435 oemOpenBMCObject &&
1436 json_util::readJson(*oemOpenBMCObject, asyncResp->res,
1437 "AuthMethods", authMethodsObject))
1438 {
1439 if (authMethodsObject)
1440 {
1441 handleAuthMethodsPatch(*authMethodsObject,
1442 asyncResp);
1443 }
1444 }
1445 }
1446
1447 if (activeDirectoryObject)
1448 {
1449 handleLDAPPatch(*activeDirectoryObject, asyncResp,
1450 "ActiveDirectory");
1451 }
1452
1453 if (unlockTimeout)
1454 {
1455 crow::connections::systemBus->async_method_call(
1456 [asyncResp](const boost::system::error_code ec) {
1457 if (ec)
1458 {
1459 messages::internalError(asyncResp->res);
1460 return;
1461 }
1462 messages::success(asyncResp->res);
1463 },
1464 "xyz.openbmc_project.User.Manager",
1465 "/xyz/openbmc_project/user",
1466 "org.freedesktop.DBus.Properties", "Set",
1467 "xyz.openbmc_project.User.AccountPolicy",
1468 "AccountUnlockTimeout",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1469 dbus::utility::DbusVariantType(*unlockTimeout));
Ed Tanousf5ffd802021-07-19 10:55:33 -0700[diff] [blame]1470 }
1471 if (lockoutThreshold)
1472 {
1473 crow::connections::systemBus->async_method_call(
1474 [asyncResp](const boost::system::error_code ec) {
1475 if (ec)
1476 {
1477 messages::internalError(asyncResp->res);
1478 return;
1479 }
1480 messages::success(asyncResp->res);
1481 },
1482 "xyz.openbmc_project.User.Manager",
1483 "/xyz/openbmc_project/user",
1484 "org.freedesktop.DBus.Properties", "Set",
1485 "xyz.openbmc_project.User.AccountPolicy",
1486 "MaxLoginAttemptBeforeLockout",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1487 dbus::utility::DbusVariantType(*lockoutThreshold));
Ed Tanousf5ffd802021-07-19 10:55:33 -0700[diff] [blame]1488 }
1489 });
1490
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1491 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]1492 .privileges(redfish::privileges::getManagerAccountCollection)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1493 .methods(boost::beast::http::verb::get)(
1494 [](const crow::Request& req,
1495 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) -> void {
1496 asyncResp->res.jsonValue = {
1497 {"@odata.id", "/redfish/v1/AccountService/Accounts"},
1498 {"@odata.type", "#ManagerAccountCollection."
1499 "ManagerAccountCollection"},
1500 {"Name", "Accounts Collection"},
1501 {"Description", "BMC User Accounts"}};
1502
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1503 Privileges effectiveUserPrivileges =
1504 redfish::getUserPrivileges(req.userRole);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1505
JunLin Chenf5e29f32021-12-08 16:47:04 +0800[diff] [blame]1506 std::string thisUser;
1507 if (req.session)
1508 {
1509 thisUser = req.session->username;
1510 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1511 crow::connections::systemBus->async_method_call(
Ed Tanouscef1ddf2021-06-03 13:45:10 -0700[diff] [blame]1512 [asyncResp, thisUser, effectiveUserPrivileges](
1513 const boost::system::error_code ec,
Ed Tanous711ac7a2021-12-20 09:34:41 -0800[diff] [blame]1514 const dbus::utility::ManagedObjectType& users) {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1515 if (ec)
1516 {
1517 messages::internalError(asyncResp->res);
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1518 return;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1519 }
Ed Tanous9712f8a2018-09-21 13:38:49 -0700[diff] [blame]1520
Ed Tanouscef1ddf2021-06-03 13:45:10 -0700[diff] [blame]1521 bool userCanSeeAllAccounts =
1522 effectiveUserPrivileges.isSupersetOf(
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]1523 {"ConfigureUsers"});
Ed Tanouscef1ddf2021-06-03 13:45:10 -0700[diff] [blame]1524
1525 bool userCanSeeSelf =
1526 effectiveUserPrivileges.isSupersetOf(
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]1527 {"ConfigureSelf"});
Ed Tanouscef1ddf2021-06-03 13:45:10 -0700[diff] [blame]1528
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1529 nlohmann::json& memberArray =
1530 asyncResp->res.jsonValue["Members"];
1531 memberArray = nlohmann::json::array();
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1532
Ed Tanous9eb808c2022-01-25 10:19:23 -0800[diff] [blame]1533 for (const auto& userpath : users)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1534 {
1535 std::string user = userpath.first.filename();
1536 if (user.empty())
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1537 {
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1538 messages::internalError(asyncResp->res);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1539 BMCWEB_LOG_ERROR << "Invalid firmware ID";
1540
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1541 return;
1542 }
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1543
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1544 // As clarified by Redfish here:
1545 // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration
1546 // Users without ConfigureUsers, only see their own
1547 // account. Users with ConfigureUsers, see all
1548 // accounts.
Ed Tanouscef1ddf2021-06-03 13:45:10 -0700[diff] [blame]1549 if (userCanSeeAllAccounts ||
1550 (thisUser == user && userCanSeeSelf))
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1551 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1552 memberArray.push_back(
1553 {{"@odata.id",
1554 "/redfish/v1/AccountService/Accounts/" +
1555 user}});
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1556 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1557 }
1558 asyncResp->res.jsonValue["Members@odata.count"] =
1559 memberArray.size();
1560 },
1561 "xyz.openbmc_project.User.Manager",
1562 "/xyz/openbmc_project/user",
1563 "org.freedesktop.DBus.ObjectManager", "GetManagedObjects");
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1564 });
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1565
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1566 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]1567 .privileges(redfish::privileges::postManagerAccountCollection)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1568 .methods(boost::beast::http::verb::post)([](const crow::Request& req,
1569 const std::shared_ptr<
1570 bmcweb::AsyncResp>&
1571 asyncResp) -> void {
1572 std::string username;
1573 std::string password;
1574 std::optional<std::string> roleId("User");
1575 std::optional<bool> enabled = true;
Willy Tu15ed6782021-12-14 11:03:16 -0800[diff] [blame]1576 if (!json_util::readJsonPatch(req, asyncResp->res, "UserName",
1577 username, "Password", password,
1578 "RoleId", roleId, "Enabled", enabled))
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1579 {
1580 return;
1581 }
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1582
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1583 std::string priv = getPrivilegeFromRoleId(*roleId);
1584 if (priv.empty())
1585 {
1586 messages::propertyValueNotInList(asyncResp->res, *roleId,
1587 "RoleId");
1588 return;
1589 }
1590 // TODO: Following override will be reverted once support in
1591 // phosphor-user-manager is added. In order to avoid dependency
1592 // issues, this is added in bmcweb, which will removed, once
1593 // phosphor-user-manager supports priv-noaccess.
1594 if (priv == "priv-noaccess")
1595 {
1596 roleId = "";
1597 }
1598 else
1599 {
1600 roleId = priv;
1601 }
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1602
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1603 // Reading AllGroups property
Jonathan Doman1e1e5982021-06-11 09:36:17 -0700[diff] [blame]1604 sdbusplus::asio::getProperty<std::vector<std::string>>(
1605 *crow::connections::systemBus,
1606 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1607 "xyz.openbmc_project.User.Manager", "AllGroups",
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1608 [asyncResp, username, password{std::move(password)}, roleId,
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1609 enabled](const boost::system::error_code ec,
Jonathan Doman1e1e5982021-06-11 09:36:17 -0700[diff] [blame]1610 const std::vector<std::string>& allGroupsList) {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1611 if (ec)
1612 {
1613 BMCWEB_LOG_DEBUG << "ERROR with async_method_call";
1614 messages::internalError(asyncResp->res);
1615 return;
1616 }
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1617
Jonathan Doman1e1e5982021-06-11 09:36:17 -0700[diff] [blame]1618 if (allGroupsList.empty())
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1619 {
1620 messages::internalError(asyncResp->res);
1621 return;
1622 }
1623
1624 crow::connections::systemBus->async_method_call(
1625 [asyncResp, username,
1626 password](const boost::system::error_code ec2,
1627 sdbusplus::message::message& m) {
1628 if (ec2)
1629 {
1630 userErrorMessageHandler(
1631 m.get_error(), asyncResp, username, "");
1632 return;
1633 }
1634
1635 if (pamUpdatePassword(username, password) !=
1636 PAM_SUCCESS)
1637 {
1638 // At this point we have a user that's been
1639 // created, but the password set
1640 // failed.Something is wrong, so delete the user
1641 // that we've already created
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +0530[diff] [blame]1642 sdbusplus::message::object_path tempObjPath(
1643 rootUserDbusPath);
1644 tempObjPath /= username;
1645 const std::string userPath(tempObjPath);
1646
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1647 crow::connections::systemBus->async_method_call(
1648 [asyncResp, password](
1649 const boost::system::error_code ec3) {
1650 if (ec3)
1651 {
1652 messages::internalError(
1653 asyncResp->res);
1654 return;
1655 }
1656
1657 // If password is invalid
1658 messages::propertyValueFormatError(
1659 asyncResp->res, password,
1660 "Password");
1661 },
1662 "xyz.openbmc_project.User.Manager",
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +0530[diff] [blame]1663 userPath,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1664 "xyz.openbmc_project.Object.Delete",
1665 "Delete");
1666
1667 BMCWEB_LOG_ERROR << "pamUpdatePassword Failed";
1668 return;
1669 }
1670
1671 messages::created(asyncResp->res);
1672 asyncResp->res.addHeader(
1673 "Location",
1674 "/redfish/v1/AccountService/Accounts/" +
1675 username);
1676 },
1677 "xyz.openbmc_project.User.Manager",
1678 "/xyz/openbmc_project/user",
1679 "xyz.openbmc_project.User.Manager", "CreateUser",
Jonathan Doman1e1e5982021-06-11 09:36:17 -0700[diff] [blame]1680 username, allGroupsList, *roleId, *enabled);
1681 });
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1682 });
1683
1684 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]1685 .privileges(redfish::privileges::getManagerAccount)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1686 .methods(
1687 boost::beast::http::verb::
1688 get)([](const crow::Request& req,
1689 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1690 const std::string& accountName) -> void {
1691 if (req.session->username != accountName)
1692 {
1693 // At this point we've determined that the user is trying to
1694 // modify a user that isn't them. We need to verify that they
1695 // have permissions to modify other users, so re-run the auth
1696 // check with the same permissions, minus ConfigureSelf.
1697 Privileges effectiveUserPrivileges =
1698 redfish::getUserPrivileges(req.userRole);
1699 Privileges requiredPermissionsToChangeNonSelf = {
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]1700 "ConfigureUsers", "ConfigureManager"};
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1701 if (!effectiveUserPrivileges.isSupersetOf(
1702 requiredPermissionsToChangeNonSelf))
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1703 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1704 BMCWEB_LOG_DEBUG << "GET Account denied access";
1705 messages::insufficientPrivilege(asyncResp->res);
1706 return;
1707 }
1708 }
1709
1710 crow::connections::systemBus->async_method_call(
Ed Tanous711ac7a2021-12-20 09:34:41 -0800[diff] [blame]1711 [asyncResp,
1712 accountName](const boost::system::error_code ec,
1713 const dbus::utility::ManagedObjectType& users) {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1714 if (ec)
1715 {
1716 messages::internalError(asyncResp->res);
1717 return;
1718 }
Ed Tanous711ac7a2021-12-20 09:34:41 -0800[diff] [blame]1719 const auto userIt = std::find_if(
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +0530[diff] [blame]1720 users.begin(), users.end(),
1721 [accountName](
1722 const std::pair<sdbusplus::message::object_path,
Ed Tanous711ac7a2021-12-20 09:34:41 -0800[diff] [blame]1723 dbus::utility::DBusInteracesMap>&
1724 user) {
Ed Tanous55f79e62022-01-25 11:26:16 -0800[diff] [blame]1725 return accountName == user.first.filename();
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +0530[diff] [blame]1726 });
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1727
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1728 if (userIt == users.end())
1729 {
1730 messages::resourceNotFound(
1731 asyncResp->res, "ManagerAccount", accountName);
1732 return;
1733 }
1734
1735 asyncResp->res.jsonValue = {
1736 {"@odata.type",
1737 "#ManagerAccount.v1_4_0.ManagerAccount"},
1738 {"Name", "User Account"},
1739 {"Description", "User Account"},
1740 {"Password", nullptr},
1741 {"AccountTypes", {"Redfish"}}};
1742
1743 for (const auto& interface : userIt->second)
1744 {
1745 if (interface.first ==
1746 "xyz.openbmc_project.User.Attributes")
1747 {
1748 for (const auto& property : interface.second)
1749 {
1750 if (property.first == "UserEnabled")
1751 {
1752 const bool* userEnabled =
1753 std::get_if<bool>(&property.second);
1754 if (userEnabled == nullptr)
1755 {
1756 BMCWEB_LOG_ERROR
1757 << "UserEnabled wasn't a bool";
1758 messages::internalError(asyncResp->res);
1759 return;
1760 }
1761 asyncResp->res.jsonValue["Enabled"] =
1762 *userEnabled;
1763 }
1764 else if (property.first ==
1765 "UserLockedForFailedAttempt")
1766 {
1767 const bool* userLocked =
1768 std::get_if<bool>(&property.second);
1769 if (userLocked == nullptr)
1770 {
1771 BMCWEB_LOG_ERROR << "UserLockedForF"
1772 "ailedAttempt "
1773 "wasn't a bool";
1774 messages::internalError(asyncResp->res);
1775 return;
1776 }
1777 asyncResp->res.jsonValue["Locked"] =
1778 *userLocked;
1779 asyncResp->res.jsonValue
1780 ["Locked@Redfish.AllowableValues"] = {
1781 "false"}; // can only unlock accounts
1782 }
1783 else if (property.first == "UserPrivilege")
1784 {
1785 const std::string* userPrivPtr =
1786 std::get_if<std::string>(
1787 &property.second);
1788 if (userPrivPtr == nullptr)
1789 {
1790 BMCWEB_LOG_ERROR
1791 << "UserPrivilege wasn't a "
1792 "string";
1793 messages::internalError(asyncResp->res);
1794 return;
1795 }
1796 std::string role =
1797 getRoleIdFromPrivilege(*userPrivPtr);
1798 if (role.empty())
1799 {
1800 BMCWEB_LOG_ERROR << "Invalid user role";
1801 messages::internalError(asyncResp->res);
1802 return;
1803 }
1804 asyncResp->res.jsonValue["RoleId"] = role;
1805
1806 asyncResp->res.jsonValue["Links"]["Role"] =
1807 {{"@odata.id",
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]1808 "/redfish/v1/AccountService/Roles/" +
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1809 role}};
1810 }
1811 else if (property.first ==
1812 "UserPasswordExpired")
1813 {
1814 const bool* userPasswordExpired =
1815 std::get_if<bool>(&property.second);
1816 if (userPasswordExpired == nullptr)
1817 {
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]1818 BMCWEB_LOG_ERROR
1819 << "UserPasswordExpired wasn't a bool";
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1820 messages::internalError(asyncResp->res);
1821 return;
1822 }
1823 asyncResp->res
1824 .jsonValue["PasswordChangeRequired"] =
1825 *userPasswordExpired;
1826 }
1827 }
1828 }
1829 }
1830
1831 asyncResp->res.jsonValue["@odata.id"] =
1832 "/redfish/v1/AccountService/Accounts/" + accountName;
1833 asyncResp->res.jsonValue["Id"] = accountName;
1834 asyncResp->res.jsonValue["UserName"] = accountName;
1835 },
1836 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1837 "org.freedesktop.DBus.ObjectManager", "GetManagedObjects");
1838 });
1839
1840 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]1841 // TODO this privilege should be using the generated endpoints, but
1842 // because of the special handling of ConfigureSelf, it's not able to
1843 // yet
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1844 .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}})
1845 .methods(boost::beast::http::verb::patch)(
1846 [](const crow::Request& req,
1847 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1848 const std::string& username) -> void {
1849 std::optional<std::string> newUserName;
1850 std::optional<std::string> password;
1851 std::optional<bool> enabled;
1852 std::optional<std::string> roleId;
1853 std::optional<bool> locked;
Ed Tanouse9cc5172021-11-03 14:13:19 +0800[diff] [blame]1854
1855 Privileges effectiveUserPrivileges =
1856 redfish::getUserPrivileges(req.userRole);
1857 Privileges configureUsers = {"ConfigureUsers"};
1858 bool userHasConfigureUsers =
1859 effectiveUserPrivileges.isSupersetOf(configureUsers);
1860 if (userHasConfigureUsers)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1861 {
Ed Tanouse9cc5172021-11-03 14:13:19 +0800[diff] [blame]1862 // Users with ConfigureUsers can modify for all users
Willy Tu15ed6782021-12-14 11:03:16 -0800[diff] [blame]1863 if (!json_util::readJsonPatch(
1864 req, asyncResp->res, "UserName", newUserName,
1865 "Password", password, "RoleId", roleId, "Enabled",
1866 enabled, "Locked", locked))
Ed Tanouse9cc5172021-11-03 14:13:19 +0800[diff] [blame]1867 {
1868 return;
1869 }
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1870 }
Ed Tanouse9cc5172021-11-03 14:13:19 +0800[diff] [blame]1871 else
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1872 {
Ed Tanouse9cc5172021-11-03 14:13:19 +0800[diff] [blame]1873 // ConfigureSelf accounts can only modify their own account
1874 if (username != req.session->username)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1875 {
1876 messages::insufficientPrivilege(asyncResp->res);
1877 return;
1878 }
Ed Tanouse9cc5172021-11-03 14:13:19 +0800[diff] [blame]1879 // ConfigureSelf accounts can only modify their password
Willy Tu15ed6782021-12-14 11:03:16 -0800[diff] [blame]1880 if (!json_util::readJsonPatch(req, asyncResp->res,
1881 "Password", password))
Ed Tanouse9cc5172021-11-03 14:13:19 +0800[diff] [blame]1882 {
1883 return;
1884 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1885 }
1886
1887 // if user name is not provided in the patch method or if it
1888 // matches the user name in the URI, then we are treating it as
1889 // updating user properties other then username. If username
1890 // provided doesn't match the URI, then we are treating this as
1891 // user rename request.
1892 if (!newUserName || (newUserName.value() == username))
1893 {
1894 updateUserProperties(asyncResp, username, password, enabled,
1895 roleId, locked);
1896 return;
1897 }
1898 crow::connections::systemBus->async_method_call(
1899 [asyncResp, username, password(std::move(password)),
1900 roleId(std::move(roleId)), enabled,
1901 newUser{std::string(*newUserName)},
1902 locked](const boost::system::error_code ec,
1903 sdbusplus::message::message& m) {
1904 if (ec)
1905 {
1906 userErrorMessageHandler(m.get_error(), asyncResp,
1907 newUser, username);
1908 return;
1909 }
1910
1911 updateUserProperties(asyncResp, newUser, password,
1912 enabled, roleId, locked);
1913 },
1914 "xyz.openbmc_project.User.Manager",
1915 "/xyz/openbmc_project/user",
1916 "xyz.openbmc_project.User.Manager", "RenameUser", username,
1917 *newUserName);
1918 });
1919
1920 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]1921 .privileges(redfish::privileges::deleteManagerAccount)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1922 .methods(boost::beast::http::verb::delete_)(
1923 [](const crow::Request& /*req*/,
1924 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1925 const std::string& username) -> void {
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +0530[diff] [blame]1926 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1927 tempObjPath /= username;
1928 const std::string userPath(tempObjPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1929
1930 crow::connections::systemBus->async_method_call(
1931 [asyncResp, username](const boost::system::error_code ec) {
1932 if (ec)
1933 {
1934 messages::resourceNotFound(
1935 asyncResp->res,
1936 "#ManagerAccount.v1_4_0.ManagerAccount",
1937 username);
1938 return;
1939 }
1940
1941 messages::accountRemoved(asyncResp->res);
1942 },
1943 "xyz.openbmc_project.User.Manager", userPath,
1944 "xyz.openbmc_project.Object.Delete", "Delete");
1945 });
1946}
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]1947
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]1948} // namespace redfish