Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 2205bbf681bfac508a9e985b9581ce9d662db4df / . / redfish-core / lib / account_service.hpp
blob: 835fae39d6bf911e70cbb3f116208a6f8de54dce [file] [log] [blame]
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]1/*
2// Copyright (c) 2018 Intel Corporation
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15*/
16#pragma once
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]17
John Edward Broadbent7e860f12021-04-08 15:57:16 -0700[diff] [blame]18#include <app.hpp>
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]19#include <dbus_utility.hpp>
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]20#include <error_messages.hpp>
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]21#include <openbmc_dbus_rest.hpp>
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]22#include <persistent_data.hpp>
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]23#include <utils/json_utils.hpp>
Gunnar Mills1214b7e2020-06-04 10:11:30 -0500[diff] [blame]24
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]25#include <variant>
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]26
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]27namespace redfish
28{
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]29
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]30constexpr const char* ldapConfigObjectName =
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]31 "/xyz/openbmc_project/user/ldap/openldap";
Ed Tanous2c70f802020-09-28 14:29:23 -0700[diff] [blame]32constexpr const char* adConfigObject =
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]33 "/xyz/openbmc_project/user/ldap/active_directory";
34
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]35constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap";
36constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config";
37constexpr const char* ldapConfigInterface =
38 "xyz.openbmc_project.User.Ldap.Config";
39constexpr const char* ldapCreateInterface =
40 "xyz.openbmc_project.User.Ldap.Create";
41constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable";
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]42constexpr const char* ldapPrivMapperInterface =
43 "xyz.openbmc_project.User.PrivilegeMapper";
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]44constexpr const char* dbusObjManagerIntf = "org.freedesktop.DBus.ObjectManager";
45constexpr const char* propertyInterface = "org.freedesktop.DBus.Properties";
46constexpr const char* mapperBusName = "xyz.openbmc_project.ObjectMapper";
47constexpr const char* mapperObjectPath = "/xyz/openbmc_project/object_mapper";
48constexpr const char* mapperIntf = "xyz.openbmc_project.ObjectMapper";
49
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]50struct LDAPRoleMapData
51{
52 std::string groupName;
53 std::string privilege;
54};
55
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]56struct LDAPConfigData
57{
58 std::string uri{};
59 std::string bindDN{};
60 std::string baseDN{};
61 std::string searchScope{};
62 std::string serverType{};
63 bool serviceEnabled = false;
64 std::string userNameAttribute{};
65 std::string groupAttribute{};
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]66 std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList;
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]67};
68
Patrick Williams19bd78d2020-05-13 17:38:24 -0500[diff] [blame]69using DbusVariantType = std::variant<bool, int32_t, std::string>;
Przemyslaw Czarnowski107077d2019-07-11 10:16:43 +0200[diff] [blame]70
71using DbusInterfaceType = boost::container::flat_map<
72 std::string, boost::container::flat_map<std::string, DbusVariantType>>;
73
74using ManagedObjectType =
75 std::vector<std::pair<sdbusplus::message::object_path, DbusInterfaceType>>;
76
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]77using GetObjectType =
78 std::vector<std::pair<std::string, std::vector<std::string>>>;
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]79
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]80inline std::string getRoleIdFromPrivilege(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]81{
82 if (role == "priv-admin")
83 {
84 return "Administrator";
85 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]86 if (role == "priv-user")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]87 {
AppaRao Pulic80fee52019-10-16 14:49:36 +0530[diff] [blame]88 return "ReadOnly";
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]89 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]90 if (role == "priv-operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]91 {
92 return "Operator";
93 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]94 if ((role == "") || (role == "priv-noaccess"))
jayaprakash Mutyalae9e6d242019-07-29 11:59:08 +0000[diff] [blame]95 {
96 return "NoAccess";
97 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]98 return "";
99}
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]100inline std::string getPrivilegeFromRoleId(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]101{
102 if (role == "Administrator")
103 {
104 return "priv-admin";
105 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]106 if (role == "ReadOnly")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]107 {
108 return "priv-user";
109 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]110 if (role == "Operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]111 {
112 return "priv-operator";
113 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]114 if ((role == "NoAccess") || (role == ""))
jayaprakash Mutyalae9e6d242019-07-29 11:59:08 +0000[diff] [blame]115 {
116 return "priv-noaccess";
117 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]118 return "";
119}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]120
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]121inline void userErrorMessageHandler(
122 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
123 const std::string& newUser, const std::string& username)
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]124{
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]125 if (e == nullptr)
126 {
127 messages::internalError(asyncResp->res);
128 return;
129 }
130
Manojkiran Eda055806b2020-11-03 09:36:28 +0530[diff] [blame]131 const char* errorMessage = e->name;
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]132 if (strcmp(errorMessage,
133 "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0)
134 {
135 messages::resourceAlreadyExists(asyncResp->res,
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]136 "#ManagerAccount.v1_4_0.ManagerAccount",
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]137 "UserName", newUser);
138 }
139 else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
140 "UserNameDoesNotExist") == 0)
141 {
142 messages::resourceNotFound(
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]143 asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", username);
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]144 }
Ed Tanousd4d25792020-09-29 15:15:03 -0700[diff] [blame]145 else if ((strcmp(errorMessage,
146 "xyz.openbmc_project.Common.Error.InvalidArgument") ==
147 0) ||
148 (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
149 "UserNameGroupFail") == 0))
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]150 {
151 messages::propertyValueFormatError(asyncResp->res, newUser, "UserName");
152 }
153 else if (strcmp(errorMessage,
154 "xyz.openbmc_project.User.Common.Error.NoResource") == 0)
155 {
156 messages::createLimitReachedForResource(asyncResp->res);
157 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]158 else
159 {
160 messages::internalError(asyncResp->res);
161 }
162
163 return;
164}
165
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]166inline void parseLDAPConfigData(nlohmann::json& jsonResponse,
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]167 const LDAPConfigData& confData,
168 const std::string& ldapType)
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]169{
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]170 std::string service =
171 (ldapType == "LDAP") ? "LDAPService" : "ActiveDirectoryService";
Marri Devender Rao37cce912019-02-20 01:05:22 -0600[diff] [blame]172 nlohmann::json ldap = {
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]173 {"ServiceEnabled", confData.serviceEnabled},
174 {"ServiceAddresses", nlohmann::json::array({confData.uri})},
175 {"Authentication",
176 {{"AuthenticationType", "UsernameAndPassword"},
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]177 {"Username", confData.bindDN},
178 {"Password", nullptr}}},
179 {"LDAPService",
180 {{"SearchSettings",
181 {{"BaseDistinguishedNames",
182 nlohmann::json::array({confData.baseDN})},
183 {"UsernameAttribute", confData.userNameAttribute},
184 {"GroupsAttribute", confData.groupAttribute}}}}},
185 };
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]186
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]187 jsonResponse[ldapType].update(ldap);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]188
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]189 nlohmann::json& roleMapArray = jsonResponse[ldapType]["RemoteRoleMapping"];
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]190 roleMapArray = nlohmann::json::array();
191 for (auto& obj : confData.groupRoleList)
192 {
193 BMCWEB_LOG_DEBUG << "Pushing the data groupName="
194 << obj.second.groupName << "\n";
195 roleMapArray.push_back(
196 {nlohmann::json::array({"RemoteGroup", obj.second.groupName}),
197 nlohmann::json::array(
198 {"LocalRole", getRoleIdFromPrivilege(obj.second.privilege)})});
199 }
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]200}
201
202/**
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]203 * @brief validates given JSON input and then calls appropriate method to
204 * create, to delete or to set Rolemapping object based on the given input.
205 *
206 */
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]207inline void handleRoleMapPatch(
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]208 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]209 const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData,
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]210 const std::string& serverType, const std::vector<nlohmann::json>& input)
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]211{
212 for (size_t index = 0; index < input.size(); index++)
213 {
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]214 const nlohmann::json& thisJson = input[index];
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]215
216 if (thisJson.is_null())
217 {
218 // delete the existing object
219 if (index < roleMapObjData.size())
220 {
221 crow::connections::systemBus->async_method_call(
222 [asyncResp, roleMapObjData, serverType,
223 index](const boost::system::error_code ec) {
224 if (ec)
225 {
226 BMCWEB_LOG_ERROR << "DBUS response error: " << ec;
227 messages::internalError(asyncResp->res);
228 return;
229 }
230 asyncResp->res
231 .jsonValue[serverType]["RemoteRoleMapping"][index] =
232 nullptr;
233 },
234 ldapDbusService, roleMapObjData[index].first,
235 "xyz.openbmc_project.Object.Delete", "Delete");
236 }
237 else
238 {
239 BMCWEB_LOG_ERROR << "Can't delete the object";
240 messages::propertyValueTypeError(
Ed Tanous71f52d92021-02-19 08:51:17 -0800[diff] [blame]241 asyncResp->res,
242 thisJson.dump(2, ' ', true,
243 nlohmann::json::error_handler_t::replace),
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]244 "RemoteRoleMapping/" + std::to_string(index));
245 return;
246 }
247 }
248 else if (thisJson.empty())
249 {
250 // Don't do anything for the empty objects,parse next json
251 // eg {"RemoteRoleMapping",[{}]}
252 }
253 else
254 {
255 // update/create the object
256 std::optional<std::string> remoteGroup;
257 std::optional<std::string> localRole;
258
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]259 // This is a copy, but it's required in this case because of how
260 // readJson is structured
261 nlohmann::json thisJsonCopy = thisJson;
262 if (!json_util::readJson(thisJsonCopy, asyncResp->res,
263 "RemoteGroup", remoteGroup, "LocalRole",
264 localRole))
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]265 {
266 continue;
267 }
268
269 // Update existing RoleMapping Object
270 if (index < roleMapObjData.size())
271 {
272 BMCWEB_LOG_DEBUG << "Update Role Map Object";
273 // If "RemoteGroup" info is provided
274 if (remoteGroup)
275 {
276 crow::connections::systemBus->async_method_call(
277 [asyncResp, roleMapObjData, serverType, index,
278 remoteGroup](const boost::system::error_code ec) {
279 if (ec)
280 {
281 BMCWEB_LOG_ERROR << "DBUS response error: "
282 << ec;
283 messages::internalError(asyncResp->res);
284 return;
285 }
286 asyncResp->res
287 .jsonValue[serverType]["RemoteRoleMapping"]
288 [index]["RemoteGroup"] = *remoteGroup;
289 },
290 ldapDbusService, roleMapObjData[index].first,
291 propertyInterface, "Set",
292 "xyz.openbmc_project.User.PrivilegeMapperEntry",
293 "GroupName",
294 std::variant<std::string>(std::move(*remoteGroup)));
295 }
296
297 // If "LocalRole" info is provided
298 if (localRole)
299 {
300 crow::connections::systemBus->async_method_call(
301 [asyncResp, roleMapObjData, serverType, index,
302 localRole](const boost::system::error_code ec) {
303 if (ec)
304 {
305 BMCWEB_LOG_ERROR << "DBUS response error: "
306 << ec;
307 messages::internalError(asyncResp->res);
308 return;
309 }
310 asyncResp->res
311 .jsonValue[serverType]["RemoteRoleMapping"]
312 [index]["LocalRole"] = *localRole;
313 },
314 ldapDbusService, roleMapObjData[index].first,
315 propertyInterface, "Set",
316 "xyz.openbmc_project.User.PrivilegeMapperEntry",
317 "Privilege",
318 std::variant<std::string>(
319 getPrivilegeFromRoleId(std::move(*localRole))));
320 }
321 }
322 // Create a new RoleMapping Object.
323 else
324 {
325 BMCWEB_LOG_DEBUG
326 << "setRoleMappingProperties: Creating new Object";
327 std::string pathString =
328 "RemoteRoleMapping/" + std::to_string(index);
329
330 if (!localRole)
331 {
332 messages::propertyMissing(asyncResp->res,
333 pathString + "/LocalRole");
334 continue;
335 }
336 if (!remoteGroup)
337 {
338 messages::propertyMissing(asyncResp->res,
339 pathString + "/RemoteGroup");
340 continue;
341 }
342
343 std::string dbusObjectPath;
344 if (serverType == "ActiveDirectory")
345 {
Ed Tanous2c70f802020-09-28 14:29:23 -0700[diff] [blame]346 dbusObjectPath = adConfigObject;
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]347 }
348 else if (serverType == "LDAP")
349 {
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]350 dbusObjectPath = ldapConfigObjectName;
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]351 }
352
353 BMCWEB_LOG_DEBUG << "Remote Group=" << *remoteGroup
354 << ",LocalRole=" << *localRole;
355
356 crow::connections::systemBus->async_method_call(
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]357 [asyncResp, serverType, localRole,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]358 remoteGroup](const boost::system::error_code ec) {
359 if (ec)
360 {
361 BMCWEB_LOG_ERROR << "DBUS response error: " << ec;
362 messages::internalError(asyncResp->res);
363 return;
364 }
365 nlohmann::json& remoteRoleJson =
366 asyncResp->res
367 .jsonValue[serverType]["RemoteRoleMapping"];
368 remoteRoleJson.push_back(
369 {{"LocalRole", *localRole},
370 {"RemoteGroup", *remoteGroup}});
371 },
372 ldapDbusService, dbusObjectPath, ldapPrivMapperInterface,
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]373 "Create", *remoteGroup,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]374 getPrivilegeFromRoleId(std::move(*localRole)));
375 }
376 }
377 }
378}
379
380/**
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]381 * Function that retrieves all properties for LDAP config object
382 * into JSON
383 */
384template <typename CallbackFunc>
385inline void getLDAPConfigData(const std::string& ldapType,
386 CallbackFunc&& callback)
387{
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]388
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]389 const std::array<const char*, 2> interfaces = {ldapEnableInterface,
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]390 ldapConfigInterface};
391
392 crow::connections::systemBus->async_method_call(
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]393 [callback, ldapType](const boost::system::error_code ec,
394 const GetObjectType& resp) {
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]395 if (ec || resp.empty())
396 {
397 BMCWEB_LOG_ERROR << "DBUS response error during getting of "
398 "service name: "
399 << ec;
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]400 LDAPConfigData empty{};
401 callback(false, empty, ldapType);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]402 return;
403 }
404 std::string service = resp.begin()->first;
405 crow::connections::systemBus->async_method_call(
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]406 [callback, ldapType](const boost::system::error_code errorCode,
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]407 const ManagedObjectType& ldapObjects) {
408 LDAPConfigData confData{};
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]409 if (errorCode)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]410 {
411 callback(false, confData, ldapType);
412 BMCWEB_LOG_ERROR << "D-Bus responses error: "
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]413 << errorCode;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]414 return;
415 }
416
417 std::string ldapDbusType;
418 std::string searchString;
419
420 if (ldapType == "LDAP")
421 {
422 ldapDbusType = "xyz.openbmc_project.User.Ldap.Config."
423 "Type.OpenLdap";
424 searchString = "openldap";
425 }
426 else if (ldapType == "ActiveDirectory")
427 {
428 ldapDbusType =
429 "xyz.openbmc_project.User.Ldap.Config.Type."
430 "ActiveDirectory";
431 searchString = "active_directory";
432 }
433 else
434 {
435 BMCWEB_LOG_ERROR
436 << "Can't get the DbusType for the given type="
437 << ldapType;
438 callback(false, confData, ldapType);
439 return;
440 }
441
442 std::string ldapEnableInterfaceStr = ldapEnableInterface;
443 std::string ldapConfigInterfaceStr = ldapConfigInterface;
444
445 for (const auto& object : ldapObjects)
446 {
447 // let's find the object whose ldap type is equal to the
448 // given type
449 if (object.first.str.find(searchString) ==
450 std::string::npos)
451 {
452 continue;
453 }
454
455 for (const auto& interface : object.second)
456 {
457 if (interface.first == ldapEnableInterfaceStr)
458 {
459 // rest of the properties are string.
460 for (const auto& property : interface.second)
461 {
462 if (property.first == "Enabled")
463 {
464 const bool* value =
465 std::get_if<bool>(&property.second);
466 if (value == nullptr)
467 {
468 continue;
469 }
470 confData.serviceEnabled = *value;
471 break;
472 }
473 }
474 }
475 else if (interface.first == ldapConfigInterfaceStr)
476 {
477
478 for (const auto& property : interface.second)
479 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]480 const std::string* strValue =
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]481 std::get_if<std::string>(
482 &property.second);
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]483 if (strValue == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]484 {
485 continue;
486 }
487 if (property.first == "LDAPServerURI")
488 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]489 confData.uri = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]490 }
491 else if (property.first == "LDAPBindDN")
492 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]493 confData.bindDN = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]494 }
495 else if (property.first == "LDAPBaseDN")
496 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]497 confData.baseDN = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]498 }
499 else if (property.first ==
500 "LDAPSearchScope")
501 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]502 confData.searchScope = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]503 }
504 else if (property.first ==
505 "GroupNameAttribute")
506 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]507 confData.groupAttribute = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]508 }
509 else if (property.first ==
510 "UserNameAttribute")
511 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]512 confData.userNameAttribute = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]513 }
514 else if (property.first == "LDAPType")
515 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]516 confData.serverType = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]517 }
518 }
519 }
520 else if (interface.first ==
521 "xyz.openbmc_project.User."
522 "PrivilegeMapperEntry")
523 {
524 LDAPRoleMapData roleMapData{};
525 for (const auto& property : interface.second)
526 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]527 const std::string* strValue =
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]528 std::get_if<std::string>(
529 &property.second);
530
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]531 if (strValue == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]532 {
533 continue;
534 }
535
536 if (property.first == "GroupName")
537 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]538 roleMapData.groupName = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]539 }
540 else if (property.first == "Privilege")
541 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]542 roleMapData.privilege = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]543 }
544 }
545
Ed Tanous0f0353b2019-10-24 11:37:51 -0700[diff] [blame]546 confData.groupRoleList.emplace_back(
547 object.first.str, roleMapData);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]548 }
549 }
550 }
551 callback(true, confData, ldapType);
552 },
553 service, ldapRootObject, dbusObjManagerIntf,
554 "GetManagedObjects");
555 },
556 mapperBusName, mapperObjectPath, mapperIntf, "GetObject",
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]557 ldapConfigObjectName, interfaces);
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]558}
559
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]560/**
561 * @brief parses the authentication section under the LDAP
562 * @param input JSON data
563 * @param asyncResp pointer to the JSON response
564 * @param userName userName to be filled from the given JSON.
565 * @param password password to be filled from the given JSON.
566 */
567void parseLDAPAuthenticationJson(
568 nlohmann::json input, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
569 std::optional<std::string>& username, std::optional<std::string>& password)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]570{
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]571 std::optional<std::string> authType;
572
573 if (!json_util::readJson(input, asyncResp->res, "AuthenticationType",
574 authType, "Username", username, "Password",
575 password))
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]576 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]577 return;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]578 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]579 if (!authType)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]580 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]581 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]582 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]583 if (*authType != "UsernameAndPassword")
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]584 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]585 messages::propertyValueNotInList(asyncResp->res, *authType,
586 "AuthenticationType");
587 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]588 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]589}
590/**
591 * @brief parses the LDAPService section under the LDAP
592 * @param input JSON data
593 * @param asyncResp pointer to the JSON response
594 * @param baseDNList baseDN to be filled from the given JSON.
595 * @param userNameAttribute userName to be filled from the given JSON.
596 * @param groupaAttribute password to be filled from the given JSON.
597 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]598
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]599void parseLDAPServiceJson(nlohmann::json input,
600 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
601 std::optional<std::vector<std::string>>& baseDNList,
602 std::optional<std::string>& userNameAttribute,
603 std::optional<std::string>& groupsAttribute)
604{
605 std::optional<nlohmann::json> searchSettings;
606
607 if (!json_util::readJson(input, asyncResp->res, "SearchSettings",
608 searchSettings))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]609 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]610 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]611 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]612 if (!searchSettings)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]613 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]614 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]615 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]616 if (!json_util::readJson(*searchSettings, asyncResp->res,
617 "BaseDistinguishedNames", baseDNList,
618 "UsernameAttribute", userNameAttribute,
619 "GroupsAttribute", groupsAttribute))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]620 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]621 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]622 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]623}
624/**
625 * @brief updates the LDAP server address and updates the
626 json response with the new value.
627 * @param serviceAddressList address to be updated.
628 * @param asyncResp pointer to the JSON response
629 * @param ldapServerElementName Type of LDAP
630 server(openLDAP/ActiveDirectory)
631 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]632
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]633void handleServiceAddressPatch(
634 const std::vector<std::string>& serviceAddressList,
635 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
636 const std::string& ldapServerElementName,
637 const std::string& ldapConfigObject)
638{
639 crow::connections::systemBus->async_method_call(
640 [asyncResp, ldapServerElementName,
641 serviceAddressList](const boost::system::error_code ec) {
642 if (ec)
643 {
644 BMCWEB_LOG_DEBUG
645 << "Error Occurred in updating the service address";
646 messages::internalError(asyncResp->res);
647 return;
648 }
649 std::vector<std::string> modifiedserviceAddressList = {
650 serviceAddressList.front()};
651 asyncResp->res
652 .jsonValue[ldapServerElementName]["ServiceAddresses"] =
653 modifiedserviceAddressList;
654 if ((serviceAddressList).size() > 1)
655 {
656 messages::propertyValueModified(asyncResp->res,
657 "ServiceAddresses",
658 serviceAddressList.front());
659 }
660 BMCWEB_LOG_DEBUG << "Updated the service address";
661 },
662 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
663 ldapConfigInterface, "LDAPServerURI",
664 std::variant<std::string>(serviceAddressList.front()));
665}
666/**
667 * @brief updates the LDAP Bind DN and updates the
668 json response with the new value.
669 * @param username name of the user which needs to be updated.
670 * @param asyncResp pointer to the JSON response
671 * @param ldapServerElementName Type of LDAP
672 server(openLDAP/ActiveDirectory)
673 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]674
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]675void handleUserNamePatch(const std::string& username,
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]676 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]677 const std::string& ldapServerElementName,
678 const std::string& ldapConfigObject)
679{
680 crow::connections::systemBus->async_method_call(
681 [asyncResp, username,
682 ldapServerElementName](const boost::system::error_code ec) {
683 if (ec)
684 {
685 BMCWEB_LOG_DEBUG << "Error occurred in updating the username";
686 messages::internalError(asyncResp->res);
687 return;
688 }
689 asyncResp->res.jsonValue[ldapServerElementName]["Authentication"]
690 ["Username"] = username;
691 BMCWEB_LOG_DEBUG << "Updated the username";
692 },
693 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
694 ldapConfigInterface, "LDAPBindDN", std::variant<std::string>(username));
695}
696
697/**
698 * @brief updates the LDAP password
699 * @param password : ldap password which needs to be updated.
700 * @param asyncResp pointer to the JSON response
701 * @param ldapServerElementName Type of LDAP
702 * server(openLDAP/ActiveDirectory)
703 */
704
705void handlePasswordPatch(const std::string& password,
706 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
707 const std::string& ldapServerElementName,
708 const std::string& ldapConfigObject)
709{
710 crow::connections::systemBus->async_method_call(
711 [asyncResp, password,
712 ldapServerElementName](const boost::system::error_code ec) {
713 if (ec)
714 {
715 BMCWEB_LOG_DEBUG << "Error occurred in updating the password";
716 messages::internalError(asyncResp->res);
717 return;
718 }
719 asyncResp->res.jsonValue[ldapServerElementName]["Authentication"]
720 ["Password"] = "";
721 BMCWEB_LOG_DEBUG << "Updated the password";
722 },
723 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
724 ldapConfigInterface, "LDAPBindDNPassword",
725 std::variant<std::string>(password));
726}
727
728/**
729 * @brief updates the LDAP BaseDN and updates the
730 json response with the new value.
731 * @param baseDNList baseDN list which needs to be updated.
732 * @param asyncResp pointer to the JSON response
733 * @param ldapServerElementName Type of LDAP
734 server(openLDAP/ActiveDirectory)
735 */
736
737void handleBaseDNPatch(const std::vector<std::string>& baseDNList,
738 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
739 const std::string& ldapServerElementName,
740 const std::string& ldapConfigObject)
741{
742 crow::connections::systemBus->async_method_call(
743 [asyncResp, baseDNList,
744 ldapServerElementName](const boost::system::error_code ec) {
745 if (ec)
746 {
747 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the base DN";
748 messages::internalError(asyncResp->res);
749 return;
750 }
751 auto& serverTypeJson =
752 asyncResp->res.jsonValue[ldapServerElementName];
753 auto& searchSettingsJson =
754 serverTypeJson["LDAPService"]["SearchSettings"];
755 std::vector<std::string> modifiedBaseDNList = {baseDNList.front()};
756 searchSettingsJson["BaseDistinguishedNames"] = modifiedBaseDNList;
757 if (baseDNList.size() > 1)
758 {
759 messages::propertyValueModified(asyncResp->res,
760 "BaseDistinguishedNames",
761 baseDNList.front());
762 }
763 BMCWEB_LOG_DEBUG << "Updated the base DN";
764 },
765 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
766 ldapConfigInterface, "LDAPBaseDN",
767 std::variant<std::string>(baseDNList.front()));
768}
769/**
770 * @brief updates the LDAP user name attribute and updates the
771 json response with the new value.
772 * @param userNameAttribute attribute to be updated.
773 * @param asyncResp pointer to the JSON response
774 * @param ldapServerElementName Type of LDAP
775 server(openLDAP/ActiveDirectory)
776 */
777
778void handleUserNameAttrPatch(
779 const std::string& userNameAttribute,
780 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
781 const std::string& ldapServerElementName,
782 const std::string& ldapConfigObject)
783{
784 crow::connections::systemBus->async_method_call(
785 [asyncResp, userNameAttribute,
786 ldapServerElementName](const boost::system::error_code ec) {
787 if (ec)
788 {
789 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the "
790 "username attribute";
791 messages::internalError(asyncResp->res);
792 return;
793 }
794 auto& serverTypeJson =
795 asyncResp->res.jsonValue[ldapServerElementName];
796 auto& searchSettingsJson =
797 serverTypeJson["LDAPService"]["SearchSettings"];
798 searchSettingsJson["UsernameAttribute"] = userNameAttribute;
799 BMCWEB_LOG_DEBUG << "Updated the user name attr.";
800 },
801 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
802 ldapConfigInterface, "UserNameAttribute",
803 std::variant<std::string>(userNameAttribute));
804}
805/**
806 * @brief updates the LDAP group attribute and updates the
807 json response with the new value.
808 * @param groupsAttribute attribute to be updated.
809 * @param asyncResp pointer to the JSON response
810 * @param ldapServerElementName Type of LDAP
811 server(openLDAP/ActiveDirectory)
812 */
813
814void handleGroupNameAttrPatch(
815 const std::string& groupsAttribute,
816 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
817 const std::string& ldapServerElementName,
818 const std::string& ldapConfigObject)
819{
820 crow::connections::systemBus->async_method_call(
821 [asyncResp, groupsAttribute,
822 ldapServerElementName](const boost::system::error_code ec) {
823 if (ec)
824 {
825 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the "
826 "groupname attribute";
827 messages::internalError(asyncResp->res);
828 return;
829 }
830 auto& serverTypeJson =
831 asyncResp->res.jsonValue[ldapServerElementName];
832 auto& searchSettingsJson =
833 serverTypeJson["LDAPService"]["SearchSettings"];
834 searchSettingsJson["GroupsAttribute"] = groupsAttribute;
835 BMCWEB_LOG_DEBUG << "Updated the groupname attr";
836 },
837 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
838 ldapConfigInterface, "GroupNameAttribute",
839 std::variant<std::string>(groupsAttribute));
840}
841/**
842 * @brief updates the LDAP service enable and updates the
843 json response with the new value.
844 * @param input JSON data.
845 * @param asyncResp pointer to the JSON response
846 * @param ldapServerElementName Type of LDAP
847 server(openLDAP/ActiveDirectory)
848 */
849
850void handleServiceEnablePatch(
851 bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
852 const std::string& ldapServerElementName,
853 const std::string& ldapConfigObject)
854{
855 crow::connections::systemBus->async_method_call(
856 [asyncResp, serviceEnabled,
857 ldapServerElementName](const boost::system::error_code ec) {
858 if (ec)
859 {
860 BMCWEB_LOG_DEBUG
861 << "Error Occurred in Updating the service enable";
862 messages::internalError(asyncResp->res);
863 return;
864 }
865 asyncResp->res.jsonValue[ldapServerElementName]["ServiceEnabled"] =
866 serviceEnabled;
867 BMCWEB_LOG_DEBUG << "Updated Service enable = " << serviceEnabled;
868 },
869 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
870 ldapEnableInterface, "Enabled", std::variant<bool>(serviceEnabled));
871}
872
873void handleAuthMethodsPatch(nlohmann::json& input,
874 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
875{
876 std::optional<bool> basicAuth;
877 std::optional<bool> cookie;
878 std::optional<bool> sessionToken;
879 std::optional<bool> xToken;
880 std::optional<bool> tls;
881
882 if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth,
883 "Cookie", cookie, "SessionToken", sessionToken,
884 "XToken", xToken, "TLS", tls))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]885 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]886 BMCWEB_LOG_ERROR << "Cannot read values from AuthMethod tag";
887 return;
888 }
889
890 // Make a copy of methods configuration
891 persistent_data::AuthConfigMethods authMethodsConfig =
892 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
893
894 if (basicAuth)
895 {
896#ifndef BMCWEB_ENABLE_BASIC_AUTHENTICATION
897 messages::actionNotSupported(
898 asyncResp->res, "Setting BasicAuth when basic-auth feature "
899 "is disabled");
900 return;
901#endif
902 authMethodsConfig.basic = *basicAuth;
903 }
904
905 if (cookie)
906 {
907#ifndef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
908 messages::actionNotSupported(asyncResp->res,
909 "Setting Cookie when cookie-auth feature "
910 "is disabled");
911 return;
912#endif
913 authMethodsConfig.cookie = *cookie;
914 }
915
916 if (sessionToken)
917 {
918#ifndef BMCWEB_ENABLE_SESSION_AUTHENTICATION
919 messages::actionNotSupported(
920 asyncResp->res, "Setting SessionToken when session-auth feature "
921 "is disabled");
922 return;
923#endif
924 authMethodsConfig.sessionToken = *sessionToken;
925 }
926
927 if (xToken)
928 {
929#ifndef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
930 messages::actionNotSupported(asyncResp->res,
931 "Setting XToken when xtoken-auth feature "
932 "is disabled");
933 return;
934#endif
935 authMethodsConfig.xtoken = *xToken;
936 }
937
938 if (tls)
939 {
940#ifndef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
941 messages::actionNotSupported(asyncResp->res,
942 "Setting TLS when mutual-tls-auth feature "
943 "is disabled");
944 return;
945#endif
946 authMethodsConfig.tls = *tls;
947 }
948
949 if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
950 !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
951 !authMethodsConfig.tls)
952 {
953 // Do not allow user to disable everything
954 messages::actionNotSupported(asyncResp->res,
955 "of disabling all available methods");
956 return;
957 }
958
959 persistent_data::SessionStore::getInstance().updateAuthMethodsConfig(
960 authMethodsConfig);
961 // Save configuration immediately
962 persistent_data::getConfig().writeData();
963
964 messages::success(asyncResp->res);
965}
966
967/**
968 * @brief Get the required values from the given JSON, validates the
969 * value and create the LDAP config object.
970 * @param input JSON data
971 * @param asyncResp pointer to the JSON response
972 * @param serverType Type of LDAP server(openLDAP/ActiveDirectory)
973 */
974
975inline void handleLDAPPatch(nlohmann::json& input,
976 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
977 const std::string& serverType)
978{
979 std::string dbusObjectPath;
980 if (serverType == "ActiveDirectory")
981 {
982 dbusObjectPath = adConfigObject;
983 }
984 else if (serverType == "LDAP")
985 {
986 dbusObjectPath = ldapConfigObjectName;
987 }
988 else
989 {
990 return;
991 }
992
993 std::optional<nlohmann::json> authentication;
994 std::optional<nlohmann::json> ldapService;
995 std::optional<std::vector<std::string>> serviceAddressList;
996 std::optional<bool> serviceEnabled;
997 std::optional<std::vector<std::string>> baseDNList;
998 std::optional<std::string> userNameAttribute;
999 std::optional<std::string> groupsAttribute;
1000 std::optional<std::string> userName;
1001 std::optional<std::string> password;
1002 std::optional<std::vector<nlohmann::json>> remoteRoleMapData;
1003
1004 if (!json_util::readJson(input, asyncResp->res, "Authentication",
1005 authentication, "LDAPService", ldapService,
1006 "ServiceAddresses", serviceAddressList,
1007 "ServiceEnabled", serviceEnabled,
1008 "RemoteRoleMapping", remoteRoleMapData))
1009 {
1010 return;
1011 }
1012
1013 if (authentication)
1014 {
1015 parseLDAPAuthenticationJson(*authentication, asyncResp, userName,
1016 password);
1017 }
1018 if (ldapService)
1019 {
1020 parseLDAPServiceJson(*ldapService, asyncResp, baseDNList,
1021 userNameAttribute, groupsAttribute);
1022 }
1023 if (serviceAddressList)
1024 {
1025 if ((*serviceAddressList).size() == 0)
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1026 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1027 messages::propertyValueNotInList(asyncResp->res, "[]",
1028 "ServiceAddress");
Ed Tanouscb13a392020-07-25 19:02:03 +0000[diff] [blame]1029 return;
1030 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1031 }
1032 if (baseDNList)
1033 {
1034 if ((*baseDNList).size() == 0)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1035 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1036 messages::propertyValueNotInList(asyncResp->res, "[]",
1037 "BaseDistinguishedNames");
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1038 return;
1039 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1040 }
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1041
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1042 // nothing to update, then return
1043 if (!userName && !password && !serviceAddressList && !baseDNList &&
1044 !userNameAttribute && !groupsAttribute && !serviceEnabled &&
1045 !remoteRoleMapData)
1046 {
1047 return;
1048 }
1049
1050 // Get the existing resource first then keep modifying
1051 // whenever any property gets updated.
1052 getLDAPConfigData(serverType, [asyncResp, userName, password, baseDNList,
1053 userNameAttribute, groupsAttribute,
1054 serviceAddressList, serviceEnabled,
1055 dbusObjectPath, remoteRoleMapData](
1056 bool success,
1057 const LDAPConfigData& confData,
1058 const std::string& serverT) {
1059 if (!success)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1060 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1061 messages::internalError(asyncResp->res);
1062 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1063 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1064 parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT);
1065 if (confData.serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1066 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1067 // Disable the service first and update the rest of
1068 // the properties.
1069 handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1070 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1071
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1072 if (serviceAddressList)
1073 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1074 handleServiceAddressPatch(*serviceAddressList, asyncResp, serverT,
1075 dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1076 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1077 if (userName)
1078 {
1079 handleUserNamePatch(*userName, asyncResp, serverT, dbusObjectPath);
1080 }
1081 if (password)
1082 {
1083 handlePasswordPatch(*password, asyncResp, serverT, dbusObjectPath);
1084 }
1085
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1086 if (baseDNList)
1087 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1088 handleBaseDNPatch(*baseDNList, asyncResp, serverT, dbusObjectPath);
1089 }
1090 if (userNameAttribute)
1091 {
1092 handleUserNameAttrPatch(*userNameAttribute, asyncResp, serverT,
1093 dbusObjectPath);
1094 }
1095 if (groupsAttribute)
1096 {
1097 handleGroupNameAttrPatch(*groupsAttribute, asyncResp, serverT,
1098 dbusObjectPath);
1099 }
1100 if (serviceEnabled)
1101 {
1102 // if user has given the value as true then enable
1103 // the service. if user has given false then no-op
1104 // as service is already stopped.
1105 if (*serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1106 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1107 handleServiceEnablePatch(*serviceEnabled, asyncResp, serverT,
1108 dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1109 }
1110 }
jayaprakash Mutyala96200602020-04-08 11:09:10 +0000[diff] [blame]1111 else
1112 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1113 // if user has not given the service enabled value
1114 // then revert it to the same state as it was
1115 // before.
1116 handleServiceEnablePatch(confData.serviceEnabled, asyncResp,
1117 serverT, dbusObjectPath);
jayaprakash Mutyala96200602020-04-08 11:09:10 +0000[diff] [blame]1118 }
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1119
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1120 if (remoteRoleMapData)
1121 {
1122 handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT,
1123 *remoteRoleMapData);
1124 }
1125 });
1126}
1127
1128inline void updateUserProperties(std::shared_ptr<bmcweb::AsyncResp> asyncResp,
1129 const std::string& username,
1130 std::optional<std::string> password,
1131 std::optional<bool> enabled,
1132 std::optional<std::string> roleId,
1133 std::optional<bool> locked)
1134{
1135 std::string dbusObjectPath = "/xyz/openbmc_project/user/" + username;
1136 dbus::utility::escapePathForDbus(dbusObjectPath);
1137
1138 dbus::utility::checkDbusPathExists(
1139 dbusObjectPath,
1140 [dbusObjectPath(std::move(dbusObjectPath)), username,
1141 password(std::move(password)), roleId(std::move(roleId)), enabled,
1142 locked, asyncResp{std::move(asyncResp)}](int rc) {
1143 if (!rc)
1144 {
1145 messages::resourceNotFound(
1146 asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
1147 username);
1148 return;
1149 }
1150
1151 if (password)
1152 {
1153 int retval = pamUpdatePassword(username, *password);
1154
1155 if (retval == PAM_USER_UNKNOWN)
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1156 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1157 messages::resourceNotFound(
1158 asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
1159 username);
1160 }
1161 else if (retval == PAM_AUTHTOK_ERR)
1162 {
1163 // If password is invalid
1164 messages::propertyValueFormatError(asyncResp->res,
1165 *password, "Password");
1166 BMCWEB_LOG_ERROR << "pamUpdatePassword Failed";
1167 }
1168 else if (retval != PAM_SUCCESS)
1169 {
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1170 messages::internalError(asyncResp->res);
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1171 return;
1172 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1173 }
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1174
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1175 if (enabled)
1176 {
1177 crow::connections::systemBus->async_method_call(
1178 [asyncResp](const boost::system::error_code ec) {
1179 if (ec)
1180 {
1181 BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec;
1182 messages::internalError(asyncResp->res);
1183 return;
1184 }
1185 messages::success(asyncResp->res);
1186 return;
1187 },
1188 "xyz.openbmc_project.User.Manager", dbusObjectPath.c_str(),
1189 "org.freedesktop.DBus.Properties", "Set",
1190 "xyz.openbmc_project.User.Attributes", "UserEnabled",
1191 std::variant<bool>{*enabled});
1192 }
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1193
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1194 if (roleId)
1195 {
1196 std::string priv = getPrivilegeFromRoleId(*roleId);
1197 if (priv.empty())
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1198 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1199 messages::propertyValueNotInList(asyncResp->res, *roleId,
1200 "RoleId");
1201 return;
1202 }
1203 if (priv == "priv-noaccess")
1204 {
1205 priv = "";
1206 }
1207
1208 crow::connections::systemBus->async_method_call(
1209 [asyncResp](const boost::system::error_code ec) {
1210 if (ec)
1211 {
1212 BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec;
1213 messages::internalError(asyncResp->res);
1214 return;
1215 }
1216 messages::success(asyncResp->res);
1217 },
1218 "xyz.openbmc_project.User.Manager", dbusObjectPath.c_str(),
1219 "org.freedesktop.DBus.Properties", "Set",
1220 "xyz.openbmc_project.User.Attributes", "UserPrivilege",
1221 std::variant<std::string>{priv});
1222 }
1223
1224 if (locked)
1225 {
1226 // admin can unlock the account which is locked by
1227 // successive authentication failures but admin should
1228 // not be allowed to lock an account.
1229 if (*locked)
1230 {
1231 messages::propertyValueNotInList(asyncResp->res, "true",
1232 "Locked");
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1233 return;
1234 }
1235
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1236 crow::connections::systemBus->async_method_call(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1237 [asyncResp](const boost::system::error_code ec) {
1238 if (ec)
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1239 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1240 BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec;
1241 messages::internalError(asyncResp->res);
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1242 return;
1243 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1244 messages::success(asyncResp->res);
1245 return;
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1246 },
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1247 "xyz.openbmc_project.User.Manager", dbusObjectPath.c_str(),
1248 "org.freedesktop.DBus.Properties", "Set",
1249 "xyz.openbmc_project.User.Attributes",
1250 "UserLockedForFailedAttempt", std::variant<bool>{*locked});
1251 }
1252 });
1253}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1254
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1255inline void requestAccountServiceRoutes(App& app)
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1256{
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1257
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1258 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
1259 .privileges({{"Login"}})
1260 .methods(
1261 boost::beast::http::verb::get)([](const crow::Request& /* req */,
1262 const std::shared_ptr<
1263 bmcweb::AsyncResp>& asyncResp)
1264 -> void {
1265 const persistent_data::AuthConfigMethods& authMethodsConfig =
1266 persistent_data::SessionStore::getInstance()
1267 .getAuthMethodsConfig();
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1268
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1269 asyncResp->res.jsonValue = {
1270 {"@odata.id", "/redfish/v1/AccountService"},
1271 {"@odata.type", "#AccountService."
1272 "v1_5_0.AccountService"},
1273 {"Id", "AccountService"},
1274 {"Name", "Account Service"},
1275 {"Description", "Account Service"},
1276 {"ServiceEnabled", true},
1277 {"MaxPasswordLength", 20},
1278 {"Accounts",
1279 {{"@odata.id", "/redfish/v1/AccountService/Accounts"}}},
1280 {"Roles", {{"@odata.id", "/redfish/v1/AccountService/Roles"}}},
1281 {"Oem",
1282 {{"OpenBMC",
1283 {{"@odata.type", "#OemAccountService.v1_0_0.AccountService"},
1284 {"AuthMethods",
1285 {
1286 {"BasicAuth", authMethodsConfig.basic},
1287 {"SessionToken", authMethodsConfig.sessionToken},
1288 {"XToken", authMethodsConfig.xtoken},
1289 {"Cookie", authMethodsConfig.cookie},
1290 {"TLS", authMethodsConfig.tls},
1291 }}}}}},
1292 {"LDAP",
1293 {{"Certificates",
1294 {{"@odata.id",
1295 "/redfish/v1/AccountService/LDAP/Certificates"}}}}}};
1296 crow::connections::systemBus->async_method_call(
1297 [asyncResp](
1298 const boost::system::error_code ec,
1299 const std::vector<
1300 std::pair<std::string,
1301 std::variant<uint32_t, uint16_t, uint8_t>>>&
1302 propertiesList) {
1303 if (ec)
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1304 {
1305 messages::internalError(asyncResp->res);
1306 return;
1307 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1308 BMCWEB_LOG_DEBUG << "Got " << propertiesList.size()
1309 << "properties for AccountService";
1310 for (const std::pair<std::string,
1311 std::variant<uint32_t, uint16_t,
1312 uint8_t>>& property :
1313 propertiesList)
1314 {
1315 if (property.first == "MinPasswordLength")
1316 {
1317 const uint8_t* value =
1318 std::get_if<uint8_t>(&property.second);
1319 if (value != nullptr)
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1320 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1321 asyncResp->res.jsonValue["MinPasswordLength"] =
1322 *value;
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1323 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1324 }
1325 if (property.first == "AccountUnlockTimeout")
1326 {
1327 const uint32_t* value =
1328 std::get_if<uint32_t>(&property.second);
1329 if (value != nullptr)
1330 {
1331 asyncResp->res
1332 .jsonValue["AccountLockoutDuration"] =
1333 *value;
1334 }
1335 }
1336 if (property.first == "MaxLoginAttemptBeforeLockout")
1337 {
1338 const uint16_t* value =
1339 std::get_if<uint16_t>(&property.second);
1340 if (value != nullptr)
1341 {
1342 asyncResp->res
1343 .jsonValue["AccountLockoutThreshold"] =
1344 *value;
1345 }
1346 }
1347 }
1348 },
1349 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1350 "org.freedesktop.DBus.Properties", "GetAll",
1351 "xyz.openbmc_project.User.AccountPolicy");
1352
1353 auto callback = [asyncResp](bool success, LDAPConfigData& confData,
1354 const std::string& ldapType) {
1355 if (!success)
1356 {
1357 return;
1358 }
1359 parseLDAPConfigData(asyncResp->res.jsonValue, confData,
1360 ldapType);
1361 };
1362
1363 getLDAPConfigData("LDAP", callback);
1364 getLDAPConfigData("ActiveDirectory", callback);
1365 });
1366
1367 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanouscef1ddf2021-06-03 13:45:10 -0700[diff] [blame]1368 .privileges({{"Login"}})
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1369 .methods(boost::beast::http::verb::get)(
1370 [](const crow::Request& req,
1371 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) -> void {
1372 asyncResp->res.jsonValue = {
1373 {"@odata.id", "/redfish/v1/AccountService/Accounts"},
1374 {"@odata.type", "#ManagerAccountCollection."
1375 "ManagerAccountCollection"},
1376 {"Name", "Accounts Collection"},
1377 {"Description", "BMC User Accounts"}};
1378
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1379 Privileges effectiveUserPrivileges =
1380 redfish::getUserPrivileges(req.userRole);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1381
1382 std::string thisUser = req.session->username;
1383
1384 crow::connections::systemBus->async_method_call(
Ed Tanouscef1ddf2021-06-03 13:45:10 -0700[diff] [blame]1385 [asyncResp, thisUser, effectiveUserPrivileges](
1386 const boost::system::error_code ec,
1387 const ManagedObjectType& users) {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1388 if (ec)
1389 {
1390 messages::internalError(asyncResp->res);
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1391 return;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1392 }
Ed Tanous9712f8a2018-09-21 13:38:49 -0700[diff] [blame]1393
Ed Tanouscef1ddf2021-06-03 13:45:10 -0700[diff] [blame]1394 bool userCanSeeAllAccounts =
1395 effectiveUserPrivileges.isSupersetOf(
1396 {{"ConfigureUsers"}});
1397
1398 bool userCanSeeSelf =
1399 effectiveUserPrivileges.isSupersetOf(
1400 {{"ConfigureSelf"}});
1401
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1402 nlohmann::json& memberArray =
1403 asyncResp->res.jsonValue["Members"];
1404 memberArray = nlohmann::json::array();
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1405
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1406 for (auto& userpath : users)
1407 {
1408 std::string user = userpath.first.filename();
1409 if (user.empty())
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1410 {
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1411 messages::internalError(asyncResp->res);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1412 BMCWEB_LOG_ERROR << "Invalid firmware ID";
1413
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1414 return;
1415 }
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1416
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1417 // As clarified by Redfish here:
1418 // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration
1419 // Users without ConfigureUsers, only see their own
1420 // account. Users with ConfigureUsers, see all
1421 // accounts.
Ed Tanouscef1ddf2021-06-03 13:45:10 -0700[diff] [blame]1422 if (userCanSeeAllAccounts ||
1423 (thisUser == user && userCanSeeSelf))
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1424 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1425 memberArray.push_back(
1426 {{"@odata.id",
1427 "/redfish/v1/AccountService/Accounts/" +
1428 user}});
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1429 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1430 }
1431 asyncResp->res.jsonValue["Members@odata.count"] =
1432 memberArray.size();
1433 },
1434 "xyz.openbmc_project.User.Manager",
1435 "/xyz/openbmc_project/user",
1436 "org.freedesktop.DBus.ObjectManager", "GetManagedObjects");
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1437 });
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1438
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1439 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
1440 .privileges({{"ConfigureUsers"}})
1441 .methods(boost::beast::http::verb::post)([](const crow::Request& req,
1442 const std::shared_ptr<
1443 bmcweb::AsyncResp>&
1444 asyncResp) -> void {
1445 std::string username;
1446 std::string password;
1447 std::optional<std::string> roleId("User");
1448 std::optional<bool> enabled = true;
1449 if (!json_util::readJson(req, asyncResp->res, "UserName", username,
1450 "Password", password, "RoleId", roleId,
1451 "Enabled", enabled))
1452 {
1453 return;
1454 }
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1455
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1456 std::string priv = getPrivilegeFromRoleId(*roleId);
1457 if (priv.empty())
1458 {
1459 messages::propertyValueNotInList(asyncResp->res, *roleId,
1460 "RoleId");
1461 return;
1462 }
1463 // TODO: Following override will be reverted once support in
1464 // phosphor-user-manager is added. In order to avoid dependency
1465 // issues, this is added in bmcweb, which will removed, once
1466 // phosphor-user-manager supports priv-noaccess.
1467 if (priv == "priv-noaccess")
1468 {
1469 roleId = "";
1470 }
1471 else
1472 {
1473 roleId = priv;
1474 }
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1475
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1476 // Reading AllGroups property
1477 crow::connections::systemBus->async_method_call(
1478 [asyncResp, username, password{std::move(password)}, roleId,
1479 enabled](
1480 const boost::system::error_code ec,
1481 const std::variant<std::vector<std::string>>& allGroups) {
1482 if (ec)
1483 {
1484 BMCWEB_LOG_DEBUG << "ERROR with async_method_call";
1485 messages::internalError(asyncResp->res);
1486 return;
1487 }
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1488
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1489 const std::vector<std::string>* allGroupsList =
1490 std::get_if<std::vector<std::string>>(&allGroups);
1491
1492 if (allGroupsList == nullptr || allGroupsList->empty())
1493 {
1494 messages::internalError(asyncResp->res);
1495 return;
1496 }
1497
1498 crow::connections::systemBus->async_method_call(
1499 [asyncResp, username,
1500 password](const boost::system::error_code ec2,
1501 sdbusplus::message::message& m) {
1502 if (ec2)
1503 {
1504 userErrorMessageHandler(
1505 m.get_error(), asyncResp, username, "");
1506 return;
1507 }
1508
1509 if (pamUpdatePassword(username, password) !=
1510 PAM_SUCCESS)
1511 {
1512 // At this point we have a user that's been
1513 // created, but the password set
1514 // failed.Something is wrong, so delete the user
1515 // that we've already created
1516 crow::connections::systemBus->async_method_call(
1517 [asyncResp, password](
1518 const boost::system::error_code ec3) {
1519 if (ec3)
1520 {
1521 messages::internalError(
1522 asyncResp->res);
1523 return;
1524 }
1525
1526 // If password is invalid
1527 messages::propertyValueFormatError(
1528 asyncResp->res, password,
1529 "Password");
1530 },
1531 "xyz.openbmc_project.User.Manager",
1532 "/xyz/openbmc_project/user/" + username,
1533 "xyz.openbmc_project.Object.Delete",
1534 "Delete");
1535
1536 BMCWEB_LOG_ERROR << "pamUpdatePassword Failed";
1537 return;
1538 }
1539
1540 messages::created(asyncResp->res);
1541 asyncResp->res.addHeader(
1542 "Location",
1543 "/redfish/v1/AccountService/Accounts/" +
1544 username);
1545 },
1546 "xyz.openbmc_project.User.Manager",
1547 "/xyz/openbmc_project/user",
1548 "xyz.openbmc_project.User.Manager", "CreateUser",
1549 username, *allGroupsList, *roleId, *enabled);
1550 },
1551 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1552 "org.freedesktop.DBus.Properties", "Get",
1553 "xyz.openbmc_project.User.Manager", "AllGroups");
1554 });
1555
1556 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
1557 .privileges(
1558 {{"ConfigureUsers"}, {"ConfigureManager"}, {"ConfigureSelf"}})
1559 .methods(
1560 boost::beast::http::verb::
1561 get)([](const crow::Request& req,
1562 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1563 const std::string& accountName) -> void {
1564 if (req.session->username != accountName)
1565 {
1566 // At this point we've determined that the user is trying to
1567 // modify a user that isn't them. We need to verify that they
1568 // have permissions to modify other users, so re-run the auth
1569 // check with the same permissions, minus ConfigureSelf.
1570 Privileges effectiveUserPrivileges =
1571 redfish::getUserPrivileges(req.userRole);
1572 Privileges requiredPermissionsToChangeNonSelf = {
1573 {"ConfigureUsers"}, {"ConfigureManager"}};
1574 if (!effectiveUserPrivileges.isSupersetOf(
1575 requiredPermissionsToChangeNonSelf))
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1576 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1577 BMCWEB_LOG_DEBUG << "GET Account denied access";
1578 messages::insufficientPrivilege(asyncResp->res);
1579 return;
1580 }
1581 }
1582
1583 crow::connections::systemBus->async_method_call(
1584 [asyncResp, accountName](const boost::system::error_code ec,
1585 const ManagedObjectType& users) {
1586 if (ec)
1587 {
1588 messages::internalError(asyncResp->res);
1589 return;
1590 }
1591 auto userIt = users.begin();
1592
1593 for (; userIt != users.end(); userIt++)
1594 {
1595 if (boost::ends_with(userIt->first.str,
1596 "/" + accountName))
1597 {
1598 break;
1599 }
1600 }
1601 if (userIt == users.end())
1602 {
1603 messages::resourceNotFound(
1604 asyncResp->res, "ManagerAccount", accountName);
1605 return;
1606 }
1607
1608 asyncResp->res.jsonValue = {
1609 {"@odata.type",
1610 "#ManagerAccount.v1_4_0.ManagerAccount"},
1611 {"Name", "User Account"},
1612 {"Description", "User Account"},
1613 {"Password", nullptr},
1614 {"AccountTypes", {"Redfish"}}};
1615
1616 for (const auto& interface : userIt->second)
1617 {
1618 if (interface.first ==
1619 "xyz.openbmc_project.User.Attributes")
1620 {
1621 for (const auto& property : interface.second)
1622 {
1623 if (property.first == "UserEnabled")
1624 {
1625 const bool* userEnabled =
1626 std::get_if<bool>(&property.second);
1627 if (userEnabled == nullptr)
1628 {
1629 BMCWEB_LOG_ERROR
1630 << "UserEnabled wasn't a bool";
1631 messages::internalError(asyncResp->res);
1632 return;
1633 }
1634 asyncResp->res.jsonValue["Enabled"] =
1635 *userEnabled;
1636 }
1637 else if (property.first ==
1638 "UserLockedForFailedAttempt")
1639 {
1640 const bool* userLocked =
1641 std::get_if<bool>(&property.second);
1642 if (userLocked == nullptr)
1643 {
1644 BMCWEB_LOG_ERROR << "UserLockedForF"
1645 "ailedAttempt "
1646 "wasn't a bool";
1647 messages::internalError(asyncResp->res);
1648 return;
1649 }
1650 asyncResp->res.jsonValue["Locked"] =
1651 *userLocked;
1652 asyncResp->res.jsonValue
1653 ["Locked@Redfish.AllowableValues"] = {
1654 "false"}; // can only unlock accounts
1655 }
1656 else if (property.first == "UserPrivilege")
1657 {
1658 const std::string* userPrivPtr =
1659 std::get_if<std::string>(
1660 &property.second);
1661 if (userPrivPtr == nullptr)
1662 {
1663 BMCWEB_LOG_ERROR
1664 << "UserPrivilege wasn't a "
1665 "string";
1666 messages::internalError(asyncResp->res);
1667 return;
1668 }
1669 std::string role =
1670 getRoleIdFromPrivilege(*userPrivPtr);
1671 if (role.empty())
1672 {
1673 BMCWEB_LOG_ERROR << "Invalid user role";
1674 messages::internalError(asyncResp->res);
1675 return;
1676 }
1677 asyncResp->res.jsonValue["RoleId"] = role;
1678
1679 asyncResp->res.jsonValue["Links"]["Role"] =
1680 {{"@odata.id",
1681 "/redfish/v1/AccountService/"
1682 "Roles/" +
1683 role}};
1684 }
1685 else if (property.first ==
1686 "UserPasswordExpired")
1687 {
1688 const bool* userPasswordExpired =
1689 std::get_if<bool>(&property.second);
1690 if (userPasswordExpired == nullptr)
1691 {
1692 BMCWEB_LOG_ERROR << "UserPassword"
1693 "Expired "
1694 "wasn't a bool";
1695 messages::internalError(asyncResp->res);
1696 return;
1697 }
1698 asyncResp->res
1699 .jsonValue["PasswordChangeRequired"] =
1700 *userPasswordExpired;
1701 }
1702 }
1703 }
1704 }
1705
1706 asyncResp->res.jsonValue["@odata.id"] =
1707 "/redfish/v1/AccountService/Accounts/" + accountName;
1708 asyncResp->res.jsonValue["Id"] = accountName;
1709 asyncResp->res.jsonValue["UserName"] = accountName;
1710 },
1711 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1712 "org.freedesktop.DBus.ObjectManager", "GetManagedObjects");
1713 });
1714
1715 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
1716 .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}})
1717 .methods(boost::beast::http::verb::patch)(
1718 [](const crow::Request& req,
1719 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1720 const std::string& username) -> void {
1721 std::optional<std::string> newUserName;
1722 std::optional<std::string> password;
1723 std::optional<bool> enabled;
1724 std::optional<std::string> roleId;
1725 std::optional<bool> locked;
1726 if (!json_util::readJson(req, asyncResp->res, "UserName",
1727 newUserName, "Password", password,
1728 "RoleId", roleId, "Enabled", enabled,
1729 "Locked", locked))
1730 {
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1731 return;
1732 }
1733
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1734 // Perform a proper ConfigureSelf authority check. If the
1735 // session is being used to PATCH a property other than
1736 // Password, then the ConfigureSelf privilege does not apply.
1737 // If the user is operating on an account not their own, then
1738 // their ConfigureSelf privilege does not apply. In either
1739 // case, perform the authority check again without the user's
1740 // ConfigureSelf privilege.
1741 if ((username != req.session->username))
1742 {
1743 Privileges requiredPermissionsToChangeNonSelf = {
1744 {"ConfigureUsers"}};
1745 Privileges effectiveUserPrivileges =
1746 redfish::getUserPrivileges(req.userRole);
1747
1748 if (!effectiveUserPrivileges.isSupersetOf(
1749 requiredPermissionsToChangeNonSelf))
1750 {
1751 messages::insufficientPrivilege(asyncResp->res);
1752 return;
1753 }
1754 }
1755
1756 // if user name is not provided in the patch method or if it
1757 // matches the user name in the URI, then we are treating it as
1758 // updating user properties other then username. If username
1759 // provided doesn't match the URI, then we are treating this as
1760 // user rename request.
1761 if (!newUserName || (newUserName.value() == username))
1762 {
1763 updateUserProperties(asyncResp, username, password, enabled,
1764 roleId, locked);
1765 return;
1766 }
1767 crow::connections::systemBus->async_method_call(
1768 [asyncResp, username, password(std::move(password)),
1769 roleId(std::move(roleId)), enabled,
1770 newUser{std::string(*newUserName)},
1771 locked](const boost::system::error_code ec,
1772 sdbusplus::message::message& m) {
1773 if (ec)
1774 {
1775 userErrorMessageHandler(m.get_error(), asyncResp,
1776 newUser, username);
1777 return;
1778 }
1779
1780 updateUserProperties(asyncResp, newUser, password,
1781 enabled, roleId, locked);
1782 },
1783 "xyz.openbmc_project.User.Manager",
1784 "/xyz/openbmc_project/user",
1785 "xyz.openbmc_project.User.Manager", "RenameUser", username,
1786 *newUserName);
1787 });
1788
1789 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
1790 .privileges({{"ConfigureUsers"}})
1791 .methods(boost::beast::http::verb::delete_)(
1792 [](const crow::Request& /*req*/,
1793 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1794 const std::string& username) -> void {
1795 const std::string userPath =
1796 "/xyz/openbmc_project/user/" + username;
1797
1798 crow::connections::systemBus->async_method_call(
1799 [asyncResp, username](const boost::system::error_code ec) {
1800 if (ec)
1801 {
1802 messages::resourceNotFound(
1803 asyncResp->res,
1804 "#ManagerAccount.v1_4_0.ManagerAccount",
1805 username);
1806 return;
1807 }
1808
1809 messages::accountRemoved(asyncResp->res);
1810 },
1811 "xyz.openbmc_project.User.Manager", userPath,
1812 "xyz.openbmc_project.Object.Delete", "Delete");
1813 });
1814}
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]1815
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]1816} // namespace redfish