Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 2dfd18ef79d3b0a2995ba731983479d492be5949 / . / redfish-core / lib / account_service.hpp
blob: 3b6062ab2172ac7063e90d9c7197a48828208460 [file] [log] [blame]
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]1/*
2// Copyright (c) 2018 Intel Corporation
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15*/
16#pragma once
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]17#include "node.hpp"
18
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]19#include <dbus_utility.hpp>
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]20#include <error_messages.hpp>
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]21#include <openbmc_dbus_rest.hpp>
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]22#include <persistent_data.hpp>
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]23#include <utils/json_utils.hpp>
Gunnar Mills1214b7e2020-06-04 10:11:30 -0500[diff] [blame]24
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]25#include <variant>
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]26
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]27namespace redfish
28{
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]29
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]30constexpr const char* ldapConfigObjectName =
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]31 "/xyz/openbmc_project/user/ldap/openldap";
Ed Tanous2c70f802020-09-28 14:29:23 -0700[diff] [blame]32constexpr const char* adConfigObject =
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]33 "/xyz/openbmc_project/user/ldap/active_directory";
34
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]35constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap";
36constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config";
37constexpr const char* ldapConfigInterface =
38 "xyz.openbmc_project.User.Ldap.Config";
39constexpr const char* ldapCreateInterface =
40 "xyz.openbmc_project.User.Ldap.Create";
41constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable";
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]42constexpr const char* ldapPrivMapperInterface =
43 "xyz.openbmc_project.User.PrivilegeMapper";
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]44constexpr const char* dbusObjManagerIntf = "org.freedesktop.DBus.ObjectManager";
45constexpr const char* propertyInterface = "org.freedesktop.DBus.Properties";
46constexpr const char* mapperBusName = "xyz.openbmc_project.ObjectMapper";
47constexpr const char* mapperObjectPath = "/xyz/openbmc_project/object_mapper";
48constexpr const char* mapperIntf = "xyz.openbmc_project.ObjectMapper";
49
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]50struct LDAPRoleMapData
51{
52 std::string groupName;
53 std::string privilege;
54};
55
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]56struct LDAPConfigData
57{
58 std::string uri{};
59 std::string bindDN{};
60 std::string baseDN{};
61 std::string searchScope{};
62 std::string serverType{};
63 bool serviceEnabled = false;
64 std::string userNameAttribute{};
65 std::string groupAttribute{};
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]66 std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList;
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]67};
68
Patrick Williams19bd78d2020-05-13 17:38:24 -0500[diff] [blame]69using DbusVariantType = std::variant<bool, int32_t, std::string>;
Przemyslaw Czarnowski107077d2019-07-11 10:16:43 +0200[diff] [blame]70
71using DbusInterfaceType = boost::container::flat_map<
72 std::string, boost::container::flat_map<std::string, DbusVariantType>>;
73
74using ManagedObjectType =
75 std::vector<std::pair<sdbusplus::message::object_path, DbusInterfaceType>>;
76
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]77using GetObjectType =
78 std::vector<std::pair<std::string, std::vector<std::string>>>;
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]79
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]80inline std::string getRoleIdFromPrivilege(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]81{
82 if (role == "priv-admin")
83 {
84 return "Administrator";
85 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]86 if (role == "priv-user")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]87 {
AppaRao Pulic80fee52019-10-16 14:49:36 +0530[diff] [blame]88 return "ReadOnly";
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]89 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]90 if (role == "priv-operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]91 {
92 return "Operator";
93 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]94 if ((role == "") || (role == "priv-noaccess"))
jayaprakash Mutyalae9e6d242019-07-29 11:59:08 +0000[diff] [blame]95 {
96 return "NoAccess";
97 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]98 return "";
99}
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]100inline std::string getPrivilegeFromRoleId(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]101{
102 if (role == "Administrator")
103 {
104 return "priv-admin";
105 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]106 if (role == "ReadOnly")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]107 {
108 return "priv-user";
109 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]110 if (role == "Operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]111 {
112 return "priv-operator";
113 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]114 if ((role == "NoAccess") || (role == ""))
jayaprakash Mutyalae9e6d242019-07-29 11:59:08 +0000[diff] [blame]115 {
116 return "priv-noaccess";
117 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]118 return "";
119}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]120
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]121inline void userErrorMessageHandler(const sd_bus_error* e,
Ed Tanousb5a76932020-09-29 16:16:58 -0700[diff] [blame]122 const std::shared_ptr<AsyncResp>& asyncResp,
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]123 const std::string& newUser,
124 const std::string& username)
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]125{
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]126 if (e == nullptr)
127 {
128 messages::internalError(asyncResp->res);
129 return;
130 }
131
Manojkiran Eda055806b2020-11-03 09:36:28 +0530[diff] [blame]132 const char* errorMessage = e->name;
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]133 if (strcmp(errorMessage,
134 "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0)
135 {
136 messages::resourceAlreadyExists(asyncResp->res,
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]137 "#ManagerAccount.v1_4_0.ManagerAccount",
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]138 "UserName", newUser);
139 }
140 else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
141 "UserNameDoesNotExist") == 0)
142 {
143 messages::resourceNotFound(
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]144 asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", username);
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]145 }
Ed Tanousd4d25792020-09-29 15:15:03 -0700[diff] [blame]146 else if ((strcmp(errorMessage,
147 "xyz.openbmc_project.Common.Error.InvalidArgument") ==
148 0) ||
149 (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
150 "UserNameGroupFail") == 0))
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]151 {
152 messages::propertyValueFormatError(asyncResp->res, newUser, "UserName");
153 }
154 else if (strcmp(errorMessage,
155 "xyz.openbmc_project.User.Common.Error.NoResource") == 0)
156 {
157 messages::createLimitReachedForResource(asyncResp->res);
158 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]159 else
160 {
161 messages::internalError(asyncResp->res);
162 }
163
164 return;
165}
166
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]167inline void parseLDAPConfigData(nlohmann::json& jsonResponse,
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]168 const LDAPConfigData& confData,
169 const std::string& ldapType)
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]170{
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]171 std::string service =
172 (ldapType == "LDAP") ? "LDAPService" : "ActiveDirectoryService";
Marri Devender Rao37cce912019-02-20 01:05:22 -0600[diff] [blame]173 nlohmann::json ldap = {
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]174 {"ServiceEnabled", confData.serviceEnabled},
175 {"ServiceAddresses", nlohmann::json::array({confData.uri})},
176 {"Authentication",
177 {{"AuthenticationType", "UsernameAndPassword"},
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]178 {"Username", confData.bindDN},
179 {"Password", nullptr}}},
180 {"LDAPService",
181 {{"SearchSettings",
182 {{"BaseDistinguishedNames",
183 nlohmann::json::array({confData.baseDN})},
184 {"UsernameAttribute", confData.userNameAttribute},
185 {"GroupsAttribute", confData.groupAttribute}}}}},
186 };
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]187
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]188 jsonResponse[ldapType].update(ldap);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]189
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]190 nlohmann::json& roleMapArray = jsonResponse[ldapType]["RemoteRoleMapping"];
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]191 roleMapArray = nlohmann::json::array();
192 for (auto& obj : confData.groupRoleList)
193 {
194 BMCWEB_LOG_DEBUG << "Pushing the data groupName="
195 << obj.second.groupName << "\n";
196 roleMapArray.push_back(
197 {nlohmann::json::array({"RemoteGroup", obj.second.groupName}),
198 nlohmann::json::array(
199 {"LocalRole", getRoleIdFromPrivilege(obj.second.privilege)})});
200 }
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]201}
202
203/**
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]204 * @brief validates given JSON input and then calls appropriate method to
205 * create, to delete or to set Rolemapping object based on the given input.
206 *
207 */
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]208inline void handleRoleMapPatch(
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]209 const std::shared_ptr<AsyncResp>& asyncResp,
210 const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData,
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]211 const std::string& serverType, const std::vector<nlohmann::json>& input)
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]212{
213 for (size_t index = 0; index < input.size(); index++)
214 {
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]215 const nlohmann::json& thisJson = input[index];
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]216
217 if (thisJson.is_null())
218 {
219 // delete the existing object
220 if (index < roleMapObjData.size())
221 {
222 crow::connections::systemBus->async_method_call(
223 [asyncResp, roleMapObjData, serverType,
224 index](const boost::system::error_code ec) {
225 if (ec)
226 {
227 BMCWEB_LOG_ERROR << "DBUS response error: " << ec;
228 messages::internalError(asyncResp->res);
229 return;
230 }
231 asyncResp->res
232 .jsonValue[serverType]["RemoteRoleMapping"][index] =
233 nullptr;
234 },
235 ldapDbusService, roleMapObjData[index].first,
236 "xyz.openbmc_project.Object.Delete", "Delete");
237 }
238 else
239 {
240 BMCWEB_LOG_ERROR << "Can't delete the object";
241 messages::propertyValueTypeError(
242 asyncResp->res, thisJson.dump(),
243 "RemoteRoleMapping/" + std::to_string(index));
244 return;
245 }
246 }
247 else if (thisJson.empty())
248 {
249 // Don't do anything for the empty objects,parse next json
250 // eg {"RemoteRoleMapping",[{}]}
251 }
252 else
253 {
254 // update/create the object
255 std::optional<std::string> remoteGroup;
256 std::optional<std::string> localRole;
257
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]258 // This is a copy, but it's required in this case because of how
259 // readJson is structured
260 nlohmann::json thisJsonCopy = thisJson;
261 if (!json_util::readJson(thisJsonCopy, asyncResp->res,
262 "RemoteGroup", remoteGroup, "LocalRole",
263 localRole))
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]264 {
265 continue;
266 }
267
268 // Update existing RoleMapping Object
269 if (index < roleMapObjData.size())
270 {
271 BMCWEB_LOG_DEBUG << "Update Role Map Object";
272 // If "RemoteGroup" info is provided
273 if (remoteGroup)
274 {
275 crow::connections::systemBus->async_method_call(
276 [asyncResp, roleMapObjData, serverType, index,
277 remoteGroup](const boost::system::error_code ec) {
278 if (ec)
279 {
280 BMCWEB_LOG_ERROR << "DBUS response error: "
281 << ec;
282 messages::internalError(asyncResp->res);
283 return;
284 }
285 asyncResp->res
286 .jsonValue[serverType]["RemoteRoleMapping"]
287 [index]["RemoteGroup"] = *remoteGroup;
288 },
289 ldapDbusService, roleMapObjData[index].first,
290 propertyInterface, "Set",
291 "xyz.openbmc_project.User.PrivilegeMapperEntry",
292 "GroupName",
293 std::variant<std::string>(std::move(*remoteGroup)));
294 }
295
296 // If "LocalRole" info is provided
297 if (localRole)
298 {
299 crow::connections::systemBus->async_method_call(
300 [asyncResp, roleMapObjData, serverType, index,
301 localRole](const boost::system::error_code ec) {
302 if (ec)
303 {
304 BMCWEB_LOG_ERROR << "DBUS response error: "
305 << ec;
306 messages::internalError(asyncResp->res);
307 return;
308 }
309 asyncResp->res
310 .jsonValue[serverType]["RemoteRoleMapping"]
311 [index]["LocalRole"] = *localRole;
312 },
313 ldapDbusService, roleMapObjData[index].first,
314 propertyInterface, "Set",
315 "xyz.openbmc_project.User.PrivilegeMapperEntry",
316 "Privilege",
317 std::variant<std::string>(
318 getPrivilegeFromRoleId(std::move(*localRole))));
319 }
320 }
321 // Create a new RoleMapping Object.
322 else
323 {
324 BMCWEB_LOG_DEBUG
325 << "setRoleMappingProperties: Creating new Object";
326 std::string pathString =
327 "RemoteRoleMapping/" + std::to_string(index);
328
329 if (!localRole)
330 {
331 messages::propertyMissing(asyncResp->res,
332 pathString + "/LocalRole");
333 continue;
334 }
335 if (!remoteGroup)
336 {
337 messages::propertyMissing(asyncResp->res,
338 pathString + "/RemoteGroup");
339 continue;
340 }
341
342 std::string dbusObjectPath;
343 if (serverType == "ActiveDirectory")
344 {
Ed Tanous2c70f802020-09-28 14:29:23 -0700[diff] [blame]345 dbusObjectPath = adConfigObject;
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]346 }
347 else if (serverType == "LDAP")
348 {
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]349 dbusObjectPath = ldapConfigObjectName;
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]350 }
351
352 BMCWEB_LOG_DEBUG << "Remote Group=" << *remoteGroup
353 << ",LocalRole=" << *localRole;
354
355 crow::connections::systemBus->async_method_call(
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]356 [asyncResp, serverType, localRole,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]357 remoteGroup](const boost::system::error_code ec) {
358 if (ec)
359 {
360 BMCWEB_LOG_ERROR << "DBUS response error: " << ec;
361 messages::internalError(asyncResp->res);
362 return;
363 }
364 nlohmann::json& remoteRoleJson =
365 asyncResp->res
366 .jsonValue[serverType]["RemoteRoleMapping"];
367 remoteRoleJson.push_back(
368 {{"LocalRole", *localRole},
369 {"RemoteGroup", *remoteGroup}});
370 },
371 ldapDbusService, dbusObjectPath, ldapPrivMapperInterface,
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]372 "Create", *remoteGroup,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]373 getPrivilegeFromRoleId(std::move(*localRole)));
374 }
375 }
376 }
377}
378
379/**
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]380 * Function that retrieves all properties for LDAP config object
381 * into JSON
382 */
383template <typename CallbackFunc>
384inline void getLDAPConfigData(const std::string& ldapType,
385 CallbackFunc&& callback)
386{
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]387
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]388 const std::array<const char*, 2> interfaces = {ldapEnableInterface,
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]389 ldapConfigInterface};
390
391 crow::connections::systemBus->async_method_call(
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]392 [callback, ldapType](const boost::system::error_code ec,
393 const GetObjectType& resp) {
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]394 if (ec || resp.empty())
395 {
396 BMCWEB_LOG_ERROR << "DBUS response error during getting of "
397 "service name: "
398 << ec;
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]399 LDAPConfigData empty{};
400 callback(false, empty, ldapType);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]401 return;
402 }
403 std::string service = resp.begin()->first;
404 crow::connections::systemBus->async_method_call(
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]405 [callback, ldapType](const boost::system::error_code errorCode,
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]406 const ManagedObjectType& ldapObjects) {
407 LDAPConfigData confData{};
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]408 if (errorCode)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]409 {
410 callback(false, confData, ldapType);
411 BMCWEB_LOG_ERROR << "D-Bus responses error: "
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]412 << errorCode;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]413 return;
414 }
415
416 std::string ldapDbusType;
417 std::string searchString;
418
419 if (ldapType == "LDAP")
420 {
421 ldapDbusType = "xyz.openbmc_project.User.Ldap.Config."
422 "Type.OpenLdap";
423 searchString = "openldap";
424 }
425 else if (ldapType == "ActiveDirectory")
426 {
427 ldapDbusType =
428 "xyz.openbmc_project.User.Ldap.Config.Type."
429 "ActiveDirectory";
430 searchString = "active_directory";
431 }
432 else
433 {
434 BMCWEB_LOG_ERROR
435 << "Can't get the DbusType for the given type="
436 << ldapType;
437 callback(false, confData, ldapType);
438 return;
439 }
440
441 std::string ldapEnableInterfaceStr = ldapEnableInterface;
442 std::string ldapConfigInterfaceStr = ldapConfigInterface;
443
444 for (const auto& object : ldapObjects)
445 {
446 // let's find the object whose ldap type is equal to the
447 // given type
448 if (object.first.str.find(searchString) ==
449 std::string::npos)
450 {
451 continue;
452 }
453
454 for (const auto& interface : object.second)
455 {
456 if (interface.first == ldapEnableInterfaceStr)
457 {
458 // rest of the properties are string.
459 for (const auto& property : interface.second)
460 {
461 if (property.first == "Enabled")
462 {
463 const bool* value =
464 std::get_if<bool>(&property.second);
465 if (value == nullptr)
466 {
467 continue;
468 }
469 confData.serviceEnabled = *value;
470 break;
471 }
472 }
473 }
474 else if (interface.first == ldapConfigInterfaceStr)
475 {
476
477 for (const auto& property : interface.second)
478 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]479 const std::string* strValue =
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]480 std::get_if<std::string>(
481 &property.second);
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]482 if (strValue == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]483 {
484 continue;
485 }
486 if (property.first == "LDAPServerURI")
487 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]488 confData.uri = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]489 }
490 else if (property.first == "LDAPBindDN")
491 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]492 confData.bindDN = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]493 }
494 else if (property.first == "LDAPBaseDN")
495 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]496 confData.baseDN = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]497 }
498 else if (property.first ==
499 "LDAPSearchScope")
500 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]501 confData.searchScope = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]502 }
503 else if (property.first ==
504 "GroupNameAttribute")
505 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]506 confData.groupAttribute = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]507 }
508 else if (property.first ==
509 "UserNameAttribute")
510 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]511 confData.userNameAttribute = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]512 }
513 else if (property.first == "LDAPType")
514 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]515 confData.serverType = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]516 }
517 }
518 }
519 else if (interface.first ==
520 "xyz.openbmc_project.User."
521 "PrivilegeMapperEntry")
522 {
523 LDAPRoleMapData roleMapData{};
524 for (const auto& property : interface.second)
525 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]526 const std::string* strValue =
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]527 std::get_if<std::string>(
528 &property.second);
529
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]530 if (strValue == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]531 {
532 continue;
533 }
534
535 if (property.first == "GroupName")
536 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]537 roleMapData.groupName = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]538 }
539 else if (property.first == "Privilege")
540 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]541 roleMapData.privilege = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]542 }
543 }
544
Ed Tanous0f0353b2019-10-24 11:37:51 -0700[diff] [blame]545 confData.groupRoleList.emplace_back(
546 object.first.str, roleMapData);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]547 }
548 }
549 }
550 callback(true, confData, ldapType);
551 },
552 service, ldapRootObject, dbusObjManagerIntf,
553 "GetManagedObjects");
554 },
555 mapperBusName, mapperObjectPath, mapperIntf, "GetObject",
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]556 ldapConfigObjectName, interfaces);
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]557}
558
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]559class AccountService : public Node
560{
561 public:
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]562 AccountService(App& app) : Node(app, "/redfish/v1/AccountService/")
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]563 {
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]564 entityPrivileges = {
Gunnar Mills3c5a3762020-01-29 15:21:30 -0600[diff] [blame]565 {boost::beast::http::verb::get, {{"Login"}}},
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]566 {boost::beast::http::verb::head, {{"Login"}}},
567 {boost::beast::http::verb::patch, {{"ConfigureUsers"}}},
568 {boost::beast::http::verb::put, {{"ConfigureUsers"}}},
569 {boost::beast::http::verb::delete_, {{"ConfigureUsers"}}},
570 {boost::beast::http::verb::post, {{"ConfigureUsers"}}}};
571 }
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]572
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]573 private:
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]574 /**
575 * @brief parses the authentication section under the LDAP
576 * @param input JSON data
577 * @param asyncResp pointer to the JSON response
578 * @param userName userName to be filled from the given JSON.
579 * @param password password to be filled from the given JSON.
580 */
581 void
582 parseLDAPAuthenticationJson(nlohmann::json input,
583 const std::shared_ptr<AsyncResp>& asyncResp,
584 std::optional<std::string>& username,
585 std::optional<std::string>& password)
586 {
587 std::optional<std::string> authType;
588
589 if (!json_util::readJson(input, asyncResp->res, "AuthenticationType",
590 authType, "Username", username, "Password",
591 password))
592 {
593 return;
594 }
595 if (!authType)
596 {
597 return;
598 }
599 if (*authType != "UsernameAndPassword")
600 {
601 messages::propertyValueNotInList(asyncResp->res, *authType,
602 "AuthenticationType");
603 return;
604 }
605 }
606 /**
607 * @brief parses the LDAPService section under the LDAP
608 * @param input JSON data
609 * @param asyncResp pointer to the JSON response
610 * @param baseDNList baseDN to be filled from the given JSON.
611 * @param userNameAttribute userName to be filled from the given JSON.
612 * @param groupaAttribute password to be filled from the given JSON.
613 */
614
615 void parseLDAPServiceJson(
616 nlohmann::json input, const std::shared_ptr<AsyncResp>& asyncResp,
617 std::optional<std::vector<std::string>>& baseDNList,
618 std::optional<std::string>& userNameAttribute,
619 std::optional<std::string>& groupsAttribute)
620 {
621 std::optional<nlohmann::json> searchSettings;
622
623 if (!json_util::readJson(input, asyncResp->res, "SearchSettings",
624 searchSettings))
625 {
626 return;
627 }
628 if (!searchSettings)
629 {
630 return;
631 }
632 if (!json_util::readJson(*searchSettings, asyncResp->res,
633 "BaseDistinguishedNames", baseDNList,
634 "UsernameAttribute", userNameAttribute,
635 "GroupsAttribute", groupsAttribute))
636 {
637 return;
638 }
639 }
640 /**
641 * @brief updates the LDAP server address and updates the
642 json response with the new value.
643 * @param serviceAddressList address to be updated.
644 * @param asyncResp pointer to the JSON response
645 * @param ldapServerElementName Type of LDAP
646 server(openLDAP/ActiveDirectory)
647 */
648
649 void handleServiceAddressPatch(
650 const std::vector<std::string>& serviceAddressList,
651 const std::shared_ptr<AsyncResp>& asyncResp,
652 const std::string& ldapServerElementName,
653 const std::string& ldapConfigObject)
654 {
655 crow::connections::systemBus->async_method_call(
656 [asyncResp, ldapServerElementName,
657 serviceAddressList](const boost::system::error_code ec) {
658 if (ec)
659 {
660 BMCWEB_LOG_DEBUG
Gunnar Millsc61704a2020-07-08 13:47:06 -0500[diff] [blame]661 << "Error Occurred in updating the service address";
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]662 messages::internalError(asyncResp->res);
663 return;
664 }
665 std::vector<std::string> modifiedserviceAddressList = {
666 serviceAddressList.front()};
667 asyncResp->res
668 .jsonValue[ldapServerElementName]["ServiceAddresses"] =
669 modifiedserviceAddressList;
670 if ((serviceAddressList).size() > 1)
671 {
672 messages::propertyValueModified(asyncResp->res,
673 "ServiceAddresses",
674 serviceAddressList.front());
675 }
676 BMCWEB_LOG_DEBUG << "Updated the service address";
677 },
678 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
679 ldapConfigInterface, "LDAPServerURI",
680 std::variant<std::string>(serviceAddressList.front()));
681 }
682 /**
683 * @brief updates the LDAP Bind DN and updates the
684 json response with the new value.
685 * @param username name of the user which needs to be updated.
686 * @param asyncResp pointer to the JSON response
687 * @param ldapServerElementName Type of LDAP
688 server(openLDAP/ActiveDirectory)
689 */
690
691 void handleUserNamePatch(const std::string& username,
692 const std::shared_ptr<AsyncResp>& asyncResp,
693 const std::string& ldapServerElementName,
694 const std::string& ldapConfigObject)
695 {
696 crow::connections::systemBus->async_method_call(
697 [asyncResp, username,
698 ldapServerElementName](const boost::system::error_code ec) {
699 if (ec)
700 {
701 BMCWEB_LOG_DEBUG
Gunnar Millsc61704a2020-07-08 13:47:06 -0500[diff] [blame]702 << "Error occurred in updating the username";
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]703 messages::internalError(asyncResp->res);
704 return;
705 }
706 asyncResp->res.jsonValue[ldapServerElementName]
707 ["Authentication"]["Username"] =
708 username;
709 BMCWEB_LOG_DEBUG << "Updated the username";
710 },
711 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
712 ldapConfigInterface, "LDAPBindDN",
713 std::variant<std::string>(username));
714 }
715
716 /**
717 * @brief updates the LDAP password
718 * @param password : ldap password which needs to be updated.
719 * @param asyncResp pointer to the JSON response
720 * @param ldapServerElementName Type of LDAP
721 * server(openLDAP/ActiveDirectory)
722 */
723
724 void handlePasswordPatch(const std::string& password,
725 const std::shared_ptr<AsyncResp>& asyncResp,
726 const std::string& ldapServerElementName,
727 const std::string& ldapConfigObject)
728 {
729 crow::connections::systemBus->async_method_call(
730 [asyncResp, password,
731 ldapServerElementName](const boost::system::error_code ec) {
732 if (ec)
733 {
734 BMCWEB_LOG_DEBUG
Gunnar Millsc61704a2020-07-08 13:47:06 -0500[diff] [blame]735 << "Error occurred in updating the password";
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]736 messages::internalError(asyncResp->res);
737 return;
738 }
739 asyncResp->res.jsonValue[ldapServerElementName]
740 ["Authentication"]["Password"] = "";
741 BMCWEB_LOG_DEBUG << "Updated the password";
742 },
743 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
744 ldapConfigInterface, "LDAPBindDNPassword",
745 std::variant<std::string>(password));
746 }
747
748 /**
749 * @brief updates the LDAP BaseDN and updates the
750 json response with the new value.
751 * @param baseDNList baseDN list which needs to be updated.
752 * @param asyncResp pointer to the JSON response
753 * @param ldapServerElementName Type of LDAP
754 server(openLDAP/ActiveDirectory)
755 */
756
757 void handleBaseDNPatch(const std::vector<std::string>& baseDNList,
758 const std::shared_ptr<AsyncResp>& asyncResp,
759 const std::string& ldapServerElementName,
760 const std::string& ldapConfigObject)
761 {
762 crow::connections::systemBus->async_method_call(
763 [asyncResp, baseDNList,
764 ldapServerElementName](const boost::system::error_code ec) {
765 if (ec)
766 {
Gunnar Millsc61704a2020-07-08 13:47:06 -0500[diff] [blame]767 BMCWEB_LOG_DEBUG
768 << "Error Occurred in Updating the base DN";
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]769 messages::internalError(asyncResp->res);
770 return;
771 }
772 auto& serverTypeJson =
773 asyncResp->res.jsonValue[ldapServerElementName];
774 auto& searchSettingsJson =
775 serverTypeJson["LDAPService"]["SearchSettings"];
776 std::vector<std::string> modifiedBaseDNList = {
777 baseDNList.front()};
778 searchSettingsJson["BaseDistinguishedNames"] =
779 modifiedBaseDNList;
780 if (baseDNList.size() > 1)
781 {
782 messages::propertyValueModified(asyncResp->res,
783 "BaseDistinguishedNames",
784 baseDNList.front());
785 }
786 BMCWEB_LOG_DEBUG << "Updated the base DN";
787 },
788 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
789 ldapConfigInterface, "LDAPBaseDN",
790 std::variant<std::string>(baseDNList.front()));
791 }
792 /**
793 * @brief updates the LDAP user name attribute and updates the
794 json response with the new value.
795 * @param userNameAttribute attribute to be updated.
796 * @param asyncResp pointer to the JSON response
797 * @param ldapServerElementName Type of LDAP
798 server(openLDAP/ActiveDirectory)
799 */
800
801 void handleUserNameAttrPatch(const std::string& userNameAttribute,
802 const std::shared_ptr<AsyncResp>& asyncResp,
803 const std::string& ldapServerElementName,
804 const std::string& ldapConfigObject)
805 {
806 crow::connections::systemBus->async_method_call(
807 [asyncResp, userNameAttribute,
808 ldapServerElementName](const boost::system::error_code ec) {
809 if (ec)
810 {
Gunnar Millsc61704a2020-07-08 13:47:06 -0500[diff] [blame]811 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the "
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]812 "username attribute";
813 messages::internalError(asyncResp->res);
814 return;
815 }
816 auto& serverTypeJson =
817 asyncResp->res.jsonValue[ldapServerElementName];
818 auto& searchSettingsJson =
819 serverTypeJson["LDAPService"]["SearchSettings"];
820 searchSettingsJson["UsernameAttribute"] = userNameAttribute;
821 BMCWEB_LOG_DEBUG << "Updated the user name attr.";
822 },
823 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
824 ldapConfigInterface, "UserNameAttribute",
825 std::variant<std::string>(userNameAttribute));
826 }
827 /**
828 * @brief updates the LDAP group attribute and updates the
829 json response with the new value.
830 * @param groupsAttribute attribute to be updated.
831 * @param asyncResp pointer to the JSON response
832 * @param ldapServerElementName Type of LDAP
833 server(openLDAP/ActiveDirectory)
834 */
835
836 void handleGroupNameAttrPatch(const std::string& groupsAttribute,
837 const std::shared_ptr<AsyncResp>& asyncResp,
838 const std::string& ldapServerElementName,
839 const std::string& ldapConfigObject)
840 {
841 crow::connections::systemBus->async_method_call(
842 [asyncResp, groupsAttribute,
843 ldapServerElementName](const boost::system::error_code ec) {
844 if (ec)
845 {
Gunnar Millsc61704a2020-07-08 13:47:06 -0500[diff] [blame]846 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the "
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]847 "groupname attribute";
848 messages::internalError(asyncResp->res);
849 return;
850 }
851 auto& serverTypeJson =
852 asyncResp->res.jsonValue[ldapServerElementName];
853 auto& searchSettingsJson =
854 serverTypeJson["LDAPService"]["SearchSettings"];
855 searchSettingsJson["GroupsAttribute"] = groupsAttribute;
856 BMCWEB_LOG_DEBUG << "Updated the groupname attr";
857 },
858 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
859 ldapConfigInterface, "GroupNameAttribute",
860 std::variant<std::string>(groupsAttribute));
861 }
862 /**
863 * @brief updates the LDAP service enable and updates the
864 json response with the new value.
865 * @param input JSON data.
866 * @param asyncResp pointer to the JSON response
867 * @param ldapServerElementName Type of LDAP
868 server(openLDAP/ActiveDirectory)
869 */
870
871 void handleServiceEnablePatch(bool serviceEnabled,
872 const std::shared_ptr<AsyncResp>& asyncResp,
873 const std::string& ldapServerElementName,
874 const std::string& ldapConfigObject)
875 {
876 crow::connections::systemBus->async_method_call(
877 [asyncResp, serviceEnabled,
878 ldapServerElementName](const boost::system::error_code ec) {
879 if (ec)
880 {
881 BMCWEB_LOG_DEBUG
Gunnar Millsc61704a2020-07-08 13:47:06 -0500[diff] [blame]882 << "Error Occurred in Updating the service enable";
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]883 messages::internalError(asyncResp->res);
884 return;
885 }
886 asyncResp->res
887 .jsonValue[ldapServerElementName]["ServiceEnabled"] =
888 serviceEnabled;
889 BMCWEB_LOG_DEBUG << "Updated Service enable = "
890 << serviceEnabled;
891 },
892 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
893 ldapEnableInterface, "Enabled", std::variant<bool>(serviceEnabled));
894 }
895
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]896 void handleAuthMethodsPatch(nlohmann::json& input,
897 const std::shared_ptr<AsyncResp>& asyncResp)
898 {
899 std::optional<bool> basicAuth;
900 std::optional<bool> cookie;
901 std::optional<bool> sessionToken;
902 std::optional<bool> xToken;
Zbigniew Kurzynski501f1e52019-10-02 11:22:11 +0200[diff] [blame]903 std::optional<bool> tls;
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]904
905 if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth,
906 "Cookie", cookie, "SessionToken", sessionToken,
Zbigniew Kurzynski501f1e52019-10-02 11:22:11 +0200[diff] [blame]907 "XToken", xToken, "TLS", tls))
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]908 {
909 BMCWEB_LOG_ERROR << "Cannot read values from AuthMethod tag";
910 return;
911 }
912
913 // Make a copy of methods configuration
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]914 persistent_data::AuthConfigMethods authMethodsConfig =
915 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]916
917 if (basicAuth)
918 {
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]919#ifndef BMCWEB_ENABLE_BASIC_AUTHENTICATION
920 messages::actionNotSupported(
921 asyncResp->res, "Setting BasicAuth when basic-auth feature "
922 "is disabled");
923 return;
924#endif
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]925 authMethodsConfig.basic = *basicAuth;
926 }
927
928 if (cookie)
929 {
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]930#ifndef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
931 messages::actionNotSupported(
932 asyncResp->res, "Setting Cookie when cookie-auth feature "
933 "is disabled");
934 return;
935#endif
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]936 authMethodsConfig.cookie = *cookie;
937 }
938
939 if (sessionToken)
940 {
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]941#ifndef BMCWEB_ENABLE_SESSION_AUTHENTICATION
942 messages::actionNotSupported(
943 asyncResp->res,
944 "Setting SessionToken when session-auth feature "
945 "is disabled");
946 return;
947#endif
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]948 authMethodsConfig.sessionToken = *sessionToken;
949 }
950
951 if (xToken)
952 {
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]953#ifndef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
954 messages::actionNotSupported(
955 asyncResp->res, "Setting XToken when xtoken-auth feature "
956 "is disabled");
957 return;
958#endif
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]959 authMethodsConfig.xtoken = *xToken;
960 }
961
Zbigniew Kurzynski501f1e52019-10-02 11:22:11 +0200[diff] [blame]962 if (tls)
963 {
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]964#ifndef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
965 messages::actionNotSupported(
966 asyncResp->res, "Setting TLS when mutual-tls-auth feature "
967 "is disabled");
968 return;
969#endif
Zbigniew Kurzynski501f1e52019-10-02 11:22:11 +0200[diff] [blame]970 authMethodsConfig.tls = *tls;
971 }
972
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]973 if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
Zbigniew Kurzynski501f1e52019-10-02 11:22:11 +0200[diff] [blame]974 !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
975 !authMethodsConfig.tls)
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]976 {
977 // Do not allow user to disable everything
978 messages::actionNotSupported(asyncResp->res,
979 "of disabling all available methods");
980 return;
981 }
982
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]983 persistent_data::SessionStore::getInstance().updateAuthMethodsConfig(
984 authMethodsConfig);
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]985 // Save configuration immediately
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]986 persistent_data::getConfig().writeData();
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]987
988 messages::success(asyncResp->res);
989 }
990
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]991 /**
992 * @brief Get the required values from the given JSON, validates the
993 * value and create the LDAP config object.
994 * @param input JSON data
995 * @param asyncResp pointer to the JSON response
996 * @param serverType Type of LDAP server(openLDAP/ActiveDirectory)
997 */
998
999 void handleLDAPPatch(nlohmann::json& input,
1000 const std::shared_ptr<AsyncResp>& asyncResp,
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1001 const std::string& serverType)
1002 {
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1003 std::string dbusObjectPath;
1004 if (serverType == "ActiveDirectory")
1005 {
Ed Tanous2c70f802020-09-28 14:29:23 -0700[diff] [blame]1006 dbusObjectPath = adConfigObject;
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1007 }
1008 else if (serverType == "LDAP")
1009 {
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]1010 dbusObjectPath = ldapConfigObjectName;
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1011 }
Ed Tanouscb13a392020-07-25 19:02:03 +0000[diff] [blame]1012 else
1013 {
1014 return;
1015 }
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1016
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1017 std::optional<nlohmann::json> authentication;
1018 std::optional<nlohmann::json> ldapService;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1019 std::optional<std::vector<std::string>> serviceAddressList;
1020 std::optional<bool> serviceEnabled;
1021 std::optional<std::vector<std::string>> baseDNList;
1022 std::optional<std::string> userNameAttribute;
1023 std::optional<std::string> groupsAttribute;
1024 std::optional<std::string> userName;
1025 std::optional<std::string> password;
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]1026 std::optional<std::vector<nlohmann::json>> remoteRoleMapData;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1027
1028 if (!json_util::readJson(input, asyncResp->res, "Authentication",
1029 authentication, "LDAPService", ldapService,
1030 "ServiceAddresses", serviceAddressList,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]1031 "ServiceEnabled", serviceEnabled,
1032 "RemoteRoleMapping", remoteRoleMapData))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1033 {
1034 return;
1035 }
1036
1037 if (authentication)
1038 {
1039 parseLDAPAuthenticationJson(*authentication, asyncResp, userName,
1040 password);
1041 }
1042 if (ldapService)
1043 {
1044 parseLDAPServiceJson(*ldapService, asyncResp, baseDNList,
1045 userNameAttribute, groupsAttribute);
1046 }
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1047 if (serviceAddressList)
1048 {
1049 if ((*serviceAddressList).size() == 0)
1050 {
1051 messages::propertyValueNotInList(asyncResp->res, "[]",
1052 "ServiceAddress");
1053 return;
1054 }
1055 }
1056 if (baseDNList)
1057 {
1058 if ((*baseDNList).size() == 0)
1059 {
1060 messages::propertyValueNotInList(asyncResp->res, "[]",
1061 "BaseDistinguishedNames");
1062 return;
1063 }
1064 }
1065
1066 // nothing to update, then return
1067 if (!userName && !password && !serviceAddressList && !baseDNList &&
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]1068 !userNameAttribute && !groupsAttribute && !serviceEnabled &&
1069 !remoteRoleMapData)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1070 {
1071 return;
1072 }
1073
1074 // Get the existing resource first then keep modifying
1075 // whenever any property gets updated.
Ed Tanousb5a76932020-09-29 16:16:58 -0700[diff] [blame]1076 getLDAPConfigData(
1077 serverType, [this, asyncResp, userName, password, baseDNList,
1078 userNameAttribute, groupsAttribute, serviceAddressList,
1079 serviceEnabled, dbusObjectPath, remoteRoleMapData](
1080 bool success, const LDAPConfigData& confData,
1081 const std::string& serverT) {
1082 if (!success)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1083 {
Ed Tanousb5a76932020-09-29 16:16:58 -0700[diff] [blame]1084 messages::internalError(asyncResp->res);
1085 return;
1086 }
1087 parseLDAPConfigData(asyncResp->res.jsonValue, confData,
1088 serverT);
1089 if (confData.serviceEnabled)
1090 {
1091 // Disable the service first and update the rest of
1092 // the properties.
1093 handleServiceEnablePatch(false, asyncResp, serverT,
1094 dbusObjectPath);
1095 }
1096
1097 if (serviceAddressList)
1098 {
1099 handleServiceAddressPatch(*serviceAddressList, asyncResp,
1100 serverT, dbusObjectPath);
1101 }
1102 if (userName)
1103 {
1104 handleUserNamePatch(*userName, asyncResp, serverT,
1105 dbusObjectPath);
1106 }
1107 if (password)
1108 {
1109 handlePasswordPatch(*password, asyncResp, serverT,
1110 dbusObjectPath);
1111 }
1112
1113 if (baseDNList)
1114 {
1115 handleBaseDNPatch(*baseDNList, asyncResp, serverT,
1116 dbusObjectPath);
1117 }
1118 if (userNameAttribute)
1119 {
1120 handleUserNameAttrPatch(*userNameAttribute, asyncResp,
1121 serverT, dbusObjectPath);
1122 }
1123 if (groupsAttribute)
1124 {
1125 handleGroupNameAttrPatch(*groupsAttribute, asyncResp,
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]1126 serverT, dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1127 }
Ed Tanousb5a76932020-09-29 16:16:58 -0700[diff] [blame]1128 if (serviceEnabled)
1129 {
1130 // if user has given the value as true then enable
1131 // the service. if user has given false then no-op
1132 // as service is already stopped.
1133 if (*serviceEnabled)
1134 {
1135 handleServiceEnablePatch(*serviceEnabled, asyncResp,
1136 serverT, dbusObjectPath);
1137 }
1138 }
1139 else
1140 {
1141 // if user has not given the service enabled value
1142 // then revert it to the same state as it was
1143 // before.
1144 handleServiceEnablePatch(confData.serviceEnabled, asyncResp,
1145 serverT, dbusObjectPath);
1146 }
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]1147
Ed Tanousb5a76932020-09-29 16:16:58 -0700[diff] [blame]1148 if (remoteRoleMapData)
1149 {
Ed Tanousb5a76932020-09-29 16:16:58 -0700[diff] [blame]1150 handleRoleMapPatch(asyncResp, confData.groupRoleList,
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]1151 serverT, *remoteRoleMapData);
Ed Tanousb5a76932020-09-29 16:16:58 -0700[diff] [blame]1152 }
1153 });
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1154 }
Ed Tanousd4b54432019-07-17 22:51:55 +0000[diff] [blame]1155
Ed Tanouscb13a392020-07-25 19:02:03 +0000[diff] [blame]1156 void doGet(crow::Response& res, const crow::Request&,
1157 const std::vector<std::string>&) override
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]1158 {
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]1159 const persistent_data::AuthConfigMethods& authMethodsConfig =
1160 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1161
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1162 auto asyncResp = std::make_shared<AsyncResp>(res);
1163 res.jsonValue = {
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1164 {"@odata.id", "/redfish/v1/AccountService"},
1165 {"@odata.type", "#AccountService."
Gunnar Millsba9dd4a2020-02-20 10:40:18 -0600[diff] [blame]1166 "v1_5_0.AccountService"},
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1167 {"Id", "AccountService"},
1168 {"Name", "Account Service"},
1169 {"Description", "Account Service"},
1170 {"ServiceEnabled", true},
AppaRao Puli343ff2e2019-03-24 00:42:13 +0530[diff] [blame]1171 {"MaxPasswordLength", 20},
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1172 {"Accounts",
1173 {{"@odata.id", "/redfish/v1/AccountService/Accounts"}}},
Marri Devender Rao37cce912019-02-20 01:05:22 -0600[diff] [blame]1174 {"Roles", {{"@odata.id", "/redfish/v1/AccountService/Roles"}}},
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1175 {"Oem",
1176 {{"OpenBMC",
1177 {{"@odata.type", "#OemAccountService.v1_0_0.AccountService"},
1178 {"AuthMethods",
1179 {
1180 {"BasicAuth", authMethodsConfig.basic},
1181 {"SessionToken", authMethodsConfig.sessionToken},
1182 {"XToken", authMethodsConfig.xtoken},
1183 {"Cookie", authMethodsConfig.cookie},
Zbigniew Kurzynski501f1e52019-10-02 11:22:11 +0200[diff] [blame]1184 {"TLS", authMethodsConfig.tls},
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1185 }}}}}},
Marri Devender Rao37cce912019-02-20 01:05:22 -0600[diff] [blame]1186 {"LDAP",
1187 {{"Certificates",
1188 {{"@odata.id",
1189 "/redfish/v1/AccountService/LDAP/Certificates"}}}}}};
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1190 crow::connections::systemBus->async_method_call(
1191 [asyncResp](
1192 const boost::system::error_code ec,
1193 const std::vector<std::pair<
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1194 std::string, std::variant<uint32_t, uint16_t, uint8_t>>>&
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1195 propertiesList) {
1196 if (ec)
1197 {
1198 messages::internalError(asyncResp->res);
1199 return;
1200 }
1201 BMCWEB_LOG_DEBUG << "Got " << propertiesList.size()
1202 << "properties for AccountService";
1203 for (const std::pair<std::string,
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1204 std::variant<uint32_t, uint16_t, uint8_t>>&
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1205 property : propertiesList)
1206 {
1207 if (property.first == "MinPasswordLength")
1208 {
1209 const uint8_t* value =
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1210 std::get_if<uint8_t>(&property.second);
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1211 if (value != nullptr)
1212 {
1213 asyncResp->res.jsonValue["MinPasswordLength"] =
1214 *value;
1215 }
1216 }
1217 if (property.first == "AccountUnlockTimeout")
1218 {
1219 const uint32_t* value =
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1220 std::get_if<uint32_t>(&property.second);
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1221 if (value != nullptr)
1222 {
1223 asyncResp->res.jsonValue["AccountLockoutDuration"] =
1224 *value;
1225 }
1226 }
1227 if (property.first == "MaxLoginAttemptBeforeLockout")
1228 {
1229 const uint16_t* value =
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1230 std::get_if<uint16_t>(&property.second);
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1231 if (value != nullptr)
1232 {
1233 asyncResp->res
1234 .jsonValue["AccountLockoutThreshold"] = *value;
1235 }
1236 }
1237 }
1238 },
1239 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1240 "org.freedesktop.DBus.Properties", "GetAll",
1241 "xyz.openbmc_project.User.AccountPolicy");
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]1242
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]1243 auto callback = [asyncResp](bool success, LDAPConfigData& confData,
1244 const std::string& ldapType) {
Ed Tanouscb13a392020-07-25 19:02:03 +0000[diff] [blame]1245 if (!success)
1246 {
1247 return;
1248 }
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]1249 parseLDAPConfigData(asyncResp->res.jsonValue, confData, ldapType);
1250 };
1251
1252 getLDAPConfigData("LDAP", callback);
1253 getLDAPConfigData("ActiveDirectory", callback);
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1254 }
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]1255
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1256 void doPatch(crow::Response& res, const crow::Request& req,
Ed Tanouscb13a392020-07-25 19:02:03 +0000[diff] [blame]1257 const std::vector<std::string>&) override
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1258 {
1259 auto asyncResp = std::make_shared<AsyncResp>(res);
1260
1261 std::optional<uint32_t> unlockTimeout;
1262 std::optional<uint16_t> lockoutThreshold;
Ratan Gupta19fb6e72019-03-04 13:30:50 +0530[diff] [blame]1263 std::optional<uint16_t> minPasswordLength;
1264 std::optional<uint16_t> maxPasswordLength;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1265 std::optional<nlohmann::json> ldapObject;
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1266 std::optional<nlohmann::json> activeDirectoryObject;
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1267 std::optional<nlohmann::json> oemObject;
Ratan Gupta19fb6e72019-03-04 13:30:50 +0530[diff] [blame]1268
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1269 if (!json_util::readJson(
1270 req, res, "AccountLockoutDuration", unlockTimeout,
1271 "AccountLockoutThreshold", lockoutThreshold,
1272 "MaxPasswordLength", maxPasswordLength, "MinPasswordLength",
1273 minPasswordLength, "LDAP", ldapObject, "ActiveDirectory",
1274 activeDirectoryObject, "Oem", oemObject))
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1275 {
1276 return;
1277 }
Ratan Gupta19fb6e72019-03-04 13:30:50 +0530[diff] [blame]1278
1279 if (minPasswordLength)
1280 {
1281 messages::propertyNotWritable(asyncResp->res, "MinPasswordLength");
1282 }
1283
1284 if (maxPasswordLength)
1285 {
1286 messages::propertyNotWritable(asyncResp->res, "MaxPasswordLength");
1287 }
1288
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1289 if (ldapObject)
1290 {
Ed Tanouscb13a392020-07-25 19:02:03 +0000[diff] [blame]1291 handleLDAPPatch(*ldapObject, asyncResp, "LDAP");
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1292 }
1293
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1294 if (std::optional<nlohmann::json> oemOpenBMCObject;
1295 oemObject &&
1296 json_util::readJson(*oemObject, res, "OpenBMC", oemOpenBMCObject))
1297 {
1298 if (std::optional<nlohmann::json> authMethodsObject;
1299 oemOpenBMCObject &&
1300 json_util::readJson(*oemOpenBMCObject, res, "AuthMethods",
1301 authMethodsObject))
1302 {
1303 if (authMethodsObject)
1304 {
1305 handleAuthMethodsPatch(*authMethodsObject, asyncResp);
1306 }
1307 }
1308 }
1309
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1310 if (activeDirectoryObject)
1311 {
Ed Tanouscb13a392020-07-25 19:02:03 +0000[diff] [blame]1312 handleLDAPPatch(*activeDirectoryObject, asyncResp,
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1313 "ActiveDirectory");
1314 }
1315
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1316 if (unlockTimeout)
1317 {
1318 crow::connections::systemBus->async_method_call(
1319 [asyncResp](const boost::system::error_code ec) {
1320 if (ec)
1321 {
1322 messages::internalError(asyncResp->res);
1323 return;
1324 }
Ratan Guptaadd61332019-02-13 20:49:16 +0530[diff] [blame]1325 messages::success(asyncResp->res);
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1326 },
1327 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1328 "org.freedesktop.DBus.Properties", "Set",
1329 "xyz.openbmc_project.User.AccountPolicy",
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1330 "AccountUnlockTimeout", std::variant<uint32_t>(*unlockTimeout));
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1331 }
1332 if (lockoutThreshold)
1333 {
1334 crow::connections::systemBus->async_method_call(
1335 [asyncResp](const boost::system::error_code ec) {
1336 if (ec)
1337 {
1338 messages::internalError(asyncResp->res);
1339 return;
1340 }
Ratan Guptaadd61332019-02-13 20:49:16 +0530[diff] [blame]1341 messages::success(asyncResp->res);
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1342 },
1343 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1344 "org.freedesktop.DBus.Properties", "Set",
1345 "xyz.openbmc_project.User.AccountPolicy",
1346 "MaxLoginAttemptBeforeLockout",
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1347 std::variant<uint16_t>(*lockoutThreshold));
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1348 }
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]1349 }
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]1350};
Tanousf00032d2018-11-05 01:18:10 -0300[diff] [blame]1351
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1352class AccountsCollection : public Node
1353{
1354 public:
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]1355 AccountsCollection(App& app) :
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1356 Node(app, "/redfish/v1/AccountService/Accounts/")
1357 {
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1358 entityPrivileges = {
Gunnar Millsf3659102020-01-29 16:23:28 -0600[diff] [blame]1359 // According to the PrivilegeRegistry, GET should actually be
1360 // "Login". A "Login" only privilege would return an empty "Members"
1361 // list. Not going to worry about this since none of the defined
1362 // roles are just "Login". E.g. Readonly is {"Login",
1363 // "ConfigureSelf"}. In the rare event anyone defines a role that
1364 // has Login but not ConfigureSelf, implement this.
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1365 {boost::beast::http::verb::get,
Gunnar Millsf3659102020-01-29 16:23:28 -0600[diff] [blame]1366 {{"ConfigureUsers"}, {"ConfigureSelf"}}},
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1367 {boost::beast::http::verb::head, {{"Login"}}},
1368 {boost::beast::http::verb::patch, {{"ConfigureUsers"}}},
1369 {boost::beast::http::verb::put, {{"ConfigureUsers"}}},
1370 {boost::beast::http::verb::delete_, {{"ConfigureUsers"}}},
1371 {boost::beast::http::verb::post, {{"ConfigureUsers"}}}};
1372 }
1373
1374 private:
1375 void doGet(crow::Response& res, const crow::Request& req,
Ed Tanouscb13a392020-07-25 19:02:03 +0000[diff] [blame]1376 const std::vector<std::string>&) override
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1377 {
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1378 auto asyncResp = std::make_shared<AsyncResp>(res);
Gunnar Mills94400962020-02-14 11:56:41 -0600[diff] [blame]1379 res.jsonValue = {{"@odata.id", "/redfish/v1/AccountService/Accounts"},
Ed Tanous0f74e642018-11-12 15:17:05 -0800[diff] [blame]1380 {"@odata.type", "#ManagerAccountCollection."
1381 "ManagerAccountCollection"},
1382 {"Name", "Accounts Collection"},
1383 {"Description", "BMC User Accounts"}};
1384
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1385 crow::connections::systemBus->async_method_call(
Gunnar Millsf3659102020-01-29 16:23:28 -0600[diff] [blame]1386 [asyncResp, &req, this](const boost::system::error_code ec,
1387 const ManagedObjectType& users) {
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1388 if (ec)
1389 {
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1390 messages::internalError(asyncResp->res);
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1391 return;
1392 }
1393
1394 nlohmann::json& memberArray =
1395 asyncResp->res.jsonValue["Members"];
1396 memberArray = nlohmann::json::array();
1397
Ed Tanous2dfd18e2020-12-18 00:41:31 +0000[diff] [blame^]1398 for (auto& userpath : users)
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1399 {
Ed Tanous2dfd18e2020-12-18 00:41:31 +0000[diff] [blame^]1400 std::string user = userpath.first.filename();
1401 if (user.empty())
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1402 {
Ed Tanous2dfd18e2020-12-18 00:41:31 +0000[diff] [blame^]1403 messages::internalError(asyncResp->res);
1404 BMCWEB_LOG_ERROR << "Invalid firmware ID";
1405
1406 return;
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1407 }
Gunnar Millsf3659102020-01-29 16:23:28 -0600[diff] [blame]1408
1409 // As clarified by Redfish here:
1410 // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration
1411 // Users without ConfigureUsers, only see their own account.
1412 // Users with ConfigureUsers, see all accounts.
Ed Tanous2dfd18e2020-12-18 00:41:31 +0000[diff] [blame^]1413 if (req.session->username == user ||
Gunnar Millsf3659102020-01-29 16:23:28 -0600[diff] [blame]1414 isAllowedWithoutConfigureSelf(req))
1415 {
1416 memberArray.push_back(
1417 {{"@odata.id",
Ed Tanous2dfd18e2020-12-18 00:41:31 +0000[diff] [blame^]1418 "/redfish/v1/AccountService/Accounts/" + user}});
Gunnar Millsf3659102020-01-29 16:23:28 -0600[diff] [blame]1419 }
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1420 }
Gunnar Millsf3659102020-01-29 16:23:28 -0600[diff] [blame]1421 asyncResp->res.jsonValue["Members@odata.count"] =
1422 memberArray.size();
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1423 },
1424 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1425 "org.freedesktop.DBus.ObjectManager", "GetManagedObjects");
1426 }
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1427 void doPost(crow::Response& res, const crow::Request& req,
Ed Tanouscb13a392020-07-25 19:02:03 +0000[diff] [blame]1428 const std::vector<std::string>&) override
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1429 {
1430 auto asyncResp = std::make_shared<AsyncResp>(res);
1431
Ed Tanous9712f8a2018-09-21 13:38:49 -0700[diff] [blame]1432 std::string username;
1433 std::string password;
Ed Tanousa24526d2018-12-10 15:17:59 -0800[diff] [blame]1434 std::optional<std::string> roleId("User");
1435 std::optional<bool> enabled = true;
Ed Tanous9712f8a2018-09-21 13:38:49 -0700[diff] [blame]1436 if (!json_util::readJson(req, res, "UserName", username, "Password",
1437 password, "RoleId", roleId, "Enabled",
1438 enabled))
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1439 {
1440 return;
1441 }
1442
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1443 std::string priv = getPrivilegeFromRoleId(*roleId);
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1444 if (priv.empty())
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1445 {
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1446 messages::propertyValueNotInList(asyncResp->res, *roleId, "RoleId");
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1447 return;
1448 }
jayaprakash Mutyala96200602020-04-08 11:09:10 +0000[diff] [blame]1449 // TODO: Following override will be reverted once support in
1450 // phosphor-user-manager is added. In order to avoid dependency issues,
1451 // this is added in bmcweb, which will removed, once
1452 // phosphor-user-manager supports priv-noaccess.
1453 if (priv == "priv-noaccess")
1454 {
1455 roleId = "";
1456 }
1457 else
1458 {
1459 roleId = priv;
1460 }
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1461
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1462 // Reading AllGroups property
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1463 crow::connections::systemBus->async_method_call(
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1464 [asyncResp, username, password{std::move(password)}, roleId,
1465 enabled](const boost::system::error_code ec,
1466 const std::variant<std::vector<std::string>>& allGroups) {
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1467 if (ec)
1468 {
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1469 BMCWEB_LOG_DEBUG << "ERROR with async_method_call";
1470 messages::internalError(asyncResp->res);
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1471 return;
1472 }
1473
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1474 const std::vector<std::string>* allGroupsList =
1475 std::get_if<std::vector<std::string>>(&allGroups);
1476
1477 if (allGroupsList == nullptr || allGroupsList->empty())
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1478 {
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1479 messages::internalError(asyncResp->res);
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1480 return;
1481 }
1482
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1483 crow::connections::systemBus->async_method_call(
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]1484 [asyncResp, username,
1485 password](const boost::system::error_code ec2,
1486 sdbusplus::message::message& m) {
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]1487 if (ec2)
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1488 {
anil kumar appana0d4197e2019-06-13 15:06:23 +0000[diff] [blame]1489 userErrorMessageHandler(m.get_error(), asyncResp,
1490 username, "");
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1491 return;
1492 }
1493
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1494 if (pamUpdatePassword(username, password) !=
1495 PAM_SUCCESS)
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1496 {
1497 // At this point we have a user that's been created,
1498 // but the password set failed.Something is wrong,
1499 // so delete the user that we've already created
1500 crow::connections::systemBus->async_method_call(
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]1501 [asyncResp, password](
1502 const boost::system::error_code ec3) {
1503 if (ec3)
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1504 {
1505 messages::internalError(asyncResp->res);
1506 return;
1507 }
1508
anil kumar appana0d4197e2019-06-13 15:06:23 +0000[diff] [blame]1509 // If password is invalid
1510 messages::propertyValueFormatError(
1511 asyncResp->res, password, "Password");
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1512 },
1513 "xyz.openbmc_project.User.Manager",
1514 "/xyz/openbmc_project/user/" + username,
1515 "xyz.openbmc_project.Object.Delete", "Delete");
1516
1517 BMCWEB_LOG_ERROR << "pamUpdatePassword Failed";
1518 return;
1519 }
1520
1521 messages::created(asyncResp->res);
1522 asyncResp->res.addHeader(
1523 "Location",
1524 "/redfish/v1/AccountService/Accounts/" + username);
1525 },
1526 "xyz.openbmc_project.User.Manager",
1527 "/xyz/openbmc_project/user",
1528 "xyz.openbmc_project.User.Manager", "CreateUser", username,
1529 *allGroupsList, *roleId, *enabled);
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1530 },
1531 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1532 "org.freedesktop.DBus.Properties", "Get",
1533 "xyz.openbmc_project.User.Manager", "AllGroups");
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1534 }
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1535};
1536
1537class ManagerAccount : public Node
1538{
1539 public:
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]1540 ManagerAccount(App& app) :
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1541 Node(app, "/redfish/v1/AccountService/Accounts/<str>/", std::string())
1542 {
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1543 entityPrivileges = {
1544 {boost::beast::http::verb::get,
1545 {{"ConfigureUsers"}, {"ConfigureManager"}, {"ConfigureSelf"}}},
1546 {boost::beast::http::verb::head, {{"Login"}}},
Joseph Reynolds900f9492019-11-25 15:37:29 -0600[diff] [blame]1547 {boost::beast::http::verb::patch,
1548 {{"ConfigureUsers"}, {"ConfigureSelf"}}},
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1549 {boost::beast::http::verb::put, {{"ConfigureUsers"}}},
1550 {boost::beast::http::verb::delete_, {{"ConfigureUsers"}}},
1551 {boost::beast::http::verb::post, {{"ConfigureUsers"}}}};
1552 }
1553
1554 private:
1555 void doGet(crow::Response& res, const crow::Request& req,
1556 const std::vector<std::string>& params) override
1557 {
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1558 auto asyncResp = std::make_shared<AsyncResp>(res);
1559
1560 if (params.size() != 1)
1561 {
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1562 messages::internalError(asyncResp->res);
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1563 return;
1564 }
1565
Joseph Reynolds900f9492019-11-25 15:37:29 -0600[diff] [blame]1566 // Perform a proper ConfigureSelf authority check. If the
1567 // user is operating on an account not their own, then their
1568 // ConfigureSelf privilege does not apply. In this case,
1569 // perform the authority check again without the user's
1570 // ConfigureSelf privilege.
1571 if (req.session->username != params[0])
1572 {
1573 if (!isAllowedWithoutConfigureSelf(req))
1574 {
1575 BMCWEB_LOG_DEBUG << "GET Account denied access";
1576 messages::insufficientPrivilege(asyncResp->res);
1577 return;
1578 }
1579 }
1580
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1581 crow::connections::systemBus->async_method_call(
1582 [asyncResp, accountName{std::string(params[0])}](
1583 const boost::system::error_code ec,
1584 const ManagedObjectType& users) {
1585 if (ec)
1586 {
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1587 messages::internalError(asyncResp->res);
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1588 return;
1589 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1590 auto userIt = users.begin();
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1591
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1592 for (; userIt != users.end(); userIt++)
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1593 {
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1594 if (boost::ends_with(userIt->first.str, "/" + accountName))
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1595 {
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1596 break;
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1597 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1598 }
1599 if (userIt == users.end())
1600 {
1601 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1602 accountName);
1603 return;
1604 }
Ayushi Smriti4e68c452019-09-04 14:37:55 +0530[diff] [blame]1605
1606 asyncResp->res.jsonValue = {
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]1607 {"@odata.type", "#ManagerAccount.v1_4_0.ManagerAccount"},
Ayushi Smriti4e68c452019-09-04 14:37:55 +0530[diff] [blame]1608 {"Name", "User Account"},
1609 {"Description", "User Account"},
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]1610 {"Password", nullptr},
1611 {"AccountTypes", {"Redfish"}}};
Ayushi Smriti4e68c452019-09-04 14:37:55 +0530[diff] [blame]1612
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1613 for (const auto& interface : userIt->second)
1614 {
1615 if (interface.first ==
1616 "xyz.openbmc_project.User.Attributes")
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1617 {
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1618 for (const auto& property : interface.second)
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]1619 {
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1620 if (property.first == "UserEnabled")
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]1621 {
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1622 const bool* userEnabled =
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1623 std::get_if<bool>(&property.second);
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1624 if (userEnabled == nullptr)
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]1625 {
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1626 BMCWEB_LOG_ERROR
1627 << "UserEnabled wasn't a bool";
1628 messages::internalError(asyncResp->res);
1629 return;
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]1630 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1631 asyncResp->res.jsonValue["Enabled"] =
1632 *userEnabled;
1633 }
1634 else if (property.first ==
1635 "UserLockedForFailedAttempt")
1636 {
1637 const bool* userLocked =
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1638 std::get_if<bool>(&property.second);
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1639 if (userLocked == nullptr)
1640 {
1641 BMCWEB_LOG_ERROR << "UserLockedForF"
1642 "ailedAttempt "
1643 "wasn't a bool";
1644 messages::internalError(asyncResp->res);
1645 return;
1646 }
1647 asyncResp->res.jsonValue["Locked"] =
1648 *userLocked;
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1649 asyncResp->res.jsonValue
1650 ["Locked@Redfish.AllowableValues"] = {
Joseph Reynolds3bf4e632020-02-06 14:44:32 -0600[diff] [blame]1651 "false"}; // can only unlock accounts
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1652 }
1653 else if (property.first == "UserPrivilege")
1654 {
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1655 const std::string* userPrivPtr =
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1656 std::get_if<std::string>(&property.second);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1657 if (userPrivPtr == nullptr)
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1658 {
1659 BMCWEB_LOG_ERROR
1660 << "UserPrivilege wasn't a "
1661 "string";
1662 messages::internalError(asyncResp->res);
1663 return;
1664 }
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1665 std::string role =
1666 getRoleIdFromPrivilege(*userPrivPtr);
1667 if (role.empty())
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1668 {
1669 BMCWEB_LOG_ERROR << "Invalid user role";
1670 messages::internalError(asyncResp->res);
1671 return;
1672 }
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1673 asyncResp->res.jsonValue["RoleId"] = role;
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1674
1675 asyncResp->res.jsonValue["Links"]["Role"] = {
1676 {"@odata.id", "/redfish/v1/AccountService/"
1677 "Roles/" +
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1678 role}};
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]1679 }
Joseph Reynolds3bf4e632020-02-06 14:44:32 -0600[diff] [blame]1680 else if (property.first == "UserPasswordExpired")
1681 {
1682 const bool* userPasswordExpired =
1683 std::get_if<bool>(&property.second);
1684 if (userPasswordExpired == nullptr)
1685 {
1686 BMCWEB_LOG_ERROR << "UserPassword"
1687 "Expired "
1688 "wasn't a bool";
1689 messages::internalError(asyncResp->res);
1690 return;
1691 }
1692 asyncResp->res
1693 .jsonValue["PasswordChangeRequired"] =
1694 *userPasswordExpired;
1695 }
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]1696 }
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1697 }
1698 }
1699
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1700 asyncResp->res.jsonValue["@odata.id"] =
1701 "/redfish/v1/AccountService/Accounts/" + accountName;
1702 asyncResp->res.jsonValue["Id"] = accountName;
1703 asyncResp->res.jsonValue["UserName"] = accountName;
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1704 },
1705 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1706 "org.freedesktop.DBus.ObjectManager", "GetManagedObjects");
1707 }
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]1708
1709 void doPatch(crow::Response& res, const crow::Request& req,
1710 const std::vector<std::string>& params) override
1711 {
1712 auto asyncResp = std::make_shared<AsyncResp>(res);
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]1713 if (params.size() != 1)
1714 {
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1715 messages::internalError(asyncResp->res);
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]1716 return;
1717 }
1718
Ed Tanousa24526d2018-12-10 15:17:59 -0800[diff] [blame]1719 std::optional<std::string> newUserName;
1720 std::optional<std::string> password;
1721 std::optional<bool> enabled;
1722 std::optional<std::string> roleId;
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1723 std::optional<bool> locked;
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1724 if (!json_util::readJson(req, res, "UserName", newUserName, "Password",
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1725 password, "RoleId", roleId, "Enabled", enabled,
1726 "Locked", locked))
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]1727 {
1728 return;
1729 }
1730
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1731 const std::string& username = params[0];
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]1732
Joseph Reynolds900f9492019-11-25 15:37:29 -0600[diff] [blame]1733 // Perform a proper ConfigureSelf authority check. If the
1734 // session is being used to PATCH a property other than
1735 // Password, then the ConfigureSelf privilege does not apply.
1736 // If the user is operating on an account not their own, then
1737 // their ConfigureSelf privilege does not apply. In either
1738 // case, perform the authority check again without the user's
1739 // ConfigureSelf privilege.
1740 if ((username != req.session->username) ||
1741 (newUserName || enabled || roleId || locked))
1742 {
1743 if (!isAllowedWithoutConfigureSelf(req))
1744 {
1745 BMCWEB_LOG_WARNING << "PATCH Password denied access";
1746 asyncResp->res.clear();
1747 messages::insufficientPrivilege(asyncResp->res);
1748 return;
1749 }
1750 }
1751
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1752 // if user name is not provided in the patch method or if it
1753 // matches the user name in the URI, then we are treating it as updating
1754 // user properties other then username. If username provided doesn't
1755 // match the URI, then we are treating this as user rename request.
1756 if (!newUserName || (newUserName.value() == username))
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1757 {
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1758 updateUserProperties(asyncResp, username, password, enabled, roleId,
1759 locked);
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1760 return;
1761 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]1762 crow::connections::systemBus->async_method_call(
1763 [this, asyncResp, username, password(std::move(password)),
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]1764 roleId(std::move(roleId)), enabled,
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]1765 newUser{std::string(*newUserName)},
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]1766 locked](const boost::system::error_code ec,
1767 sdbusplus::message::message& m) {
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]1768 if (ec)
1769 {
1770 userErrorMessageHandler(m.get_error(), asyncResp, newUser,
1771 username);
1772 return;
1773 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1774
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]1775 updateUserProperties(asyncResp, newUser, password, enabled,
1776 roleId, locked);
1777 },
1778 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1779 "xyz.openbmc_project.User.Manager", "RenameUser", username,
1780 *newUserName);
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1781 }
1782
1783 void updateUserProperties(std::shared_ptr<AsyncResp> asyncResp,
1784 const std::string& username,
Ed Tanousa24526d2018-12-10 15:17:59 -0800[diff] [blame]1785 std::optional<std::string> password,
1786 std::optional<bool> enabled,
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1787 std::optional<std::string> roleId,
1788 std::optional<bool> locked)
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1789 {
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1790 std::string dbusObjectPath = "/xyz/openbmc_project/user/" + username;
1791 dbus::utility::escapePathForDbus(dbusObjectPath);
1792
Ratan Gupta22c33712019-05-03 21:50:28 +0530[diff] [blame]1793 dbus::utility::checkDbusPathExists(
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1794 dbusObjectPath,
1795 [dbusObjectPath(std::move(dbusObjectPath)), username,
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]1796 password(std::move(password)), roleId(std::move(roleId)), enabled,
1797 locked, asyncResp{std::move(asyncResp)}](int rc) {
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1798 if (!rc)
1799 {
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1800 messages::resourceNotFound(
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]1801 asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1802 username);
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1803 return;
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1804 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1805
1806 if (password)
1807 {
1808 int retval = pamUpdatePassword(username, *password);
1809
1810 if (retval == PAM_USER_UNKNOWN)
1811 {
1812 messages::resourceNotFound(
1813 asyncResp->res,
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]1814 "#ManagerAccount.v1_4_0.ManagerAccount", username);
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1815 }
1816 else if (retval == PAM_AUTHTOK_ERR)
1817 {
1818 // If password is invalid
1819 messages::propertyValueFormatError(
1820 asyncResp->res, *password, "Password");
1821 BMCWEB_LOG_ERROR << "pamUpdatePassword Failed";
1822 }
1823 else if (retval != PAM_SUCCESS)
1824 {
1825 messages::internalError(asyncResp->res);
1826 return;
1827 }
1828 }
1829
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1830 if (enabled)
1831 {
1832 crow::connections::systemBus->async_method_call(
1833 [asyncResp](const boost::system::error_code ec) {
1834 if (ec)
1835 {
1836 BMCWEB_LOG_ERROR << "D-Bus responses error: "
1837 << ec;
1838 messages::internalError(asyncResp->res);
1839 return;
1840 }
1841 messages::success(asyncResp->res);
1842 return;
1843 },
1844 "xyz.openbmc_project.User.Manager",
1845 dbusObjectPath.c_str(),
1846 "org.freedesktop.DBus.Properties", "Set",
1847 "xyz.openbmc_project.User.Attributes", "UserEnabled",
1848 std::variant<bool>{*enabled});
1849 }
Ed Tanous9712f8a2018-09-21 13:38:49 -0700[diff] [blame]1850
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1851 if (roleId)
1852 {
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1853 std::string priv = getPrivilegeFromRoleId(*roleId);
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1854 if (priv.empty())
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1855 {
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1856 messages::propertyValueNotInList(asyncResp->res,
1857 *roleId, "RoleId");
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1858 return;
1859 }
jayaprakash Mutyala96200602020-04-08 11:09:10 +0000[diff] [blame]1860 if (priv == "priv-noaccess")
1861 {
1862 priv = "";
1863 }
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1864
1865 crow::connections::systemBus->async_method_call(
1866 [asyncResp](const boost::system::error_code ec) {
1867 if (ec)
1868 {
1869 BMCWEB_LOG_ERROR << "D-Bus responses error: "
1870 << ec;
1871 messages::internalError(asyncResp->res);
1872 return;
1873 }
1874 messages::success(asyncResp->res);
1875 },
1876 "xyz.openbmc_project.User.Manager",
1877 dbusObjectPath.c_str(),
1878 "org.freedesktop.DBus.Properties", "Set",
1879 "xyz.openbmc_project.User.Attributes", "UserPrivilege",
1880 std::variant<std::string>{priv});
1881 }
1882
1883 if (locked)
1884 {
1885 // admin can unlock the account which is locked by
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1886 // successive authentication failures but admin should
1887 // not be allowed to lock an account.
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1888 if (*locked)
1889 {
1890 messages::propertyValueNotInList(asyncResp->res, "true",
1891 "Locked");
1892 return;
1893 }
1894
1895 crow::connections::systemBus->async_method_call(
1896 [asyncResp](const boost::system::error_code ec) {
1897 if (ec)
1898 {
1899 BMCWEB_LOG_ERROR << "D-Bus responses error: "
1900 << ec;
1901 messages::internalError(asyncResp->res);
1902 return;
1903 }
1904 messages::success(asyncResp->res);
1905 return;
1906 },
1907 "xyz.openbmc_project.User.Manager",
1908 dbusObjectPath.c_str(),
1909 "org.freedesktop.DBus.Properties", "Set",
1910 "xyz.openbmc_project.User.Attributes",
1911 "UserLockedForFailedAttempt",
Patrick Williams19bd78d2020-05-13 17:38:24 -0500[diff] [blame]1912 std::variant<bool>{*locked});
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1913 }
1914 });
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]1915 }
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1916
Ed Tanouscb13a392020-07-25 19:02:03 +0000[diff] [blame]1917 void doDelete(crow::Response& res, const crow::Request&,
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1918 const std::vector<std::string>& params) override
1919 {
1920 auto asyncResp = std::make_shared<AsyncResp>(res);
1921
1922 if (params.size() != 1)
1923 {
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1924 messages::internalError(asyncResp->res);
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1925 return;
1926 }
1927
1928 const std::string userPath = "/xyz/openbmc_project/user/" + params[0];
1929
1930 crow::connections::systemBus->async_method_call(
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]1931 [asyncResp,
1932 username{params[0]}](const boost::system::error_code ec) {
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1933 if (ec)
1934 {
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1935 messages::resourceNotFound(
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]1936 asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1937 username);
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1938 return;
1939 }
1940
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1941 messages::accountRemoved(asyncResp->res);
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1942 },
1943 "xyz.openbmc_project.User.Manager", userPath,
1944 "xyz.openbmc_project.Object.Delete", "Delete");
1945 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1946};
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]1947
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]1948} // namespace redfish