blob: 4bfbdd8d6f036c1b5a479a7cfbf6c81eff61c66b [file] [log] [blame]
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +01001/*
2// Copyright (c) 2018 Intel Corporation
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15*/
16#pragma once
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +010017
Ed Tanous3ccb3ad2023-01-13 17:40:03 -080018#include "app.hpp"
Ed Tanous1aa375b2024-04-13 11:51:10 -070019#include "certificate_service.hpp"
Ed Tanous3ccb3ad2023-01-13 17:40:03 -080020#include "dbus_utility.hpp"
21#include "error_messages.hpp"
Ed Tanous0ec8b832022-03-14 14:56:47 -070022#include "generated/enums/account_service.hpp"
Ed Tanous3ccb3ad2023-01-13 17:40:03 -080023#include "persistent_data.hpp"
24#include "query.hpp"
Ed Tanous0ec8b832022-03-14 14:56:47 -070025#include "registries/privilege_registry.hpp"
Ed Tanous1aa375b2024-04-13 11:51:10 -070026#include "utils/collection.hpp"
Ed Tanous3ccb3ad2023-01-13 17:40:03 -080027#include "utils/dbus_utils.hpp"
28#include "utils/json_utils.hpp"
Ed Tanous0ec8b832022-03-14 14:56:47 -070029
Ed Tanous1aa375b2024-04-13 11:51:10 -070030#include <boost/url/format.hpp>
31#include <boost/url/url.hpp>
Jonathan Doman1e1e5982021-06-11 09:36:17 -070032#include <sdbusplus/asio/property.hpp>
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +020033#include <sdbusplus/unpack_properties.hpp>
Gunnar Mills1214b7e2020-06-04 10:11:30 -050034
George Liu2b731192023-01-11 16:27:13 +080035#include <array>
Ed Tanous1aa375b2024-04-13 11:51:10 -070036#include <memory>
Abhishek Patelc7229812022-02-01 10:07:15 -060037#include <optional>
Ed Tanous3544d2a2023-08-06 18:12:20 -070038#include <ranges>
Abhishek Patelc7229812022-02-01 10:07:15 -060039#include <string>
George Liu2b731192023-01-11 16:27:13 +080040#include <string_view>
Ed Tanous20fa6a22024-05-20 18:02:58 -070041#include <utility>
Abhishek Patelc7229812022-02-01 10:07:15 -060042#include <vector>
43
Ed Tanous1abe55e2018-09-05 08:30:59 -070044namespace redfish
45{
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +010046
Ed Tanous23a21a12020-07-25 04:45:05 +000047constexpr const char* ldapConfigObjectName =
Ratan Gupta6973a582018-12-13 18:25:44 +053048 "/xyz/openbmc_project/user/ldap/openldap";
Ed Tanous2c70f802020-09-28 14:29:23 -070049constexpr const char* adConfigObject =
Ratan Guptaab828d72019-04-22 14:18:33 +053050 "/xyz/openbmc_project/user/ldap/active_directory";
51
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +053052constexpr const char* rootUserDbusPath = "/xyz/openbmc_project/user/";
Ratan Gupta6973a582018-12-13 18:25:44 +053053constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap";
54constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config";
55constexpr const char* ldapConfigInterface =
56 "xyz.openbmc_project.User.Ldap.Config";
57constexpr const char* ldapCreateInterface =
58 "xyz.openbmc_project.User.Ldap.Create";
59constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable";
Ratan Gupta06785242019-07-26 22:30:16 +053060constexpr const char* ldapPrivMapperInterface =
61 "xyz.openbmc_project.User.PrivilegeMapper";
Ratan Gupta6973a582018-12-13 18:25:44 +053062
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060063struct LDAPRoleMapData
64{
65 std::string groupName;
66 std::string privilege;
67};
68
Ratan Gupta6973a582018-12-13 18:25:44 +053069struct LDAPConfigData
70{
Ed Tanous47f29342024-03-19 12:18:06 -070071 std::string uri;
72 std::string bindDN;
73 std::string baseDN;
74 std::string searchScope;
75 std::string serverType;
Ratan Gupta6973a582018-12-13 18:25:44 +053076 bool serviceEnabled = false;
Ed Tanous47f29342024-03-19 12:18:06 -070077 std::string userNameAttribute;
78 std::string groupAttribute;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060079 std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList;
Ratan Gupta6973a582018-12-13 18:25:44 +053080};
81
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060082inline std::string getRoleIdFromPrivilege(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +053083{
84 if (role == "priv-admin")
85 {
86 return "Administrator";
87 }
Ed Tanous3174e4d2020-10-07 11:41:22 -070088 if (role == "priv-user")
AppaRao Puli84e12cb2018-10-11 01:28:15 +053089 {
AppaRao Pulic80fee52019-10-16 14:49:36 +053090 return "ReadOnly";
AppaRao Puli84e12cb2018-10-11 01:28:15 +053091 }
Ed Tanous3174e4d2020-10-07 11:41:22 -070092 if (role == "priv-operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +053093 {
94 return "Operator";
95 }
96 return "";
97}
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060098inline std::string getPrivilegeFromRoleId(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +053099{
100 if (role == "Administrator")
101 {
102 return "priv-admin";
103 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700104 if (role == "ReadOnly")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530105 {
106 return "priv-user";
107 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700108 if (role == "Operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530109 {
110 return "priv-operator";
111 }
112 return "";
113}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700114
Abhishek Patelc7229812022-02-01 10:07:15 -0600115/**
116 * @brief Maps user group names retrieved from D-Bus object to
117 * Account Types.
118 *
119 * @param[in] userGroups List of User groups
120 * @param[out] res AccountTypes populated
121 *
122 * @return true in case of success, false if UserGroups contains
123 * invalid group name(s).
124 */
125inline bool translateUserGroup(const std::vector<std::string>& userGroups,
126 crow::Response& res)
127{
128 std::vector<std::string> accountTypes;
129 for (const auto& userGroup : userGroups)
130 {
131 if (userGroup == "redfish")
132 {
133 accountTypes.emplace_back("Redfish");
134 accountTypes.emplace_back("WebUI");
135 }
136 else if (userGroup == "ipmi")
137 {
138 accountTypes.emplace_back("IPMI");
139 }
140 else if (userGroup == "ssh")
141 {
Abhishek Patelc7229812022-02-01 10:07:15 -0600142 accountTypes.emplace_back("ManagerConsole");
143 }
Ninad Palsule3e72c202023-03-27 17:19:55 -0500144 else if (userGroup == "hostconsole")
145 {
146 // The hostconsole group controls who can access the host console
147 // port via ssh and websocket.
148 accountTypes.emplace_back("HostConsole");
149 }
Abhishek Patelc7229812022-02-01 10:07:15 -0600150 else if (userGroup == "web")
151 {
152 // 'web' is one of the valid groups in the UserGroups property of
153 // the user account in the D-Bus object. This group is currently not
154 // doing anything, and is considered to be equivalent to 'redfish'.
155 // 'redfish' user group is mapped to 'Redfish'and 'WebUI'
156 // AccountTypes, so do nothing here...
157 }
158 else
159 {
Ed Tanous8ece0e42024-01-02 13:16:50 -0800160 // Invalid user group name. Caller throws an exception.
Abhishek Patelc7229812022-02-01 10:07:15 -0600161 return false;
162 }
163 }
164
165 res.jsonValue["AccountTypes"] = std::move(accountTypes);
166 return true;
167}
168
Abhishek Patel58345852022-02-02 08:54:25 -0600169/**
170 * @brief Builds User Groups from the Account Types
171 *
172 * @param[in] asyncResp Async Response
173 * @param[in] accountTypes List of Account Types
174 * @param[out] userGroups List of User Groups mapped from Account Types
175 *
176 * @return true if Account Types mapped to User Groups, false otherwise.
177 */
178inline bool
179 getUserGroupFromAccountType(crow::Response& res,
180 const std::vector<std::string>& accountTypes,
181 std::vector<std::string>& userGroups)
182{
183 // Need both Redfish and WebUI Account Types to map to 'redfish' User Group
184 bool redfishType = false;
185 bool webUIType = false;
186
187 for (const auto& accountType : accountTypes)
188 {
189 if (accountType == "Redfish")
190 {
191 redfishType = true;
192 }
193 else if (accountType == "WebUI")
194 {
195 webUIType = true;
196 }
197 else if (accountType == "IPMI")
198 {
199 userGroups.emplace_back("ipmi");
200 }
201 else if (accountType == "HostConsole")
202 {
203 userGroups.emplace_back("hostconsole");
204 }
205 else if (accountType == "ManagerConsole")
206 {
207 userGroups.emplace_back("ssh");
208 }
209 else
210 {
211 // Invalid Account Type
212 messages::propertyValueNotInList(res, "AccountTypes", accountType);
213 return false;
214 }
215 }
216
217 // Both Redfish and WebUI Account Types are needed to PATCH
218 if (redfishType ^ webUIType)
219 {
Ed Tanous62598e32023-07-17 17:06:25 -0700220 BMCWEB_LOG_ERROR(
221 "Missing Redfish or WebUI Account Type to set redfish User Group");
Abhishek Patel58345852022-02-02 08:54:25 -0600222 messages::strictAccountTypes(res, "AccountTypes");
223 return false;
224 }
225
226 if (redfishType && webUIType)
227 {
228 userGroups.emplace_back("redfish");
229 }
230
231 return true;
232}
233
234/**
235 * @brief Sets UserGroups property of the user based on the Account Types
236 *
237 * @param[in] accountTypes List of User Account Types
238 * @param[in] asyncResp Async Response
239 * @param[in] dbusObjectPath D-Bus Object Path
240 * @param[in] userSelf true if User is updating OWN Account Types
241 */
242inline void
243 patchAccountTypes(const std::vector<std::string>& accountTypes,
244 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
245 const std::string& dbusObjectPath, bool userSelf)
246{
247 // Check if User is disabling own Redfish Account Type
248 if (userSelf &&
249 (accountTypes.cend() ==
250 std::find(accountTypes.cbegin(), accountTypes.cend(), "Redfish")))
251 {
Ed Tanous62598e32023-07-17 17:06:25 -0700252 BMCWEB_LOG_ERROR(
253 "User disabling OWN Redfish Account Type is not allowed");
Abhishek Patel58345852022-02-02 08:54:25 -0600254 messages::strictAccountTypes(asyncResp->res, "AccountTypes");
255 return;
256 }
257
258 std::vector<std::string> updatedUserGroups;
259 if (!getUserGroupFromAccountType(asyncResp->res, accountTypes,
260 updatedUserGroups))
261 {
262 // Problem in mapping Account Types to User Groups, Error already
263 // logged.
264 return;
265 }
Ed Tanousd02aad32024-02-13 14:43:34 -0800266 setDbusProperty(asyncResp, "xyz.openbmc_project.User.Manager",
267 dbusObjectPath, "xyz.openbmc_project.User.Attributes",
268 "UserGroups", "AccountTypes", updatedUserGroups);
Abhishek Patel58345852022-02-02 08:54:25 -0600269}
270
zhanghch058d1b46d2021-04-01 11:18:24 +0800271inline void userErrorMessageHandler(
272 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
273 const std::string& newUser, const std::string& username)
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000274{
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000275 if (e == nullptr)
276 {
277 messages::internalError(asyncResp->res);
278 return;
279 }
280
Manojkiran Eda055806b2020-11-03 09:36:28 +0530281 const char* errorMessage = e->name;
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000282 if (strcmp(errorMessage,
283 "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0)
284 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +0800285 messages::resourceAlreadyExists(asyncResp->res, "ManagerAccount",
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000286 "UserName", newUser);
287 }
288 else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
289 "UserNameDoesNotExist") == 0)
290 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +0800291 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000292 }
Ed Tanousd4d25792020-09-29 15:15:03 -0700293 else if ((strcmp(errorMessage,
294 "xyz.openbmc_project.Common.Error.InvalidArgument") ==
295 0) ||
George Liu0fda0f12021-11-16 10:06:17 +0800296 (strcmp(
297 errorMessage,
298 "xyz.openbmc_project.User.Common.Error.UserNameGroupFail") ==
299 0))
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000300 {
301 messages::propertyValueFormatError(asyncResp->res, newUser, "UserName");
302 }
303 else if (strcmp(errorMessage,
304 "xyz.openbmc_project.User.Common.Error.NoResource") == 0)
305 {
306 messages::createLimitReachedForResource(asyncResp->res);
307 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000308 else
309 {
Gunnar Millsb8ad5832023-10-02 16:26:07 -0500310 BMCWEB_LOG_ERROR("DBUS response error {}", errorMessage);
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000311 messages::internalError(asyncResp->res);
312 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000313}
314
Ed Tanous81ce6092020-12-17 16:54:55 +0000315inline void parseLDAPConfigData(nlohmann::json& jsonResponse,
Ed Tanous23a21a12020-07-25 04:45:05 +0000316 const LDAPConfigData& confData,
317 const std::string& ldapType)
Ratan Gupta6973a582018-12-13 18:25:44 +0530318{
Ed Tanous49cc2632024-03-20 12:49:15 -0700319 nlohmann::json::object_t ldap;
Ed Tanous14766872022-03-15 10:44:42 -0700320 ldap["ServiceEnabled"] = confData.serviceEnabled;
Ed Tanous49cc2632024-03-20 12:49:15 -0700321 nlohmann::json::array_t serviceAddresses;
322 serviceAddresses.emplace_back(confData.uri);
323 ldap["ServiceAddresses"] = std::move(serviceAddresses);
324
325 nlohmann::json::object_t authentication;
326 authentication["AuthenticationType"] =
Ed Tanous0ec8b832022-03-14 14:56:47 -0700327 account_service::AuthenticationTypes::UsernameAndPassword;
Ed Tanous49cc2632024-03-20 12:49:15 -0700328 authentication["Username"] = confData.bindDN;
329 authentication["Password"] = nullptr;
330 ldap["Authentication"] = std::move(authentication);
Ed Tanous14766872022-03-15 10:44:42 -0700331
Ed Tanous49cc2632024-03-20 12:49:15 -0700332 nlohmann::json::object_t ldapService;
333 nlohmann::json::object_t searchSettings;
334 nlohmann::json::array_t baseDistinguishedNames;
335 baseDistinguishedNames.emplace_back(confData.baseDN);
Ed Tanous14766872022-03-15 10:44:42 -0700336
Ed Tanous49cc2632024-03-20 12:49:15 -0700337 searchSettings["BaseDistinguishedNames"] =
338 std::move(baseDistinguishedNames);
339 searchSettings["UsernameAttribute"] = confData.userNameAttribute;
340 searchSettings["GroupsAttribute"] = confData.groupAttribute;
341 ldapService["SearchSettings"] = std::move(searchSettings);
342 ldap["LDAPService"] = std::move(ldapService);
343
344 nlohmann::json::array_t roleMapArray;
Ed Tanous9eb808c2022-01-25 10:19:23 -0800345 for (const auto& obj : confData.groupRoleList)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600346 {
Ed Tanous62598e32023-07-17 17:06:25 -0700347 BMCWEB_LOG_DEBUG("Pushing the data groupName={}", obj.second.groupName);
Ed Tanous613dabe2022-07-09 11:17:36 -0700348
Ed Tanous613dabe2022-07-09 11:17:36 -0700349 nlohmann::json::object_t remoteGroup;
350 remoteGroup["RemoteGroup"] = obj.second.groupName;
Jorge Cisneros329f0342022-11-04 16:26:25 +0000351 remoteGroup["LocalRole"] = getRoleIdFromPrivilege(obj.second.privilege);
352 roleMapArray.emplace_back(std::move(remoteGroup));
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600353 }
Ed Tanous49cc2632024-03-20 12:49:15 -0700354
355 ldap["RemoteRoleMapping"] = std::move(roleMapArray);
356
357 jsonResponse[ldapType].update(ldap);
Ratan Gupta6973a582018-12-13 18:25:44 +0530358}
359
360/**
Ratan Gupta06785242019-07-26 22:30:16 +0530361 * @brief validates given JSON input and then calls appropriate method to
362 * create, to delete or to set Rolemapping object based on the given input.
363 *
364 */
Ed Tanous23a21a12020-07-25 04:45:05 +0000365inline void handleRoleMapPatch(
zhanghch058d1b46d2021-04-01 11:18:24 +0800366 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
Ratan Gupta06785242019-07-26 22:30:16 +0530367 const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData,
Ed Tanousc1019822024-03-06 12:54:38 -0800368 const std::string& serverType,
369 std::vector<std::variant<nlohmann::json::object_t, std::nullptr_t>>& input)
Ratan Gupta06785242019-07-26 22:30:16 +0530370{
371 for (size_t index = 0; index < input.size(); index++)
372 {
Ed Tanousc1019822024-03-06 12:54:38 -0800373 std::variant<nlohmann::json::object_t, std::nullptr_t>& thisJson =
374 input[index];
375 nlohmann::json::object_t* obj =
376 std::get_if<nlohmann::json::object_t>(&thisJson);
377 if (obj == nullptr)
Ratan Gupta06785242019-07-26 22:30:16 +0530378 {
379 // delete the existing object
380 if (index < roleMapObjData.size())
381 {
382 crow::connections::systemBus->async_method_call(
383 [asyncResp, roleMapObjData, serverType,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -0800384 index](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700385 if (ec)
386 {
Ed Tanous62598e32023-07-17 17:06:25 -0700387 BMCWEB_LOG_ERROR("DBUS response error: {}", ec);
Ed Tanous002d39b2022-05-31 08:59:27 -0700388 messages::internalError(asyncResp->res);
389 return;
390 }
Patrick Williams89492a12023-05-10 07:51:34 -0500391 asyncResp->res.jsonValue[serverType]["RemoteRoleMapping"]
392 [index] = nullptr;
Patrick Williams5a39f772023-10-20 11:20:21 -0500393 },
Ratan Gupta06785242019-07-26 22:30:16 +0530394 ldapDbusService, roleMapObjData[index].first,
395 "xyz.openbmc_project.Object.Delete", "Delete");
396 }
397 else
398 {
Ed Tanous62598e32023-07-17 17:06:25 -0700399 BMCWEB_LOG_ERROR("Can't delete the object");
Ed Tanousc1019822024-03-06 12:54:38 -0800400 messages::propertyValueTypeError(asyncResp->res, "null",
Ed Tanous2e8c4bd2022-06-27 12:59:12 -0700401 "RemoteRoleMapping/" +
402 std::to_string(index));
Ratan Gupta06785242019-07-26 22:30:16 +0530403 return;
404 }
405 }
Ed Tanousc1019822024-03-06 12:54:38 -0800406 else if (obj->empty())
Ratan Gupta06785242019-07-26 22:30:16 +0530407 {
408 // Don't do anything for the empty objects,parse next json
409 // eg {"RemoteRoleMapping",[{}]}
410 }
411 else
412 {
413 // update/create the object
414 std::optional<std::string> remoteGroup;
415 std::optional<std::string> localRole;
416
Ed Tanousc1019822024-03-06 12:54:38 -0800417 if (!json_util::readJsonObject(*obj, asyncResp->res, "RemoteGroup",
418 remoteGroup, "LocalRole", localRole))
Ratan Gupta06785242019-07-26 22:30:16 +0530419 {
420 continue;
421 }
422
423 // Update existing RoleMapping Object
424 if (index < roleMapObjData.size())
425 {
Ed Tanous62598e32023-07-17 17:06:25 -0700426 BMCWEB_LOG_DEBUG("Update Role Map Object");
Ratan Gupta06785242019-07-26 22:30:16 +0530427 // If "RemoteGroup" info is provided
428 if (remoteGroup)
429 {
Ed Tanousd02aad32024-02-13 14:43:34 -0800430 setDbusProperty(
431 asyncResp, ldapDbusService, roleMapObjData[index].first,
George Liu9ae226f2023-06-21 17:56:46 +0800432 "xyz.openbmc_project.User.PrivilegeMapperEntry",
Ed Tanousd02aad32024-02-13 14:43:34 -0800433 "GroupName",
434 std::format("RemoteRoleMapping/{}/RemoteGroup", index),
435 *remoteGroup);
Ratan Gupta06785242019-07-26 22:30:16 +0530436 }
437
438 // If "LocalRole" info is provided
439 if (localRole)
440 {
Ed Tanousd02aad32024-02-13 14:43:34 -0800441 setDbusProperty(
442 asyncResp, ldapDbusService, roleMapObjData[index].first,
George Liu9ae226f2023-06-21 17:56:46 +0800443 "xyz.openbmc_project.User.PrivilegeMapperEntry",
Ed Tanousd02aad32024-02-13 14:43:34 -0800444 "Privilege",
445 std::format("RemoteRoleMapping/{}/LocalRole", index),
446 *localRole);
Ratan Gupta06785242019-07-26 22:30:16 +0530447 }
448 }
449 // Create a new RoleMapping Object.
450 else
451 {
Ed Tanous62598e32023-07-17 17:06:25 -0700452 BMCWEB_LOG_DEBUG(
453 "setRoleMappingProperties: Creating new Object");
Patrick Williams89492a12023-05-10 07:51:34 -0500454 std::string pathString = "RemoteRoleMapping/" +
455 std::to_string(index);
Ratan Gupta06785242019-07-26 22:30:16 +0530456
457 if (!localRole)
458 {
459 messages::propertyMissing(asyncResp->res,
460 pathString + "/LocalRole");
461 continue;
462 }
463 if (!remoteGroup)
464 {
465 messages::propertyMissing(asyncResp->res,
466 pathString + "/RemoteGroup");
467 continue;
468 }
469
470 std::string dbusObjectPath;
471 if (serverType == "ActiveDirectory")
472 {
Ed Tanous2c70f802020-09-28 14:29:23 -0700473 dbusObjectPath = adConfigObject;
Ratan Gupta06785242019-07-26 22:30:16 +0530474 }
475 else if (serverType == "LDAP")
476 {
Ed Tanous23a21a12020-07-25 04:45:05 +0000477 dbusObjectPath = ldapConfigObjectName;
Ratan Gupta06785242019-07-26 22:30:16 +0530478 }
479
Ed Tanous62598e32023-07-17 17:06:25 -0700480 BMCWEB_LOG_DEBUG("Remote Group={},LocalRole={}", *remoteGroup,
481 *localRole);
Ratan Gupta06785242019-07-26 22:30:16 +0530482
483 crow::connections::systemBus->async_method_call(
Ed Tanous271584a2019-07-09 16:24:22 -0700484 [asyncResp, serverType, localRole,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -0800485 remoteGroup](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700486 if (ec)
487 {
Ed Tanous62598e32023-07-17 17:06:25 -0700488 BMCWEB_LOG_ERROR("DBUS response error: {}", ec);
Ed Tanous002d39b2022-05-31 08:59:27 -0700489 messages::internalError(asyncResp->res);
490 return;
491 }
492 nlohmann::json& remoteRoleJson =
493 asyncResp->res
494 .jsonValue[serverType]["RemoteRoleMapping"];
495 nlohmann::json::object_t roleMapEntry;
496 roleMapEntry["LocalRole"] = *localRole;
497 roleMapEntry["RemoteGroup"] = *remoteGroup;
Patrick Williamsb2ba3072023-05-12 10:27:39 -0500498 remoteRoleJson.emplace_back(std::move(roleMapEntry));
Patrick Williams5a39f772023-10-20 11:20:21 -0500499 },
Ratan Gupta06785242019-07-26 22:30:16 +0530500 ldapDbusService, dbusObjectPath, ldapPrivMapperInterface,
Ed Tanous3174e4d2020-10-07 11:41:22 -0700501 "Create", *remoteGroup,
Ratan Gupta06785242019-07-26 22:30:16 +0530502 getPrivilegeFromRoleId(std::move(*localRole)));
503 }
504 }
505 }
506}
507
508/**
Ratan Gupta6973a582018-12-13 18:25:44 +0530509 * Function that retrieves all properties for LDAP config object
510 * into JSON
511 */
512template <typename CallbackFunc>
513inline void getLDAPConfigData(const std::string& ldapType,
514 CallbackFunc&& callback)
515{
George Liu2b731192023-01-11 16:27:13 +0800516 constexpr std::array<std::string_view, 2> interfaces = {
517 ldapEnableInterface, ldapConfigInterface};
Ratan Gupta6973a582018-12-13 18:25:44 +0530518
George Liu2b731192023-01-11 16:27:13 +0800519 dbus::utility::getDbusObject(
520 ldapConfigObjectName, interfaces,
Ed Tanous8cb2c022024-03-27 16:31:46 -0700521 [callback = std::forward<CallbackFunc>(callback),
Ed Tanousc1019822024-03-06 12:54:38 -0800522 ldapType](const boost::system::error_code& ec,
523 const dbus::utility::MapperGetObject& resp) mutable {
Ed Tanous002d39b2022-05-31 08:59:27 -0700524 if (ec || resp.empty())
525 {
Carson Labradobf2dded2023-08-10 00:37:06 +0000526 BMCWEB_LOG_WARNING(
Ed Tanous62598e32023-07-17 17:06:25 -0700527 "DBUS response error during getting of service name: {}", ec);
Ed Tanous002d39b2022-05-31 08:59:27 -0700528 LDAPConfigData empty{};
529 callback(false, empty, ldapType);
530 return;
531 }
532 std::string service = resp.begin()->first;
George Liu5eb468d2023-06-20 17:03:24 +0800533 sdbusplus::message::object_path path(ldapRootObject);
534 dbus::utility::getManagedObjects(
535 service, path,
Ed Tanousc1019822024-03-06 12:54:38 -0800536 [callback, ldapType](
537 const boost::system::error_code& ec2,
538 const dbus::utility::ManagedObjectType& ldapObjects) mutable {
Ed Tanous002d39b2022-05-31 08:59:27 -0700539 LDAPConfigData confData{};
Ed Tanous8b242752023-06-27 17:17:13 -0700540 if (ec2)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600541 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700542 callback(false, confData, ldapType);
Carson Labradobf2dded2023-08-10 00:37:06 +0000543 BMCWEB_LOG_WARNING("D-Bus responses error: {}", ec2);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600544 return;
545 }
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600546
Ed Tanous002d39b2022-05-31 08:59:27 -0700547 std::string ldapDbusType;
548 std::string searchString;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600549
Ed Tanous002d39b2022-05-31 08:59:27 -0700550 if (ldapType == "LDAP")
551 {
552 ldapDbusType =
553 "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap";
554 searchString = "openldap";
555 }
556 else if (ldapType == "ActiveDirectory")
557 {
558 ldapDbusType =
559 "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory";
560 searchString = "active_directory";
561 }
562 else
563 {
Ed Tanous62598e32023-07-17 17:06:25 -0700564 BMCWEB_LOG_ERROR("Can't get the DbusType for the given type={}",
565 ldapType);
Ed Tanous002d39b2022-05-31 08:59:27 -0700566 callback(false, confData, ldapType);
567 return;
568 }
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600569
Ed Tanous002d39b2022-05-31 08:59:27 -0700570 std::string ldapEnableInterfaceStr = ldapEnableInterface;
571 std::string ldapConfigInterfaceStr = ldapConfigInterface;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600572
Ed Tanous002d39b2022-05-31 08:59:27 -0700573 for (const auto& object : ldapObjects)
574 {
575 // let's find the object whose ldap type is equal to the
576 // given type
577 if (object.first.str.find(searchString) == std::string::npos)
578 {
579 continue;
580 }
581
582 for (const auto& interface : object.second)
583 {
584 if (interface.first == ldapEnableInterfaceStr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600585 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700586 // rest of the properties are string.
587 for (const auto& property : interface.second)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600588 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700589 if (property.first == "Enabled")
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600590 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700591 const bool* value =
592 std::get_if<bool>(&property.second);
593 if (value == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600594 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700595 continue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600596 }
Ed Tanous002d39b2022-05-31 08:59:27 -0700597 confData.serviceEnabled = *value;
598 break;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600599 }
600 }
601 }
Ed Tanous002d39b2022-05-31 08:59:27 -0700602 else if (interface.first == ldapConfigInterfaceStr)
603 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700604 for (const auto& property : interface.second)
605 {
606 const std::string* strValue =
607 std::get_if<std::string>(&property.second);
608 if (strValue == nullptr)
609 {
610 continue;
611 }
612 if (property.first == "LDAPServerURI")
613 {
614 confData.uri = *strValue;
615 }
616 else if (property.first == "LDAPBindDN")
617 {
618 confData.bindDN = *strValue;
619 }
620 else if (property.first == "LDAPBaseDN")
621 {
622 confData.baseDN = *strValue;
623 }
624 else if (property.first == "LDAPSearchScope")
625 {
626 confData.searchScope = *strValue;
627 }
628 else if (property.first == "GroupNameAttribute")
629 {
630 confData.groupAttribute = *strValue;
631 }
632 else if (property.first == "UserNameAttribute")
633 {
634 confData.userNameAttribute = *strValue;
635 }
636 else if (property.first == "LDAPType")
637 {
638 confData.serverType = *strValue;
639 }
640 }
641 }
642 else if (interface.first ==
643 "xyz.openbmc_project.User.PrivilegeMapperEntry")
644 {
645 LDAPRoleMapData roleMapData{};
646 for (const auto& property : interface.second)
647 {
648 const std::string* strValue =
649 std::get_if<std::string>(&property.second);
650
651 if (strValue == nullptr)
652 {
653 continue;
654 }
655
656 if (property.first == "GroupName")
657 {
658 roleMapData.groupName = *strValue;
659 }
660 else if (property.first == "Privilege")
661 {
662 roleMapData.privilege = *strValue;
663 }
664 }
665
666 confData.groupRoleList.emplace_back(object.first.str,
667 roleMapData);
668 }
669 }
670 }
671 callback(true, confData, ldapType);
George Liu2b731192023-01-11 16:27:13 +0800672 });
Patrick Williams5a39f772023-10-20 11:20:21 -0500673 });
Ratan Gupta6973a582018-12-13 18:25:44 +0530674}
675
Ed Tanous6c51eab2021-06-03 12:30:29 -0700676/**
Ed Tanous6c51eab2021-06-03 12:30:29 -0700677 * @brief updates the LDAP server address and updates the
678 json response with the new value.
679 * @param serviceAddressList address to be updated.
680 * @param asyncResp pointer to the JSON response
681 * @param ldapServerElementName Type of LDAP
682 server(openLDAP/ActiveDirectory)
683 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530684
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700685inline void handleServiceAddressPatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700686 const std::vector<std::string>& serviceAddressList,
687 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
688 const std::string& ldapServerElementName,
689 const std::string& ldapConfigObject)
690{
Ed Tanousd02aad32024-02-13 14:43:34 -0800691 setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject,
692 ldapConfigInterface, "LDAPServerURI",
693 ldapServerElementName + "/ServiceAddress",
694 serviceAddressList.front());
Ed Tanous6c51eab2021-06-03 12:30:29 -0700695}
696/**
697 * @brief updates the LDAP Bind DN and updates the
698 json response with the new value.
699 * @param username name of the user which needs to be updated.
700 * @param asyncResp pointer to the JSON response
701 * @param ldapServerElementName Type of LDAP
702 server(openLDAP/ActiveDirectory)
703 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530704
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700705inline void
706 handleUserNamePatch(const std::string& username,
707 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
708 const std::string& ldapServerElementName,
709 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700710{
Ed Tanousd02aad32024-02-13 14:43:34 -0800711 setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject,
712 ldapConfigInterface, "LDAPBindDN",
713 ldapServerElementName + "/Authentication/Username",
714 username);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700715}
716
717/**
718 * @brief updates the LDAP password
719 * @param password : ldap password which needs to be updated.
720 * @param asyncResp pointer to the JSON response
721 * @param ldapServerElementName Type of LDAP
722 * server(openLDAP/ActiveDirectory)
723 */
724
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700725inline void
726 handlePasswordPatch(const std::string& password,
727 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
728 const std::string& ldapServerElementName,
729 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700730{
Ed Tanousd02aad32024-02-13 14:43:34 -0800731 setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject,
732 ldapConfigInterface, "LDAPBindDNPassword",
733 ldapServerElementName + "/Authentication/Password",
734 password);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700735}
736
737/**
738 * @brief updates the LDAP BaseDN and updates the
739 json response with the new value.
740 * @param baseDNList baseDN list which needs to be updated.
741 * @param asyncResp pointer to the JSON response
742 * @param ldapServerElementName Type of LDAP
743 server(openLDAP/ActiveDirectory)
744 */
745
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700746inline void
747 handleBaseDNPatch(const std::vector<std::string>& baseDNList,
748 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
749 const std::string& ldapServerElementName,
750 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700751{
Ed Tanousd02aad32024-02-13 14:43:34 -0800752 setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject,
753 ldapConfigInterface, "LDAPBaseDN",
754 ldapServerElementName +
755 "/LDAPService/SearchSettings/BaseDistinguishedNames",
756 baseDNList.front());
Ed Tanous6c51eab2021-06-03 12:30:29 -0700757}
758/**
759 * @brief updates the LDAP user name attribute and updates the
760 json response with the new value.
761 * @param userNameAttribute attribute to be updated.
762 * @param asyncResp pointer to the JSON response
763 * @param ldapServerElementName Type of LDAP
764 server(openLDAP/ActiveDirectory)
765 */
766
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700767inline void
768 handleUserNameAttrPatch(const std::string& userNameAttribute,
769 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
770 const std::string& ldapServerElementName,
771 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700772{
Ed Tanousd02aad32024-02-13 14:43:34 -0800773 setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject,
774 ldapConfigInterface, "UserNameAttribute",
775 ldapServerElementName +
776 "LDAPService/SearchSettings/UsernameAttribute",
777 userNameAttribute);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700778}
779/**
780 * @brief updates the LDAP group attribute and updates the
781 json response with the new value.
782 * @param groupsAttribute attribute to be updated.
783 * @param asyncResp pointer to the JSON response
784 * @param ldapServerElementName Type of LDAP
785 server(openLDAP/ActiveDirectory)
786 */
787
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700788inline void handleGroupNameAttrPatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700789 const std::string& groupsAttribute,
790 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
791 const std::string& ldapServerElementName,
792 const std::string& ldapConfigObject)
793{
Ed Tanousd02aad32024-02-13 14:43:34 -0800794 setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject,
795 ldapConfigInterface, "GroupNameAttribute",
796 ldapServerElementName +
797 "/LDAPService/SearchSettings/GroupsAttribute",
798 groupsAttribute);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700799}
800/**
801 * @brief updates the LDAP service enable and updates the
802 json response with the new value.
803 * @param input JSON data.
804 * @param asyncResp pointer to the JSON response
805 * @param ldapServerElementName Type of LDAP
806 server(openLDAP/ActiveDirectory)
807 */
808
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700809inline void handleServiceEnablePatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700810 bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
811 const std::string& ldapServerElementName,
812 const std::string& ldapConfigObject)
813{
Ed Tanousd02aad32024-02-13 14:43:34 -0800814 setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject,
815 ldapEnableInterface, "Enabled",
816 ldapServerElementName + "/ServiceEnabled", serviceEnabled);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700817}
818
Ed Tanousc1019822024-03-06 12:54:38 -0800819struct AuthMethods
Ed Tanous6c51eab2021-06-03 12:30:29 -0700820{
821 std::optional<bool> basicAuth;
822 std::optional<bool> cookie;
823 std::optional<bool> sessionToken;
824 std::optional<bool> xToken;
825 std::optional<bool> tls;
Ed Tanousc1019822024-03-06 12:54:38 -0800826};
Ed Tanous6c51eab2021-06-03 12:30:29 -0700827
Ed Tanousc1019822024-03-06 12:54:38 -0800828inline void
829 handleAuthMethodsPatch(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
830 const AuthMethods& auth)
831{
832 persistent_data::AuthConfigMethods& authMethodsConfig =
Ed Tanous6c51eab2021-06-03 12:30:29 -0700833 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
834
Ed Tanousc1019822024-03-06 12:54:38 -0800835 if (auth.basicAuth)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700836 {
Ed Tanous25b54db2024-04-17 15:40:31 -0700837 if constexpr (!BMCWEB_BASIC_AUTH)
838 {
839 messages::actionNotSupported(
840 asyncResp->res,
841 "Setting BasicAuth when basic-auth feature is disabled");
842 return;
843 }
844
Ed Tanousc1019822024-03-06 12:54:38 -0800845 authMethodsConfig.basic = *auth.basicAuth;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700846 }
847
Ed Tanousc1019822024-03-06 12:54:38 -0800848 if (auth.cookie)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700849 {
Ed Tanous25b54db2024-04-17 15:40:31 -0700850 if constexpr (!BMCWEB_COOKIE_AUTH)
851 {
852 messages::actionNotSupported(
853 asyncResp->res,
854 "Setting Cookie when cookie-auth feature is disabled");
855 return;
856 }
Ed Tanousc1019822024-03-06 12:54:38 -0800857 authMethodsConfig.cookie = *auth.cookie;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700858 }
859
Ed Tanousc1019822024-03-06 12:54:38 -0800860 if (auth.sessionToken)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700861 {
Ed Tanous25b54db2024-04-17 15:40:31 -0700862 if constexpr (!BMCWEB_SESSION_AUTH)
863 {
864 messages::actionNotSupported(
865 asyncResp->res,
866 "Setting SessionToken when session-auth feature is disabled");
867 return;
868 }
Ed Tanousc1019822024-03-06 12:54:38 -0800869 authMethodsConfig.sessionToken = *auth.sessionToken;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700870 }
871
Ed Tanousc1019822024-03-06 12:54:38 -0800872 if (auth.xToken)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700873 {
Ed Tanous25b54db2024-04-17 15:40:31 -0700874 if constexpr (!BMCWEB_XTOKEN_AUTH)
875 {
876 messages::actionNotSupported(
877 asyncResp->res,
878 "Setting XToken when xtoken-auth feature is disabled");
879 return;
880 }
Ed Tanousc1019822024-03-06 12:54:38 -0800881 authMethodsConfig.xtoken = *auth.xToken;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700882 }
883
Ed Tanousc1019822024-03-06 12:54:38 -0800884 if (auth.tls)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700885 {
Ed Tanous25b54db2024-04-17 15:40:31 -0700886 if constexpr (!BMCWEB_MUTUAL_TLS_AUTH)
887 {
888 messages::actionNotSupported(
889 asyncResp->res,
890 "Setting TLS when mutual-tls-auth feature is disabled");
891 return;
892 }
Ed Tanousc1019822024-03-06 12:54:38 -0800893 authMethodsConfig.tls = *auth.tls;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700894 }
895
896 if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
897 !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
898 !authMethodsConfig.tls)
899 {
900 // Do not allow user to disable everything
901 messages::actionNotSupported(asyncResp->res,
902 "of disabling all available methods");
903 return;
904 }
905
906 persistent_data::SessionStore::getInstance().updateAuthMethodsConfig(
907 authMethodsConfig);
908 // Save configuration immediately
909 persistent_data::getConfig().writeData();
910
911 messages::success(asyncResp->res);
912}
913
914/**
915 * @brief Get the required values from the given JSON, validates the
916 * value and create the LDAP config object.
917 * @param input JSON data
918 * @param asyncResp pointer to the JSON response
919 * @param serverType Type of LDAP server(openLDAP/ActiveDirectory)
920 */
921
Ed Tanous10cb44f2024-04-11 13:05:20 -0700922struct LdapPatchParams
923{
924 std::optional<std::string> authType;
925 std::optional<std::vector<std::string>> serviceAddressList;
926 std::optional<bool> serviceEnabled;
927 std::optional<std::vector<std::string>> baseDNList;
928 std::optional<std::string> userNameAttribute;
929 std::optional<std::string> groupsAttribute;
930 std::optional<std::string> userName;
931 std::optional<std::string> password;
932 std::optional<
933 std::vector<std::variant<nlohmann::json::object_t, std::nullptr_t>>>
934 remoteRoleMapData;
935};
936
937inline void handleLDAPPatch(LdapPatchParams&& input,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700938 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
939 const std::string& serverType)
940{
941 std::string dbusObjectPath;
942 if (serverType == "ActiveDirectory")
943 {
944 dbusObjectPath = adConfigObject;
945 }
946 else if (serverType == "LDAP")
947 {
948 dbusObjectPath = ldapConfigObjectName;
949 }
950 else
951 {
Ed Tanous10cb44f2024-04-11 13:05:20 -0700952 BMCWEB_LOG_ERROR("serverType wasn't AD or LDAP but was {}????",
953 serverType);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700954 return;
955 }
956
Ed Tanous10cb44f2024-04-11 13:05:20 -0700957 if (input.authType && *input.authType != "UsernameAndPassword")
Ed Tanous6c51eab2021-06-03 12:30:29 -0700958 {
Ed Tanous10cb44f2024-04-11 13:05:20 -0700959 messages::propertyValueNotInList(asyncResp->res, *input.authType,
Ed Tanousc1019822024-03-06 12:54:38 -0800960 "AuthenticationType");
961 return;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700962 }
Ed Tanousc1019822024-03-06 12:54:38 -0800963
Ed Tanous10cb44f2024-04-11 13:05:20 -0700964 if (input.serviceAddressList)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700965 {
Ed Tanous10cb44f2024-04-11 13:05:20 -0700966 if (input.serviceAddressList->empty())
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530967 {
Ed Tanouse2616cc2022-06-27 12:45:55 -0700968 messages::propertyValueNotInList(
Ed Tanous10cb44f2024-04-11 13:05:20 -0700969 asyncResp->res, *input.serviceAddressList, "ServiceAddress");
Ed Tanouscb13a392020-07-25 19:02:03 +0000970 return;
971 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700972 }
Ed Tanous10cb44f2024-04-11 13:05:20 -0700973 if (input.baseDNList)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700974 {
Ed Tanous10cb44f2024-04-11 13:05:20 -0700975 if (input.baseDNList->empty())
Ratan Gupta8a07d282019-03-16 08:33:47 +0530976 {
Ed Tanous10cb44f2024-04-11 13:05:20 -0700977 messages::propertyValueNotInList(asyncResp->res, *input.baseDNList,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700978 "BaseDistinguishedNames");
Ratan Gupta8a07d282019-03-16 08:33:47 +0530979 return;
980 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700981 }
Ratan Gupta8a07d282019-03-16 08:33:47 +0530982
Ed Tanous6c51eab2021-06-03 12:30:29 -0700983 // nothing to update, then return
Ed Tanous10cb44f2024-04-11 13:05:20 -0700984 if (!input.userName && !input.password && !input.serviceAddressList &&
985 !input.baseDNList && !input.userNameAttribute &&
986 !input.groupsAttribute && !input.serviceEnabled &&
987 !input.remoteRoleMapData)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700988 {
989 return;
990 }
991
992 // Get the existing resource first then keep modifying
993 // whenever any property gets updated.
Ed Tanous10cb44f2024-04-11 13:05:20 -0700994 getLDAPConfigData(serverType,
995 [asyncResp, input = std::move(input),
996 dbusObjectPath = std::move(dbusObjectPath)](
997 bool success, const LDAPConfigData& confData,
998 const std::string& serverT) mutable {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700999 if (!success)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301000 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001001 messages::internalError(asyncResp->res);
1002 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +05301003 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001004 parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT);
1005 if (confData.serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301006 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001007 // Disable the service first and update the rest of
1008 // the properties.
1009 handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +05301010 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001011
Ed Tanous10cb44f2024-04-11 13:05:20 -07001012 if (input.serviceAddressList)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301013 {
Ed Tanous10cb44f2024-04-11 13:05:20 -07001014 handleServiceAddressPatch(*input.serviceAddressList, asyncResp,
1015 serverT, dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +05301016 }
Ed Tanous10cb44f2024-04-11 13:05:20 -07001017 if (input.userName)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001018 {
Ed Tanous10cb44f2024-04-11 13:05:20 -07001019 handleUserNamePatch(*input.userName, asyncResp, serverT,
1020 dbusObjectPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001021 }
Ed Tanous10cb44f2024-04-11 13:05:20 -07001022 if (input.password)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001023 {
Ed Tanous10cb44f2024-04-11 13:05:20 -07001024 handlePasswordPatch(*input.password, asyncResp, serverT,
1025 dbusObjectPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001026 }
1027
Ed Tanous10cb44f2024-04-11 13:05:20 -07001028 if (input.baseDNList)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301029 {
Ed Tanous10cb44f2024-04-11 13:05:20 -07001030 handleBaseDNPatch(*input.baseDNList, asyncResp, serverT,
1031 dbusObjectPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001032 }
Ed Tanous10cb44f2024-04-11 13:05:20 -07001033 if (input.userNameAttribute)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001034 {
Ed Tanous10cb44f2024-04-11 13:05:20 -07001035 handleUserNameAttrPatch(*input.userNameAttribute, asyncResp,
1036 serverT, dbusObjectPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001037 }
Ed Tanous10cb44f2024-04-11 13:05:20 -07001038 if (input.groupsAttribute)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001039 {
Ed Tanous10cb44f2024-04-11 13:05:20 -07001040 handleGroupNameAttrPatch(*input.groupsAttribute, asyncResp, serverT,
Ed Tanous6c51eab2021-06-03 12:30:29 -07001041 dbusObjectPath);
1042 }
Ed Tanous10cb44f2024-04-11 13:05:20 -07001043 if (input.serviceEnabled)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001044 {
1045 // if user has given the value as true then enable
1046 // the service. if user has given false then no-op
1047 // as service is already stopped.
Ed Tanous10cb44f2024-04-11 13:05:20 -07001048 if (*input.serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301049 {
Ed Tanous10cb44f2024-04-11 13:05:20 -07001050 handleServiceEnablePatch(*input.serviceEnabled, asyncResp,
1051 serverT, dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +05301052 }
1053 }
jayaprakash Mutyala96200602020-04-08 11:09:10 +00001054 else
1055 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001056 // if user has not given the service enabled value
1057 // then revert it to the same state as it was
1058 // before.
1059 handleServiceEnablePatch(confData.serviceEnabled, asyncResp,
1060 serverT, dbusObjectPath);
jayaprakash Mutyala96200602020-04-08 11:09:10 +00001061 }
Ed Tanous04ae99e2018-09-20 15:54:36 -07001062
Ed Tanous10cb44f2024-04-11 13:05:20 -07001063 if (input.remoteRoleMapData)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001064 {
1065 handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT,
Ed Tanous10cb44f2024-04-11 13:05:20 -07001066 *input.remoteRoleMapData);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001067 }
Patrick Williams5a39f772023-10-20 11:20:21 -05001068 });
Ed Tanous6c51eab2021-06-03 12:30:29 -07001069}
1070
Abhishek Patel58345852022-02-02 08:54:25 -06001071inline void updateUserProperties(
1072 std::shared_ptr<bmcweb::AsyncResp> asyncResp, const std::string& username,
1073 const std::optional<std::string>& password,
1074 const std::optional<bool>& enabled,
1075 const std::optional<std::string>& roleId, const std::optional<bool>& locked,
Ravi Tejae518ef32024-05-16 10:33:08 -05001076 std::optional<std::vector<std::string>> accountTypes, bool userSelf,
1077 const std::shared_ptr<persistent_data::UserSession>& session)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001078{
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +05301079 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1080 tempObjPath /= username;
1081 std::string dbusObjectPath(tempObjPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001082
1083 dbus::utility::checkDbusPathExists(
Ravi Tejae518ef32024-05-16 10:33:08 -05001084 dbusObjectPath,
1085 [dbusObjectPath, username, password, roleId, enabled, locked,
1086 accountTypes(std::move(accountTypes)), userSelf, session,
1087 asyncResp{std::move(asyncResp)}](int rc) {
Patrick Williams5a39f772023-10-20 11:20:21 -05001088 if (rc <= 0)
1089 {
1090 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1091 username);
1092 return;
1093 }
1094
1095 if (password)
1096 {
1097 int retval = pamUpdatePassword(username, *password);
1098
1099 if (retval == PAM_USER_UNKNOWN)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001100 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08001101 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1102 username);
Patrick Williams5a39f772023-10-20 11:20:21 -05001103 }
1104 else if (retval == PAM_AUTHTOK_ERR)
1105 {
1106 // If password is invalid
1107 messages::propertyValueFormatError(asyncResp->res, nullptr,
1108 "Password");
1109 BMCWEB_LOG_ERROR("pamUpdatePassword Failed");
1110 }
1111 else if (retval != PAM_SUCCESS)
1112 {
1113 messages::internalError(asyncResp->res);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001114 return;
1115 }
Patrick Williams5a39f772023-10-20 11:20:21 -05001116 else
Ed Tanous618c14b2022-06-30 17:44:25 -07001117 {
Ravi Tejae518ef32024-05-16 10:33:08 -05001118 // Remove existing sessions of the user when password changed
1119 persistent_data::SessionStore::getInstance()
1120 .removeSessionsByUsernameExceptSession(username, session);
Patrick Williams5a39f772023-10-20 11:20:21 -05001121 messages::success(asyncResp->res);
Ed Tanous618c14b2022-06-30 17:44:25 -07001122 }
Patrick Williams5a39f772023-10-20 11:20:21 -05001123 }
Ed Tanous618c14b2022-06-30 17:44:25 -07001124
Patrick Williams5a39f772023-10-20 11:20:21 -05001125 if (enabled)
1126 {
Ed Tanousd02aad32024-02-13 14:43:34 -08001127 setDbusProperty(asyncResp, "xyz.openbmc_project.User.Manager",
1128 dbusObjectPath,
1129 "xyz.openbmc_project.User.Attributes",
1130 "UserEnabled", "Enabled", *enabled);
Patrick Williams5a39f772023-10-20 11:20:21 -05001131 }
1132
1133 if (roleId)
1134 {
1135 std::string priv = getPrivilegeFromRoleId(*roleId);
1136 if (priv.empty())
1137 {
1138 messages::propertyValueNotInList(asyncResp->res, true,
1139 "Locked");
1140 return;
Ed Tanous618c14b2022-06-30 17:44:25 -07001141 }
Ed Tanousd02aad32024-02-13 14:43:34 -08001142 setDbusProperty(asyncResp, "xyz.openbmc_project.User.Manager",
1143 dbusObjectPath,
1144 "xyz.openbmc_project.User.Attributes",
1145 "UserPrivilege", "RoleId", priv);
Patrick Williams5a39f772023-10-20 11:20:21 -05001146 }
1147
1148 if (locked)
1149 {
1150 // admin can unlock the account which is locked by
1151 // successive authentication failures but admin should
1152 // not be allowed to lock an account.
1153 if (*locked)
Abhishek Patel58345852022-02-02 08:54:25 -06001154 {
Patrick Williams5a39f772023-10-20 11:20:21 -05001155 messages::propertyValueNotInList(asyncResp->res, "true",
1156 "Locked");
1157 return;
Abhishek Patel58345852022-02-02 08:54:25 -06001158 }
Ed Tanousd02aad32024-02-13 14:43:34 -08001159 setDbusProperty(asyncResp, "xyz.openbmc_project.User.Manager",
1160 dbusObjectPath,
1161 "xyz.openbmc_project.User.Attributes",
1162 "UserLockedForFailedAttempt", "Locked", *locked);
Patrick Williams5a39f772023-10-20 11:20:21 -05001163 }
1164
1165 if (accountTypes)
1166 {
1167 patchAccountTypes(*accountTypes, asyncResp, dbusObjectPath,
1168 userSelf);
1169 }
1170 });
Ed Tanous6c51eab2021-06-03 12:30:29 -07001171}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -07001172
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001173inline void handleAccountServiceHead(
1174 App& app, const crow::Request& req,
1175 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001176{
1177 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1178 {
1179 return;
1180 }
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001181 asyncResp->res.addHeader(
1182 boost::beast::http::field::link,
1183 "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby");
1184}
1185
1186inline void
Ed Tanous1aa375b2024-04-13 11:51:10 -07001187 getClientCertificates(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1188 const nlohmann::json::json_pointer& keyLocation)
1189{
1190 boost::urls::url url(
1191 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates");
1192 std::array<std::string_view, 1> interfaces = {
1193 "xyz.openbmc_project.Certs.Certificate"};
1194 std::string path = "/xyz/openbmc_project/certs/authority/truststore";
1195
1196 collection_util::getCollectionToKey(asyncResp, url, interfaces, path,
1197 keyLocation);
1198}
1199
1200inline void handleAccountServiceClientCertificatesInstanceHead(
1201 App& app, const crow::Request& req,
1202 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1203 const std::string& /*id*/)
1204{
1205 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1206 {
1207 return;
1208 }
1209
1210 asyncResp->res.addHeader(
1211 boost::beast::http::field::link,
1212 "</redfish/v1/JsonSchemas/Certificate/Certificate.json>; rel=describedby");
1213}
1214
1215inline void handleAccountServiceClientCertificatesInstanceGet(
1216 App& app, const crow::Request& req,
1217 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, const std::string& id)
1218{
1219 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1220 {
1221 return;
1222 }
1223 BMCWEB_LOG_DEBUG("ClientCertificate Certificate ID={}", id);
1224 const boost::urls::url certURL = boost::urls::format(
1225 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/{}",
1226 id);
1227 std::string objPath =
1228 sdbusplus::message::object_path(certs::authorityObjectPath) / id;
1229 getCertificateProperties(
1230 asyncResp, objPath,
1231 "xyz.openbmc_project.Certs.Manager.Authority.Truststore", id, certURL,
1232 "Client Certificate");
1233}
1234
1235inline void handleAccountServiceClientCertificatesHead(
1236 App& app, const crow::Request& req,
1237 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1238{
1239 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1240 {
1241 return;
1242 }
1243
1244 asyncResp->res.addHeader(
1245 boost::beast::http::field::link,
1246 "</redfish/v1/JsonSchemas/CertificateCollection/CertificateCollection.json>; rel=describedby");
1247}
1248
1249inline void handleAccountServiceClientCertificatesGet(
1250 App& app, const crow::Request& req,
1251 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1252{
1253 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1254 {
1255 return;
1256 }
1257 getClientCertificates(asyncResp, "/Members"_json_pointer);
1258}
1259
1260inline void
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001261 handleAccountServiceGet(App& app, const crow::Request& req,
1262 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1263{
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001264 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1265 {
1266 return;
1267 }
Ninad Palsule3e72c202023-03-27 17:19:55 -05001268
1269 if (req.session == nullptr)
1270 {
1271 messages::internalError(asyncResp->res);
1272 return;
1273 }
1274
Ed Tanousc1019822024-03-06 12:54:38 -08001275 const persistent_data::AuthConfigMethods& authMethodsConfig =
1276 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
1277
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001278 asyncResp->res.addHeader(
1279 boost::beast::http::field::link,
1280 "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby");
1281
Ed Tanous1ef4c342022-05-12 16:12:36 -07001282 nlohmann::json& json = asyncResp->res.jsonValue;
1283 json["@odata.id"] = "/redfish/v1/AccountService";
Ravi Teja482a69e2024-04-22 06:56:13 -05001284 json["@odata.type"] = "#AccountService.v1_15_0.AccountService";
Ed Tanous1ef4c342022-05-12 16:12:36 -07001285 json["Id"] = "AccountService";
1286 json["Name"] = "Account Service";
1287 json["Description"] = "Account Service";
1288 json["ServiceEnabled"] = true;
1289 json["MaxPasswordLength"] = 20;
1290 json["Accounts"]["@odata.id"] = "/redfish/v1/AccountService/Accounts";
1291 json["Roles"]["@odata.id"] = "/redfish/v1/AccountService/Roles";
Ravi Teja482a69e2024-04-22 06:56:13 -05001292 json["HTTPBasicAuth"] = authMethodsConfig.basic
1293 ? account_service::BasicAuthState::Enabled
1294 : account_service::BasicAuthState::Disabled;
1295
1296 nlohmann::json::array_t allowed;
1297 allowed.emplace_back(account_service::BasicAuthState::Enabled);
1298 allowed.emplace_back(account_service::BasicAuthState::Disabled);
1299 json["HTTPBasicAuth@AllowableValues"] = std::move(allowed);
1300
Ed Tanous1aa375b2024-04-13 11:51:10 -07001301 nlohmann::json::object_t clientCertificate;
1302 clientCertificate["Enabled"] = authMethodsConfig.tls;
1303 clientCertificate["RespondToUnauthenticatedClients"] = true;
1304 clientCertificate["CertificateMappingAttribute"] =
1305 account_service::CertificateMappingAttribute::CommonName;
1306 nlohmann::json::object_t certificates;
1307 certificates["@odata.id"] =
1308 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates";
1309 certificates["@odata.type"] =
1310 "#CertificateCollection.CertificateCollection";
1311 clientCertificate["Certificates"] = std::move(certificates);
1312 json["MultiFactorAuth"]["ClientCertificate"] = std::move(clientCertificate);
1313
1314 getClientCertificates(
1315 asyncResp,
1316 "/MultiFactorAuth/ClientCertificate/Certificates/Members"_json_pointer);
1317
Ed Tanous1ef4c342022-05-12 16:12:36 -07001318 json["Oem"]["OpenBMC"]["@odata.type"] =
Ed Tanous5b5574a2022-09-26 19:53:36 -07001319 "#OpenBMCAccountService.v1_0_0.AccountService";
Ed Tanous1ef4c342022-05-12 16:12:36 -07001320 json["Oem"]["OpenBMC"]["@odata.id"] =
1321 "/redfish/v1/AccountService#/Oem/OpenBMC";
1322 json["Oem"]["OpenBMC"]["AuthMethods"]["BasicAuth"] =
1323 authMethodsConfig.basic;
1324 json["Oem"]["OpenBMC"]["AuthMethods"]["SessionToken"] =
1325 authMethodsConfig.sessionToken;
1326 json["Oem"]["OpenBMC"]["AuthMethods"]["XToken"] = authMethodsConfig.xtoken;
1327 json["Oem"]["OpenBMC"]["AuthMethods"]["Cookie"] = authMethodsConfig.cookie;
1328 json["Oem"]["OpenBMC"]["AuthMethods"]["TLS"] = authMethodsConfig.tls;
1329
1330 // /redfish/v1/AccountService/LDAP/Certificates is something only
1331 // ConfigureManager can access then only display when the user has
1332 // permissions ConfigureManager
1333 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05001334 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001335
1336 if (isOperationAllowedWithPrivileges({{"ConfigureManager"}},
1337 effectiveUserPrivileges))
1338 {
1339 asyncResp->res.jsonValue["LDAP"]["Certificates"]["@odata.id"] =
1340 "/redfish/v1/AccountService/LDAP/Certificates";
1341 }
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001342 sdbusplus::asio::getAllProperties(
1343 *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1344 "/xyz/openbmc_project/user", "xyz.openbmc_project.User.AccountPolicy",
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001345 [asyncResp](const boost::system::error_code& ec,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001346 const dbus::utility::DBusPropertiesMap& propertiesList) {
1347 if (ec)
1348 {
1349 messages::internalError(asyncResp->res);
1350 return;
1351 }
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001352
Ed Tanous1aa375b2024-04-13 11:51:10 -07001353 BMCWEB_LOG_DEBUG("Got {} properties for AccountService",
Ed Tanous62598e32023-07-17 17:06:25 -07001354 propertiesList.size());
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001355
1356 const uint8_t* minPasswordLength = nullptr;
1357 const uint32_t* accountUnlockTimeout = nullptr;
1358 const uint16_t* maxLoginAttemptBeforeLockout = nullptr;
1359
1360 const bool success = sdbusplus::unpackPropertiesNoThrow(
1361 dbus_utils::UnpackErrorPrinter(), propertiesList,
1362 "MinPasswordLength", minPasswordLength, "AccountUnlockTimeout",
1363 accountUnlockTimeout, "MaxLoginAttemptBeforeLockout",
1364 maxLoginAttemptBeforeLockout);
1365
1366 if (!success)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001367 {
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001368 messages::internalError(asyncResp->res);
1369 return;
Ed Tanous1ef4c342022-05-12 16:12:36 -07001370 }
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001371
1372 if (minPasswordLength != nullptr)
1373 {
1374 asyncResp->res.jsonValue["MinPasswordLength"] = *minPasswordLength;
1375 }
1376
1377 if (accountUnlockTimeout != nullptr)
1378 {
1379 asyncResp->res.jsonValue["AccountLockoutDuration"] =
1380 *accountUnlockTimeout;
1381 }
1382
1383 if (maxLoginAttemptBeforeLockout != nullptr)
1384 {
1385 asyncResp->res.jsonValue["AccountLockoutThreshold"] =
1386 *maxLoginAttemptBeforeLockout;
1387 }
Patrick Williams5a39f772023-10-20 11:20:21 -05001388 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001389
Ed Tanous02cad962022-06-30 16:50:15 -07001390 auto callback = [asyncResp](bool success, const LDAPConfigData& confData,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001391 const std::string& ldapType) {
1392 if (!success)
1393 {
1394 return;
1395 }
1396 parseLDAPConfigData(asyncResp->res.jsonValue, confData, ldapType);
1397 };
1398
1399 getLDAPConfigData("LDAP", callback);
1400 getLDAPConfigData("ActiveDirectory", callback);
1401}
1402
1403inline void handleAccountServicePatch(
1404 App& app, const crow::Request& req,
1405 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1406{
1407 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1408 {
1409 return;
1410 }
1411 std::optional<uint32_t> unlockTimeout;
1412 std::optional<uint16_t> lockoutThreshold;
1413 std::optional<uint8_t> minPasswordLength;
1414 std::optional<uint16_t> maxPasswordLength;
Ed Tanous10cb44f2024-04-11 13:05:20 -07001415 LdapPatchParams ldapObject;
1416 LdapPatchParams activeDirectoryObject;
Ed Tanousc1019822024-03-06 12:54:38 -08001417 AuthMethods auth;
Ravi Teja482a69e2024-04-22 06:56:13 -05001418 std::optional<std::string> httpBasicAuth;
Ed Tanousc1019822024-03-06 12:54:38 -08001419 // clang-format off
Ed Tanous1ef4c342022-05-12 16:12:36 -07001420 if (!json_util::readJsonPatch(
Ed Tanousc1019822024-03-06 12:54:38 -08001421 req, asyncResp->res,
1422 "AccountLockoutDuration", unlockTimeout,
1423 "AccountLockoutThreshold", lockoutThreshold,
Ed Tanous10cb44f2024-04-11 13:05:20 -07001424 "ActiveDirectory/Authentication/AuthenticationType", activeDirectoryObject.authType,
1425 "ActiveDirectory/Authentication/Password", activeDirectoryObject.password,
1426 "ActiveDirectory/Authentication/Username", activeDirectoryObject.userName,
1427 "ActiveDirectory/LDAPService/SearchSettings/BaseDistinguishedNames", activeDirectoryObject.baseDNList,
1428 "ActiveDirectory/LDAPService/SearchSettings/GroupsAttribute", activeDirectoryObject.groupsAttribute,
1429 "ActiveDirectory/LDAPService/SearchSettings/UsernameAttribute", activeDirectoryObject.userNameAttribute,
1430 "ActiveDirectory/RemoteRoleMapping", activeDirectoryObject.remoteRoleMapData,
1431 "ActiveDirectory/ServiceAddresses", activeDirectoryObject.serviceAddressList,
1432 "ActiveDirectory/ServiceEnabled", activeDirectoryObject.serviceEnabled,
1433 "LDAP/Authentication/AuthenticationType", ldapObject.authType,
1434 "LDAP/Authentication/Password", ldapObject.password,
1435 "LDAP/Authentication/Username", ldapObject.userName,
1436 "LDAP/LDAPService/SearchSettings/BaseDistinguishedNames", ldapObject.baseDNList,
1437 "LDAP/LDAPService/SearchSettings/GroupsAttribute", ldapObject.groupsAttribute,
1438 "LDAP/LDAPService/SearchSettings/UsernameAttribute", ldapObject.userNameAttribute,
1439 "LDAP/RemoteRoleMapping", ldapObject.remoteRoleMapData,
1440 "LDAP/ServiceAddresses", ldapObject.serviceAddressList,
1441 "LDAP/ServiceEnabled", ldapObject.serviceEnabled,
Ed Tanousc1019822024-03-06 12:54:38 -08001442 "MaxPasswordLength", maxPasswordLength,
1443 "MinPasswordLength", minPasswordLength,
Ed Tanousc1019822024-03-06 12:54:38 -08001444 "Oem/OpenBMC/AuthMethods/BasicAuth", auth.basicAuth,
1445 "Oem/OpenBMC/AuthMethods/Cookie", auth.cookie,
1446 "Oem/OpenBMC/AuthMethods/SessionToken", auth.sessionToken,
Ed Tanous10cb44f2024-04-11 13:05:20 -07001447 "Oem/OpenBMC/AuthMethods/TLS", auth.tls,
Ravi Teja482a69e2024-04-22 06:56:13 -05001448 "Oem/OpenBMC/AuthMethods/XToken", auth.xToken,
1449 "HTTPBasicAuth", httpBasicAuth))
Ed Tanous1ef4c342022-05-12 16:12:36 -07001450 {
1451 return;
1452 }
Ed Tanousc1019822024-03-06 12:54:38 -08001453 // clang-format on
Ed Tanous1ef4c342022-05-12 16:12:36 -07001454
Ravi Teja482a69e2024-04-22 06:56:13 -05001455 if (httpBasicAuth)
1456 {
1457 if (*httpBasicAuth == "Enabled")
1458 {
1459 auth.basicAuth = true;
1460 }
1461 else if (*httpBasicAuth == "Disabled")
1462 {
1463 auth.basicAuth = false;
1464 }
1465 else
1466 {
1467 messages::propertyValueNotInList(asyncResp->res, "HttpBasicAuth",
1468 *httpBasicAuth);
1469 }
1470 }
1471
Ed Tanous1ef4c342022-05-12 16:12:36 -07001472 if (minPasswordLength)
1473 {
Ed Tanousd02aad32024-02-13 14:43:34 -08001474 setDbusProperty(
1475 asyncResp, "xyz.openbmc_project.User.Manager",
1476 sdbusplus::message::object_path("/xyz/openbmc_project/user"),
George Liu9ae226f2023-06-21 17:56:46 +08001477 "xyz.openbmc_project.User.AccountPolicy", "MinPasswordLength",
Ed Tanousd02aad32024-02-13 14:43:34 -08001478 "MinPasswordLength", *minPasswordLength);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001479 }
1480
1481 if (maxPasswordLength)
1482 {
1483 messages::propertyNotWritable(asyncResp->res, "MaxPasswordLength");
1484 }
1485
Ed Tanous10cb44f2024-04-11 13:05:20 -07001486 handleLDAPPatch(std::move(activeDirectoryObject), asyncResp,
1487 "ActiveDirectory");
1488 handleLDAPPatch(std::move(ldapObject), asyncResp, "LDAP");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001489
Ed Tanousc1019822024-03-06 12:54:38 -08001490 handleAuthMethodsPatch(asyncResp, auth);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001491
Ed Tanous1ef4c342022-05-12 16:12:36 -07001492 if (unlockTimeout)
1493 {
Ed Tanousd02aad32024-02-13 14:43:34 -08001494 setDbusProperty(
1495 asyncResp, "xyz.openbmc_project.User.Manager",
1496 sdbusplus::message::object_path("/xyz/openbmc_project/user"),
Ed Tanous1ef4c342022-05-12 16:12:36 -07001497 "xyz.openbmc_project.User.AccountPolicy", "AccountUnlockTimeout",
Ed Tanousd02aad32024-02-13 14:43:34 -08001498 "AccountLockoutDuration", *unlockTimeout);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001499 }
1500 if (lockoutThreshold)
1501 {
Ed Tanousd02aad32024-02-13 14:43:34 -08001502 setDbusProperty(
1503 asyncResp, "xyz.openbmc_project.User.Manager",
1504 sdbusplus::message::object_path("/xyz/openbmc_project/user"),
George Liu9ae226f2023-06-21 17:56:46 +08001505 "xyz.openbmc_project.User.AccountPolicy",
Ed Tanousd02aad32024-02-13 14:43:34 -08001506 "MaxLoginAttemptBeforeLockout", "AccountLockoutThreshold",
1507 *lockoutThreshold);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001508 }
1509}
1510
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001511inline void handleAccountCollectionHead(
Ed Tanous1ef4c342022-05-12 16:12:36 -07001512 App& app, const crow::Request& req,
1513 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1514{
1515 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1516 {
1517 return;
1518 }
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001519 asyncResp->res.addHeader(
1520 boost::beast::http::field::link,
1521 "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby");
1522}
1523
1524inline void handleAccountCollectionGet(
1525 App& app, const crow::Request& req,
1526 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1527{
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001528 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1529 {
1530 return;
1531 }
Ninad Palsule3e72c202023-03-27 17:19:55 -05001532
1533 if (req.session == nullptr)
1534 {
1535 messages::internalError(asyncResp->res);
1536 return;
1537 }
1538
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001539 asyncResp->res.addHeader(
1540 boost::beast::http::field::link,
1541 "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001542
1543 asyncResp->res.jsonValue["@odata.id"] =
1544 "/redfish/v1/AccountService/Accounts";
1545 asyncResp->res.jsonValue["@odata.type"] = "#ManagerAccountCollection."
1546 "ManagerAccountCollection";
1547 asyncResp->res.jsonValue["Name"] = "Accounts Collection";
1548 asyncResp->res.jsonValue["Description"] = "BMC User Accounts";
1549
1550 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05001551 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001552
1553 std::string thisUser;
1554 if (req.session)
1555 {
1556 thisUser = req.session->username;
1557 }
George Liu5eb468d2023-06-20 17:03:24 +08001558 sdbusplus::message::object_path path("/xyz/openbmc_project/user");
1559 dbus::utility::getManagedObjects(
1560 "xyz.openbmc_project.User.Manager", path,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001561 [asyncResp, thisUser, effectiveUserPrivileges](
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001562 const boost::system::error_code& ec,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001563 const dbus::utility::ManagedObjectType& users) {
1564 if (ec)
1565 {
1566 messages::internalError(asyncResp->res);
1567 return;
1568 }
1569
1570 bool userCanSeeAllAccounts =
1571 effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"});
1572
1573 bool userCanSeeSelf =
1574 effectiveUserPrivileges.isSupersetOf({"ConfigureSelf"});
1575
1576 nlohmann::json& memberArray = asyncResp->res.jsonValue["Members"];
1577 memberArray = nlohmann::json::array();
1578
1579 for (const auto& userpath : users)
1580 {
1581 std::string user = userpath.first.filename();
1582 if (user.empty())
1583 {
1584 messages::internalError(asyncResp->res);
Ed Tanous62598e32023-07-17 17:06:25 -07001585 BMCWEB_LOG_ERROR("Invalid firmware ID");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001586
1587 return;
1588 }
1589
1590 // As clarified by Redfish here:
1591 // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration
1592 // Users without ConfigureUsers, only see their own
1593 // account. Users with ConfigureUsers, see all
1594 // accounts.
1595 if (userCanSeeAllAccounts || (thisUser == user && userCanSeeSelf))
1596 {
1597 nlohmann::json::object_t member;
Ed Tanous3b327802023-08-14 09:23:43 -07001598 member["@odata.id"] = boost::urls::format(
1599 "/redfish/v1/AccountService/Accounts/{}", user);
Patrick Williamsb2ba3072023-05-12 10:27:39 -05001600 memberArray.emplace_back(std::move(member));
Ed Tanous1ef4c342022-05-12 16:12:36 -07001601 }
1602 }
1603 asyncResp->res.jsonValue["Members@odata.count"] = memberArray.size();
Patrick Williams5a39f772023-10-20 11:20:21 -05001604 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001605}
1606
Ninad Palsule97e90da2023-05-17 14:04:52 -05001607inline void processAfterCreateUser(
1608 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1609 const std::string& username, const std::string& password,
1610 const boost::system::error_code& ec, sdbusplus::message_t& m)
1611{
1612 if (ec)
1613 {
1614 userErrorMessageHandler(m.get_error(), asyncResp, username, "");
1615 return;
1616 }
1617
1618 if (pamUpdatePassword(username, password) != PAM_SUCCESS)
1619 {
1620 // At this point we have a user that's been
1621 // created, but the password set
1622 // failed.Something is wrong, so delete the user
1623 // that we've already created
1624 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1625 tempObjPath /= username;
1626 const std::string userPath(tempObjPath);
1627
1628 crow::connections::systemBus->async_method_call(
1629 [asyncResp, password](const boost::system::error_code& ec3) {
1630 if (ec3)
1631 {
1632 messages::internalError(asyncResp->res);
1633 return;
1634 }
1635
1636 // If password is invalid
Jason M. Bills9bd80832023-08-30 15:19:41 -07001637 messages::propertyValueFormatError(asyncResp->res, nullptr,
Ninad Palsule97e90da2023-05-17 14:04:52 -05001638 "Password");
Patrick Williams5a39f772023-10-20 11:20:21 -05001639 },
Ninad Palsule97e90da2023-05-17 14:04:52 -05001640 "xyz.openbmc_project.User.Manager", userPath,
1641 "xyz.openbmc_project.Object.Delete", "Delete");
1642
Ed Tanous62598e32023-07-17 17:06:25 -07001643 BMCWEB_LOG_ERROR("pamUpdatePassword Failed");
Ninad Palsule97e90da2023-05-17 14:04:52 -05001644 return;
1645 }
1646
1647 messages::created(asyncResp->res);
1648 asyncResp->res.addHeader("Location",
1649 "/redfish/v1/AccountService/Accounts/" + username);
1650}
1651
1652inline void processAfterGetAllGroups(
1653 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1654 const std::string& username, const std::string& password,
Ed Tanouse01d0c32023-06-30 13:21:32 -07001655 const std::string& roleId, bool enabled,
Ninad Palsule9ba73932023-06-01 16:38:57 -05001656 std::optional<std::vector<std::string>> accountTypes,
Ninad Palsule97e90da2023-05-17 14:04:52 -05001657 const std::vector<std::string>& allGroupsList)
Ninad Palsule97e90da2023-05-17 14:04:52 -05001658{
Ninad Palsule3e72c202023-03-27 17:19:55 -05001659 std::vector<std::string> userGroups;
Ninad Palsule9ba73932023-06-01 16:38:57 -05001660 std::vector<std::string> accountTypeUserGroups;
1661
1662 // If user specified account types then convert them to unix user groups
1663 if (accountTypes)
1664 {
1665 if (!getUserGroupFromAccountType(asyncResp->res, *accountTypes,
1666 accountTypeUserGroups))
1667 {
1668 // Problem in mapping Account Types to User Groups, Error already
1669 // logged.
1670 return;
1671 }
1672 }
1673
Ninad Palsule3e72c202023-03-27 17:19:55 -05001674 for (const auto& grp : allGroupsList)
1675 {
Ninad Palsule9ba73932023-06-01 16:38:57 -05001676 // If user specified the account type then only accept groups which are
1677 // in the account types group list.
1678 if (!accountTypeUserGroups.empty())
1679 {
1680 bool found = false;
1681 for (const auto& grp1 : accountTypeUserGroups)
1682 {
1683 if (grp == grp1)
1684 {
1685 found = true;
1686 break;
1687 }
1688 }
1689 if (!found)
1690 {
1691 continue;
1692 }
1693 }
1694
Ninad Palsule3e72c202023-03-27 17:19:55 -05001695 // Console access is provided to the user who is a member of
1696 // hostconsole group and has a administrator role. So, set
1697 // hostconsole group only for the administrator.
Ninad Palsule9ba73932023-06-01 16:38:57 -05001698 if ((grp == "hostconsole") && (roleId != "priv-admin"))
Ninad Palsule3e72c202023-03-27 17:19:55 -05001699 {
Ninad Palsule9ba73932023-06-01 16:38:57 -05001700 if (!accountTypeUserGroups.empty())
1701 {
Ed Tanous62598e32023-07-17 17:06:25 -07001702 BMCWEB_LOG_ERROR(
1703 "Only administrator can get HostConsole access");
Ninad Palsule9ba73932023-06-01 16:38:57 -05001704 asyncResp->res.result(boost::beast::http::status::bad_request);
1705 return;
1706 }
1707 continue;
Ninad Palsule3e72c202023-03-27 17:19:55 -05001708 }
Ninad Palsule9ba73932023-06-01 16:38:57 -05001709 userGroups.emplace_back(grp);
1710 }
1711
1712 // Make sure user specified groups are valid. This is internal error because
1713 // it some inconsistencies between user manager and bmcweb.
1714 if (!accountTypeUserGroups.empty() &&
1715 accountTypeUserGroups.size() != userGroups.size())
1716 {
1717 messages::internalError(asyncResp->res);
1718 return;
Ninad Palsule3e72c202023-03-27 17:19:55 -05001719 }
Ninad Palsule97e90da2023-05-17 14:04:52 -05001720 crow::connections::systemBus->async_method_call(
1721 [asyncResp, username, password](const boost::system::error_code& ec2,
1722 sdbusplus::message_t& m) {
1723 processAfterCreateUser(asyncResp, username, password, ec2, m);
Patrick Williams5a39f772023-10-20 11:20:21 -05001724 },
Ninad Palsule97e90da2023-05-17 14:04:52 -05001725 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
Ninad Palsule3e72c202023-03-27 17:19:55 -05001726 "xyz.openbmc_project.User.Manager", "CreateUser", username, userGroups,
Ed Tanouse01d0c32023-06-30 13:21:32 -07001727 roleId, enabled);
Ninad Palsule97e90da2023-05-17 14:04:52 -05001728}
1729
Ed Tanous1ef4c342022-05-12 16:12:36 -07001730inline void handleAccountCollectionPost(
1731 App& app, const crow::Request& req,
1732 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1733{
1734 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1735 {
1736 return;
1737 }
1738 std::string username;
1739 std::string password;
Ed Tanouse01d0c32023-06-30 13:21:32 -07001740 std::optional<std::string> roleIdJson;
1741 std::optional<bool> enabledJson;
Ninad Palsule9ba73932023-06-01 16:38:57 -05001742 std::optional<std::vector<std::string>> accountTypes;
Ed Tanouse01d0c32023-06-30 13:21:32 -07001743 if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", username,
1744 "Password", password, "RoleId", roleIdJson,
1745 "Enabled", enabledJson, "AccountTypes",
1746 accountTypes))
Ed Tanous1ef4c342022-05-12 16:12:36 -07001747 {
1748 return;
1749 }
1750
Ed Tanouse01d0c32023-06-30 13:21:32 -07001751 std::string roleId = roleIdJson.value_or("User");
1752 std::string priv = getPrivilegeFromRoleId(roleId);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001753 if (priv.empty())
1754 {
Ed Tanouse01d0c32023-06-30 13:21:32 -07001755 messages::propertyValueNotInList(asyncResp->res, roleId, "RoleId");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001756 return;
1757 }
Asmitha Karunanithi239adf82022-03-25 02:59:03 -05001758 roleId = priv;
Ed Tanous1ef4c342022-05-12 16:12:36 -07001759
Ed Tanouse01d0c32023-06-30 13:21:32 -07001760 bool enabled = enabledJson.value_or(true);
1761
Ed Tanous1ef4c342022-05-12 16:12:36 -07001762 // Reading AllGroups property
1763 sdbusplus::asio::getProperty<std::vector<std::string>>(
1764 *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1765 "/xyz/openbmc_project/user", "xyz.openbmc_project.User.Manager",
1766 "AllGroups",
Ninad Palsule9ba73932023-06-01 16:38:57 -05001767 [asyncResp, username, password{std::move(password)}, roleId, enabled,
1768 accountTypes](const boost::system::error_code& ec,
1769 const std::vector<std::string>& allGroupsList) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07001770 if (ec)
1771 {
Ed Tanous62598e32023-07-17 17:06:25 -07001772 BMCWEB_LOG_DEBUG("ERROR with async_method_call");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001773 messages::internalError(asyncResp->res);
1774 return;
1775 }
1776
1777 if (allGroupsList.empty())
1778 {
1779 messages::internalError(asyncResp->res);
1780 return;
1781 }
1782
Ninad Palsule97e90da2023-05-17 14:04:52 -05001783 processAfterGetAllGroups(asyncResp, username, password, roleId, enabled,
Ninad Palsule9ba73932023-06-01 16:38:57 -05001784 accountTypes, allGroupsList);
Patrick Williams5a39f772023-10-20 11:20:21 -05001785 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001786}
1787
1788inline void
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001789 handleAccountHead(App& app, const crow::Request& req,
1790 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1791 const std::string& /*accountName*/)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001792{
1793 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1794 {
1795 return;
1796 }
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001797 asyncResp->res.addHeader(
1798 boost::beast::http::field::link,
1799 "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby");
1800}
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001801
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001802inline void
1803 handleAccountGet(App& app, const crow::Request& req,
1804 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1805 const std::string& accountName)
1806{
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001807 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1808 {
1809 return;
1810 }
1811 asyncResp->res.addHeader(
1812 boost::beast::http::field::link,
1813 "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby");
1814
Ed Tanous25b54db2024-04-17 15:40:31 -07001815 if constexpr (BMCWEB_INSECURE_DISABLE_AUTH)
1816 {
1817 // If authentication is disabled, there are no user accounts
1818 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1819 accountName);
1820 return;
1821 }
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001822
Ed Tanous1ef4c342022-05-12 16:12:36 -07001823 if (req.session == nullptr)
1824 {
1825 messages::internalError(asyncResp->res);
1826 return;
1827 }
1828 if (req.session->username != accountName)
1829 {
1830 // At this point we've determined that the user is trying to
1831 // modify a user that isn't them. We need to verify that they
1832 // have permissions to modify other users, so re-run the auth
1833 // check with the same permissions, minus ConfigureSelf.
1834 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05001835 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001836 Privileges requiredPermissionsToChangeNonSelf = {"ConfigureUsers",
1837 "ConfigureManager"};
1838 if (!effectiveUserPrivileges.isSupersetOf(
1839 requiredPermissionsToChangeNonSelf))
1840 {
Ed Tanous62598e32023-07-17 17:06:25 -07001841 BMCWEB_LOG_DEBUG("GET Account denied access");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001842 messages::insufficientPrivilege(asyncResp->res);
1843 return;
1844 }
1845 }
1846
George Liu5eb468d2023-06-20 17:03:24 +08001847 sdbusplus::message::object_path path("/xyz/openbmc_project/user");
1848 dbus::utility::getManagedObjects(
1849 "xyz.openbmc_project.User.Manager", path,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001850 [asyncResp,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001851 accountName](const boost::system::error_code& ec,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001852 const dbus::utility::ManagedObjectType& users) {
1853 if (ec)
1854 {
1855 messages::internalError(asyncResp->res);
1856 return;
1857 }
Ed Tanous3544d2a2023-08-06 18:12:20 -07001858 const auto userIt = std::ranges::find_if(
Michael Shen80f79a42023-08-24 13:41:53 +00001859 users,
1860 [accountName](
1861 const std::pair<sdbusplus::message::object_path,
1862 dbus::utility::DBusInterfacesMap>& user) {
1863 return accountName == user.first.filename();
Patrick Williams5a39f772023-10-20 11:20:21 -05001864 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001865
1866 if (userIt == users.end())
1867 {
1868 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1869 accountName);
1870 return;
1871 }
1872
1873 asyncResp->res.jsonValue["@odata.type"] =
Abhishek Patel58345852022-02-02 08:54:25 -06001874 "#ManagerAccount.v1_7_0.ManagerAccount";
Ed Tanous1ef4c342022-05-12 16:12:36 -07001875 asyncResp->res.jsonValue["Name"] = "User Account";
1876 asyncResp->res.jsonValue["Description"] = "User Account";
1877 asyncResp->res.jsonValue["Password"] = nullptr;
Abhishek Patel58345852022-02-02 08:54:25 -06001878 asyncResp->res.jsonValue["StrictAccountTypes"] = true;
Ed Tanous1ef4c342022-05-12 16:12:36 -07001879
1880 for (const auto& interface : userIt->second)
1881 {
1882 if (interface.first == "xyz.openbmc_project.User.Attributes")
1883 {
1884 for (const auto& property : interface.second)
1885 {
1886 if (property.first == "UserEnabled")
1887 {
1888 const bool* userEnabled =
1889 std::get_if<bool>(&property.second);
1890 if (userEnabled == nullptr)
1891 {
Ed Tanous62598e32023-07-17 17:06:25 -07001892 BMCWEB_LOG_ERROR("UserEnabled wasn't a bool");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001893 messages::internalError(asyncResp->res);
1894 return;
1895 }
1896 asyncResp->res.jsonValue["Enabled"] = *userEnabled;
1897 }
1898 else if (property.first == "UserLockedForFailedAttempt")
1899 {
1900 const bool* userLocked =
1901 std::get_if<bool>(&property.second);
1902 if (userLocked == nullptr)
1903 {
Ed Tanous62598e32023-07-17 17:06:25 -07001904 BMCWEB_LOG_ERROR("UserLockedForF"
1905 "ailedAttempt "
1906 "wasn't a bool");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001907 messages::internalError(asyncResp->res);
1908 return;
1909 }
1910 asyncResp->res.jsonValue["Locked"] = *userLocked;
Ed Tanous20fa6a22024-05-20 18:02:58 -07001911 nlohmann::json::array_t allowed;
1912 // can only unlock accounts
1913 allowed.emplace_back("false");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001914 asyncResp->res
Ed Tanous20fa6a22024-05-20 18:02:58 -07001915 .jsonValue["Locked@Redfish.AllowableValues"] =
1916 std::move(allowed);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001917 }
1918 else if (property.first == "UserPrivilege")
1919 {
1920 const std::string* userPrivPtr =
1921 std::get_if<std::string>(&property.second);
1922 if (userPrivPtr == nullptr)
1923 {
Ed Tanous62598e32023-07-17 17:06:25 -07001924 BMCWEB_LOG_ERROR("UserPrivilege wasn't a "
1925 "string");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001926 messages::internalError(asyncResp->res);
1927 return;
1928 }
1929 std::string role = getRoleIdFromPrivilege(*userPrivPtr);
1930 if (role.empty())
1931 {
Ed Tanous62598e32023-07-17 17:06:25 -07001932 BMCWEB_LOG_ERROR("Invalid user role");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001933 messages::internalError(asyncResp->res);
1934 return;
1935 }
1936 asyncResp->res.jsonValue["RoleId"] = role;
1937
1938 nlohmann::json& roleEntry =
1939 asyncResp->res.jsonValue["Links"]["Role"];
Ed Tanous3b327802023-08-14 09:23:43 -07001940 roleEntry["@odata.id"] = boost::urls::format(
1941 "/redfish/v1/AccountService/Roles/{}", role);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001942 }
1943 else if (property.first == "UserPasswordExpired")
1944 {
1945 const bool* userPasswordExpired =
1946 std::get_if<bool>(&property.second);
1947 if (userPasswordExpired == nullptr)
1948 {
Ed Tanous62598e32023-07-17 17:06:25 -07001949 BMCWEB_LOG_ERROR(
1950 "UserPasswordExpired wasn't a bool");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001951 messages::internalError(asyncResp->res);
1952 return;
1953 }
1954 asyncResp->res.jsonValue["PasswordChangeRequired"] =
1955 *userPasswordExpired;
1956 }
Abhishek Patelc7229812022-02-01 10:07:15 -06001957 else if (property.first == "UserGroups")
1958 {
1959 const std::vector<std::string>* userGroups =
1960 std::get_if<std::vector<std::string>>(
1961 &property.second);
1962 if (userGroups == nullptr)
1963 {
Ed Tanous62598e32023-07-17 17:06:25 -07001964 BMCWEB_LOG_ERROR(
1965 "userGroups wasn't a string vector");
Abhishek Patelc7229812022-02-01 10:07:15 -06001966 messages::internalError(asyncResp->res);
1967 return;
1968 }
1969 if (!translateUserGroup(*userGroups, asyncResp->res))
1970 {
Ed Tanous62598e32023-07-17 17:06:25 -07001971 BMCWEB_LOG_ERROR("userGroups mapping failed");
Abhishek Patelc7229812022-02-01 10:07:15 -06001972 messages::internalError(asyncResp->res);
1973 return;
1974 }
1975 }
Ed Tanous1ef4c342022-05-12 16:12:36 -07001976 }
1977 }
1978 }
1979
Ed Tanous3b327802023-08-14 09:23:43 -07001980 asyncResp->res.jsonValue["@odata.id"] = boost::urls::format(
1981 "/redfish/v1/AccountService/Accounts/{}", accountName);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001982 asyncResp->res.jsonValue["Id"] = accountName;
1983 asyncResp->res.jsonValue["UserName"] = accountName;
Patrick Williams5a39f772023-10-20 11:20:21 -05001984 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001985}
1986
1987inline void
Gunnar Mills20fc3072023-01-27 15:13:36 -06001988 handleAccountDelete(App& app, const crow::Request& req,
1989 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1990 const std::string& username)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001991{
1992 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1993 {
1994 return;
1995 }
1996
Ed Tanous25b54db2024-04-17 15:40:31 -07001997 if constexpr (BMCWEB_INSECURE_DISABLE_AUTH)
1998 {
1999 // If authentication is disabled, there are no user accounts
2000 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
2001 return;
2002 }
Ed Tanous1ef4c342022-05-12 16:12:36 -07002003 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
2004 tempObjPath /= username;
2005 const std::string userPath(tempObjPath);
2006
2007 crow::connections::systemBus->async_method_call(
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08002008 [asyncResp, username](const boost::system::error_code& ec) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07002009 if (ec)
2010 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08002011 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
Ed Tanous1ef4c342022-05-12 16:12:36 -07002012 username);
2013 return;
2014 }
2015
2016 messages::accountRemoved(asyncResp->res);
Patrick Williams5a39f772023-10-20 11:20:21 -05002017 },
Ed Tanous1ef4c342022-05-12 16:12:36 -07002018 "xyz.openbmc_project.User.Manager", userPath,
2019 "xyz.openbmc_project.Object.Delete", "Delete");
2020}
2021
2022inline void
2023 handleAccountPatch(App& app, const crow::Request& req,
2024 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
2025 const std::string& username)
2026{
2027 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
2028 {
2029 return;
2030 }
Ed Tanous25b54db2024-04-17 15:40:31 -07002031 if constexpr (BMCWEB_INSECURE_DISABLE_AUTH)
2032 {
2033 // If authentication is disabled, there are no user accounts
2034 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
2035 return;
2036 }
Ed Tanous1ef4c342022-05-12 16:12:36 -07002037 std::optional<std::string> newUserName;
2038 std::optional<std::string> password;
2039 std::optional<bool> enabled;
2040 std::optional<std::string> roleId;
2041 std::optional<bool> locked;
Abhishek Patel58345852022-02-02 08:54:25 -06002042 std::optional<std::vector<std::string>> accountTypes;
2043
Ed Tanous1ef4c342022-05-12 16:12:36 -07002044 if (req.session == nullptr)
2045 {
2046 messages::internalError(asyncResp->res);
2047 return;
2048 }
2049
Ed Tanous2b9c1df2024-04-06 13:52:01 -07002050 bool userSelf = (username == req.session->username);
2051
Ed Tanous1ef4c342022-05-12 16:12:36 -07002052 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05002053 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002054 Privileges configureUsers = {"ConfigureUsers"};
2055 bool userHasConfigureUsers =
2056 effectiveUserPrivileges.isSupersetOf(configureUsers);
2057 if (userHasConfigureUsers)
2058 {
2059 // Users with ConfigureUsers can modify for all users
Abhishek Patel58345852022-02-02 08:54:25 -06002060 if (!json_util::readJsonPatch(
2061 req, asyncResp->res, "UserName", newUserName, "Password",
2062 password, "RoleId", roleId, "Enabled", enabled, "Locked",
2063 locked, "AccountTypes", accountTypes))
Ed Tanous1ef4c342022-05-12 16:12:36 -07002064 {
2065 return;
2066 }
2067 }
2068 else
2069 {
2070 // ConfigureSelf accounts can only modify their own account
Abhishek Patel58345852022-02-02 08:54:25 -06002071 if (!userSelf)
Ed Tanous1ef4c342022-05-12 16:12:36 -07002072 {
2073 messages::insufficientPrivilege(asyncResp->res);
2074 return;
2075 }
2076
2077 // ConfigureSelf accounts can only modify their password
2078 if (!json_util::readJsonPatch(req, asyncResp->res, "Password",
2079 password))
2080 {
2081 return;
2082 }
2083 }
2084
2085 // if user name is not provided in the patch method or if it
2086 // matches the user name in the URI, then we are treating it as
2087 // updating user properties other then username. If username
2088 // provided doesn't match the URI, then we are treating this as
2089 // user rename request.
2090 if (!newUserName || (newUserName.value() == username))
2091 {
2092 updateUserProperties(asyncResp, username, password, enabled, roleId,
Ravi Tejae518ef32024-05-16 10:33:08 -05002093 locked, accountTypes, userSelf, req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002094 return;
2095 }
2096 crow::connections::systemBus->async_method_call(
2097 [asyncResp, username, password(std::move(password)),
2098 roleId(std::move(roleId)), enabled, newUser{std::string(*newUserName)},
Ravi Tejae518ef32024-05-16 10:33:08 -05002099 locked, userSelf, req, accountTypes(std::move(accountTypes))](
Ed Tanouse81de512023-06-27 17:07:00 -07002100 const boost::system::error_code& ec, sdbusplus::message_t& m) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07002101 if (ec)
2102 {
2103 userErrorMessageHandler(m.get_error(), asyncResp, newUser,
2104 username);
2105 return;
2106 }
2107
2108 updateUserProperties(asyncResp, newUser, password, enabled, roleId,
Ravi Tejae518ef32024-05-16 10:33:08 -05002109 locked, accountTypes, userSelf, req.session);
Patrick Williams5a39f772023-10-20 11:20:21 -05002110 },
Ed Tanous1ef4c342022-05-12 16:12:36 -07002111 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
2112 "xyz.openbmc_project.User.Manager", "RenameUser", username,
2113 *newUserName);
2114}
2115
Ed Tanous6c51eab2021-06-03 12:30:29 -07002116inline void requestAccountServiceRoutes(App& app)
Ed Tanousb9b2e0b2018-09-13 13:47:50 -07002117{
Ed Tanous6c51eab2021-06-03 12:30:29 -07002118 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Ed Tanous4c7d4d32022-07-07 15:29:35 -07002119 .privileges(redfish::privileges::headAccountService)
2120 .methods(boost::beast::http::verb::head)(
2121 std::bind_front(handleAccountServiceHead, std::ref(app)));
2122
2123 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Ed Tanoused398212021-06-09 17:05:54 -07002124 .privileges(redfish::privileges::getAccountService)
Ed Tanous002d39b2022-05-31 08:59:27 -07002125 .methods(boost::beast::http::verb::get)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002126 std::bind_front(handleAccountServiceGet, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002127
Ed Tanousf5ffd802021-07-19 10:55:33 -07002128 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Gunnar Mills1ec43ee2022-01-04 15:39:52 -06002129 .privileges(redfish::privileges::patchAccountService)
Ed Tanousf5ffd802021-07-19 10:55:33 -07002130 .methods(boost::beast::http::verb::patch)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002131 std::bind_front(handleAccountServicePatch, std::ref(app)));
Ed Tanousf5ffd802021-07-19 10:55:33 -07002132
Ed Tanous1aa375b2024-04-13 11:51:10 -07002133 BMCWEB_ROUTE(
2134 app,
2135 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates")
2136 .privileges(redfish::privileges::headCertificateCollection)
2137 .methods(boost::beast::http::verb::head)(std::bind_front(
2138 handleAccountServiceClientCertificatesHead, std::ref(app)));
2139
2140 BMCWEB_ROUTE(
2141 app,
2142 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates")
2143 .privileges(redfish::privileges::getCertificateCollection)
2144 .methods(boost::beast::http::verb::get)(std::bind_front(
2145 handleAccountServiceClientCertificatesGet, std::ref(app)));
2146
2147 BMCWEB_ROUTE(
2148 app,
2149 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/<str>")
2150 .privileges(redfish::privileges::headCertificate)
2151 .methods(boost::beast::http::verb::head)(std::bind_front(
2152 handleAccountServiceClientCertificatesInstanceHead, std::ref(app)));
2153
2154 BMCWEB_ROUTE(
2155 app,
2156 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/<str>/")
2157 .privileges(redfish::privileges::getCertificate)
2158 .methods(boost::beast::http::verb::get)(std::bind_front(
2159 handleAccountServiceClientCertificatesInstanceGet, std::ref(app)));
2160
Ed Tanous6c51eab2021-06-03 12:30:29 -07002161 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanous4c7d4d32022-07-07 15:29:35 -07002162 .privileges(redfish::privileges::headManagerAccountCollection)
2163 .methods(boost::beast::http::verb::head)(
2164 std::bind_front(handleAccountCollectionHead, std::ref(app)));
2165
2166 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanoused398212021-06-09 17:05:54 -07002167 .privileges(redfish::privileges::getManagerAccountCollection)
Ed Tanous6c51eab2021-06-03 12:30:29 -07002168 .methods(boost::beast::http::verb::get)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002169 std::bind_front(handleAccountCollectionGet, std::ref(app)));
Ed Tanous06e086d2018-09-19 17:19:52 -07002170
Ed Tanous6c51eab2021-06-03 12:30:29 -07002171 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanoused398212021-06-09 17:05:54 -07002172 .privileges(redfish::privileges::postManagerAccountCollection)
Ed Tanous002d39b2022-05-31 08:59:27 -07002173 .methods(boost::beast::http::verb::post)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002174 std::bind_front(handleAccountCollectionPost, std::ref(app)));
Ed Tanous002d39b2022-05-31 08:59:27 -07002175
2176 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanous4c7d4d32022-07-07 15:29:35 -07002177 .privileges(redfish::privileges::headManagerAccount)
2178 .methods(boost::beast::http::verb::head)(
2179 std::bind_front(handleAccountHead, std::ref(app)));
2180
2181 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanous002d39b2022-05-31 08:59:27 -07002182 .privileges(redfish::privileges::getManagerAccount)
2183 .methods(boost::beast::http::verb::get)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002184 std::bind_front(handleAccountGet, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002185
2186 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -07002187 // TODO this privilege should be using the generated endpoints, but
2188 // because of the special handling of ConfigureSelf, it's not able to
2189 // yet
Ed Tanous6c51eab2021-06-03 12:30:29 -07002190 .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}})
2191 .methods(boost::beast::http::verb::patch)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002192 std::bind_front(handleAccountPatch, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002193
2194 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -07002195 .privileges(redfish::privileges::deleteManagerAccount)
Ed Tanous6c51eab2021-06-03 12:30:29 -07002196 .methods(boost::beast::http::verb::delete_)(
Gunnar Mills20fc3072023-01-27 15:13:36 -06002197 std::bind_front(handleAccountDelete, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002198}
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +01002199
Ed Tanous1abe55e2018-09-05 08:30:59 -07002200} // namespace redfish