blob: aab116e6b1600c255e7b5ee6aea0a22726d67fea [file] [log] [blame]
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +01001/*
2// Copyright (c) 2018 Intel Corporation
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15*/
16#pragma once
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +010017
Ed Tanous3ccb3ad2023-01-13 17:40:03 -080018#include "app.hpp"
19#include "dbus_utility.hpp"
20#include "error_messages.hpp"
Ed Tanous0ec8b832022-03-14 14:56:47 -070021#include "generated/enums/account_service.hpp"
Ed Tanous3ccb3ad2023-01-13 17:40:03 -080022#include "openbmc_dbus_rest.hpp"
23#include "persistent_data.hpp"
24#include "query.hpp"
Ed Tanous0ec8b832022-03-14 14:56:47 -070025#include "registries/privilege_registry.hpp"
Ed Tanous3ccb3ad2023-01-13 17:40:03 -080026#include "utils/dbus_utils.hpp"
27#include "utils/json_utils.hpp"
Ed Tanous0ec8b832022-03-14 14:56:47 -070028
Jonathan Doman1e1e5982021-06-11 09:36:17 -070029#include <sdbusplus/asio/property.hpp>
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +020030#include <sdbusplus/unpack_properties.hpp>
Gunnar Mills1214b7e2020-06-04 10:11:30 -050031
George Liu2b731192023-01-11 16:27:13 +080032#include <array>
Abhishek Patelc7229812022-02-01 10:07:15 -060033#include <optional>
Ed Tanous3544d2a2023-08-06 18:12:20 -070034#include <ranges>
Abhishek Patelc7229812022-02-01 10:07:15 -060035#include <string>
George Liu2b731192023-01-11 16:27:13 +080036#include <string_view>
Abhishek Patelc7229812022-02-01 10:07:15 -060037#include <vector>
38
Ed Tanous1abe55e2018-09-05 08:30:59 -070039namespace redfish
40{
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +010041
Ed Tanous23a21a12020-07-25 04:45:05 +000042constexpr const char* ldapConfigObjectName =
Ratan Gupta6973a582018-12-13 18:25:44 +053043 "/xyz/openbmc_project/user/ldap/openldap";
Ed Tanous2c70f802020-09-28 14:29:23 -070044constexpr const char* adConfigObject =
Ratan Guptaab828d72019-04-22 14:18:33 +053045 "/xyz/openbmc_project/user/ldap/active_directory";
46
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +053047constexpr const char* rootUserDbusPath = "/xyz/openbmc_project/user/";
Ratan Gupta6973a582018-12-13 18:25:44 +053048constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap";
49constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config";
50constexpr const char* ldapConfigInterface =
51 "xyz.openbmc_project.User.Ldap.Config";
52constexpr const char* ldapCreateInterface =
53 "xyz.openbmc_project.User.Ldap.Create";
54constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable";
Ratan Gupta06785242019-07-26 22:30:16 +053055constexpr const char* ldapPrivMapperInterface =
56 "xyz.openbmc_project.User.PrivilegeMapper";
Ratan Gupta6973a582018-12-13 18:25:44 +053057
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060058struct LDAPRoleMapData
59{
60 std::string groupName;
61 std::string privilege;
62};
63
Ratan Gupta6973a582018-12-13 18:25:44 +053064struct LDAPConfigData
65{
Ed Tanous47f29342024-03-19 12:18:06 -070066 std::string uri;
67 std::string bindDN;
68 std::string baseDN;
69 std::string searchScope;
70 std::string serverType;
Ratan Gupta6973a582018-12-13 18:25:44 +053071 bool serviceEnabled = false;
Ed Tanous47f29342024-03-19 12:18:06 -070072 std::string userNameAttribute;
73 std::string groupAttribute;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060074 std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList;
Ratan Gupta6973a582018-12-13 18:25:44 +053075};
76
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060077inline std::string getRoleIdFromPrivilege(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +053078{
79 if (role == "priv-admin")
80 {
81 return "Administrator";
82 }
Ed Tanous3174e4d2020-10-07 11:41:22 -070083 if (role == "priv-user")
AppaRao Puli84e12cb2018-10-11 01:28:15 +053084 {
AppaRao Pulic80fee52019-10-16 14:49:36 +053085 return "ReadOnly";
AppaRao Puli84e12cb2018-10-11 01:28:15 +053086 }
Ed Tanous3174e4d2020-10-07 11:41:22 -070087 if (role == "priv-operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +053088 {
89 return "Operator";
90 }
91 return "";
92}
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060093inline std::string getPrivilegeFromRoleId(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +053094{
95 if (role == "Administrator")
96 {
97 return "priv-admin";
98 }
Ed Tanous3174e4d2020-10-07 11:41:22 -070099 if (role == "ReadOnly")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530100 {
101 return "priv-user";
102 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700103 if (role == "Operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530104 {
105 return "priv-operator";
106 }
107 return "";
108}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700109
Abhishek Patelc7229812022-02-01 10:07:15 -0600110/**
111 * @brief Maps user group names retrieved from D-Bus object to
112 * Account Types.
113 *
114 * @param[in] userGroups List of User groups
115 * @param[out] res AccountTypes populated
116 *
117 * @return true in case of success, false if UserGroups contains
118 * invalid group name(s).
119 */
120inline bool translateUserGroup(const std::vector<std::string>& userGroups,
121 crow::Response& res)
122{
123 std::vector<std::string> accountTypes;
124 for (const auto& userGroup : userGroups)
125 {
126 if (userGroup == "redfish")
127 {
128 accountTypes.emplace_back("Redfish");
129 accountTypes.emplace_back("WebUI");
130 }
131 else if (userGroup == "ipmi")
132 {
133 accountTypes.emplace_back("IPMI");
134 }
135 else if (userGroup == "ssh")
136 {
Abhishek Patelc7229812022-02-01 10:07:15 -0600137 accountTypes.emplace_back("ManagerConsole");
138 }
Ninad Palsule3e72c202023-03-27 17:19:55 -0500139 else if (userGroup == "hostconsole")
140 {
141 // The hostconsole group controls who can access the host console
142 // port via ssh and websocket.
143 accountTypes.emplace_back("HostConsole");
144 }
Abhishek Patelc7229812022-02-01 10:07:15 -0600145 else if (userGroup == "web")
146 {
147 // 'web' is one of the valid groups in the UserGroups property of
148 // the user account in the D-Bus object. This group is currently not
149 // doing anything, and is considered to be equivalent to 'redfish'.
150 // 'redfish' user group is mapped to 'Redfish'and 'WebUI'
151 // AccountTypes, so do nothing here...
152 }
153 else
154 {
Ed Tanous8ece0e42024-01-02 13:16:50 -0800155 // Invalid user group name. Caller throws an exception.
Abhishek Patelc7229812022-02-01 10:07:15 -0600156 return false;
157 }
158 }
159
160 res.jsonValue["AccountTypes"] = std::move(accountTypes);
161 return true;
162}
163
Abhishek Patel58345852022-02-02 08:54:25 -0600164/**
165 * @brief Builds User Groups from the Account Types
166 *
167 * @param[in] asyncResp Async Response
168 * @param[in] accountTypes List of Account Types
169 * @param[out] userGroups List of User Groups mapped from Account Types
170 *
171 * @return true if Account Types mapped to User Groups, false otherwise.
172 */
173inline bool
174 getUserGroupFromAccountType(crow::Response& res,
175 const std::vector<std::string>& accountTypes,
176 std::vector<std::string>& userGroups)
177{
178 // Need both Redfish and WebUI Account Types to map to 'redfish' User Group
179 bool redfishType = false;
180 bool webUIType = false;
181
182 for (const auto& accountType : accountTypes)
183 {
184 if (accountType == "Redfish")
185 {
186 redfishType = true;
187 }
188 else if (accountType == "WebUI")
189 {
190 webUIType = true;
191 }
192 else if (accountType == "IPMI")
193 {
194 userGroups.emplace_back("ipmi");
195 }
196 else if (accountType == "HostConsole")
197 {
198 userGroups.emplace_back("hostconsole");
199 }
200 else if (accountType == "ManagerConsole")
201 {
202 userGroups.emplace_back("ssh");
203 }
204 else
205 {
206 // Invalid Account Type
207 messages::propertyValueNotInList(res, "AccountTypes", accountType);
208 return false;
209 }
210 }
211
212 // Both Redfish and WebUI Account Types are needed to PATCH
213 if (redfishType ^ webUIType)
214 {
Ed Tanous62598e32023-07-17 17:06:25 -0700215 BMCWEB_LOG_ERROR(
216 "Missing Redfish or WebUI Account Type to set redfish User Group");
Abhishek Patel58345852022-02-02 08:54:25 -0600217 messages::strictAccountTypes(res, "AccountTypes");
218 return false;
219 }
220
221 if (redfishType && webUIType)
222 {
223 userGroups.emplace_back("redfish");
224 }
225
226 return true;
227}
228
229/**
230 * @brief Sets UserGroups property of the user based on the Account Types
231 *
232 * @param[in] accountTypes List of User Account Types
233 * @param[in] asyncResp Async Response
234 * @param[in] dbusObjectPath D-Bus Object Path
235 * @param[in] userSelf true if User is updating OWN Account Types
236 */
237inline void
238 patchAccountTypes(const std::vector<std::string>& accountTypes,
239 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
240 const std::string& dbusObjectPath, bool userSelf)
241{
242 // Check if User is disabling own Redfish Account Type
243 if (userSelf &&
244 (accountTypes.cend() ==
245 std::find(accountTypes.cbegin(), accountTypes.cend(), "Redfish")))
246 {
Ed Tanous62598e32023-07-17 17:06:25 -0700247 BMCWEB_LOG_ERROR(
248 "User disabling OWN Redfish Account Type is not allowed");
Abhishek Patel58345852022-02-02 08:54:25 -0600249 messages::strictAccountTypes(asyncResp->res, "AccountTypes");
250 return;
251 }
252
253 std::vector<std::string> updatedUserGroups;
254 if (!getUserGroupFromAccountType(asyncResp->res, accountTypes,
255 updatedUserGroups))
256 {
257 // Problem in mapping Account Types to User Groups, Error already
258 // logged.
259 return;
260 }
Ed Tanousd02aad32024-02-13 14:43:34 -0800261 setDbusProperty(asyncResp, "xyz.openbmc_project.User.Manager",
262 dbusObjectPath, "xyz.openbmc_project.User.Attributes",
263 "UserGroups", "AccountTypes", updatedUserGroups);
Abhishek Patel58345852022-02-02 08:54:25 -0600264}
265
zhanghch058d1b46d2021-04-01 11:18:24 +0800266inline void userErrorMessageHandler(
267 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
268 const std::string& newUser, const std::string& username)
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000269{
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000270 if (e == nullptr)
271 {
272 messages::internalError(asyncResp->res);
273 return;
274 }
275
Manojkiran Eda055806b2020-11-03 09:36:28 +0530276 const char* errorMessage = e->name;
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000277 if (strcmp(errorMessage,
278 "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0)
279 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +0800280 messages::resourceAlreadyExists(asyncResp->res, "ManagerAccount",
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000281 "UserName", newUser);
282 }
283 else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
284 "UserNameDoesNotExist") == 0)
285 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +0800286 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000287 }
Ed Tanousd4d25792020-09-29 15:15:03 -0700288 else if ((strcmp(errorMessage,
289 "xyz.openbmc_project.Common.Error.InvalidArgument") ==
290 0) ||
George Liu0fda0f12021-11-16 10:06:17 +0800291 (strcmp(
292 errorMessage,
293 "xyz.openbmc_project.User.Common.Error.UserNameGroupFail") ==
294 0))
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000295 {
296 messages::propertyValueFormatError(asyncResp->res, newUser, "UserName");
297 }
298 else if (strcmp(errorMessage,
299 "xyz.openbmc_project.User.Common.Error.NoResource") == 0)
300 {
301 messages::createLimitReachedForResource(asyncResp->res);
302 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000303 else
304 {
Gunnar Millsb8ad5832023-10-02 16:26:07 -0500305 BMCWEB_LOG_ERROR("DBUS response error {}", errorMessage);
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000306 messages::internalError(asyncResp->res);
307 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000308}
309
Ed Tanous81ce6092020-12-17 16:54:55 +0000310inline void parseLDAPConfigData(nlohmann::json& jsonResponse,
Ed Tanous23a21a12020-07-25 04:45:05 +0000311 const LDAPConfigData& confData,
312 const std::string& ldapType)
Ratan Gupta6973a582018-12-13 18:25:44 +0530313{
Ed Tanous49cc2632024-03-20 12:49:15 -0700314 nlohmann::json::object_t ldap;
Ed Tanous14766872022-03-15 10:44:42 -0700315 ldap["ServiceEnabled"] = confData.serviceEnabled;
Ed Tanous49cc2632024-03-20 12:49:15 -0700316 nlohmann::json::array_t serviceAddresses;
317 serviceAddresses.emplace_back(confData.uri);
318 ldap["ServiceAddresses"] = std::move(serviceAddresses);
319
320 nlohmann::json::object_t authentication;
321 authentication["AuthenticationType"] =
Ed Tanous0ec8b832022-03-14 14:56:47 -0700322 account_service::AuthenticationTypes::UsernameAndPassword;
Ed Tanous49cc2632024-03-20 12:49:15 -0700323 authentication["Username"] = confData.bindDN;
324 authentication["Password"] = nullptr;
325 ldap["Authentication"] = std::move(authentication);
Ed Tanous14766872022-03-15 10:44:42 -0700326
Ed Tanous49cc2632024-03-20 12:49:15 -0700327 nlohmann::json::object_t ldapService;
328 nlohmann::json::object_t searchSettings;
329 nlohmann::json::array_t baseDistinguishedNames;
330 baseDistinguishedNames.emplace_back(confData.baseDN);
Ed Tanous14766872022-03-15 10:44:42 -0700331
Ed Tanous49cc2632024-03-20 12:49:15 -0700332 searchSettings["BaseDistinguishedNames"] =
333 std::move(baseDistinguishedNames);
334 searchSettings["UsernameAttribute"] = confData.userNameAttribute;
335 searchSettings["GroupsAttribute"] = confData.groupAttribute;
336 ldapService["SearchSettings"] = std::move(searchSettings);
337 ldap["LDAPService"] = std::move(ldapService);
338
339 nlohmann::json::array_t roleMapArray;
Ed Tanous9eb808c2022-01-25 10:19:23 -0800340 for (const auto& obj : confData.groupRoleList)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600341 {
Ed Tanous62598e32023-07-17 17:06:25 -0700342 BMCWEB_LOG_DEBUG("Pushing the data groupName={}", obj.second.groupName);
Ed Tanous613dabe2022-07-09 11:17:36 -0700343
Ed Tanous613dabe2022-07-09 11:17:36 -0700344 nlohmann::json::object_t remoteGroup;
345 remoteGroup["RemoteGroup"] = obj.second.groupName;
Jorge Cisneros329f0342022-11-04 16:26:25 +0000346 remoteGroup["LocalRole"] = getRoleIdFromPrivilege(obj.second.privilege);
347 roleMapArray.emplace_back(std::move(remoteGroup));
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600348 }
Ed Tanous49cc2632024-03-20 12:49:15 -0700349
350 ldap["RemoteRoleMapping"] = std::move(roleMapArray);
351
352 jsonResponse[ldapType].update(ldap);
Ratan Gupta6973a582018-12-13 18:25:44 +0530353}
354
355/**
Ratan Gupta06785242019-07-26 22:30:16 +0530356 * @brief validates given JSON input and then calls appropriate method to
357 * create, to delete or to set Rolemapping object based on the given input.
358 *
359 */
Ed Tanous23a21a12020-07-25 04:45:05 +0000360inline void handleRoleMapPatch(
zhanghch058d1b46d2021-04-01 11:18:24 +0800361 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
Ratan Gupta06785242019-07-26 22:30:16 +0530362 const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData,
Ed Tanousc1019822024-03-06 12:54:38 -0800363 const std::string& serverType,
364 std::vector<std::variant<nlohmann::json::object_t, std::nullptr_t>>& input)
Ratan Gupta06785242019-07-26 22:30:16 +0530365{
366 for (size_t index = 0; index < input.size(); index++)
367 {
Ed Tanousc1019822024-03-06 12:54:38 -0800368 std::variant<nlohmann::json::object_t, std::nullptr_t>& thisJson =
369 input[index];
370 nlohmann::json::object_t* obj =
371 std::get_if<nlohmann::json::object_t>(&thisJson);
372 if (obj == nullptr)
Ratan Gupta06785242019-07-26 22:30:16 +0530373 {
374 // delete the existing object
375 if (index < roleMapObjData.size())
376 {
377 crow::connections::systemBus->async_method_call(
378 [asyncResp, roleMapObjData, serverType,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -0800379 index](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700380 if (ec)
381 {
Ed Tanous62598e32023-07-17 17:06:25 -0700382 BMCWEB_LOG_ERROR("DBUS response error: {}", ec);
Ed Tanous002d39b2022-05-31 08:59:27 -0700383 messages::internalError(asyncResp->res);
384 return;
385 }
Patrick Williams89492a12023-05-10 07:51:34 -0500386 asyncResp->res.jsonValue[serverType]["RemoteRoleMapping"]
387 [index] = nullptr;
Patrick Williams5a39f772023-10-20 11:20:21 -0500388 },
Ratan Gupta06785242019-07-26 22:30:16 +0530389 ldapDbusService, roleMapObjData[index].first,
390 "xyz.openbmc_project.Object.Delete", "Delete");
391 }
392 else
393 {
Ed Tanous62598e32023-07-17 17:06:25 -0700394 BMCWEB_LOG_ERROR("Can't delete the object");
Ed Tanousc1019822024-03-06 12:54:38 -0800395 messages::propertyValueTypeError(asyncResp->res, "null",
Ed Tanous2e8c4bd2022-06-27 12:59:12 -0700396 "RemoteRoleMapping/" +
397 std::to_string(index));
Ratan Gupta06785242019-07-26 22:30:16 +0530398 return;
399 }
400 }
Ed Tanousc1019822024-03-06 12:54:38 -0800401 else if (obj->empty())
Ratan Gupta06785242019-07-26 22:30:16 +0530402 {
403 // Don't do anything for the empty objects,parse next json
404 // eg {"RemoteRoleMapping",[{}]}
405 }
406 else
407 {
408 // update/create the object
409 std::optional<std::string> remoteGroup;
410 std::optional<std::string> localRole;
411
Ed Tanousc1019822024-03-06 12:54:38 -0800412 if (!json_util::readJsonObject(*obj, asyncResp->res, "RemoteGroup",
413 remoteGroup, "LocalRole", localRole))
Ratan Gupta06785242019-07-26 22:30:16 +0530414 {
415 continue;
416 }
417
418 // Update existing RoleMapping Object
419 if (index < roleMapObjData.size())
420 {
Ed Tanous62598e32023-07-17 17:06:25 -0700421 BMCWEB_LOG_DEBUG("Update Role Map Object");
Ratan Gupta06785242019-07-26 22:30:16 +0530422 // If "RemoteGroup" info is provided
423 if (remoteGroup)
424 {
Ed Tanousd02aad32024-02-13 14:43:34 -0800425 setDbusProperty(
426 asyncResp, ldapDbusService, roleMapObjData[index].first,
George Liu9ae226f2023-06-21 17:56:46 +0800427 "xyz.openbmc_project.User.PrivilegeMapperEntry",
Ed Tanousd02aad32024-02-13 14:43:34 -0800428 "GroupName",
429 std::format("RemoteRoleMapping/{}/RemoteGroup", index),
430 *remoteGroup);
Ratan Gupta06785242019-07-26 22:30:16 +0530431 }
432
433 // If "LocalRole" info is provided
434 if (localRole)
435 {
Ed Tanousd02aad32024-02-13 14:43:34 -0800436 setDbusProperty(
437 asyncResp, ldapDbusService, roleMapObjData[index].first,
George Liu9ae226f2023-06-21 17:56:46 +0800438 "xyz.openbmc_project.User.PrivilegeMapperEntry",
Ed Tanousd02aad32024-02-13 14:43:34 -0800439 "Privilege",
440 std::format("RemoteRoleMapping/{}/LocalRole", index),
441 *localRole);
Ratan Gupta06785242019-07-26 22:30:16 +0530442 }
443 }
444 // Create a new RoleMapping Object.
445 else
446 {
Ed Tanous62598e32023-07-17 17:06:25 -0700447 BMCWEB_LOG_DEBUG(
448 "setRoleMappingProperties: Creating new Object");
Patrick Williams89492a12023-05-10 07:51:34 -0500449 std::string pathString = "RemoteRoleMapping/" +
450 std::to_string(index);
Ratan Gupta06785242019-07-26 22:30:16 +0530451
452 if (!localRole)
453 {
454 messages::propertyMissing(asyncResp->res,
455 pathString + "/LocalRole");
456 continue;
457 }
458 if (!remoteGroup)
459 {
460 messages::propertyMissing(asyncResp->res,
461 pathString + "/RemoteGroup");
462 continue;
463 }
464
465 std::string dbusObjectPath;
466 if (serverType == "ActiveDirectory")
467 {
Ed Tanous2c70f802020-09-28 14:29:23 -0700468 dbusObjectPath = adConfigObject;
Ratan Gupta06785242019-07-26 22:30:16 +0530469 }
470 else if (serverType == "LDAP")
471 {
Ed Tanous23a21a12020-07-25 04:45:05 +0000472 dbusObjectPath = ldapConfigObjectName;
Ratan Gupta06785242019-07-26 22:30:16 +0530473 }
474
Ed Tanous62598e32023-07-17 17:06:25 -0700475 BMCWEB_LOG_DEBUG("Remote Group={},LocalRole={}", *remoteGroup,
476 *localRole);
Ratan Gupta06785242019-07-26 22:30:16 +0530477
478 crow::connections::systemBus->async_method_call(
Ed Tanous271584a2019-07-09 16:24:22 -0700479 [asyncResp, serverType, localRole,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -0800480 remoteGroup](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700481 if (ec)
482 {
Ed Tanous62598e32023-07-17 17:06:25 -0700483 BMCWEB_LOG_ERROR("DBUS response error: {}", ec);
Ed Tanous002d39b2022-05-31 08:59:27 -0700484 messages::internalError(asyncResp->res);
485 return;
486 }
487 nlohmann::json& remoteRoleJson =
488 asyncResp->res
489 .jsonValue[serverType]["RemoteRoleMapping"];
490 nlohmann::json::object_t roleMapEntry;
491 roleMapEntry["LocalRole"] = *localRole;
492 roleMapEntry["RemoteGroup"] = *remoteGroup;
Patrick Williamsb2ba3072023-05-12 10:27:39 -0500493 remoteRoleJson.emplace_back(std::move(roleMapEntry));
Patrick Williams5a39f772023-10-20 11:20:21 -0500494 },
Ratan Gupta06785242019-07-26 22:30:16 +0530495 ldapDbusService, dbusObjectPath, ldapPrivMapperInterface,
Ed Tanous3174e4d2020-10-07 11:41:22 -0700496 "Create", *remoteGroup,
Ratan Gupta06785242019-07-26 22:30:16 +0530497 getPrivilegeFromRoleId(std::move(*localRole)));
498 }
499 }
500 }
501}
502
503/**
Ratan Gupta6973a582018-12-13 18:25:44 +0530504 * Function that retrieves all properties for LDAP config object
505 * into JSON
506 */
507template <typename CallbackFunc>
508inline void getLDAPConfigData(const std::string& ldapType,
509 CallbackFunc&& callback)
510{
George Liu2b731192023-01-11 16:27:13 +0800511 constexpr std::array<std::string_view, 2> interfaces = {
512 ldapEnableInterface, ldapConfigInterface};
Ratan Gupta6973a582018-12-13 18:25:44 +0530513
George Liu2b731192023-01-11 16:27:13 +0800514 dbus::utility::getDbusObject(
515 ldapConfigObjectName, interfaces,
Ed Tanous8cb2c022024-03-27 16:31:46 -0700516 [callback = std::forward<CallbackFunc>(callback),
Ed Tanousc1019822024-03-06 12:54:38 -0800517 ldapType](const boost::system::error_code& ec,
518 const dbus::utility::MapperGetObject& resp) mutable {
Ed Tanous002d39b2022-05-31 08:59:27 -0700519 if (ec || resp.empty())
520 {
Carson Labradobf2dded2023-08-10 00:37:06 +0000521 BMCWEB_LOG_WARNING(
Ed Tanous62598e32023-07-17 17:06:25 -0700522 "DBUS response error during getting of service name: {}", ec);
Ed Tanous002d39b2022-05-31 08:59:27 -0700523 LDAPConfigData empty{};
524 callback(false, empty, ldapType);
525 return;
526 }
527 std::string service = resp.begin()->first;
George Liu5eb468d2023-06-20 17:03:24 +0800528 sdbusplus::message::object_path path(ldapRootObject);
529 dbus::utility::getManagedObjects(
530 service, path,
Ed Tanousc1019822024-03-06 12:54:38 -0800531 [callback, ldapType](
532 const boost::system::error_code& ec2,
533 const dbus::utility::ManagedObjectType& ldapObjects) mutable {
Ed Tanous002d39b2022-05-31 08:59:27 -0700534 LDAPConfigData confData{};
Ed Tanous8b242752023-06-27 17:17:13 -0700535 if (ec2)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600536 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700537 callback(false, confData, ldapType);
Carson Labradobf2dded2023-08-10 00:37:06 +0000538 BMCWEB_LOG_WARNING("D-Bus responses error: {}", ec2);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600539 return;
540 }
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600541
Ed Tanous002d39b2022-05-31 08:59:27 -0700542 std::string ldapDbusType;
543 std::string searchString;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600544
Ed Tanous002d39b2022-05-31 08:59:27 -0700545 if (ldapType == "LDAP")
546 {
547 ldapDbusType =
548 "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap";
549 searchString = "openldap";
550 }
551 else if (ldapType == "ActiveDirectory")
552 {
553 ldapDbusType =
554 "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory";
555 searchString = "active_directory";
556 }
557 else
558 {
Ed Tanous62598e32023-07-17 17:06:25 -0700559 BMCWEB_LOG_ERROR("Can't get the DbusType for the given type={}",
560 ldapType);
Ed Tanous002d39b2022-05-31 08:59:27 -0700561 callback(false, confData, ldapType);
562 return;
563 }
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600564
Ed Tanous002d39b2022-05-31 08:59:27 -0700565 std::string ldapEnableInterfaceStr = ldapEnableInterface;
566 std::string ldapConfigInterfaceStr = ldapConfigInterface;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600567
Ed Tanous002d39b2022-05-31 08:59:27 -0700568 for (const auto& object : ldapObjects)
569 {
570 // let's find the object whose ldap type is equal to the
571 // given type
572 if (object.first.str.find(searchString) == std::string::npos)
573 {
574 continue;
575 }
576
577 for (const auto& interface : object.second)
578 {
579 if (interface.first == ldapEnableInterfaceStr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600580 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700581 // rest of the properties are string.
582 for (const auto& property : interface.second)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600583 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700584 if (property.first == "Enabled")
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600585 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700586 const bool* value =
587 std::get_if<bool>(&property.second);
588 if (value == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600589 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700590 continue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600591 }
Ed Tanous002d39b2022-05-31 08:59:27 -0700592 confData.serviceEnabled = *value;
593 break;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600594 }
595 }
596 }
Ed Tanous002d39b2022-05-31 08:59:27 -0700597 else if (interface.first == ldapConfigInterfaceStr)
598 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700599 for (const auto& property : interface.second)
600 {
601 const std::string* strValue =
602 std::get_if<std::string>(&property.second);
603 if (strValue == nullptr)
604 {
605 continue;
606 }
607 if (property.first == "LDAPServerURI")
608 {
609 confData.uri = *strValue;
610 }
611 else if (property.first == "LDAPBindDN")
612 {
613 confData.bindDN = *strValue;
614 }
615 else if (property.first == "LDAPBaseDN")
616 {
617 confData.baseDN = *strValue;
618 }
619 else if (property.first == "LDAPSearchScope")
620 {
621 confData.searchScope = *strValue;
622 }
623 else if (property.first == "GroupNameAttribute")
624 {
625 confData.groupAttribute = *strValue;
626 }
627 else if (property.first == "UserNameAttribute")
628 {
629 confData.userNameAttribute = *strValue;
630 }
631 else if (property.first == "LDAPType")
632 {
633 confData.serverType = *strValue;
634 }
635 }
636 }
637 else if (interface.first ==
638 "xyz.openbmc_project.User.PrivilegeMapperEntry")
639 {
640 LDAPRoleMapData roleMapData{};
641 for (const auto& property : interface.second)
642 {
643 const std::string* strValue =
644 std::get_if<std::string>(&property.second);
645
646 if (strValue == nullptr)
647 {
648 continue;
649 }
650
651 if (property.first == "GroupName")
652 {
653 roleMapData.groupName = *strValue;
654 }
655 else if (property.first == "Privilege")
656 {
657 roleMapData.privilege = *strValue;
658 }
659 }
660
661 confData.groupRoleList.emplace_back(object.first.str,
662 roleMapData);
663 }
664 }
665 }
666 callback(true, confData, ldapType);
George Liu2b731192023-01-11 16:27:13 +0800667 });
Patrick Williams5a39f772023-10-20 11:20:21 -0500668 });
Ratan Gupta6973a582018-12-13 18:25:44 +0530669}
670
Ed Tanous6c51eab2021-06-03 12:30:29 -0700671/**
Ed Tanous6c51eab2021-06-03 12:30:29 -0700672 * @brief updates the LDAP server address and updates the
673 json response with the new value.
674 * @param serviceAddressList address to be updated.
675 * @param asyncResp pointer to the JSON response
676 * @param ldapServerElementName Type of LDAP
677 server(openLDAP/ActiveDirectory)
678 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530679
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700680inline void handleServiceAddressPatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700681 const std::vector<std::string>& serviceAddressList,
682 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
683 const std::string& ldapServerElementName,
684 const std::string& ldapConfigObject)
685{
Ed Tanousd02aad32024-02-13 14:43:34 -0800686 setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject,
687 ldapConfigInterface, "LDAPServerURI",
688 ldapServerElementName + "/ServiceAddress",
689 serviceAddressList.front());
Ed Tanous6c51eab2021-06-03 12:30:29 -0700690}
691/**
692 * @brief updates the LDAP Bind DN and updates the
693 json response with the new value.
694 * @param username name of the user which needs to be updated.
695 * @param asyncResp pointer to the JSON response
696 * @param ldapServerElementName Type of LDAP
697 server(openLDAP/ActiveDirectory)
698 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530699
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700700inline void
701 handleUserNamePatch(const std::string& username,
702 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
703 const std::string& ldapServerElementName,
704 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700705{
Ed Tanousd02aad32024-02-13 14:43:34 -0800706 setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject,
707 ldapConfigInterface, "LDAPBindDN",
708 ldapServerElementName + "/Authentication/Username",
709 username);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700710}
711
712/**
713 * @brief updates the LDAP password
714 * @param password : ldap password which needs to be updated.
715 * @param asyncResp pointer to the JSON response
716 * @param ldapServerElementName Type of LDAP
717 * server(openLDAP/ActiveDirectory)
718 */
719
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700720inline void
721 handlePasswordPatch(const std::string& password,
722 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
723 const std::string& ldapServerElementName,
724 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700725{
Ed Tanousd02aad32024-02-13 14:43:34 -0800726 setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject,
727 ldapConfigInterface, "LDAPBindDNPassword",
728 ldapServerElementName + "/Authentication/Password",
729 password);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700730}
731
732/**
733 * @brief updates the LDAP BaseDN and updates the
734 json response with the new value.
735 * @param baseDNList baseDN list which needs to be updated.
736 * @param asyncResp pointer to the JSON response
737 * @param ldapServerElementName Type of LDAP
738 server(openLDAP/ActiveDirectory)
739 */
740
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700741inline void
742 handleBaseDNPatch(const std::vector<std::string>& baseDNList,
743 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
744 const std::string& ldapServerElementName,
745 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700746{
Ed Tanousd02aad32024-02-13 14:43:34 -0800747 setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject,
748 ldapConfigInterface, "LDAPBaseDN",
749 ldapServerElementName +
750 "/LDAPService/SearchSettings/BaseDistinguishedNames",
751 baseDNList.front());
Ed Tanous6c51eab2021-06-03 12:30:29 -0700752}
753/**
754 * @brief updates the LDAP user name attribute and updates the
755 json response with the new value.
756 * @param userNameAttribute attribute to be updated.
757 * @param asyncResp pointer to the JSON response
758 * @param ldapServerElementName Type of LDAP
759 server(openLDAP/ActiveDirectory)
760 */
761
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700762inline void
763 handleUserNameAttrPatch(const std::string& userNameAttribute,
764 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
765 const std::string& ldapServerElementName,
766 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700767{
Ed Tanousd02aad32024-02-13 14:43:34 -0800768 setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject,
769 ldapConfigInterface, "UserNameAttribute",
770 ldapServerElementName +
771 "LDAPService/SearchSettings/UsernameAttribute",
772 userNameAttribute);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700773}
774/**
775 * @brief updates the LDAP group attribute and updates the
776 json response with the new value.
777 * @param groupsAttribute attribute to be updated.
778 * @param asyncResp pointer to the JSON response
779 * @param ldapServerElementName Type of LDAP
780 server(openLDAP/ActiveDirectory)
781 */
782
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700783inline void handleGroupNameAttrPatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700784 const std::string& groupsAttribute,
785 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
786 const std::string& ldapServerElementName,
787 const std::string& ldapConfigObject)
788{
Ed Tanousd02aad32024-02-13 14:43:34 -0800789 setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject,
790 ldapConfigInterface, "GroupNameAttribute",
791 ldapServerElementName +
792 "/LDAPService/SearchSettings/GroupsAttribute",
793 groupsAttribute);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700794}
795/**
796 * @brief updates the LDAP service enable and updates the
797 json response with the new value.
798 * @param input JSON data.
799 * @param asyncResp pointer to the JSON response
800 * @param ldapServerElementName Type of LDAP
801 server(openLDAP/ActiveDirectory)
802 */
803
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700804inline void handleServiceEnablePatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700805 bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
806 const std::string& ldapServerElementName,
807 const std::string& ldapConfigObject)
808{
Ed Tanousd02aad32024-02-13 14:43:34 -0800809 setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject,
810 ldapEnableInterface, "Enabled",
811 ldapServerElementName + "/ServiceEnabled", serviceEnabled);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700812}
813
Ed Tanousc1019822024-03-06 12:54:38 -0800814struct AuthMethods
Ed Tanous6c51eab2021-06-03 12:30:29 -0700815{
816 std::optional<bool> basicAuth;
817 std::optional<bool> cookie;
818 std::optional<bool> sessionToken;
819 std::optional<bool> xToken;
820 std::optional<bool> tls;
Ed Tanousc1019822024-03-06 12:54:38 -0800821};
Ed Tanous6c51eab2021-06-03 12:30:29 -0700822
Ed Tanousc1019822024-03-06 12:54:38 -0800823inline void
824 handleAuthMethodsPatch(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
825 const AuthMethods& auth)
826{
827 persistent_data::AuthConfigMethods& authMethodsConfig =
Ed Tanous6c51eab2021-06-03 12:30:29 -0700828 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
829
Ed Tanousc1019822024-03-06 12:54:38 -0800830 if (auth.basicAuth)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700831 {
832#ifndef BMCWEB_ENABLE_BASIC_AUTHENTICATION
833 messages::actionNotSupported(
George Liu0fda0f12021-11-16 10:06:17 +0800834 asyncResp->res,
835 "Setting BasicAuth when basic-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700836 return;
837#endif
Ed Tanousc1019822024-03-06 12:54:38 -0800838 authMethodsConfig.basic = *auth.basicAuth;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700839 }
840
Ed Tanousc1019822024-03-06 12:54:38 -0800841 if (auth.cookie)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700842 {
843#ifndef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
George Liu0fda0f12021-11-16 10:06:17 +0800844 messages::actionNotSupported(
845 asyncResp->res,
846 "Setting Cookie when cookie-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700847 return;
848#endif
Ed Tanousc1019822024-03-06 12:54:38 -0800849 authMethodsConfig.cookie = *auth.cookie;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700850 }
851
Ed Tanousc1019822024-03-06 12:54:38 -0800852 if (auth.sessionToken)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700853 {
854#ifndef BMCWEB_ENABLE_SESSION_AUTHENTICATION
855 messages::actionNotSupported(
George Liu0fda0f12021-11-16 10:06:17 +0800856 asyncResp->res,
857 "Setting SessionToken when session-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700858 return;
859#endif
Ed Tanousc1019822024-03-06 12:54:38 -0800860 authMethodsConfig.sessionToken = *auth.sessionToken;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700861 }
862
Ed Tanousc1019822024-03-06 12:54:38 -0800863 if (auth.xToken)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700864 {
865#ifndef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
George Liu0fda0f12021-11-16 10:06:17 +0800866 messages::actionNotSupported(
867 asyncResp->res,
868 "Setting XToken when xtoken-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700869 return;
870#endif
Ed Tanousc1019822024-03-06 12:54:38 -0800871 authMethodsConfig.xtoken = *auth.xToken;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700872 }
873
Ed Tanousc1019822024-03-06 12:54:38 -0800874 if (auth.tls)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700875 {
876#ifndef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
George Liu0fda0f12021-11-16 10:06:17 +0800877 messages::actionNotSupported(
878 asyncResp->res,
879 "Setting TLS when mutual-tls-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700880 return;
881#endif
Ed Tanousc1019822024-03-06 12:54:38 -0800882 authMethodsConfig.tls = *auth.tls;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700883 }
884
885 if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
886 !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
887 !authMethodsConfig.tls)
888 {
889 // Do not allow user to disable everything
890 messages::actionNotSupported(asyncResp->res,
891 "of disabling all available methods");
892 return;
893 }
894
895 persistent_data::SessionStore::getInstance().updateAuthMethodsConfig(
896 authMethodsConfig);
897 // Save configuration immediately
898 persistent_data::getConfig().writeData();
899
900 messages::success(asyncResp->res);
901}
902
903/**
904 * @brief Get the required values from the given JSON, validates the
905 * value and create the LDAP config object.
906 * @param input JSON data
907 * @param asyncResp pointer to the JSON response
908 * @param serverType Type of LDAP server(openLDAP/ActiveDirectory)
909 */
910
Ed Tanous10cb44f2024-04-11 13:05:20 -0700911struct LdapPatchParams
912{
913 std::optional<std::string> authType;
914 std::optional<std::vector<std::string>> serviceAddressList;
915 std::optional<bool> serviceEnabled;
916 std::optional<std::vector<std::string>> baseDNList;
917 std::optional<std::string> userNameAttribute;
918 std::optional<std::string> groupsAttribute;
919 std::optional<std::string> userName;
920 std::optional<std::string> password;
921 std::optional<
922 std::vector<std::variant<nlohmann::json::object_t, std::nullptr_t>>>
923 remoteRoleMapData;
924};
925
926inline void handleLDAPPatch(LdapPatchParams&& input,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700927 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
928 const std::string& serverType)
929{
930 std::string dbusObjectPath;
931 if (serverType == "ActiveDirectory")
932 {
933 dbusObjectPath = adConfigObject;
934 }
935 else if (serverType == "LDAP")
936 {
937 dbusObjectPath = ldapConfigObjectName;
938 }
939 else
940 {
Ed Tanous10cb44f2024-04-11 13:05:20 -0700941 BMCWEB_LOG_ERROR("serverType wasn't AD or LDAP but was {}????",
942 serverType);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700943 return;
944 }
945
Ed Tanous10cb44f2024-04-11 13:05:20 -0700946 if (input.authType && *input.authType != "UsernameAndPassword")
Ed Tanous6c51eab2021-06-03 12:30:29 -0700947 {
Ed Tanous10cb44f2024-04-11 13:05:20 -0700948 messages::propertyValueNotInList(asyncResp->res, *input.authType,
Ed Tanousc1019822024-03-06 12:54:38 -0800949 "AuthenticationType");
950 return;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700951 }
Ed Tanousc1019822024-03-06 12:54:38 -0800952
Ed Tanous10cb44f2024-04-11 13:05:20 -0700953 if (input.serviceAddressList)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700954 {
Ed Tanous10cb44f2024-04-11 13:05:20 -0700955 if (input.serviceAddressList->empty())
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530956 {
Ed Tanouse2616cc2022-06-27 12:45:55 -0700957 messages::propertyValueNotInList(
Ed Tanous10cb44f2024-04-11 13:05:20 -0700958 asyncResp->res, *input.serviceAddressList, "ServiceAddress");
Ed Tanouscb13a392020-07-25 19:02:03 +0000959 return;
960 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700961 }
Ed Tanous10cb44f2024-04-11 13:05:20 -0700962 if (input.baseDNList)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700963 {
Ed Tanous10cb44f2024-04-11 13:05:20 -0700964 if (input.baseDNList->empty())
Ratan Gupta8a07d282019-03-16 08:33:47 +0530965 {
Ed Tanous10cb44f2024-04-11 13:05:20 -0700966 messages::propertyValueNotInList(asyncResp->res, *input.baseDNList,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700967 "BaseDistinguishedNames");
Ratan Gupta8a07d282019-03-16 08:33:47 +0530968 return;
969 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700970 }
Ratan Gupta8a07d282019-03-16 08:33:47 +0530971
Ed Tanous6c51eab2021-06-03 12:30:29 -0700972 // nothing to update, then return
Ed Tanous10cb44f2024-04-11 13:05:20 -0700973 if (!input.userName && !input.password && !input.serviceAddressList &&
974 !input.baseDNList && !input.userNameAttribute &&
975 !input.groupsAttribute && !input.serviceEnabled &&
976 !input.remoteRoleMapData)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700977 {
978 return;
979 }
980
981 // Get the existing resource first then keep modifying
982 // whenever any property gets updated.
Ed Tanous10cb44f2024-04-11 13:05:20 -0700983 getLDAPConfigData(serverType,
984 [asyncResp, input = std::move(input),
985 dbusObjectPath = std::move(dbusObjectPath)](
986 bool success, const LDAPConfigData& confData,
987 const std::string& serverT) mutable {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700988 if (!success)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530989 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700990 messages::internalError(asyncResp->res);
991 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530992 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700993 parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT);
994 if (confData.serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530995 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700996 // Disable the service first and update the rest of
997 // the properties.
998 handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +0530999 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001000
Ed Tanous10cb44f2024-04-11 13:05:20 -07001001 if (input.serviceAddressList)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301002 {
Ed Tanous10cb44f2024-04-11 13:05:20 -07001003 handleServiceAddressPatch(*input.serviceAddressList, asyncResp,
1004 serverT, dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +05301005 }
Ed Tanous10cb44f2024-04-11 13:05:20 -07001006 if (input.userName)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001007 {
Ed Tanous10cb44f2024-04-11 13:05:20 -07001008 handleUserNamePatch(*input.userName, asyncResp, serverT,
1009 dbusObjectPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001010 }
Ed Tanous10cb44f2024-04-11 13:05:20 -07001011 if (input.password)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001012 {
Ed Tanous10cb44f2024-04-11 13:05:20 -07001013 handlePasswordPatch(*input.password, asyncResp, serverT,
1014 dbusObjectPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001015 }
1016
Ed Tanous10cb44f2024-04-11 13:05:20 -07001017 if (input.baseDNList)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301018 {
Ed Tanous10cb44f2024-04-11 13:05:20 -07001019 handleBaseDNPatch(*input.baseDNList, asyncResp, serverT,
1020 dbusObjectPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001021 }
Ed Tanous10cb44f2024-04-11 13:05:20 -07001022 if (input.userNameAttribute)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001023 {
Ed Tanous10cb44f2024-04-11 13:05:20 -07001024 handleUserNameAttrPatch(*input.userNameAttribute, asyncResp,
1025 serverT, dbusObjectPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001026 }
Ed Tanous10cb44f2024-04-11 13:05:20 -07001027 if (input.groupsAttribute)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001028 {
Ed Tanous10cb44f2024-04-11 13:05:20 -07001029 handleGroupNameAttrPatch(*input.groupsAttribute, asyncResp, serverT,
Ed Tanous6c51eab2021-06-03 12:30:29 -07001030 dbusObjectPath);
1031 }
Ed Tanous10cb44f2024-04-11 13:05:20 -07001032 if (input.serviceEnabled)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001033 {
1034 // if user has given the value as true then enable
1035 // the service. if user has given false then no-op
1036 // as service is already stopped.
Ed Tanous10cb44f2024-04-11 13:05:20 -07001037 if (*input.serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301038 {
Ed Tanous10cb44f2024-04-11 13:05:20 -07001039 handleServiceEnablePatch(*input.serviceEnabled, asyncResp,
1040 serverT, dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +05301041 }
1042 }
jayaprakash Mutyala96200602020-04-08 11:09:10 +00001043 else
1044 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001045 // if user has not given the service enabled value
1046 // then revert it to the same state as it was
1047 // before.
1048 handleServiceEnablePatch(confData.serviceEnabled, asyncResp,
1049 serverT, dbusObjectPath);
jayaprakash Mutyala96200602020-04-08 11:09:10 +00001050 }
Ed Tanous04ae99e2018-09-20 15:54:36 -07001051
Ed Tanous10cb44f2024-04-11 13:05:20 -07001052 if (input.remoteRoleMapData)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001053 {
1054 handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT,
Ed Tanous10cb44f2024-04-11 13:05:20 -07001055 *input.remoteRoleMapData);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001056 }
Patrick Williams5a39f772023-10-20 11:20:21 -05001057 });
Ed Tanous6c51eab2021-06-03 12:30:29 -07001058}
1059
Abhishek Patel58345852022-02-02 08:54:25 -06001060inline void updateUserProperties(
1061 std::shared_ptr<bmcweb::AsyncResp> asyncResp, const std::string& username,
1062 const std::optional<std::string>& password,
1063 const std::optional<bool>& enabled,
1064 const std::optional<std::string>& roleId, const std::optional<bool>& locked,
1065 std::optional<std::vector<std::string>> accountTypes, bool userSelf)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001066{
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +05301067 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1068 tempObjPath /= username;
1069 std::string dbusObjectPath(tempObjPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001070
1071 dbus::utility::checkDbusPathExists(
Ed Tanous618c14b2022-06-30 17:44:25 -07001072 dbusObjectPath, [dbusObjectPath, username, password, roleId, enabled,
Abhishek Patel58345852022-02-02 08:54:25 -06001073 locked, accountTypes(std::move(accountTypes)),
1074 userSelf, asyncResp{std::move(asyncResp)}](int rc) {
Patrick Williams5a39f772023-10-20 11:20:21 -05001075 if (rc <= 0)
1076 {
1077 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1078 username);
1079 return;
1080 }
1081
1082 if (password)
1083 {
1084 int retval = pamUpdatePassword(username, *password);
1085
1086 if (retval == PAM_USER_UNKNOWN)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001087 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08001088 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1089 username);
Patrick Williams5a39f772023-10-20 11:20:21 -05001090 }
1091 else if (retval == PAM_AUTHTOK_ERR)
1092 {
1093 // If password is invalid
1094 messages::propertyValueFormatError(asyncResp->res, nullptr,
1095 "Password");
1096 BMCWEB_LOG_ERROR("pamUpdatePassword Failed");
1097 }
1098 else if (retval != PAM_SUCCESS)
1099 {
1100 messages::internalError(asyncResp->res);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001101 return;
1102 }
Patrick Williams5a39f772023-10-20 11:20:21 -05001103 else
Ed Tanous618c14b2022-06-30 17:44:25 -07001104 {
Patrick Williams5a39f772023-10-20 11:20:21 -05001105 messages::success(asyncResp->res);
Ed Tanous618c14b2022-06-30 17:44:25 -07001106 }
Patrick Williams5a39f772023-10-20 11:20:21 -05001107 }
Ed Tanous618c14b2022-06-30 17:44:25 -07001108
Patrick Williams5a39f772023-10-20 11:20:21 -05001109 if (enabled)
1110 {
Ed Tanousd02aad32024-02-13 14:43:34 -08001111 setDbusProperty(asyncResp, "xyz.openbmc_project.User.Manager",
1112 dbusObjectPath,
1113 "xyz.openbmc_project.User.Attributes",
1114 "UserEnabled", "Enabled", *enabled);
Patrick Williams5a39f772023-10-20 11:20:21 -05001115 }
1116
1117 if (roleId)
1118 {
1119 std::string priv = getPrivilegeFromRoleId(*roleId);
1120 if (priv.empty())
1121 {
1122 messages::propertyValueNotInList(asyncResp->res, true,
1123 "Locked");
1124 return;
Ed Tanous618c14b2022-06-30 17:44:25 -07001125 }
Ed Tanousd02aad32024-02-13 14:43:34 -08001126 setDbusProperty(asyncResp, "xyz.openbmc_project.User.Manager",
1127 dbusObjectPath,
1128 "xyz.openbmc_project.User.Attributes",
1129 "UserPrivilege", "RoleId", priv);
Patrick Williams5a39f772023-10-20 11:20:21 -05001130 }
1131
1132 if (locked)
1133 {
1134 // admin can unlock the account which is locked by
1135 // successive authentication failures but admin should
1136 // not be allowed to lock an account.
1137 if (*locked)
Abhishek Patel58345852022-02-02 08:54:25 -06001138 {
Patrick Williams5a39f772023-10-20 11:20:21 -05001139 messages::propertyValueNotInList(asyncResp->res, "true",
1140 "Locked");
1141 return;
Abhishek Patel58345852022-02-02 08:54:25 -06001142 }
Ed Tanousd02aad32024-02-13 14:43:34 -08001143 setDbusProperty(asyncResp, "xyz.openbmc_project.User.Manager",
1144 dbusObjectPath,
1145 "xyz.openbmc_project.User.Attributes",
1146 "UserLockedForFailedAttempt", "Locked", *locked);
Patrick Williams5a39f772023-10-20 11:20:21 -05001147 }
1148
1149 if (accountTypes)
1150 {
1151 patchAccountTypes(*accountTypes, asyncResp, dbusObjectPath,
1152 userSelf);
1153 }
1154 });
Ed Tanous6c51eab2021-06-03 12:30:29 -07001155}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -07001156
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001157inline void handleAccountServiceHead(
1158 App& app, const crow::Request& req,
1159 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001160{
1161 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1162 {
1163 return;
1164 }
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001165 asyncResp->res.addHeader(
1166 boost::beast::http::field::link,
1167 "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby");
1168}
1169
1170inline void
1171 handleAccountServiceGet(App& app, const crow::Request& req,
1172 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1173{
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001174 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1175 {
1176 return;
1177 }
Ninad Palsule3e72c202023-03-27 17:19:55 -05001178
1179 if (req.session == nullptr)
1180 {
1181 messages::internalError(asyncResp->res);
1182 return;
1183 }
1184
Ed Tanousc1019822024-03-06 12:54:38 -08001185 const persistent_data::AuthConfigMethods& authMethodsConfig =
1186 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
1187
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001188 asyncResp->res.addHeader(
1189 boost::beast::http::field::link,
1190 "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby");
1191
Ed Tanous1ef4c342022-05-12 16:12:36 -07001192 nlohmann::json& json = asyncResp->res.jsonValue;
1193 json["@odata.id"] = "/redfish/v1/AccountService";
Ravi Teja482a69e2024-04-22 06:56:13 -05001194 json["@odata.type"] = "#AccountService.v1_15_0.AccountService";
Ed Tanous1ef4c342022-05-12 16:12:36 -07001195 json["Id"] = "AccountService";
1196 json["Name"] = "Account Service";
1197 json["Description"] = "Account Service";
1198 json["ServiceEnabled"] = true;
1199 json["MaxPasswordLength"] = 20;
1200 json["Accounts"]["@odata.id"] = "/redfish/v1/AccountService/Accounts";
1201 json["Roles"]["@odata.id"] = "/redfish/v1/AccountService/Roles";
Ravi Teja482a69e2024-04-22 06:56:13 -05001202 json["HTTPBasicAuth"] = authMethodsConfig.basic
1203 ? account_service::BasicAuthState::Enabled
1204 : account_service::BasicAuthState::Disabled;
1205
1206 nlohmann::json::array_t allowed;
1207 allowed.emplace_back(account_service::BasicAuthState::Enabled);
1208 allowed.emplace_back(account_service::BasicAuthState::Disabled);
1209 json["HTTPBasicAuth@AllowableValues"] = std::move(allowed);
1210
Ed Tanous1ef4c342022-05-12 16:12:36 -07001211 json["Oem"]["OpenBMC"]["@odata.type"] =
Ed Tanous5b5574a2022-09-26 19:53:36 -07001212 "#OpenBMCAccountService.v1_0_0.AccountService";
Ed Tanous1ef4c342022-05-12 16:12:36 -07001213 json["Oem"]["OpenBMC"]["@odata.id"] =
1214 "/redfish/v1/AccountService#/Oem/OpenBMC";
1215 json["Oem"]["OpenBMC"]["AuthMethods"]["BasicAuth"] =
1216 authMethodsConfig.basic;
1217 json["Oem"]["OpenBMC"]["AuthMethods"]["SessionToken"] =
1218 authMethodsConfig.sessionToken;
1219 json["Oem"]["OpenBMC"]["AuthMethods"]["XToken"] = authMethodsConfig.xtoken;
1220 json["Oem"]["OpenBMC"]["AuthMethods"]["Cookie"] = authMethodsConfig.cookie;
1221 json["Oem"]["OpenBMC"]["AuthMethods"]["TLS"] = authMethodsConfig.tls;
1222
1223 // /redfish/v1/AccountService/LDAP/Certificates is something only
1224 // ConfigureManager can access then only display when the user has
1225 // permissions ConfigureManager
1226 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05001227 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001228
1229 if (isOperationAllowedWithPrivileges({{"ConfigureManager"}},
1230 effectiveUserPrivileges))
1231 {
1232 asyncResp->res.jsonValue["LDAP"]["Certificates"]["@odata.id"] =
1233 "/redfish/v1/AccountService/LDAP/Certificates";
1234 }
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001235 sdbusplus::asio::getAllProperties(
1236 *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1237 "/xyz/openbmc_project/user", "xyz.openbmc_project.User.AccountPolicy",
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001238 [asyncResp](const boost::system::error_code& ec,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001239 const dbus::utility::DBusPropertiesMap& propertiesList) {
1240 if (ec)
1241 {
1242 messages::internalError(asyncResp->res);
1243 return;
1244 }
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001245
Ed Tanous62598e32023-07-17 17:06:25 -07001246 BMCWEB_LOG_DEBUG("Got {}properties for AccountService",
1247 propertiesList.size());
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001248
1249 const uint8_t* minPasswordLength = nullptr;
1250 const uint32_t* accountUnlockTimeout = nullptr;
1251 const uint16_t* maxLoginAttemptBeforeLockout = nullptr;
1252
1253 const bool success = sdbusplus::unpackPropertiesNoThrow(
1254 dbus_utils::UnpackErrorPrinter(), propertiesList,
1255 "MinPasswordLength", minPasswordLength, "AccountUnlockTimeout",
1256 accountUnlockTimeout, "MaxLoginAttemptBeforeLockout",
1257 maxLoginAttemptBeforeLockout);
1258
1259 if (!success)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001260 {
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001261 messages::internalError(asyncResp->res);
1262 return;
Ed Tanous1ef4c342022-05-12 16:12:36 -07001263 }
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001264
1265 if (minPasswordLength != nullptr)
1266 {
1267 asyncResp->res.jsonValue["MinPasswordLength"] = *minPasswordLength;
1268 }
1269
1270 if (accountUnlockTimeout != nullptr)
1271 {
1272 asyncResp->res.jsonValue["AccountLockoutDuration"] =
1273 *accountUnlockTimeout;
1274 }
1275
1276 if (maxLoginAttemptBeforeLockout != nullptr)
1277 {
1278 asyncResp->res.jsonValue["AccountLockoutThreshold"] =
1279 *maxLoginAttemptBeforeLockout;
1280 }
Patrick Williams5a39f772023-10-20 11:20:21 -05001281 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001282
Ed Tanous02cad962022-06-30 16:50:15 -07001283 auto callback = [asyncResp](bool success, const LDAPConfigData& confData,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001284 const std::string& ldapType) {
1285 if (!success)
1286 {
1287 return;
1288 }
1289 parseLDAPConfigData(asyncResp->res.jsonValue, confData, ldapType);
1290 };
1291
1292 getLDAPConfigData("LDAP", callback);
1293 getLDAPConfigData("ActiveDirectory", callback);
1294}
1295
1296inline void handleAccountServicePatch(
1297 App& app, const crow::Request& req,
1298 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1299{
1300 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1301 {
1302 return;
1303 }
1304 std::optional<uint32_t> unlockTimeout;
1305 std::optional<uint16_t> lockoutThreshold;
1306 std::optional<uint8_t> minPasswordLength;
1307 std::optional<uint16_t> maxPasswordLength;
Ed Tanous10cb44f2024-04-11 13:05:20 -07001308 LdapPatchParams ldapObject;
1309 LdapPatchParams activeDirectoryObject;
Ed Tanousc1019822024-03-06 12:54:38 -08001310 AuthMethods auth;
Ravi Teja482a69e2024-04-22 06:56:13 -05001311 std::optional<std::string> httpBasicAuth;
Ed Tanousc1019822024-03-06 12:54:38 -08001312 // clang-format off
Ed Tanous1ef4c342022-05-12 16:12:36 -07001313 if (!json_util::readJsonPatch(
Ed Tanousc1019822024-03-06 12:54:38 -08001314 req, asyncResp->res,
1315 "AccountLockoutDuration", unlockTimeout,
1316 "AccountLockoutThreshold", lockoutThreshold,
Ed Tanous10cb44f2024-04-11 13:05:20 -07001317 "ActiveDirectory/Authentication/AuthenticationType", activeDirectoryObject.authType,
1318 "ActiveDirectory/Authentication/Password", activeDirectoryObject.password,
1319 "ActiveDirectory/Authentication/Username", activeDirectoryObject.userName,
1320 "ActiveDirectory/LDAPService/SearchSettings/BaseDistinguishedNames", activeDirectoryObject.baseDNList,
1321 "ActiveDirectory/LDAPService/SearchSettings/GroupsAttribute", activeDirectoryObject.groupsAttribute,
1322 "ActiveDirectory/LDAPService/SearchSettings/UsernameAttribute", activeDirectoryObject.userNameAttribute,
1323 "ActiveDirectory/RemoteRoleMapping", activeDirectoryObject.remoteRoleMapData,
1324 "ActiveDirectory/ServiceAddresses", activeDirectoryObject.serviceAddressList,
1325 "ActiveDirectory/ServiceEnabled", activeDirectoryObject.serviceEnabled,
1326 "LDAP/Authentication/AuthenticationType", ldapObject.authType,
1327 "LDAP/Authentication/Password", ldapObject.password,
1328 "LDAP/Authentication/Username", ldapObject.userName,
1329 "LDAP/LDAPService/SearchSettings/BaseDistinguishedNames", ldapObject.baseDNList,
1330 "LDAP/LDAPService/SearchSettings/GroupsAttribute", ldapObject.groupsAttribute,
1331 "LDAP/LDAPService/SearchSettings/UsernameAttribute", ldapObject.userNameAttribute,
1332 "LDAP/RemoteRoleMapping", ldapObject.remoteRoleMapData,
1333 "LDAP/ServiceAddresses", ldapObject.serviceAddressList,
1334 "LDAP/ServiceEnabled", ldapObject.serviceEnabled,
Ed Tanousc1019822024-03-06 12:54:38 -08001335 "MaxPasswordLength", maxPasswordLength,
1336 "MinPasswordLength", minPasswordLength,
Ed Tanousc1019822024-03-06 12:54:38 -08001337 "Oem/OpenBMC/AuthMethods/BasicAuth", auth.basicAuth,
1338 "Oem/OpenBMC/AuthMethods/Cookie", auth.cookie,
1339 "Oem/OpenBMC/AuthMethods/SessionToken", auth.sessionToken,
Ed Tanous10cb44f2024-04-11 13:05:20 -07001340 "Oem/OpenBMC/AuthMethods/TLS", auth.tls,
Ravi Teja482a69e2024-04-22 06:56:13 -05001341 "Oem/OpenBMC/AuthMethods/XToken", auth.xToken,
1342 "HTTPBasicAuth", httpBasicAuth))
Ed Tanous1ef4c342022-05-12 16:12:36 -07001343 {
1344 return;
1345 }
Ed Tanousc1019822024-03-06 12:54:38 -08001346 // clang-format on
Ed Tanous1ef4c342022-05-12 16:12:36 -07001347
Ravi Teja482a69e2024-04-22 06:56:13 -05001348 if (httpBasicAuth)
1349 {
1350 if (*httpBasicAuth == "Enabled")
1351 {
1352 auth.basicAuth = true;
1353 }
1354 else if (*httpBasicAuth == "Disabled")
1355 {
1356 auth.basicAuth = false;
1357 }
1358 else
1359 {
1360 messages::propertyValueNotInList(asyncResp->res, "HttpBasicAuth",
1361 *httpBasicAuth);
1362 }
1363 }
1364
Ed Tanous1ef4c342022-05-12 16:12:36 -07001365 if (minPasswordLength)
1366 {
Ed Tanousd02aad32024-02-13 14:43:34 -08001367 setDbusProperty(
1368 asyncResp, "xyz.openbmc_project.User.Manager",
1369 sdbusplus::message::object_path("/xyz/openbmc_project/user"),
George Liu9ae226f2023-06-21 17:56:46 +08001370 "xyz.openbmc_project.User.AccountPolicy", "MinPasswordLength",
Ed Tanousd02aad32024-02-13 14:43:34 -08001371 "MinPasswordLength", *minPasswordLength);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001372 }
1373
1374 if (maxPasswordLength)
1375 {
1376 messages::propertyNotWritable(asyncResp->res, "MaxPasswordLength");
1377 }
1378
Ed Tanous10cb44f2024-04-11 13:05:20 -07001379 handleLDAPPatch(std::move(activeDirectoryObject), asyncResp,
1380 "ActiveDirectory");
1381 handleLDAPPatch(std::move(ldapObject), asyncResp, "LDAP");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001382
Ed Tanousc1019822024-03-06 12:54:38 -08001383 handleAuthMethodsPatch(asyncResp, auth);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001384
Ed Tanous1ef4c342022-05-12 16:12:36 -07001385 if (unlockTimeout)
1386 {
Ed Tanousd02aad32024-02-13 14:43:34 -08001387 setDbusProperty(
1388 asyncResp, "xyz.openbmc_project.User.Manager",
1389 sdbusplus::message::object_path("/xyz/openbmc_project/user"),
Ed Tanous1ef4c342022-05-12 16:12:36 -07001390 "xyz.openbmc_project.User.AccountPolicy", "AccountUnlockTimeout",
Ed Tanousd02aad32024-02-13 14:43:34 -08001391 "AccountLockoutDuration", *unlockTimeout);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001392 }
1393 if (lockoutThreshold)
1394 {
Ed Tanousd02aad32024-02-13 14:43:34 -08001395 setDbusProperty(
1396 asyncResp, "xyz.openbmc_project.User.Manager",
1397 sdbusplus::message::object_path("/xyz/openbmc_project/user"),
George Liu9ae226f2023-06-21 17:56:46 +08001398 "xyz.openbmc_project.User.AccountPolicy",
Ed Tanousd02aad32024-02-13 14:43:34 -08001399 "MaxLoginAttemptBeforeLockout", "AccountLockoutThreshold",
1400 *lockoutThreshold);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001401 }
1402}
1403
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001404inline void handleAccountCollectionHead(
Ed Tanous1ef4c342022-05-12 16:12:36 -07001405 App& app, const crow::Request& req,
1406 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1407{
1408 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1409 {
1410 return;
1411 }
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001412 asyncResp->res.addHeader(
1413 boost::beast::http::field::link,
1414 "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby");
1415}
1416
1417inline void handleAccountCollectionGet(
1418 App& app, const crow::Request& req,
1419 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1420{
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001421 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1422 {
1423 return;
1424 }
Ninad Palsule3e72c202023-03-27 17:19:55 -05001425
1426 if (req.session == nullptr)
1427 {
1428 messages::internalError(asyncResp->res);
1429 return;
1430 }
1431
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001432 asyncResp->res.addHeader(
1433 boost::beast::http::field::link,
1434 "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001435
1436 asyncResp->res.jsonValue["@odata.id"] =
1437 "/redfish/v1/AccountService/Accounts";
1438 asyncResp->res.jsonValue["@odata.type"] = "#ManagerAccountCollection."
1439 "ManagerAccountCollection";
1440 asyncResp->res.jsonValue["Name"] = "Accounts Collection";
1441 asyncResp->res.jsonValue["Description"] = "BMC User Accounts";
1442
1443 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05001444 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001445
1446 std::string thisUser;
1447 if (req.session)
1448 {
1449 thisUser = req.session->username;
1450 }
George Liu5eb468d2023-06-20 17:03:24 +08001451 sdbusplus::message::object_path path("/xyz/openbmc_project/user");
1452 dbus::utility::getManagedObjects(
1453 "xyz.openbmc_project.User.Manager", path,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001454 [asyncResp, thisUser, effectiveUserPrivileges](
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001455 const boost::system::error_code& ec,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001456 const dbus::utility::ManagedObjectType& users) {
1457 if (ec)
1458 {
1459 messages::internalError(asyncResp->res);
1460 return;
1461 }
1462
1463 bool userCanSeeAllAccounts =
1464 effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"});
1465
1466 bool userCanSeeSelf =
1467 effectiveUserPrivileges.isSupersetOf({"ConfigureSelf"});
1468
1469 nlohmann::json& memberArray = asyncResp->res.jsonValue["Members"];
1470 memberArray = nlohmann::json::array();
1471
1472 for (const auto& userpath : users)
1473 {
1474 std::string user = userpath.first.filename();
1475 if (user.empty())
1476 {
1477 messages::internalError(asyncResp->res);
Ed Tanous62598e32023-07-17 17:06:25 -07001478 BMCWEB_LOG_ERROR("Invalid firmware ID");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001479
1480 return;
1481 }
1482
1483 // As clarified by Redfish here:
1484 // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration
1485 // Users without ConfigureUsers, only see their own
1486 // account. Users with ConfigureUsers, see all
1487 // accounts.
1488 if (userCanSeeAllAccounts || (thisUser == user && userCanSeeSelf))
1489 {
1490 nlohmann::json::object_t member;
Ed Tanous3b327802023-08-14 09:23:43 -07001491 member["@odata.id"] = boost::urls::format(
1492 "/redfish/v1/AccountService/Accounts/{}", user);
Patrick Williamsb2ba3072023-05-12 10:27:39 -05001493 memberArray.emplace_back(std::move(member));
Ed Tanous1ef4c342022-05-12 16:12:36 -07001494 }
1495 }
1496 asyncResp->res.jsonValue["Members@odata.count"] = memberArray.size();
Patrick Williams5a39f772023-10-20 11:20:21 -05001497 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001498}
1499
Ninad Palsule97e90da2023-05-17 14:04:52 -05001500inline void processAfterCreateUser(
1501 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1502 const std::string& username, const std::string& password,
1503 const boost::system::error_code& ec, sdbusplus::message_t& m)
1504{
1505 if (ec)
1506 {
1507 userErrorMessageHandler(m.get_error(), asyncResp, username, "");
1508 return;
1509 }
1510
1511 if (pamUpdatePassword(username, password) != PAM_SUCCESS)
1512 {
1513 // At this point we have a user that's been
1514 // created, but the password set
1515 // failed.Something is wrong, so delete the user
1516 // that we've already created
1517 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1518 tempObjPath /= username;
1519 const std::string userPath(tempObjPath);
1520
1521 crow::connections::systemBus->async_method_call(
1522 [asyncResp, password](const boost::system::error_code& ec3) {
1523 if (ec3)
1524 {
1525 messages::internalError(asyncResp->res);
1526 return;
1527 }
1528
1529 // If password is invalid
Jason M. Bills9bd80832023-08-30 15:19:41 -07001530 messages::propertyValueFormatError(asyncResp->res, nullptr,
Ninad Palsule97e90da2023-05-17 14:04:52 -05001531 "Password");
Patrick Williams5a39f772023-10-20 11:20:21 -05001532 },
Ninad Palsule97e90da2023-05-17 14:04:52 -05001533 "xyz.openbmc_project.User.Manager", userPath,
1534 "xyz.openbmc_project.Object.Delete", "Delete");
1535
Ed Tanous62598e32023-07-17 17:06:25 -07001536 BMCWEB_LOG_ERROR("pamUpdatePassword Failed");
Ninad Palsule97e90da2023-05-17 14:04:52 -05001537 return;
1538 }
1539
1540 messages::created(asyncResp->res);
1541 asyncResp->res.addHeader("Location",
1542 "/redfish/v1/AccountService/Accounts/" + username);
1543}
1544
1545inline void processAfterGetAllGroups(
1546 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1547 const std::string& username, const std::string& password,
Ed Tanouse01d0c32023-06-30 13:21:32 -07001548 const std::string& roleId, bool enabled,
Ninad Palsule9ba73932023-06-01 16:38:57 -05001549 std::optional<std::vector<std::string>> accountTypes,
Ninad Palsule97e90da2023-05-17 14:04:52 -05001550 const std::vector<std::string>& allGroupsList)
Ninad Palsule97e90da2023-05-17 14:04:52 -05001551{
Ninad Palsule3e72c202023-03-27 17:19:55 -05001552 std::vector<std::string> userGroups;
Ninad Palsule9ba73932023-06-01 16:38:57 -05001553 std::vector<std::string> accountTypeUserGroups;
1554
1555 // If user specified account types then convert them to unix user groups
1556 if (accountTypes)
1557 {
1558 if (!getUserGroupFromAccountType(asyncResp->res, *accountTypes,
1559 accountTypeUserGroups))
1560 {
1561 // Problem in mapping Account Types to User Groups, Error already
1562 // logged.
1563 return;
1564 }
1565 }
1566
Ninad Palsule3e72c202023-03-27 17:19:55 -05001567 for (const auto& grp : allGroupsList)
1568 {
Ninad Palsule9ba73932023-06-01 16:38:57 -05001569 // If user specified the account type then only accept groups which are
1570 // in the account types group list.
1571 if (!accountTypeUserGroups.empty())
1572 {
1573 bool found = false;
1574 for (const auto& grp1 : accountTypeUserGroups)
1575 {
1576 if (grp == grp1)
1577 {
1578 found = true;
1579 break;
1580 }
1581 }
1582 if (!found)
1583 {
1584 continue;
1585 }
1586 }
1587
Ninad Palsule3e72c202023-03-27 17:19:55 -05001588 // Console access is provided to the user who is a member of
1589 // hostconsole group and has a administrator role. So, set
1590 // hostconsole group only for the administrator.
Ninad Palsule9ba73932023-06-01 16:38:57 -05001591 if ((grp == "hostconsole") && (roleId != "priv-admin"))
Ninad Palsule3e72c202023-03-27 17:19:55 -05001592 {
Ninad Palsule9ba73932023-06-01 16:38:57 -05001593 if (!accountTypeUserGroups.empty())
1594 {
Ed Tanous62598e32023-07-17 17:06:25 -07001595 BMCWEB_LOG_ERROR(
1596 "Only administrator can get HostConsole access");
Ninad Palsule9ba73932023-06-01 16:38:57 -05001597 asyncResp->res.result(boost::beast::http::status::bad_request);
1598 return;
1599 }
1600 continue;
Ninad Palsule3e72c202023-03-27 17:19:55 -05001601 }
Ninad Palsule9ba73932023-06-01 16:38:57 -05001602 userGroups.emplace_back(grp);
1603 }
1604
1605 // Make sure user specified groups are valid. This is internal error because
1606 // it some inconsistencies between user manager and bmcweb.
1607 if (!accountTypeUserGroups.empty() &&
1608 accountTypeUserGroups.size() != userGroups.size())
1609 {
1610 messages::internalError(asyncResp->res);
1611 return;
Ninad Palsule3e72c202023-03-27 17:19:55 -05001612 }
Ninad Palsule97e90da2023-05-17 14:04:52 -05001613 crow::connections::systemBus->async_method_call(
1614 [asyncResp, username, password](const boost::system::error_code& ec2,
1615 sdbusplus::message_t& m) {
1616 processAfterCreateUser(asyncResp, username, password, ec2, m);
Patrick Williams5a39f772023-10-20 11:20:21 -05001617 },
Ninad Palsule97e90da2023-05-17 14:04:52 -05001618 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
Ninad Palsule3e72c202023-03-27 17:19:55 -05001619 "xyz.openbmc_project.User.Manager", "CreateUser", username, userGroups,
Ed Tanouse01d0c32023-06-30 13:21:32 -07001620 roleId, enabled);
Ninad Palsule97e90da2023-05-17 14:04:52 -05001621}
1622
Ed Tanous1ef4c342022-05-12 16:12:36 -07001623inline void handleAccountCollectionPost(
1624 App& app, const crow::Request& req,
1625 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1626{
1627 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1628 {
1629 return;
1630 }
1631 std::string username;
1632 std::string password;
Ed Tanouse01d0c32023-06-30 13:21:32 -07001633 std::optional<std::string> roleIdJson;
1634 std::optional<bool> enabledJson;
Ninad Palsule9ba73932023-06-01 16:38:57 -05001635 std::optional<std::vector<std::string>> accountTypes;
Ed Tanouse01d0c32023-06-30 13:21:32 -07001636 if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", username,
1637 "Password", password, "RoleId", roleIdJson,
1638 "Enabled", enabledJson, "AccountTypes",
1639 accountTypes))
Ed Tanous1ef4c342022-05-12 16:12:36 -07001640 {
1641 return;
1642 }
1643
Ed Tanouse01d0c32023-06-30 13:21:32 -07001644 std::string roleId = roleIdJson.value_or("User");
1645 std::string priv = getPrivilegeFromRoleId(roleId);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001646 if (priv.empty())
1647 {
Ed Tanouse01d0c32023-06-30 13:21:32 -07001648 messages::propertyValueNotInList(asyncResp->res, roleId, "RoleId");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001649 return;
1650 }
Asmitha Karunanithi239adf82022-03-25 02:59:03 -05001651 roleId = priv;
Ed Tanous1ef4c342022-05-12 16:12:36 -07001652
Ed Tanouse01d0c32023-06-30 13:21:32 -07001653 bool enabled = enabledJson.value_or(true);
1654
Ed Tanous1ef4c342022-05-12 16:12:36 -07001655 // Reading AllGroups property
1656 sdbusplus::asio::getProperty<std::vector<std::string>>(
1657 *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1658 "/xyz/openbmc_project/user", "xyz.openbmc_project.User.Manager",
1659 "AllGroups",
Ninad Palsule9ba73932023-06-01 16:38:57 -05001660 [asyncResp, username, password{std::move(password)}, roleId, enabled,
1661 accountTypes](const boost::system::error_code& ec,
1662 const std::vector<std::string>& allGroupsList) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07001663 if (ec)
1664 {
Ed Tanous62598e32023-07-17 17:06:25 -07001665 BMCWEB_LOG_DEBUG("ERROR with async_method_call");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001666 messages::internalError(asyncResp->res);
1667 return;
1668 }
1669
1670 if (allGroupsList.empty())
1671 {
1672 messages::internalError(asyncResp->res);
1673 return;
1674 }
1675
Ninad Palsule97e90da2023-05-17 14:04:52 -05001676 processAfterGetAllGroups(asyncResp, username, password, roleId, enabled,
Ninad Palsule9ba73932023-06-01 16:38:57 -05001677 accountTypes, allGroupsList);
Patrick Williams5a39f772023-10-20 11:20:21 -05001678 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001679}
1680
1681inline void
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001682 handleAccountHead(App& app, const crow::Request& req,
1683 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1684 const std::string& /*accountName*/)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001685{
1686 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1687 {
1688 return;
1689 }
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001690 asyncResp->res.addHeader(
1691 boost::beast::http::field::link,
1692 "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby");
1693}
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001694
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001695inline void
1696 handleAccountGet(App& app, const crow::Request& req,
1697 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1698 const std::string& accountName)
1699{
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001700 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1701 {
1702 return;
1703 }
1704 asyncResp->res.addHeader(
1705 boost::beast::http::field::link,
1706 "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby");
1707
Ed Tanous1ef4c342022-05-12 16:12:36 -07001708#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
1709 // If authentication is disabled, there are no user accounts
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08001710 messages::resourceNotFound(asyncResp->res, "ManagerAccount", accountName);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001711 return;
Ed Tanous1ef4c342022-05-12 16:12:36 -07001712#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001713
Ed Tanous1ef4c342022-05-12 16:12:36 -07001714 if (req.session == nullptr)
1715 {
1716 messages::internalError(asyncResp->res);
1717 return;
1718 }
1719 if (req.session->username != accountName)
1720 {
1721 // At this point we've determined that the user is trying to
1722 // modify a user that isn't them. We need to verify that they
1723 // have permissions to modify other users, so re-run the auth
1724 // check with the same permissions, minus ConfigureSelf.
1725 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05001726 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001727 Privileges requiredPermissionsToChangeNonSelf = {"ConfigureUsers",
1728 "ConfigureManager"};
1729 if (!effectiveUserPrivileges.isSupersetOf(
1730 requiredPermissionsToChangeNonSelf))
1731 {
Ed Tanous62598e32023-07-17 17:06:25 -07001732 BMCWEB_LOG_DEBUG("GET Account denied access");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001733 messages::insufficientPrivilege(asyncResp->res);
1734 return;
1735 }
1736 }
1737
George Liu5eb468d2023-06-20 17:03:24 +08001738 sdbusplus::message::object_path path("/xyz/openbmc_project/user");
1739 dbus::utility::getManagedObjects(
1740 "xyz.openbmc_project.User.Manager", path,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001741 [asyncResp,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001742 accountName](const boost::system::error_code& ec,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001743 const dbus::utility::ManagedObjectType& users) {
1744 if (ec)
1745 {
1746 messages::internalError(asyncResp->res);
1747 return;
1748 }
Ed Tanous3544d2a2023-08-06 18:12:20 -07001749 const auto userIt = std::ranges::find_if(
Michael Shen80f79a42023-08-24 13:41:53 +00001750 users,
1751 [accountName](
1752 const std::pair<sdbusplus::message::object_path,
1753 dbus::utility::DBusInterfacesMap>& user) {
1754 return accountName == user.first.filename();
Patrick Williams5a39f772023-10-20 11:20:21 -05001755 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001756
1757 if (userIt == users.end())
1758 {
1759 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1760 accountName);
1761 return;
1762 }
1763
1764 asyncResp->res.jsonValue["@odata.type"] =
Abhishek Patel58345852022-02-02 08:54:25 -06001765 "#ManagerAccount.v1_7_0.ManagerAccount";
Ed Tanous1ef4c342022-05-12 16:12:36 -07001766 asyncResp->res.jsonValue["Name"] = "User Account";
1767 asyncResp->res.jsonValue["Description"] = "User Account";
1768 asyncResp->res.jsonValue["Password"] = nullptr;
Abhishek Patel58345852022-02-02 08:54:25 -06001769 asyncResp->res.jsonValue["StrictAccountTypes"] = true;
Ed Tanous1ef4c342022-05-12 16:12:36 -07001770
1771 for (const auto& interface : userIt->second)
1772 {
1773 if (interface.first == "xyz.openbmc_project.User.Attributes")
1774 {
1775 for (const auto& property : interface.second)
1776 {
1777 if (property.first == "UserEnabled")
1778 {
1779 const bool* userEnabled =
1780 std::get_if<bool>(&property.second);
1781 if (userEnabled == nullptr)
1782 {
Ed Tanous62598e32023-07-17 17:06:25 -07001783 BMCWEB_LOG_ERROR("UserEnabled wasn't a bool");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001784 messages::internalError(asyncResp->res);
1785 return;
1786 }
1787 asyncResp->res.jsonValue["Enabled"] = *userEnabled;
1788 }
1789 else if (property.first == "UserLockedForFailedAttempt")
1790 {
1791 const bool* userLocked =
1792 std::get_if<bool>(&property.second);
1793 if (userLocked == nullptr)
1794 {
Ed Tanous62598e32023-07-17 17:06:25 -07001795 BMCWEB_LOG_ERROR("UserLockedForF"
1796 "ailedAttempt "
1797 "wasn't a bool");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001798 messages::internalError(asyncResp->res);
1799 return;
1800 }
1801 asyncResp->res.jsonValue["Locked"] = *userLocked;
1802 asyncResp->res
1803 .jsonValue["Locked@Redfish.AllowableValues"] = {
1804 "false"}; // can only unlock accounts
1805 }
1806 else if (property.first == "UserPrivilege")
1807 {
1808 const std::string* userPrivPtr =
1809 std::get_if<std::string>(&property.second);
1810 if (userPrivPtr == nullptr)
1811 {
Ed Tanous62598e32023-07-17 17:06:25 -07001812 BMCWEB_LOG_ERROR("UserPrivilege wasn't a "
1813 "string");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001814 messages::internalError(asyncResp->res);
1815 return;
1816 }
1817 std::string role = getRoleIdFromPrivilege(*userPrivPtr);
1818 if (role.empty())
1819 {
Ed Tanous62598e32023-07-17 17:06:25 -07001820 BMCWEB_LOG_ERROR("Invalid user role");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001821 messages::internalError(asyncResp->res);
1822 return;
1823 }
1824 asyncResp->res.jsonValue["RoleId"] = role;
1825
1826 nlohmann::json& roleEntry =
1827 asyncResp->res.jsonValue["Links"]["Role"];
Ed Tanous3b327802023-08-14 09:23:43 -07001828 roleEntry["@odata.id"] = boost::urls::format(
1829 "/redfish/v1/AccountService/Roles/{}", role);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001830 }
1831 else if (property.first == "UserPasswordExpired")
1832 {
1833 const bool* userPasswordExpired =
1834 std::get_if<bool>(&property.second);
1835 if (userPasswordExpired == nullptr)
1836 {
Ed Tanous62598e32023-07-17 17:06:25 -07001837 BMCWEB_LOG_ERROR(
1838 "UserPasswordExpired wasn't a bool");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001839 messages::internalError(asyncResp->res);
1840 return;
1841 }
1842 asyncResp->res.jsonValue["PasswordChangeRequired"] =
1843 *userPasswordExpired;
1844 }
Abhishek Patelc7229812022-02-01 10:07:15 -06001845 else if (property.first == "UserGroups")
1846 {
1847 const std::vector<std::string>* userGroups =
1848 std::get_if<std::vector<std::string>>(
1849 &property.second);
1850 if (userGroups == nullptr)
1851 {
Ed Tanous62598e32023-07-17 17:06:25 -07001852 BMCWEB_LOG_ERROR(
1853 "userGroups wasn't a string vector");
Abhishek Patelc7229812022-02-01 10:07:15 -06001854 messages::internalError(asyncResp->res);
1855 return;
1856 }
1857 if (!translateUserGroup(*userGroups, asyncResp->res))
1858 {
Ed Tanous62598e32023-07-17 17:06:25 -07001859 BMCWEB_LOG_ERROR("userGroups mapping failed");
Abhishek Patelc7229812022-02-01 10:07:15 -06001860 messages::internalError(asyncResp->res);
1861 return;
1862 }
1863 }
Ed Tanous1ef4c342022-05-12 16:12:36 -07001864 }
1865 }
1866 }
1867
Ed Tanous3b327802023-08-14 09:23:43 -07001868 asyncResp->res.jsonValue["@odata.id"] = boost::urls::format(
1869 "/redfish/v1/AccountService/Accounts/{}", accountName);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001870 asyncResp->res.jsonValue["Id"] = accountName;
1871 asyncResp->res.jsonValue["UserName"] = accountName;
Patrick Williams5a39f772023-10-20 11:20:21 -05001872 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001873}
1874
1875inline void
Gunnar Mills20fc3072023-01-27 15:13:36 -06001876 handleAccountDelete(App& app, const crow::Request& req,
1877 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1878 const std::string& username)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001879{
1880 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1881 {
1882 return;
1883 }
1884
1885#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
1886 // If authentication is disabled, there are no user accounts
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08001887 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001888 return;
1889
1890#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
1891 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1892 tempObjPath /= username;
1893 const std::string userPath(tempObjPath);
1894
1895 crow::connections::systemBus->async_method_call(
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001896 [asyncResp, username](const boost::system::error_code& ec) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07001897 if (ec)
1898 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08001899 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
Ed Tanous1ef4c342022-05-12 16:12:36 -07001900 username);
1901 return;
1902 }
1903
1904 messages::accountRemoved(asyncResp->res);
Patrick Williams5a39f772023-10-20 11:20:21 -05001905 },
Ed Tanous1ef4c342022-05-12 16:12:36 -07001906 "xyz.openbmc_project.User.Manager", userPath,
1907 "xyz.openbmc_project.Object.Delete", "Delete");
1908}
1909
1910inline void
1911 handleAccountPatch(App& app, const crow::Request& req,
1912 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1913 const std::string& username)
1914{
1915 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1916 {
1917 return;
1918 }
1919#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
1920 // If authentication is disabled, there are no user accounts
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08001921 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001922 return;
1923
1924#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
1925 std::optional<std::string> newUserName;
1926 std::optional<std::string> password;
1927 std::optional<bool> enabled;
1928 std::optional<std::string> roleId;
1929 std::optional<bool> locked;
Abhishek Patel58345852022-02-02 08:54:25 -06001930 std::optional<std::vector<std::string>> accountTypes;
1931
Ed Tanous1ef4c342022-05-12 16:12:36 -07001932 if (req.session == nullptr)
1933 {
1934 messages::internalError(asyncResp->res);
1935 return;
1936 }
1937
Ed Tanous2b9c1df2024-04-06 13:52:01 -07001938 bool userSelf = (username == req.session->username);
1939
Ed Tanous1ef4c342022-05-12 16:12:36 -07001940 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05001941 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001942 Privileges configureUsers = {"ConfigureUsers"};
1943 bool userHasConfigureUsers =
1944 effectiveUserPrivileges.isSupersetOf(configureUsers);
1945 if (userHasConfigureUsers)
1946 {
1947 // Users with ConfigureUsers can modify for all users
Abhishek Patel58345852022-02-02 08:54:25 -06001948 if (!json_util::readJsonPatch(
1949 req, asyncResp->res, "UserName", newUserName, "Password",
1950 password, "RoleId", roleId, "Enabled", enabled, "Locked",
1951 locked, "AccountTypes", accountTypes))
Ed Tanous1ef4c342022-05-12 16:12:36 -07001952 {
1953 return;
1954 }
1955 }
1956 else
1957 {
1958 // ConfigureSelf accounts can only modify their own account
Abhishek Patel58345852022-02-02 08:54:25 -06001959 if (!userSelf)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001960 {
1961 messages::insufficientPrivilege(asyncResp->res);
1962 return;
1963 }
1964
1965 // ConfigureSelf accounts can only modify their password
1966 if (!json_util::readJsonPatch(req, asyncResp->res, "Password",
1967 password))
1968 {
1969 return;
1970 }
1971 }
1972
1973 // if user name is not provided in the patch method or if it
1974 // matches the user name in the URI, then we are treating it as
1975 // updating user properties other then username. If username
1976 // provided doesn't match the URI, then we are treating this as
1977 // user rename request.
1978 if (!newUserName || (newUserName.value() == username))
1979 {
1980 updateUserProperties(asyncResp, username, password, enabled, roleId,
Abhishek Patel58345852022-02-02 08:54:25 -06001981 locked, accountTypes, userSelf);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001982 return;
1983 }
1984 crow::connections::systemBus->async_method_call(
1985 [asyncResp, username, password(std::move(password)),
1986 roleId(std::move(roleId)), enabled, newUser{std::string(*newUserName)},
Abhishek Patel58345852022-02-02 08:54:25 -06001987 locked, userSelf, accountTypes(std::move(accountTypes))](
Ed Tanouse81de512023-06-27 17:07:00 -07001988 const boost::system::error_code& ec, sdbusplus::message_t& m) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07001989 if (ec)
1990 {
1991 userErrorMessageHandler(m.get_error(), asyncResp, newUser,
1992 username);
1993 return;
1994 }
1995
1996 updateUserProperties(asyncResp, newUser, password, enabled, roleId,
Abhishek Patel58345852022-02-02 08:54:25 -06001997 locked, accountTypes, userSelf);
Patrick Williams5a39f772023-10-20 11:20:21 -05001998 },
Ed Tanous1ef4c342022-05-12 16:12:36 -07001999 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
2000 "xyz.openbmc_project.User.Manager", "RenameUser", username,
2001 *newUserName);
2002}
2003
Ed Tanous6c51eab2021-06-03 12:30:29 -07002004inline void requestAccountServiceRoutes(App& app)
Ed Tanousb9b2e0b2018-09-13 13:47:50 -07002005{
Ed Tanous6c51eab2021-06-03 12:30:29 -07002006 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Ed Tanous4c7d4d32022-07-07 15:29:35 -07002007 .privileges(redfish::privileges::headAccountService)
2008 .methods(boost::beast::http::verb::head)(
2009 std::bind_front(handleAccountServiceHead, std::ref(app)));
2010
2011 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Ed Tanoused398212021-06-09 17:05:54 -07002012 .privileges(redfish::privileges::getAccountService)
Ed Tanous002d39b2022-05-31 08:59:27 -07002013 .methods(boost::beast::http::verb::get)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002014 std::bind_front(handleAccountServiceGet, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002015
Ed Tanousf5ffd802021-07-19 10:55:33 -07002016 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Gunnar Mills1ec43ee2022-01-04 15:39:52 -06002017 .privileges(redfish::privileges::patchAccountService)
Ed Tanousf5ffd802021-07-19 10:55:33 -07002018 .methods(boost::beast::http::verb::patch)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002019 std::bind_front(handleAccountServicePatch, std::ref(app)));
Ed Tanousf5ffd802021-07-19 10:55:33 -07002020
Ed Tanous6c51eab2021-06-03 12:30:29 -07002021 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanous4c7d4d32022-07-07 15:29:35 -07002022 .privileges(redfish::privileges::headManagerAccountCollection)
2023 .methods(boost::beast::http::verb::head)(
2024 std::bind_front(handleAccountCollectionHead, std::ref(app)));
2025
2026 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanoused398212021-06-09 17:05:54 -07002027 .privileges(redfish::privileges::getManagerAccountCollection)
Ed Tanous6c51eab2021-06-03 12:30:29 -07002028 .methods(boost::beast::http::verb::get)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002029 std::bind_front(handleAccountCollectionGet, std::ref(app)));
Ed Tanous06e086d2018-09-19 17:19:52 -07002030
Ed Tanous6c51eab2021-06-03 12:30:29 -07002031 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanoused398212021-06-09 17:05:54 -07002032 .privileges(redfish::privileges::postManagerAccountCollection)
Ed Tanous002d39b2022-05-31 08:59:27 -07002033 .methods(boost::beast::http::verb::post)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002034 std::bind_front(handleAccountCollectionPost, std::ref(app)));
Ed Tanous002d39b2022-05-31 08:59:27 -07002035
2036 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanous4c7d4d32022-07-07 15:29:35 -07002037 .privileges(redfish::privileges::headManagerAccount)
2038 .methods(boost::beast::http::verb::head)(
2039 std::bind_front(handleAccountHead, std::ref(app)));
2040
2041 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanous002d39b2022-05-31 08:59:27 -07002042 .privileges(redfish::privileges::getManagerAccount)
2043 .methods(boost::beast::http::verb::get)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002044 std::bind_front(handleAccountGet, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002045
2046 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -07002047 // TODO this privilege should be using the generated endpoints, but
2048 // because of the special handling of ConfigureSelf, it's not able to
2049 // yet
Ed Tanous6c51eab2021-06-03 12:30:29 -07002050 .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}})
2051 .methods(boost::beast::http::verb::patch)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002052 std::bind_front(handleAccountPatch, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002053
2054 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -07002055 .privileges(redfish::privileges::deleteManagerAccount)
Ed Tanous6c51eab2021-06-03 12:30:29 -07002056 .methods(boost::beast::http::verb::delete_)(
Gunnar Mills20fc3072023-01-27 15:13:36 -06002057 std::bind_front(handleAccountDelete, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002058}
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +01002059
Ed Tanous1abe55e2018-09-05 08:30:59 -07002060} // namespace redfish