blob: b3b848fd5c24aa099f88957488ed99e3d608819b [file] [log] [blame]
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +01001/*
2// Copyright (c) 2018 Intel Corporation
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15*/
16#pragma once
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +010017
Ed Tanous3ccb3ad2023-01-13 17:40:03 -080018#include "app.hpp"
Ed Tanous1aa375b2024-04-13 11:51:10 -070019#include "certificate_service.hpp"
Ed Tanous3ccb3ad2023-01-13 17:40:03 -080020#include "dbus_utility.hpp"
21#include "error_messages.hpp"
Ed Tanous0ec8b832022-03-14 14:56:47 -070022#include "generated/enums/account_service.hpp"
Ed Tanous3ccb3ad2023-01-13 17:40:03 -080023#include "persistent_data.hpp"
24#include "query.hpp"
Ed Tanous0ec8b832022-03-14 14:56:47 -070025#include "registries/privilege_registry.hpp"
Ed Tanous1aa375b2024-04-13 11:51:10 -070026#include "utils/collection.hpp"
Ed Tanous3ccb3ad2023-01-13 17:40:03 -080027#include "utils/dbus_utils.hpp"
28#include "utils/json_utils.hpp"
Ed Tanous0ec8b832022-03-14 14:56:47 -070029
Ed Tanous1aa375b2024-04-13 11:51:10 -070030#include <boost/url/format.hpp>
31#include <boost/url/url.hpp>
Jonathan Doman1e1e5982021-06-11 09:36:17 -070032#include <sdbusplus/asio/property.hpp>
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +020033#include <sdbusplus/unpack_properties.hpp>
Gunnar Mills1214b7e2020-06-04 10:11:30 -050034
George Liu2b731192023-01-11 16:27:13 +080035#include <array>
Ed Tanous1aa375b2024-04-13 11:51:10 -070036#include <memory>
Abhishek Patelc7229812022-02-01 10:07:15 -060037#include <optional>
Ed Tanous3544d2a2023-08-06 18:12:20 -070038#include <ranges>
Abhishek Patelc7229812022-02-01 10:07:15 -060039#include <string>
George Liu2b731192023-01-11 16:27:13 +080040#include <string_view>
Ed Tanous20fa6a22024-05-20 18:02:58 -070041#include <utility>
Abhishek Patelc7229812022-02-01 10:07:15 -060042#include <vector>
43
Ed Tanous1abe55e2018-09-05 08:30:59 -070044namespace redfish
45{
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +010046
Ed Tanous23a21a12020-07-25 04:45:05 +000047constexpr const char* ldapConfigObjectName =
Ratan Gupta6973a582018-12-13 18:25:44 +053048 "/xyz/openbmc_project/user/ldap/openldap";
Ed Tanous2c70f802020-09-28 14:29:23 -070049constexpr const char* adConfigObject =
Ratan Guptaab828d72019-04-22 14:18:33 +053050 "/xyz/openbmc_project/user/ldap/active_directory";
51
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +053052constexpr const char* rootUserDbusPath = "/xyz/openbmc_project/user/";
Ratan Gupta6973a582018-12-13 18:25:44 +053053constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap";
54constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config";
55constexpr const char* ldapConfigInterface =
56 "xyz.openbmc_project.User.Ldap.Config";
57constexpr const char* ldapCreateInterface =
58 "xyz.openbmc_project.User.Ldap.Create";
59constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable";
Ratan Gupta06785242019-07-26 22:30:16 +053060constexpr const char* ldapPrivMapperInterface =
61 "xyz.openbmc_project.User.PrivilegeMapper";
Ratan Gupta6973a582018-12-13 18:25:44 +053062
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060063struct LDAPRoleMapData
64{
65 std::string groupName;
66 std::string privilege;
67};
68
Ratan Gupta6973a582018-12-13 18:25:44 +053069struct LDAPConfigData
70{
Ed Tanous47f29342024-03-19 12:18:06 -070071 std::string uri;
72 std::string bindDN;
73 std::string baseDN;
74 std::string searchScope;
75 std::string serverType;
Ratan Gupta6973a582018-12-13 18:25:44 +053076 bool serviceEnabled = false;
Ed Tanous47f29342024-03-19 12:18:06 -070077 std::string userNameAttribute;
78 std::string groupAttribute;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060079 std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList;
Ratan Gupta6973a582018-12-13 18:25:44 +053080};
81
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060082inline std::string getRoleIdFromPrivilege(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +053083{
84 if (role == "priv-admin")
85 {
86 return "Administrator";
87 }
Ed Tanous3174e4d2020-10-07 11:41:22 -070088 if (role == "priv-user")
AppaRao Puli84e12cb2018-10-11 01:28:15 +053089 {
AppaRao Pulic80fee52019-10-16 14:49:36 +053090 return "ReadOnly";
AppaRao Puli84e12cb2018-10-11 01:28:15 +053091 }
Ed Tanous3174e4d2020-10-07 11:41:22 -070092 if (role == "priv-operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +053093 {
94 return "Operator";
95 }
96 return "";
97}
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060098inline std::string getPrivilegeFromRoleId(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +053099{
100 if (role == "Administrator")
101 {
102 return "priv-admin";
103 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700104 if (role == "ReadOnly")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530105 {
106 return "priv-user";
107 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700108 if (role == "Operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530109 {
110 return "priv-operator";
111 }
112 return "";
113}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700114
Abhishek Patelc7229812022-02-01 10:07:15 -0600115/**
116 * @brief Maps user group names retrieved from D-Bus object to
117 * Account Types.
118 *
119 * @param[in] userGroups List of User groups
120 * @param[out] res AccountTypes populated
121 *
122 * @return true in case of success, false if UserGroups contains
123 * invalid group name(s).
124 */
125inline bool translateUserGroup(const std::vector<std::string>& userGroups,
126 crow::Response& res)
127{
128 std::vector<std::string> accountTypes;
129 for (const auto& userGroup : userGroups)
130 {
131 if (userGroup == "redfish")
132 {
133 accountTypes.emplace_back("Redfish");
134 accountTypes.emplace_back("WebUI");
135 }
136 else if (userGroup == "ipmi")
137 {
138 accountTypes.emplace_back("IPMI");
139 }
140 else if (userGroup == "ssh")
141 {
Abhishek Patelc7229812022-02-01 10:07:15 -0600142 accountTypes.emplace_back("ManagerConsole");
143 }
Ninad Palsule3e72c202023-03-27 17:19:55 -0500144 else if (userGroup == "hostconsole")
145 {
146 // The hostconsole group controls who can access the host console
147 // port via ssh and websocket.
148 accountTypes.emplace_back("HostConsole");
149 }
Abhishek Patelc7229812022-02-01 10:07:15 -0600150 else if (userGroup == "web")
151 {
152 // 'web' is one of the valid groups in the UserGroups property of
153 // the user account in the D-Bus object. This group is currently not
154 // doing anything, and is considered to be equivalent to 'redfish'.
155 // 'redfish' user group is mapped to 'Redfish'and 'WebUI'
156 // AccountTypes, so do nothing here...
157 }
158 else
159 {
Ed Tanous8ece0e42024-01-02 13:16:50 -0800160 // Invalid user group name. Caller throws an exception.
Abhishek Patelc7229812022-02-01 10:07:15 -0600161 return false;
162 }
163 }
164
165 res.jsonValue["AccountTypes"] = std::move(accountTypes);
166 return true;
167}
168
Abhishek Patel58345852022-02-02 08:54:25 -0600169/**
170 * @brief Builds User Groups from the Account Types
171 *
172 * @param[in] asyncResp Async Response
173 * @param[in] accountTypes List of Account Types
174 * @param[out] userGroups List of User Groups mapped from Account Types
175 *
176 * @return true if Account Types mapped to User Groups, false otherwise.
177 */
178inline bool
179 getUserGroupFromAccountType(crow::Response& res,
180 const std::vector<std::string>& accountTypes,
181 std::vector<std::string>& userGroups)
182{
183 // Need both Redfish and WebUI Account Types to map to 'redfish' User Group
184 bool redfishType = false;
185 bool webUIType = false;
186
187 for (const auto& accountType : accountTypes)
188 {
189 if (accountType == "Redfish")
190 {
191 redfishType = true;
192 }
193 else if (accountType == "WebUI")
194 {
195 webUIType = true;
196 }
197 else if (accountType == "IPMI")
198 {
199 userGroups.emplace_back("ipmi");
200 }
201 else if (accountType == "HostConsole")
202 {
203 userGroups.emplace_back("hostconsole");
204 }
205 else if (accountType == "ManagerConsole")
206 {
207 userGroups.emplace_back("ssh");
208 }
209 else
210 {
211 // Invalid Account Type
212 messages::propertyValueNotInList(res, "AccountTypes", accountType);
213 return false;
214 }
215 }
216
217 // Both Redfish and WebUI Account Types are needed to PATCH
218 if (redfishType ^ webUIType)
219 {
Ed Tanous62598e32023-07-17 17:06:25 -0700220 BMCWEB_LOG_ERROR(
221 "Missing Redfish or WebUI Account Type to set redfish User Group");
Abhishek Patel58345852022-02-02 08:54:25 -0600222 messages::strictAccountTypes(res, "AccountTypes");
223 return false;
224 }
225
226 if (redfishType && webUIType)
227 {
228 userGroups.emplace_back("redfish");
229 }
230
231 return true;
232}
233
234/**
235 * @brief Sets UserGroups property of the user based on the Account Types
236 *
237 * @param[in] accountTypes List of User Account Types
238 * @param[in] asyncResp Async Response
239 * @param[in] dbusObjectPath D-Bus Object Path
240 * @param[in] userSelf true if User is updating OWN Account Types
241 */
242inline void
243 patchAccountTypes(const std::vector<std::string>& accountTypes,
244 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
245 const std::string& dbusObjectPath, bool userSelf)
246{
247 // Check if User is disabling own Redfish Account Type
248 if (userSelf &&
249 (accountTypes.cend() ==
250 std::find(accountTypes.cbegin(), accountTypes.cend(), "Redfish")))
251 {
Ed Tanous62598e32023-07-17 17:06:25 -0700252 BMCWEB_LOG_ERROR(
253 "User disabling OWN Redfish Account Type is not allowed");
Abhishek Patel58345852022-02-02 08:54:25 -0600254 messages::strictAccountTypes(asyncResp->res, "AccountTypes");
255 return;
256 }
257
258 std::vector<std::string> updatedUserGroups;
259 if (!getUserGroupFromAccountType(asyncResp->res, accountTypes,
260 updatedUserGroups))
261 {
262 // Problem in mapping Account Types to User Groups, Error already
263 // logged.
264 return;
265 }
Ginu Georgee93abac2024-06-14 17:35:27 +0530266 setDbusProperty(asyncResp, "AccountTypes",
267 "xyz.openbmc_project.User.Manager", dbusObjectPath,
268 "xyz.openbmc_project.User.Attributes", "UserGroups",
269 updatedUserGroups);
Abhishek Patel58345852022-02-02 08:54:25 -0600270}
271
zhanghch058d1b46d2021-04-01 11:18:24 +0800272inline void userErrorMessageHandler(
273 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
274 const std::string& newUser, const std::string& username)
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000275{
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000276 if (e == nullptr)
277 {
278 messages::internalError(asyncResp->res);
279 return;
280 }
281
Manojkiran Eda055806b2020-11-03 09:36:28 +0530282 const char* errorMessage = e->name;
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000283 if (strcmp(errorMessage,
284 "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0)
285 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +0800286 messages::resourceAlreadyExists(asyncResp->res, "ManagerAccount",
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000287 "UserName", newUser);
288 }
289 else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
290 "UserNameDoesNotExist") == 0)
291 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +0800292 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000293 }
Ed Tanousd4d25792020-09-29 15:15:03 -0700294 else if ((strcmp(errorMessage,
295 "xyz.openbmc_project.Common.Error.InvalidArgument") ==
296 0) ||
George Liu0fda0f12021-11-16 10:06:17 +0800297 (strcmp(
298 errorMessage,
299 "xyz.openbmc_project.User.Common.Error.UserNameGroupFail") ==
300 0))
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000301 {
302 messages::propertyValueFormatError(asyncResp->res, newUser, "UserName");
303 }
304 else if (strcmp(errorMessage,
305 "xyz.openbmc_project.User.Common.Error.NoResource") == 0)
306 {
307 messages::createLimitReachedForResource(asyncResp->res);
308 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000309 else
310 {
Gunnar Millsb8ad5832023-10-02 16:26:07 -0500311 BMCWEB_LOG_ERROR("DBUS response error {}", errorMessage);
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000312 messages::internalError(asyncResp->res);
313 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000314}
315
Ed Tanous81ce6092020-12-17 16:54:55 +0000316inline void parseLDAPConfigData(nlohmann::json& jsonResponse,
Ed Tanous23a21a12020-07-25 04:45:05 +0000317 const LDAPConfigData& confData,
318 const std::string& ldapType)
Ratan Gupta6973a582018-12-13 18:25:44 +0530319{
Ed Tanous49cc2632024-03-20 12:49:15 -0700320 nlohmann::json::object_t ldap;
Ed Tanous14766872022-03-15 10:44:42 -0700321 ldap["ServiceEnabled"] = confData.serviceEnabled;
Ed Tanous49cc2632024-03-20 12:49:15 -0700322 nlohmann::json::array_t serviceAddresses;
323 serviceAddresses.emplace_back(confData.uri);
324 ldap["ServiceAddresses"] = std::move(serviceAddresses);
325
326 nlohmann::json::object_t authentication;
327 authentication["AuthenticationType"] =
Ed Tanous0ec8b832022-03-14 14:56:47 -0700328 account_service::AuthenticationTypes::UsernameAndPassword;
Ed Tanous49cc2632024-03-20 12:49:15 -0700329 authentication["Username"] = confData.bindDN;
330 authentication["Password"] = nullptr;
331 ldap["Authentication"] = std::move(authentication);
Ed Tanous14766872022-03-15 10:44:42 -0700332
Ed Tanous49cc2632024-03-20 12:49:15 -0700333 nlohmann::json::object_t ldapService;
334 nlohmann::json::object_t searchSettings;
335 nlohmann::json::array_t baseDistinguishedNames;
336 baseDistinguishedNames.emplace_back(confData.baseDN);
Ed Tanous14766872022-03-15 10:44:42 -0700337
Ed Tanous49cc2632024-03-20 12:49:15 -0700338 searchSettings["BaseDistinguishedNames"] =
339 std::move(baseDistinguishedNames);
340 searchSettings["UsernameAttribute"] = confData.userNameAttribute;
341 searchSettings["GroupsAttribute"] = confData.groupAttribute;
342 ldapService["SearchSettings"] = std::move(searchSettings);
343 ldap["LDAPService"] = std::move(ldapService);
344
345 nlohmann::json::array_t roleMapArray;
Ed Tanous9eb808c2022-01-25 10:19:23 -0800346 for (const auto& obj : confData.groupRoleList)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600347 {
Ed Tanous62598e32023-07-17 17:06:25 -0700348 BMCWEB_LOG_DEBUG("Pushing the data groupName={}", obj.second.groupName);
Ed Tanous613dabe2022-07-09 11:17:36 -0700349
Ed Tanous613dabe2022-07-09 11:17:36 -0700350 nlohmann::json::object_t remoteGroup;
351 remoteGroup["RemoteGroup"] = obj.second.groupName;
Jorge Cisneros329f0342022-11-04 16:26:25 +0000352 remoteGroup["LocalRole"] = getRoleIdFromPrivilege(obj.second.privilege);
353 roleMapArray.emplace_back(std::move(remoteGroup));
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600354 }
Ed Tanous49cc2632024-03-20 12:49:15 -0700355
356 ldap["RemoteRoleMapping"] = std::move(roleMapArray);
357
358 jsonResponse[ldapType].update(ldap);
Ratan Gupta6973a582018-12-13 18:25:44 +0530359}
360
361/**
Ratan Gupta06785242019-07-26 22:30:16 +0530362 * @brief validates given JSON input and then calls appropriate method to
363 * create, to delete or to set Rolemapping object based on the given input.
364 *
365 */
Ed Tanous23a21a12020-07-25 04:45:05 +0000366inline void handleRoleMapPatch(
zhanghch058d1b46d2021-04-01 11:18:24 +0800367 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
Ratan Gupta06785242019-07-26 22:30:16 +0530368 const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData,
Ed Tanousc1019822024-03-06 12:54:38 -0800369 const std::string& serverType,
370 std::vector<std::variant<nlohmann::json::object_t, std::nullptr_t>>& input)
Ratan Gupta06785242019-07-26 22:30:16 +0530371{
372 for (size_t index = 0; index < input.size(); index++)
373 {
Ed Tanousc1019822024-03-06 12:54:38 -0800374 std::variant<nlohmann::json::object_t, std::nullptr_t>& thisJson =
375 input[index];
376 nlohmann::json::object_t* obj =
377 std::get_if<nlohmann::json::object_t>(&thisJson);
378 if (obj == nullptr)
Ratan Gupta06785242019-07-26 22:30:16 +0530379 {
380 // delete the existing object
381 if (index < roleMapObjData.size())
382 {
383 crow::connections::systemBus->async_method_call(
384 [asyncResp, roleMapObjData, serverType,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -0800385 index](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700386 if (ec)
387 {
Ed Tanous62598e32023-07-17 17:06:25 -0700388 BMCWEB_LOG_ERROR("DBUS response error: {}", ec);
Ed Tanous002d39b2022-05-31 08:59:27 -0700389 messages::internalError(asyncResp->res);
390 return;
391 }
Patrick Williams89492a12023-05-10 07:51:34 -0500392 asyncResp->res.jsonValue[serverType]["RemoteRoleMapping"]
393 [index] = nullptr;
Patrick Williams5a39f772023-10-20 11:20:21 -0500394 },
Ratan Gupta06785242019-07-26 22:30:16 +0530395 ldapDbusService, roleMapObjData[index].first,
396 "xyz.openbmc_project.Object.Delete", "Delete");
397 }
398 else
399 {
Ed Tanous62598e32023-07-17 17:06:25 -0700400 BMCWEB_LOG_ERROR("Can't delete the object");
Ed Tanousc1019822024-03-06 12:54:38 -0800401 messages::propertyValueTypeError(asyncResp->res, "null",
Ed Tanous2e8c4bd2022-06-27 12:59:12 -0700402 "RemoteRoleMapping/" +
403 std::to_string(index));
Ratan Gupta06785242019-07-26 22:30:16 +0530404 return;
405 }
406 }
Ed Tanousc1019822024-03-06 12:54:38 -0800407 else if (obj->empty())
Ratan Gupta06785242019-07-26 22:30:16 +0530408 {
409 // Don't do anything for the empty objects,parse next json
410 // eg {"RemoteRoleMapping",[{}]}
411 }
412 else
413 {
414 // update/create the object
415 std::optional<std::string> remoteGroup;
416 std::optional<std::string> localRole;
417
Ed Tanousc1019822024-03-06 12:54:38 -0800418 if (!json_util::readJsonObject(*obj, asyncResp->res, "RemoteGroup",
419 remoteGroup, "LocalRole", localRole))
Ratan Gupta06785242019-07-26 22:30:16 +0530420 {
421 continue;
422 }
423
424 // Update existing RoleMapping Object
425 if (index < roleMapObjData.size())
426 {
Ed Tanous62598e32023-07-17 17:06:25 -0700427 BMCWEB_LOG_DEBUG("Update Role Map Object");
Ratan Gupta06785242019-07-26 22:30:16 +0530428 // If "RemoteGroup" info is provided
429 if (remoteGroup)
430 {
Ed Tanousd02aad32024-02-13 14:43:34 -0800431 setDbusProperty(
Ginu Georgee93abac2024-06-14 17:35:27 +0530432 asyncResp,
Ed Tanousd02aad32024-02-13 14:43:34 -0800433 std::format("RemoteRoleMapping/{}/RemoteGroup", index),
Ginu Georgee93abac2024-06-14 17:35:27 +0530434 ldapDbusService, roleMapObjData[index].first,
435 "xyz.openbmc_project.User.PrivilegeMapperEntry",
436 "GroupName", *remoteGroup);
Ratan Gupta06785242019-07-26 22:30:16 +0530437 }
438
439 // If "LocalRole" info is provided
440 if (localRole)
441 {
Ed Tanousd02aad32024-02-13 14:43:34 -0800442 setDbusProperty(
Ginu Georgee93abac2024-06-14 17:35:27 +0530443 asyncResp,
Ed Tanousd02aad32024-02-13 14:43:34 -0800444 std::format("RemoteRoleMapping/{}/LocalRole", index),
Ginu Georgee93abac2024-06-14 17:35:27 +0530445 ldapDbusService, roleMapObjData[index].first,
446 "xyz.openbmc_project.User.PrivilegeMapperEntry",
447 "Privilege", *localRole);
Ratan Gupta06785242019-07-26 22:30:16 +0530448 }
449 }
450 // Create a new RoleMapping Object.
451 else
452 {
Ed Tanous62598e32023-07-17 17:06:25 -0700453 BMCWEB_LOG_DEBUG(
454 "setRoleMappingProperties: Creating new Object");
Patrick Williams89492a12023-05-10 07:51:34 -0500455 std::string pathString = "RemoteRoleMapping/" +
456 std::to_string(index);
Ratan Gupta06785242019-07-26 22:30:16 +0530457
458 if (!localRole)
459 {
460 messages::propertyMissing(asyncResp->res,
461 pathString + "/LocalRole");
462 continue;
463 }
464 if (!remoteGroup)
465 {
466 messages::propertyMissing(asyncResp->res,
467 pathString + "/RemoteGroup");
468 continue;
469 }
470
471 std::string dbusObjectPath;
472 if (serverType == "ActiveDirectory")
473 {
Ed Tanous2c70f802020-09-28 14:29:23 -0700474 dbusObjectPath = adConfigObject;
Ratan Gupta06785242019-07-26 22:30:16 +0530475 }
476 else if (serverType == "LDAP")
477 {
Ed Tanous23a21a12020-07-25 04:45:05 +0000478 dbusObjectPath = ldapConfigObjectName;
Ratan Gupta06785242019-07-26 22:30:16 +0530479 }
480
Ed Tanous62598e32023-07-17 17:06:25 -0700481 BMCWEB_LOG_DEBUG("Remote Group={},LocalRole={}", *remoteGroup,
482 *localRole);
Ratan Gupta06785242019-07-26 22:30:16 +0530483
484 crow::connections::systemBus->async_method_call(
Ed Tanous271584a2019-07-09 16:24:22 -0700485 [asyncResp, serverType, localRole,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -0800486 remoteGroup](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700487 if (ec)
488 {
Ed Tanous62598e32023-07-17 17:06:25 -0700489 BMCWEB_LOG_ERROR("DBUS response error: {}", ec);
Ed Tanous002d39b2022-05-31 08:59:27 -0700490 messages::internalError(asyncResp->res);
491 return;
492 }
493 nlohmann::json& remoteRoleJson =
494 asyncResp->res
495 .jsonValue[serverType]["RemoteRoleMapping"];
496 nlohmann::json::object_t roleMapEntry;
497 roleMapEntry["LocalRole"] = *localRole;
498 roleMapEntry["RemoteGroup"] = *remoteGroup;
Patrick Williamsb2ba3072023-05-12 10:27:39 -0500499 remoteRoleJson.emplace_back(std::move(roleMapEntry));
Patrick Williams5a39f772023-10-20 11:20:21 -0500500 },
Ratan Gupta06785242019-07-26 22:30:16 +0530501 ldapDbusService, dbusObjectPath, ldapPrivMapperInterface,
Ed Tanous3174e4d2020-10-07 11:41:22 -0700502 "Create", *remoteGroup,
Ratan Gupta06785242019-07-26 22:30:16 +0530503 getPrivilegeFromRoleId(std::move(*localRole)));
504 }
505 }
506 }
507}
508
509/**
Ratan Gupta6973a582018-12-13 18:25:44 +0530510 * Function that retrieves all properties for LDAP config object
511 * into JSON
512 */
513template <typename CallbackFunc>
514inline void getLDAPConfigData(const std::string& ldapType,
515 CallbackFunc&& callback)
516{
George Liu2b731192023-01-11 16:27:13 +0800517 constexpr std::array<std::string_view, 2> interfaces = {
518 ldapEnableInterface, ldapConfigInterface};
Ratan Gupta6973a582018-12-13 18:25:44 +0530519
George Liu2b731192023-01-11 16:27:13 +0800520 dbus::utility::getDbusObject(
521 ldapConfigObjectName, interfaces,
Ed Tanous8cb2c022024-03-27 16:31:46 -0700522 [callback = std::forward<CallbackFunc>(callback),
Ed Tanousc1019822024-03-06 12:54:38 -0800523 ldapType](const boost::system::error_code& ec,
524 const dbus::utility::MapperGetObject& resp) mutable {
Ed Tanous002d39b2022-05-31 08:59:27 -0700525 if (ec || resp.empty())
526 {
Carson Labradobf2dded2023-08-10 00:37:06 +0000527 BMCWEB_LOG_WARNING(
Ed Tanous62598e32023-07-17 17:06:25 -0700528 "DBUS response error during getting of service name: {}", ec);
Ed Tanous002d39b2022-05-31 08:59:27 -0700529 LDAPConfigData empty{};
530 callback(false, empty, ldapType);
531 return;
532 }
533 std::string service = resp.begin()->first;
George Liu5eb468d2023-06-20 17:03:24 +0800534 sdbusplus::message::object_path path(ldapRootObject);
535 dbus::utility::getManagedObjects(
536 service, path,
Ed Tanousc1019822024-03-06 12:54:38 -0800537 [callback, ldapType](
538 const boost::system::error_code& ec2,
539 const dbus::utility::ManagedObjectType& ldapObjects) mutable {
Ed Tanous002d39b2022-05-31 08:59:27 -0700540 LDAPConfigData confData{};
Ed Tanous8b242752023-06-27 17:17:13 -0700541 if (ec2)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600542 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700543 callback(false, confData, ldapType);
Carson Labradobf2dded2023-08-10 00:37:06 +0000544 BMCWEB_LOG_WARNING("D-Bus responses error: {}", ec2);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600545 return;
546 }
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600547
Ed Tanous002d39b2022-05-31 08:59:27 -0700548 std::string ldapDbusType;
549 std::string searchString;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600550
Ed Tanous002d39b2022-05-31 08:59:27 -0700551 if (ldapType == "LDAP")
552 {
553 ldapDbusType =
554 "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap";
555 searchString = "openldap";
556 }
557 else if (ldapType == "ActiveDirectory")
558 {
559 ldapDbusType =
560 "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory";
561 searchString = "active_directory";
562 }
563 else
564 {
Ed Tanous62598e32023-07-17 17:06:25 -0700565 BMCWEB_LOG_ERROR("Can't get the DbusType for the given type={}",
566 ldapType);
Ed Tanous002d39b2022-05-31 08:59:27 -0700567 callback(false, confData, ldapType);
568 return;
569 }
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600570
Ed Tanous002d39b2022-05-31 08:59:27 -0700571 std::string ldapEnableInterfaceStr = ldapEnableInterface;
572 std::string ldapConfigInterfaceStr = ldapConfigInterface;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600573
Ed Tanous002d39b2022-05-31 08:59:27 -0700574 for (const auto& object : ldapObjects)
575 {
576 // let's find the object whose ldap type is equal to the
577 // given type
578 if (object.first.str.find(searchString) == std::string::npos)
579 {
580 continue;
581 }
582
583 for (const auto& interface : object.second)
584 {
585 if (interface.first == ldapEnableInterfaceStr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600586 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700587 // rest of the properties are string.
588 for (const auto& property : interface.second)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600589 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700590 if (property.first == "Enabled")
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600591 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700592 const bool* value =
593 std::get_if<bool>(&property.second);
594 if (value == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600595 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700596 continue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600597 }
Ed Tanous002d39b2022-05-31 08:59:27 -0700598 confData.serviceEnabled = *value;
599 break;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600600 }
601 }
602 }
Ed Tanous002d39b2022-05-31 08:59:27 -0700603 else if (interface.first == ldapConfigInterfaceStr)
604 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700605 for (const auto& property : interface.second)
606 {
607 const std::string* strValue =
608 std::get_if<std::string>(&property.second);
609 if (strValue == nullptr)
610 {
611 continue;
612 }
613 if (property.first == "LDAPServerURI")
614 {
615 confData.uri = *strValue;
616 }
617 else if (property.first == "LDAPBindDN")
618 {
619 confData.bindDN = *strValue;
620 }
621 else if (property.first == "LDAPBaseDN")
622 {
623 confData.baseDN = *strValue;
624 }
625 else if (property.first == "LDAPSearchScope")
626 {
627 confData.searchScope = *strValue;
628 }
629 else if (property.first == "GroupNameAttribute")
630 {
631 confData.groupAttribute = *strValue;
632 }
633 else if (property.first == "UserNameAttribute")
634 {
635 confData.userNameAttribute = *strValue;
636 }
637 else if (property.first == "LDAPType")
638 {
639 confData.serverType = *strValue;
640 }
641 }
642 }
643 else if (interface.first ==
644 "xyz.openbmc_project.User.PrivilegeMapperEntry")
645 {
646 LDAPRoleMapData roleMapData{};
647 for (const auto& property : interface.second)
648 {
649 const std::string* strValue =
650 std::get_if<std::string>(&property.second);
651
652 if (strValue == nullptr)
653 {
654 continue;
655 }
656
657 if (property.first == "GroupName")
658 {
659 roleMapData.groupName = *strValue;
660 }
661 else if (property.first == "Privilege")
662 {
663 roleMapData.privilege = *strValue;
664 }
665 }
666
667 confData.groupRoleList.emplace_back(object.first.str,
668 roleMapData);
669 }
670 }
671 }
672 callback(true, confData, ldapType);
George Liu2b731192023-01-11 16:27:13 +0800673 });
Patrick Williams5a39f772023-10-20 11:20:21 -0500674 });
Ratan Gupta6973a582018-12-13 18:25:44 +0530675}
676
Ed Tanous6c51eab2021-06-03 12:30:29 -0700677/**
Ed Tanous6c51eab2021-06-03 12:30:29 -0700678 * @brief updates the LDAP server address and updates the
679 json response with the new value.
680 * @param serviceAddressList address to be updated.
681 * @param asyncResp pointer to the JSON response
682 * @param ldapServerElementName Type of LDAP
683 server(openLDAP/ActiveDirectory)
684 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530685
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700686inline void handleServiceAddressPatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700687 const std::vector<std::string>& serviceAddressList,
688 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
689 const std::string& ldapServerElementName,
690 const std::string& ldapConfigObject)
691{
Ginu Georgee93abac2024-06-14 17:35:27 +0530692 setDbusProperty(asyncResp, ldapServerElementName + "/ServiceAddress",
693 ldapDbusService, ldapConfigObject, ldapConfigInterface,
694 "LDAPServerURI", serviceAddressList.front());
Ed Tanous6c51eab2021-06-03 12:30:29 -0700695}
696/**
697 * @brief updates the LDAP Bind DN and updates the
698 json response with the new value.
699 * @param username name of the user which needs to be updated.
700 * @param asyncResp pointer to the JSON response
701 * @param ldapServerElementName Type of LDAP
702 server(openLDAP/ActiveDirectory)
703 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530704
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700705inline void
706 handleUserNamePatch(const std::string& username,
707 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
708 const std::string& ldapServerElementName,
709 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700710{
Ginu Georgee93abac2024-06-14 17:35:27 +0530711 setDbusProperty(asyncResp,
Ed Tanousd02aad32024-02-13 14:43:34 -0800712 ldapServerElementName + "/Authentication/Username",
Ginu Georgee93abac2024-06-14 17:35:27 +0530713 ldapDbusService, ldapConfigObject, ldapConfigInterface,
714 "LDAPBindDN", username);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700715}
716
717/**
718 * @brief updates the LDAP password
719 * @param password : ldap password which needs to be updated.
720 * @param asyncResp pointer to the JSON response
721 * @param ldapServerElementName Type of LDAP
722 * server(openLDAP/ActiveDirectory)
723 */
724
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700725inline void
726 handlePasswordPatch(const std::string& password,
727 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
728 const std::string& ldapServerElementName,
729 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700730{
Ginu Georgee93abac2024-06-14 17:35:27 +0530731 setDbusProperty(asyncResp,
Ed Tanousd02aad32024-02-13 14:43:34 -0800732 ldapServerElementName + "/Authentication/Password",
Ginu Georgee93abac2024-06-14 17:35:27 +0530733 ldapDbusService, ldapConfigObject, ldapConfigInterface,
734 "LDAPBindDNPassword", password);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700735}
736
737/**
738 * @brief updates the LDAP BaseDN and updates the
739 json response with the new value.
740 * @param baseDNList baseDN list which needs to be updated.
741 * @param asyncResp pointer to the JSON response
742 * @param ldapServerElementName Type of LDAP
743 server(openLDAP/ActiveDirectory)
744 */
745
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700746inline void
747 handleBaseDNPatch(const std::vector<std::string>& baseDNList,
748 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
749 const std::string& ldapServerElementName,
750 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700751{
Ginu Georgee93abac2024-06-14 17:35:27 +0530752 setDbusProperty(asyncResp,
Ed Tanousd02aad32024-02-13 14:43:34 -0800753 ldapServerElementName +
754 "/LDAPService/SearchSettings/BaseDistinguishedNames",
Ginu Georgee93abac2024-06-14 17:35:27 +0530755 ldapDbusService, ldapConfigObject, ldapConfigInterface,
756 "LDAPBaseDN", baseDNList.front());
Ed Tanous6c51eab2021-06-03 12:30:29 -0700757}
758/**
759 * @brief updates the LDAP user name attribute and updates the
760 json response with the new value.
761 * @param userNameAttribute attribute to be updated.
762 * @param asyncResp pointer to the JSON response
763 * @param ldapServerElementName Type of LDAP
764 server(openLDAP/ActiveDirectory)
765 */
766
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700767inline void
768 handleUserNameAttrPatch(const std::string& userNameAttribute,
769 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
770 const std::string& ldapServerElementName,
771 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700772{
Ginu Georgee93abac2024-06-14 17:35:27 +0530773 setDbusProperty(asyncResp,
Ed Tanousd02aad32024-02-13 14:43:34 -0800774 ldapServerElementName +
775 "LDAPService/SearchSettings/UsernameAttribute",
Ginu Georgee93abac2024-06-14 17:35:27 +0530776 ldapDbusService, ldapConfigObject, ldapConfigInterface,
777 "UserNameAttribute", userNameAttribute);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700778}
779/**
780 * @brief updates the LDAP group attribute and updates the
781 json response with the new value.
782 * @param groupsAttribute attribute to be updated.
783 * @param asyncResp pointer to the JSON response
784 * @param ldapServerElementName Type of LDAP
785 server(openLDAP/ActiveDirectory)
786 */
787
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700788inline void handleGroupNameAttrPatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700789 const std::string& groupsAttribute,
790 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
791 const std::string& ldapServerElementName,
792 const std::string& ldapConfigObject)
793{
Ginu Georgee93abac2024-06-14 17:35:27 +0530794 setDbusProperty(asyncResp,
Ed Tanousd02aad32024-02-13 14:43:34 -0800795 ldapServerElementName +
796 "/LDAPService/SearchSettings/GroupsAttribute",
Ginu Georgee93abac2024-06-14 17:35:27 +0530797 ldapDbusService, ldapConfigObject, ldapConfigInterface,
798 "GroupNameAttribute", groupsAttribute);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700799}
800/**
801 * @brief updates the LDAP service enable and updates the
802 json response with the new value.
803 * @param input JSON data.
804 * @param asyncResp pointer to the JSON response
805 * @param ldapServerElementName Type of LDAP
806 server(openLDAP/ActiveDirectory)
807 */
808
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700809inline void handleServiceEnablePatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700810 bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
811 const std::string& ldapServerElementName,
812 const std::string& ldapConfigObject)
813{
Ginu Georgee93abac2024-06-14 17:35:27 +0530814 setDbusProperty(asyncResp, ldapServerElementName + "/ServiceEnabled",
815 ldapDbusService, ldapConfigObject, ldapEnableInterface,
816 "Enabled", serviceEnabled);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700817}
818
Ed Tanousc1019822024-03-06 12:54:38 -0800819struct AuthMethods
Ed Tanous6c51eab2021-06-03 12:30:29 -0700820{
821 std::optional<bool> basicAuth;
822 std::optional<bool> cookie;
823 std::optional<bool> sessionToken;
824 std::optional<bool> xToken;
825 std::optional<bool> tls;
Ed Tanousc1019822024-03-06 12:54:38 -0800826};
Ed Tanous6c51eab2021-06-03 12:30:29 -0700827
Ed Tanousc1019822024-03-06 12:54:38 -0800828inline void
829 handleAuthMethodsPatch(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
830 const AuthMethods& auth)
831{
832 persistent_data::AuthConfigMethods& authMethodsConfig =
Ed Tanous6c51eab2021-06-03 12:30:29 -0700833 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
834
Ed Tanousc1019822024-03-06 12:54:38 -0800835 if (auth.basicAuth)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700836 {
Ed Tanous25b54db2024-04-17 15:40:31 -0700837 if constexpr (!BMCWEB_BASIC_AUTH)
838 {
839 messages::actionNotSupported(
840 asyncResp->res,
841 "Setting BasicAuth when basic-auth feature is disabled");
842 return;
843 }
844
Ed Tanousc1019822024-03-06 12:54:38 -0800845 authMethodsConfig.basic = *auth.basicAuth;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700846 }
847
Ed Tanousc1019822024-03-06 12:54:38 -0800848 if (auth.cookie)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700849 {
Ed Tanous25b54db2024-04-17 15:40:31 -0700850 if constexpr (!BMCWEB_COOKIE_AUTH)
851 {
852 messages::actionNotSupported(
853 asyncResp->res,
854 "Setting Cookie when cookie-auth feature is disabled");
855 return;
856 }
Ed Tanousc1019822024-03-06 12:54:38 -0800857 authMethodsConfig.cookie = *auth.cookie;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700858 }
859
Ed Tanousc1019822024-03-06 12:54:38 -0800860 if (auth.sessionToken)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700861 {
Ed Tanous25b54db2024-04-17 15:40:31 -0700862 if constexpr (!BMCWEB_SESSION_AUTH)
863 {
864 messages::actionNotSupported(
865 asyncResp->res,
866 "Setting SessionToken when session-auth feature is disabled");
867 return;
868 }
Ed Tanousc1019822024-03-06 12:54:38 -0800869 authMethodsConfig.sessionToken = *auth.sessionToken;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700870 }
871
Ed Tanousc1019822024-03-06 12:54:38 -0800872 if (auth.xToken)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700873 {
Ed Tanous25b54db2024-04-17 15:40:31 -0700874 if constexpr (!BMCWEB_XTOKEN_AUTH)
875 {
876 messages::actionNotSupported(
877 asyncResp->res,
878 "Setting XToken when xtoken-auth feature is disabled");
879 return;
880 }
Ed Tanousc1019822024-03-06 12:54:38 -0800881 authMethodsConfig.xtoken = *auth.xToken;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700882 }
883
Ed Tanousc1019822024-03-06 12:54:38 -0800884 if (auth.tls)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700885 {
Ed Tanous25b54db2024-04-17 15:40:31 -0700886 if constexpr (!BMCWEB_MUTUAL_TLS_AUTH)
887 {
888 messages::actionNotSupported(
889 asyncResp->res,
890 "Setting TLS when mutual-tls-auth feature is disabled");
891 return;
892 }
Ed Tanousc1019822024-03-06 12:54:38 -0800893 authMethodsConfig.tls = *auth.tls;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700894 }
895
896 if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
897 !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
898 !authMethodsConfig.tls)
899 {
900 // Do not allow user to disable everything
901 messages::actionNotSupported(asyncResp->res,
902 "of disabling all available methods");
903 return;
904 }
905
906 persistent_data::SessionStore::getInstance().updateAuthMethodsConfig(
907 authMethodsConfig);
908 // Save configuration immediately
909 persistent_data::getConfig().writeData();
910
911 messages::success(asyncResp->res);
912}
913
914/**
915 * @brief Get the required values from the given JSON, validates the
916 * value and create the LDAP config object.
917 * @param input JSON data
918 * @param asyncResp pointer to the JSON response
919 * @param serverType Type of LDAP server(openLDAP/ActiveDirectory)
920 */
921
Ed Tanous10cb44f2024-04-11 13:05:20 -0700922struct LdapPatchParams
923{
924 std::optional<std::string> authType;
925 std::optional<std::vector<std::string>> serviceAddressList;
926 std::optional<bool> serviceEnabled;
927 std::optional<std::vector<std::string>> baseDNList;
928 std::optional<std::string> userNameAttribute;
929 std::optional<std::string> groupsAttribute;
930 std::optional<std::string> userName;
931 std::optional<std::string> password;
932 std::optional<
933 std::vector<std::variant<nlohmann::json::object_t, std::nullptr_t>>>
934 remoteRoleMapData;
935};
936
937inline void handleLDAPPatch(LdapPatchParams&& input,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700938 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
939 const std::string& serverType)
940{
941 std::string dbusObjectPath;
942 if (serverType == "ActiveDirectory")
943 {
944 dbusObjectPath = adConfigObject;
945 }
946 else if (serverType == "LDAP")
947 {
948 dbusObjectPath = ldapConfigObjectName;
949 }
950 else
951 {
Ed Tanous10cb44f2024-04-11 13:05:20 -0700952 BMCWEB_LOG_ERROR("serverType wasn't AD or LDAP but was {}????",
953 serverType);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700954 return;
955 }
956
Ed Tanous10cb44f2024-04-11 13:05:20 -0700957 if (input.authType && *input.authType != "UsernameAndPassword")
Ed Tanous6c51eab2021-06-03 12:30:29 -0700958 {
Ed Tanous10cb44f2024-04-11 13:05:20 -0700959 messages::propertyValueNotInList(asyncResp->res, *input.authType,
Ed Tanousc1019822024-03-06 12:54:38 -0800960 "AuthenticationType");
961 return;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700962 }
Ed Tanousc1019822024-03-06 12:54:38 -0800963
Ed Tanous10cb44f2024-04-11 13:05:20 -0700964 if (input.serviceAddressList)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700965 {
Ed Tanous10cb44f2024-04-11 13:05:20 -0700966 if (input.serviceAddressList->empty())
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530967 {
Ed Tanouse2616cc2022-06-27 12:45:55 -0700968 messages::propertyValueNotInList(
Ed Tanous10cb44f2024-04-11 13:05:20 -0700969 asyncResp->res, *input.serviceAddressList, "ServiceAddress");
Ed Tanouscb13a392020-07-25 19:02:03 +0000970 return;
971 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700972 }
Ed Tanous10cb44f2024-04-11 13:05:20 -0700973 if (input.baseDNList)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700974 {
Ed Tanous10cb44f2024-04-11 13:05:20 -0700975 if (input.baseDNList->empty())
Ratan Gupta8a07d282019-03-16 08:33:47 +0530976 {
Ed Tanous10cb44f2024-04-11 13:05:20 -0700977 messages::propertyValueNotInList(asyncResp->res, *input.baseDNList,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700978 "BaseDistinguishedNames");
Ratan Gupta8a07d282019-03-16 08:33:47 +0530979 return;
980 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700981 }
Ratan Gupta8a07d282019-03-16 08:33:47 +0530982
Ed Tanous6c51eab2021-06-03 12:30:29 -0700983 // nothing to update, then return
Ed Tanous10cb44f2024-04-11 13:05:20 -0700984 if (!input.userName && !input.password && !input.serviceAddressList &&
985 !input.baseDNList && !input.userNameAttribute &&
986 !input.groupsAttribute && !input.serviceEnabled &&
987 !input.remoteRoleMapData)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700988 {
989 return;
990 }
991
992 // Get the existing resource first then keep modifying
993 // whenever any property gets updated.
Ed Tanous10cb44f2024-04-11 13:05:20 -0700994 getLDAPConfigData(serverType,
995 [asyncResp, input = std::move(input),
996 dbusObjectPath = std::move(dbusObjectPath)](
997 bool success, const LDAPConfigData& confData,
998 const std::string& serverT) mutable {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700999 if (!success)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301000 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001001 messages::internalError(asyncResp->res);
1002 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +05301003 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001004 parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT);
1005 if (confData.serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301006 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001007 // Disable the service first and update the rest of
1008 // the properties.
1009 handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +05301010 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001011
Ed Tanous10cb44f2024-04-11 13:05:20 -07001012 if (input.serviceAddressList)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301013 {
Ed Tanous10cb44f2024-04-11 13:05:20 -07001014 handleServiceAddressPatch(*input.serviceAddressList, asyncResp,
1015 serverT, dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +05301016 }
Ed Tanous10cb44f2024-04-11 13:05:20 -07001017 if (input.userName)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001018 {
Ed Tanous10cb44f2024-04-11 13:05:20 -07001019 handleUserNamePatch(*input.userName, asyncResp, serverT,
1020 dbusObjectPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001021 }
Ed Tanous10cb44f2024-04-11 13:05:20 -07001022 if (input.password)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001023 {
Ed Tanous10cb44f2024-04-11 13:05:20 -07001024 handlePasswordPatch(*input.password, asyncResp, serverT,
1025 dbusObjectPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001026 }
1027
Ed Tanous10cb44f2024-04-11 13:05:20 -07001028 if (input.baseDNList)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301029 {
Ed Tanous10cb44f2024-04-11 13:05:20 -07001030 handleBaseDNPatch(*input.baseDNList, asyncResp, serverT,
1031 dbusObjectPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001032 }
Ed Tanous10cb44f2024-04-11 13:05:20 -07001033 if (input.userNameAttribute)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001034 {
Ed Tanous10cb44f2024-04-11 13:05:20 -07001035 handleUserNameAttrPatch(*input.userNameAttribute, asyncResp,
1036 serverT, dbusObjectPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001037 }
Ed Tanous10cb44f2024-04-11 13:05:20 -07001038 if (input.groupsAttribute)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001039 {
Ed Tanous10cb44f2024-04-11 13:05:20 -07001040 handleGroupNameAttrPatch(*input.groupsAttribute, asyncResp, serverT,
Ed Tanous6c51eab2021-06-03 12:30:29 -07001041 dbusObjectPath);
1042 }
Ed Tanous10cb44f2024-04-11 13:05:20 -07001043 if (input.serviceEnabled)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001044 {
1045 // if user has given the value as true then enable
1046 // the service. if user has given false then no-op
1047 // as service is already stopped.
Ed Tanous10cb44f2024-04-11 13:05:20 -07001048 if (*input.serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301049 {
Ed Tanous10cb44f2024-04-11 13:05:20 -07001050 handleServiceEnablePatch(*input.serviceEnabled, asyncResp,
1051 serverT, dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +05301052 }
1053 }
jayaprakash Mutyala96200602020-04-08 11:09:10 +00001054 else
1055 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001056 // if user has not given the service enabled value
1057 // then revert it to the same state as it was
1058 // before.
1059 handleServiceEnablePatch(confData.serviceEnabled, asyncResp,
1060 serverT, dbusObjectPath);
jayaprakash Mutyala96200602020-04-08 11:09:10 +00001061 }
Ed Tanous04ae99e2018-09-20 15:54:36 -07001062
Ed Tanous10cb44f2024-04-11 13:05:20 -07001063 if (input.remoteRoleMapData)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001064 {
1065 handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT,
Ed Tanous10cb44f2024-04-11 13:05:20 -07001066 *input.remoteRoleMapData);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001067 }
Patrick Williams5a39f772023-10-20 11:20:21 -05001068 });
Ed Tanous6c51eab2021-06-03 12:30:29 -07001069}
1070
Abhishek Patel58345852022-02-02 08:54:25 -06001071inline void updateUserProperties(
1072 std::shared_ptr<bmcweb::AsyncResp> asyncResp, const std::string& username,
1073 const std::optional<std::string>& password,
1074 const std::optional<bool>& enabled,
1075 const std::optional<std::string>& roleId, const std::optional<bool>& locked,
Ravi Tejae518ef32024-05-16 10:33:08 -05001076 std::optional<std::vector<std::string>> accountTypes, bool userSelf,
1077 const std::shared_ptr<persistent_data::UserSession>& session)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001078{
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +05301079 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1080 tempObjPath /= username;
1081 std::string dbusObjectPath(tempObjPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001082
1083 dbus::utility::checkDbusPathExists(
Ravi Tejae518ef32024-05-16 10:33:08 -05001084 dbusObjectPath,
1085 [dbusObjectPath, username, password, roleId, enabled, locked,
1086 accountTypes(std::move(accountTypes)), userSelf, session,
1087 asyncResp{std::move(asyncResp)}](int rc) {
Patrick Williams5a39f772023-10-20 11:20:21 -05001088 if (rc <= 0)
1089 {
1090 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1091 username);
1092 return;
1093 }
1094
1095 if (password)
1096 {
1097 int retval = pamUpdatePassword(username, *password);
1098
1099 if (retval == PAM_USER_UNKNOWN)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001100 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08001101 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1102 username);
Patrick Williams5a39f772023-10-20 11:20:21 -05001103 }
1104 else if (retval == PAM_AUTHTOK_ERR)
1105 {
1106 // If password is invalid
1107 messages::propertyValueFormatError(asyncResp->res, nullptr,
1108 "Password");
1109 BMCWEB_LOG_ERROR("pamUpdatePassword Failed");
1110 }
1111 else if (retval != PAM_SUCCESS)
1112 {
1113 messages::internalError(asyncResp->res);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001114 return;
1115 }
Patrick Williams5a39f772023-10-20 11:20:21 -05001116 else
Ed Tanous618c14b2022-06-30 17:44:25 -07001117 {
Ravi Tejae518ef32024-05-16 10:33:08 -05001118 // Remove existing sessions of the user when password changed
1119 persistent_data::SessionStore::getInstance()
1120 .removeSessionsByUsernameExceptSession(username, session);
Patrick Williams5a39f772023-10-20 11:20:21 -05001121 messages::success(asyncResp->res);
Ed Tanous618c14b2022-06-30 17:44:25 -07001122 }
Patrick Williams5a39f772023-10-20 11:20:21 -05001123 }
Ed Tanous618c14b2022-06-30 17:44:25 -07001124
Patrick Williams5a39f772023-10-20 11:20:21 -05001125 if (enabled)
1126 {
Ginu Georgee93abac2024-06-14 17:35:27 +05301127 setDbusProperty(asyncResp, "Enabled",
1128 "xyz.openbmc_project.User.Manager", dbusObjectPath,
Ed Tanousd02aad32024-02-13 14:43:34 -08001129 "xyz.openbmc_project.User.Attributes",
Ginu Georgee93abac2024-06-14 17:35:27 +05301130 "UserEnabled", *enabled);
Patrick Williams5a39f772023-10-20 11:20:21 -05001131 }
1132
1133 if (roleId)
1134 {
1135 std::string priv = getPrivilegeFromRoleId(*roleId);
1136 if (priv.empty())
1137 {
1138 messages::propertyValueNotInList(asyncResp->res, true,
1139 "Locked");
1140 return;
Ed Tanous618c14b2022-06-30 17:44:25 -07001141 }
Ginu Georgee93abac2024-06-14 17:35:27 +05301142 setDbusProperty(asyncResp, "RoleId",
1143 "xyz.openbmc_project.User.Manager", dbusObjectPath,
Ed Tanousd02aad32024-02-13 14:43:34 -08001144 "xyz.openbmc_project.User.Attributes",
Ginu Georgee93abac2024-06-14 17:35:27 +05301145 "UserPrivilege", priv);
Patrick Williams5a39f772023-10-20 11:20:21 -05001146 }
1147
1148 if (locked)
1149 {
1150 // admin can unlock the account which is locked by
1151 // successive authentication failures but admin should
1152 // not be allowed to lock an account.
1153 if (*locked)
Abhishek Patel58345852022-02-02 08:54:25 -06001154 {
Patrick Williams5a39f772023-10-20 11:20:21 -05001155 messages::propertyValueNotInList(asyncResp->res, "true",
1156 "Locked");
1157 return;
Abhishek Patel58345852022-02-02 08:54:25 -06001158 }
Ginu Georgee93abac2024-06-14 17:35:27 +05301159 setDbusProperty(asyncResp, "Locked",
1160 "xyz.openbmc_project.User.Manager", dbusObjectPath,
Ed Tanousd02aad32024-02-13 14:43:34 -08001161 "xyz.openbmc_project.User.Attributes",
Ginu Georgee93abac2024-06-14 17:35:27 +05301162 "UserLockedForFailedAttempt", *locked);
Patrick Williams5a39f772023-10-20 11:20:21 -05001163 }
1164
1165 if (accountTypes)
1166 {
1167 patchAccountTypes(*accountTypes, asyncResp, dbusObjectPath,
1168 userSelf);
1169 }
1170 });
Ed Tanous6c51eab2021-06-03 12:30:29 -07001171}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -07001172
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001173inline void handleAccountServiceHead(
1174 App& app, const crow::Request& req,
1175 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001176{
1177 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1178 {
1179 return;
1180 }
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001181 asyncResp->res.addHeader(
1182 boost::beast::http::field::link,
1183 "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby");
1184}
1185
1186inline void
Ed Tanous1aa375b2024-04-13 11:51:10 -07001187 getClientCertificates(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1188 const nlohmann::json::json_pointer& keyLocation)
1189{
1190 boost::urls::url url(
1191 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates");
1192 std::array<std::string_view, 1> interfaces = {
1193 "xyz.openbmc_project.Certs.Certificate"};
1194 std::string path = "/xyz/openbmc_project/certs/authority/truststore";
1195
1196 collection_util::getCollectionToKey(asyncResp, url, interfaces, path,
1197 keyLocation);
1198}
1199
1200inline void handleAccountServiceClientCertificatesInstanceHead(
1201 App& app, const crow::Request& req,
1202 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1203 const std::string& /*id*/)
1204{
1205 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1206 {
1207 return;
1208 }
1209
1210 asyncResp->res.addHeader(
1211 boost::beast::http::field::link,
1212 "</redfish/v1/JsonSchemas/Certificate/Certificate.json>; rel=describedby");
1213}
1214
1215inline void handleAccountServiceClientCertificatesInstanceGet(
1216 App& app, const crow::Request& req,
1217 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, const std::string& id)
1218{
1219 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1220 {
1221 return;
1222 }
1223 BMCWEB_LOG_DEBUG("ClientCertificate Certificate ID={}", id);
1224 const boost::urls::url certURL = boost::urls::format(
1225 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/{}",
1226 id);
1227 std::string objPath =
1228 sdbusplus::message::object_path(certs::authorityObjectPath) / id;
1229 getCertificateProperties(
1230 asyncResp, objPath,
1231 "xyz.openbmc_project.Certs.Manager.Authority.Truststore", id, certURL,
1232 "Client Certificate");
1233}
1234
1235inline void handleAccountServiceClientCertificatesHead(
1236 App& app, const crow::Request& req,
1237 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1238{
1239 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1240 {
1241 return;
1242 }
1243
1244 asyncResp->res.addHeader(
1245 boost::beast::http::field::link,
1246 "</redfish/v1/JsonSchemas/CertificateCollection/CertificateCollection.json>; rel=describedby");
1247}
1248
1249inline void handleAccountServiceClientCertificatesGet(
1250 App& app, const crow::Request& req,
1251 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1252{
1253 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1254 {
1255 return;
1256 }
1257 getClientCertificates(asyncResp, "/Members"_json_pointer);
1258}
1259
Ed Tanous3ce36882024-06-09 10:58:16 -07001260using account_service::CertificateMappingAttribute;
1261using persistent_data::MTLSCommonNameParseMode;
1262inline CertificateMappingAttribute
1263 getCertificateMapping(MTLSCommonNameParseMode parse)
1264{
1265 switch (parse)
1266 {
1267 case MTLSCommonNameParseMode::CommonName:
1268 {
1269 return CertificateMappingAttribute::CommonName;
1270 }
1271 break;
1272 case MTLSCommonNameParseMode::Whole:
1273 {
1274 return CertificateMappingAttribute::Whole;
1275 }
1276 break;
1277 case MTLSCommonNameParseMode::UserPrincipalName:
1278 {
1279 return CertificateMappingAttribute::UserPrincipalName;
1280 }
1281 break;
1282
1283 case MTLSCommonNameParseMode::Meta:
1284 {
1285 if constexpr (BMCWEB_META_TLS_COMMON_NAME_PARSING)
1286 {
1287 return CertificateMappingAttribute::CommonName;
1288 }
1289 }
1290 break;
1291 default:
1292 {
1293 return CertificateMappingAttribute::Invalid;
1294 }
1295 break;
1296 }
1297}
1298
Ed Tanous1aa375b2024-04-13 11:51:10 -07001299inline void
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001300 handleAccountServiceGet(App& app, const crow::Request& req,
1301 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1302{
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001303 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1304 {
1305 return;
1306 }
Ninad Palsule3e72c202023-03-27 17:19:55 -05001307
1308 if (req.session == nullptr)
1309 {
1310 messages::internalError(asyncResp->res);
1311 return;
1312 }
1313
Ed Tanousc1019822024-03-06 12:54:38 -08001314 const persistent_data::AuthConfigMethods& authMethodsConfig =
1315 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
1316
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001317 asyncResp->res.addHeader(
1318 boost::beast::http::field::link,
1319 "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby");
1320
Ed Tanous1ef4c342022-05-12 16:12:36 -07001321 nlohmann::json& json = asyncResp->res.jsonValue;
1322 json["@odata.id"] = "/redfish/v1/AccountService";
Ravi Teja482a69e2024-04-22 06:56:13 -05001323 json["@odata.type"] = "#AccountService.v1_15_0.AccountService";
Ed Tanous1ef4c342022-05-12 16:12:36 -07001324 json["Id"] = "AccountService";
1325 json["Name"] = "Account Service";
1326 json["Description"] = "Account Service";
1327 json["ServiceEnabled"] = true;
1328 json["MaxPasswordLength"] = 20;
1329 json["Accounts"]["@odata.id"] = "/redfish/v1/AccountService/Accounts";
1330 json["Roles"]["@odata.id"] = "/redfish/v1/AccountService/Roles";
Ravi Teja482a69e2024-04-22 06:56:13 -05001331 json["HTTPBasicAuth"] = authMethodsConfig.basic
1332 ? account_service::BasicAuthState::Enabled
1333 : account_service::BasicAuthState::Disabled;
1334
1335 nlohmann::json::array_t allowed;
1336 allowed.emplace_back(account_service::BasicAuthState::Enabled);
1337 allowed.emplace_back(account_service::BasicAuthState::Disabled);
1338 json["HTTPBasicAuth@AllowableValues"] = std::move(allowed);
1339
Ed Tanous1aa375b2024-04-13 11:51:10 -07001340 nlohmann::json::object_t clientCertificate;
1341 clientCertificate["Enabled"] = authMethodsConfig.tls;
1342 clientCertificate["RespondToUnauthenticatedClients"] = true;
Ed Tanous3ce36882024-06-09 10:58:16 -07001343
1344 using account_service::CertificateMappingAttribute;
1345
1346 CertificateMappingAttribute mapping =
1347 getCertificateMapping(authMethodsConfig.mTLSCommonNameParsingMode);
1348 if (mapping == CertificateMappingAttribute::Invalid)
1349 {
1350 messages::internalError(asyncResp->res);
1351 }
1352 else
1353 {
1354 clientCertificate["CertificateMappingAttribute"] = mapping;
1355 }
Ed Tanous1aa375b2024-04-13 11:51:10 -07001356 nlohmann::json::object_t certificates;
1357 certificates["@odata.id"] =
1358 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates";
1359 certificates["@odata.type"] =
1360 "#CertificateCollection.CertificateCollection";
1361 clientCertificate["Certificates"] = std::move(certificates);
1362 json["MultiFactorAuth"]["ClientCertificate"] = std::move(clientCertificate);
1363
1364 getClientCertificates(
1365 asyncResp,
1366 "/MultiFactorAuth/ClientCertificate/Certificates/Members"_json_pointer);
1367
Ed Tanous1ef4c342022-05-12 16:12:36 -07001368 json["Oem"]["OpenBMC"]["@odata.type"] =
Ed Tanous5b5574a2022-09-26 19:53:36 -07001369 "#OpenBMCAccountService.v1_0_0.AccountService";
Ed Tanous1ef4c342022-05-12 16:12:36 -07001370 json["Oem"]["OpenBMC"]["@odata.id"] =
1371 "/redfish/v1/AccountService#/Oem/OpenBMC";
1372 json["Oem"]["OpenBMC"]["AuthMethods"]["BasicAuth"] =
1373 authMethodsConfig.basic;
1374 json["Oem"]["OpenBMC"]["AuthMethods"]["SessionToken"] =
1375 authMethodsConfig.sessionToken;
1376 json["Oem"]["OpenBMC"]["AuthMethods"]["XToken"] = authMethodsConfig.xtoken;
1377 json["Oem"]["OpenBMC"]["AuthMethods"]["Cookie"] = authMethodsConfig.cookie;
1378 json["Oem"]["OpenBMC"]["AuthMethods"]["TLS"] = authMethodsConfig.tls;
1379
1380 // /redfish/v1/AccountService/LDAP/Certificates is something only
1381 // ConfigureManager can access then only display when the user has
1382 // permissions ConfigureManager
1383 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05001384 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001385
1386 if (isOperationAllowedWithPrivileges({{"ConfigureManager"}},
1387 effectiveUserPrivileges))
1388 {
1389 asyncResp->res.jsonValue["LDAP"]["Certificates"]["@odata.id"] =
1390 "/redfish/v1/AccountService/LDAP/Certificates";
1391 }
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001392 sdbusplus::asio::getAllProperties(
1393 *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1394 "/xyz/openbmc_project/user", "xyz.openbmc_project.User.AccountPolicy",
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001395 [asyncResp](const boost::system::error_code& ec,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001396 const dbus::utility::DBusPropertiesMap& propertiesList) {
1397 if (ec)
1398 {
1399 messages::internalError(asyncResp->res);
1400 return;
1401 }
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001402
Ed Tanous1aa375b2024-04-13 11:51:10 -07001403 BMCWEB_LOG_DEBUG("Got {} properties for AccountService",
Ed Tanous62598e32023-07-17 17:06:25 -07001404 propertiesList.size());
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001405
1406 const uint8_t* minPasswordLength = nullptr;
1407 const uint32_t* accountUnlockTimeout = nullptr;
1408 const uint16_t* maxLoginAttemptBeforeLockout = nullptr;
1409
1410 const bool success = sdbusplus::unpackPropertiesNoThrow(
1411 dbus_utils::UnpackErrorPrinter(), propertiesList,
1412 "MinPasswordLength", minPasswordLength, "AccountUnlockTimeout",
1413 accountUnlockTimeout, "MaxLoginAttemptBeforeLockout",
1414 maxLoginAttemptBeforeLockout);
1415
1416 if (!success)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001417 {
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001418 messages::internalError(asyncResp->res);
1419 return;
Ed Tanous1ef4c342022-05-12 16:12:36 -07001420 }
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001421
1422 if (minPasswordLength != nullptr)
1423 {
1424 asyncResp->res.jsonValue["MinPasswordLength"] = *minPasswordLength;
1425 }
1426
1427 if (accountUnlockTimeout != nullptr)
1428 {
1429 asyncResp->res.jsonValue["AccountLockoutDuration"] =
1430 *accountUnlockTimeout;
1431 }
1432
1433 if (maxLoginAttemptBeforeLockout != nullptr)
1434 {
1435 asyncResp->res.jsonValue["AccountLockoutThreshold"] =
1436 *maxLoginAttemptBeforeLockout;
1437 }
Patrick Williams5a39f772023-10-20 11:20:21 -05001438 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001439
Ed Tanous02cad962022-06-30 16:50:15 -07001440 auto callback = [asyncResp](bool success, const LDAPConfigData& confData,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001441 const std::string& ldapType) {
1442 if (!success)
1443 {
1444 return;
1445 }
1446 parseLDAPConfigData(asyncResp->res.jsonValue, confData, ldapType);
1447 };
1448
1449 getLDAPConfigData("LDAP", callback);
1450 getLDAPConfigData("ActiveDirectory", callback);
1451}
1452
Ed Tanous3ce36882024-06-09 10:58:16 -07001453inline void
1454 handleCertificateMappingAttributePatch(crow::Response& res,
1455 const std::string& certMapAttribute)
1456{
1457 MTLSCommonNameParseMode parseMode =
1458 persistent_data::getMTLSCommonNameParseMode(certMapAttribute);
1459 if (parseMode == MTLSCommonNameParseMode::Invalid)
1460 {
1461 messages::propertyValueNotInList(res, "CertificateMappingAttribute",
1462 certMapAttribute);
1463 return;
1464 }
1465
1466 persistent_data::AuthConfigMethods& authMethodsConfig =
1467 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
1468 authMethodsConfig.mTLSCommonNameParsingMode = parseMode;
1469}
1470
Ed Tanous1ef4c342022-05-12 16:12:36 -07001471inline void handleAccountServicePatch(
1472 App& app, const crow::Request& req,
1473 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1474{
1475 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1476 {
1477 return;
1478 }
1479 std::optional<uint32_t> unlockTimeout;
1480 std::optional<uint16_t> lockoutThreshold;
1481 std::optional<uint8_t> minPasswordLength;
1482 std::optional<uint16_t> maxPasswordLength;
Ed Tanous10cb44f2024-04-11 13:05:20 -07001483 LdapPatchParams ldapObject;
Ed Tanous3ce36882024-06-09 10:58:16 -07001484 std::optional<std::string> certificateMappingAttribute;
Ed Tanous10cb44f2024-04-11 13:05:20 -07001485 LdapPatchParams activeDirectoryObject;
Ed Tanousc1019822024-03-06 12:54:38 -08001486 AuthMethods auth;
Ravi Teja482a69e2024-04-22 06:56:13 -05001487 std::optional<std::string> httpBasicAuth;
Ed Tanous3ce36882024-06-09 10:58:16 -07001488
Ed Tanousc1019822024-03-06 12:54:38 -08001489 // clang-format off
Ed Tanous1ef4c342022-05-12 16:12:36 -07001490 if (!json_util::readJsonPatch(
Ed Tanousc1019822024-03-06 12:54:38 -08001491 req, asyncResp->res,
1492 "AccountLockoutDuration", unlockTimeout,
1493 "AccountLockoutThreshold", lockoutThreshold,
Ed Tanous10cb44f2024-04-11 13:05:20 -07001494 "ActiveDirectory/Authentication/AuthenticationType", activeDirectoryObject.authType,
1495 "ActiveDirectory/Authentication/Password", activeDirectoryObject.password,
1496 "ActiveDirectory/Authentication/Username", activeDirectoryObject.userName,
1497 "ActiveDirectory/LDAPService/SearchSettings/BaseDistinguishedNames", activeDirectoryObject.baseDNList,
1498 "ActiveDirectory/LDAPService/SearchSettings/GroupsAttribute", activeDirectoryObject.groupsAttribute,
1499 "ActiveDirectory/LDAPService/SearchSettings/UsernameAttribute", activeDirectoryObject.userNameAttribute,
1500 "ActiveDirectory/RemoteRoleMapping", activeDirectoryObject.remoteRoleMapData,
1501 "ActiveDirectory/ServiceAddresses", activeDirectoryObject.serviceAddressList,
1502 "ActiveDirectory/ServiceEnabled", activeDirectoryObject.serviceEnabled,
Ed Tanous3ce36882024-06-09 10:58:16 -07001503 "MultiFactorAuth/ClientCertificate/CertificateMappingAttribute", certificateMappingAttribute,
Ed Tanous10cb44f2024-04-11 13:05:20 -07001504 "LDAP/Authentication/AuthenticationType", ldapObject.authType,
1505 "LDAP/Authentication/Password", ldapObject.password,
1506 "LDAP/Authentication/Username", ldapObject.userName,
1507 "LDAP/LDAPService/SearchSettings/BaseDistinguishedNames", ldapObject.baseDNList,
1508 "LDAP/LDAPService/SearchSettings/GroupsAttribute", ldapObject.groupsAttribute,
1509 "LDAP/LDAPService/SearchSettings/UsernameAttribute", ldapObject.userNameAttribute,
1510 "LDAP/RemoteRoleMapping", ldapObject.remoteRoleMapData,
1511 "LDAP/ServiceAddresses", ldapObject.serviceAddressList,
1512 "LDAP/ServiceEnabled", ldapObject.serviceEnabled,
Ed Tanousc1019822024-03-06 12:54:38 -08001513 "MaxPasswordLength", maxPasswordLength,
1514 "MinPasswordLength", minPasswordLength,
Ed Tanousc1019822024-03-06 12:54:38 -08001515 "Oem/OpenBMC/AuthMethods/BasicAuth", auth.basicAuth,
1516 "Oem/OpenBMC/AuthMethods/Cookie", auth.cookie,
1517 "Oem/OpenBMC/AuthMethods/SessionToken", auth.sessionToken,
Ed Tanous10cb44f2024-04-11 13:05:20 -07001518 "Oem/OpenBMC/AuthMethods/TLS", auth.tls,
Ravi Teja482a69e2024-04-22 06:56:13 -05001519 "Oem/OpenBMC/AuthMethods/XToken", auth.xToken,
1520 "HTTPBasicAuth", httpBasicAuth))
Ed Tanous1ef4c342022-05-12 16:12:36 -07001521 {
1522 return;
1523 }
Ed Tanousc1019822024-03-06 12:54:38 -08001524 // clang-format on
Ed Tanous1ef4c342022-05-12 16:12:36 -07001525
Ravi Teja482a69e2024-04-22 06:56:13 -05001526 if (httpBasicAuth)
1527 {
1528 if (*httpBasicAuth == "Enabled")
1529 {
1530 auth.basicAuth = true;
1531 }
1532 else if (*httpBasicAuth == "Disabled")
1533 {
1534 auth.basicAuth = false;
1535 }
1536 else
1537 {
1538 messages::propertyValueNotInList(asyncResp->res, "HttpBasicAuth",
1539 *httpBasicAuth);
1540 }
1541 }
1542
Ed Tanous3ce36882024-06-09 10:58:16 -07001543 if (certificateMappingAttribute)
1544 {
1545 handleCertificateMappingAttributePatch(asyncResp->res,
1546 *certificateMappingAttribute);
1547 }
1548
Ed Tanous1ef4c342022-05-12 16:12:36 -07001549 if (minPasswordLength)
1550 {
Ed Tanousd02aad32024-02-13 14:43:34 -08001551 setDbusProperty(
Ginu Georgee93abac2024-06-14 17:35:27 +05301552 asyncResp, "MinPasswordLength", "xyz.openbmc_project.User.Manager",
Ed Tanousd02aad32024-02-13 14:43:34 -08001553 sdbusplus::message::object_path("/xyz/openbmc_project/user"),
George Liu9ae226f2023-06-21 17:56:46 +08001554 "xyz.openbmc_project.User.AccountPolicy", "MinPasswordLength",
Ginu Georgee93abac2024-06-14 17:35:27 +05301555 *minPasswordLength);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001556 }
1557
1558 if (maxPasswordLength)
1559 {
1560 messages::propertyNotWritable(asyncResp->res, "MaxPasswordLength");
1561 }
1562
Ed Tanous10cb44f2024-04-11 13:05:20 -07001563 handleLDAPPatch(std::move(activeDirectoryObject), asyncResp,
1564 "ActiveDirectory");
1565 handleLDAPPatch(std::move(ldapObject), asyncResp, "LDAP");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001566
Ed Tanousc1019822024-03-06 12:54:38 -08001567 handleAuthMethodsPatch(asyncResp, auth);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001568
Ed Tanous1ef4c342022-05-12 16:12:36 -07001569 if (unlockTimeout)
1570 {
Ed Tanousd02aad32024-02-13 14:43:34 -08001571 setDbusProperty(
Ginu Georgee93abac2024-06-14 17:35:27 +05301572 asyncResp, "AccountLockoutDuration",
1573 "xyz.openbmc_project.User.Manager",
Ed Tanousd02aad32024-02-13 14:43:34 -08001574 sdbusplus::message::object_path("/xyz/openbmc_project/user"),
Ed Tanous1ef4c342022-05-12 16:12:36 -07001575 "xyz.openbmc_project.User.AccountPolicy", "AccountUnlockTimeout",
Ginu Georgee93abac2024-06-14 17:35:27 +05301576 *unlockTimeout);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001577 }
1578 if (lockoutThreshold)
1579 {
Ed Tanousd02aad32024-02-13 14:43:34 -08001580 setDbusProperty(
Ginu Georgee93abac2024-06-14 17:35:27 +05301581 asyncResp, "AccountLockoutThreshold",
1582 "xyz.openbmc_project.User.Manager",
Ed Tanousd02aad32024-02-13 14:43:34 -08001583 sdbusplus::message::object_path("/xyz/openbmc_project/user"),
George Liu9ae226f2023-06-21 17:56:46 +08001584 "xyz.openbmc_project.User.AccountPolicy",
Ginu Georgee93abac2024-06-14 17:35:27 +05301585 "MaxLoginAttemptBeforeLockout", *lockoutThreshold);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001586 }
1587}
1588
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001589inline void handleAccountCollectionHead(
Ed Tanous1ef4c342022-05-12 16:12:36 -07001590 App& app, const crow::Request& req,
1591 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1592{
1593 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1594 {
1595 return;
1596 }
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001597 asyncResp->res.addHeader(
1598 boost::beast::http::field::link,
1599 "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby");
1600}
1601
1602inline void handleAccountCollectionGet(
1603 App& app, const crow::Request& req,
1604 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1605{
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001606 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1607 {
1608 return;
1609 }
Ninad Palsule3e72c202023-03-27 17:19:55 -05001610
1611 if (req.session == nullptr)
1612 {
1613 messages::internalError(asyncResp->res);
1614 return;
1615 }
1616
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001617 asyncResp->res.addHeader(
1618 boost::beast::http::field::link,
1619 "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001620
1621 asyncResp->res.jsonValue["@odata.id"] =
1622 "/redfish/v1/AccountService/Accounts";
1623 asyncResp->res.jsonValue["@odata.type"] = "#ManagerAccountCollection."
1624 "ManagerAccountCollection";
1625 asyncResp->res.jsonValue["Name"] = "Accounts Collection";
1626 asyncResp->res.jsonValue["Description"] = "BMC User Accounts";
1627
1628 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05001629 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001630
1631 std::string thisUser;
1632 if (req.session)
1633 {
1634 thisUser = req.session->username;
1635 }
George Liu5eb468d2023-06-20 17:03:24 +08001636 sdbusplus::message::object_path path("/xyz/openbmc_project/user");
1637 dbus::utility::getManagedObjects(
1638 "xyz.openbmc_project.User.Manager", path,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001639 [asyncResp, thisUser, effectiveUserPrivileges](
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001640 const boost::system::error_code& ec,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001641 const dbus::utility::ManagedObjectType& users) {
1642 if (ec)
1643 {
1644 messages::internalError(asyncResp->res);
1645 return;
1646 }
1647
1648 bool userCanSeeAllAccounts =
1649 effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"});
1650
1651 bool userCanSeeSelf =
1652 effectiveUserPrivileges.isSupersetOf({"ConfigureSelf"});
1653
1654 nlohmann::json& memberArray = asyncResp->res.jsonValue["Members"];
1655 memberArray = nlohmann::json::array();
1656
1657 for (const auto& userpath : users)
1658 {
1659 std::string user = userpath.first.filename();
1660 if (user.empty())
1661 {
1662 messages::internalError(asyncResp->res);
Ed Tanous62598e32023-07-17 17:06:25 -07001663 BMCWEB_LOG_ERROR("Invalid firmware ID");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001664
1665 return;
1666 }
1667
1668 // As clarified by Redfish here:
1669 // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration
1670 // Users without ConfigureUsers, only see their own
1671 // account. Users with ConfigureUsers, see all
1672 // accounts.
1673 if (userCanSeeAllAccounts || (thisUser == user && userCanSeeSelf))
1674 {
1675 nlohmann::json::object_t member;
Ed Tanous3b327802023-08-14 09:23:43 -07001676 member["@odata.id"] = boost::urls::format(
1677 "/redfish/v1/AccountService/Accounts/{}", user);
Patrick Williamsb2ba3072023-05-12 10:27:39 -05001678 memberArray.emplace_back(std::move(member));
Ed Tanous1ef4c342022-05-12 16:12:36 -07001679 }
1680 }
1681 asyncResp->res.jsonValue["Members@odata.count"] = memberArray.size();
Patrick Williams5a39f772023-10-20 11:20:21 -05001682 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001683}
1684
Ninad Palsule97e90da2023-05-17 14:04:52 -05001685inline void processAfterCreateUser(
1686 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1687 const std::string& username, const std::string& password,
1688 const boost::system::error_code& ec, sdbusplus::message_t& m)
1689{
1690 if (ec)
1691 {
1692 userErrorMessageHandler(m.get_error(), asyncResp, username, "");
1693 return;
1694 }
1695
1696 if (pamUpdatePassword(username, password) != PAM_SUCCESS)
1697 {
1698 // At this point we have a user that's been
1699 // created, but the password set
1700 // failed.Something is wrong, so delete the user
1701 // that we've already created
1702 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1703 tempObjPath /= username;
1704 const std::string userPath(tempObjPath);
1705
1706 crow::connections::systemBus->async_method_call(
1707 [asyncResp, password](const boost::system::error_code& ec3) {
1708 if (ec3)
1709 {
1710 messages::internalError(asyncResp->res);
1711 return;
1712 }
1713
1714 // If password is invalid
Jason M. Bills9bd80832023-08-30 15:19:41 -07001715 messages::propertyValueFormatError(asyncResp->res, nullptr,
Ninad Palsule97e90da2023-05-17 14:04:52 -05001716 "Password");
Patrick Williams5a39f772023-10-20 11:20:21 -05001717 },
Ninad Palsule97e90da2023-05-17 14:04:52 -05001718 "xyz.openbmc_project.User.Manager", userPath,
1719 "xyz.openbmc_project.Object.Delete", "Delete");
1720
Ed Tanous62598e32023-07-17 17:06:25 -07001721 BMCWEB_LOG_ERROR("pamUpdatePassword Failed");
Ninad Palsule97e90da2023-05-17 14:04:52 -05001722 return;
1723 }
1724
1725 messages::created(asyncResp->res);
1726 asyncResp->res.addHeader("Location",
1727 "/redfish/v1/AccountService/Accounts/" + username);
1728}
1729
1730inline void processAfterGetAllGroups(
1731 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1732 const std::string& username, const std::string& password,
Ed Tanouse01d0c32023-06-30 13:21:32 -07001733 const std::string& roleId, bool enabled,
Ninad Palsule9ba73932023-06-01 16:38:57 -05001734 std::optional<std::vector<std::string>> accountTypes,
Ninad Palsule97e90da2023-05-17 14:04:52 -05001735 const std::vector<std::string>& allGroupsList)
Ninad Palsule97e90da2023-05-17 14:04:52 -05001736{
Ninad Palsule3e72c202023-03-27 17:19:55 -05001737 std::vector<std::string> userGroups;
Ninad Palsule9ba73932023-06-01 16:38:57 -05001738 std::vector<std::string> accountTypeUserGroups;
1739
1740 // If user specified account types then convert them to unix user groups
1741 if (accountTypes)
1742 {
1743 if (!getUserGroupFromAccountType(asyncResp->res, *accountTypes,
1744 accountTypeUserGroups))
1745 {
1746 // Problem in mapping Account Types to User Groups, Error already
1747 // logged.
1748 return;
1749 }
1750 }
1751
Ninad Palsule3e72c202023-03-27 17:19:55 -05001752 for (const auto& grp : allGroupsList)
1753 {
Ninad Palsule9ba73932023-06-01 16:38:57 -05001754 // If user specified the account type then only accept groups which are
1755 // in the account types group list.
1756 if (!accountTypeUserGroups.empty())
1757 {
1758 bool found = false;
1759 for (const auto& grp1 : accountTypeUserGroups)
1760 {
1761 if (grp == grp1)
1762 {
1763 found = true;
1764 break;
1765 }
1766 }
1767 if (!found)
1768 {
1769 continue;
1770 }
1771 }
1772
Ninad Palsule3e72c202023-03-27 17:19:55 -05001773 // Console access is provided to the user who is a member of
1774 // hostconsole group and has a administrator role. So, set
1775 // hostconsole group only for the administrator.
Ninad Palsule9ba73932023-06-01 16:38:57 -05001776 if ((grp == "hostconsole") && (roleId != "priv-admin"))
Ninad Palsule3e72c202023-03-27 17:19:55 -05001777 {
Ninad Palsule9ba73932023-06-01 16:38:57 -05001778 if (!accountTypeUserGroups.empty())
1779 {
Ed Tanous62598e32023-07-17 17:06:25 -07001780 BMCWEB_LOG_ERROR(
1781 "Only administrator can get HostConsole access");
Ninad Palsule9ba73932023-06-01 16:38:57 -05001782 asyncResp->res.result(boost::beast::http::status::bad_request);
1783 return;
1784 }
1785 continue;
Ninad Palsule3e72c202023-03-27 17:19:55 -05001786 }
Ninad Palsule9ba73932023-06-01 16:38:57 -05001787 userGroups.emplace_back(grp);
1788 }
1789
1790 // Make sure user specified groups are valid. This is internal error because
1791 // it some inconsistencies between user manager and bmcweb.
1792 if (!accountTypeUserGroups.empty() &&
1793 accountTypeUserGroups.size() != userGroups.size())
1794 {
1795 messages::internalError(asyncResp->res);
1796 return;
Ninad Palsule3e72c202023-03-27 17:19:55 -05001797 }
Ninad Palsule97e90da2023-05-17 14:04:52 -05001798 crow::connections::systemBus->async_method_call(
1799 [asyncResp, username, password](const boost::system::error_code& ec2,
1800 sdbusplus::message_t& m) {
1801 processAfterCreateUser(asyncResp, username, password, ec2, m);
Patrick Williams5a39f772023-10-20 11:20:21 -05001802 },
Ninad Palsule97e90da2023-05-17 14:04:52 -05001803 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
Ninad Palsule3e72c202023-03-27 17:19:55 -05001804 "xyz.openbmc_project.User.Manager", "CreateUser", username, userGroups,
Ed Tanouse01d0c32023-06-30 13:21:32 -07001805 roleId, enabled);
Ninad Palsule97e90da2023-05-17 14:04:52 -05001806}
1807
Ed Tanous1ef4c342022-05-12 16:12:36 -07001808inline void handleAccountCollectionPost(
1809 App& app, const crow::Request& req,
1810 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1811{
1812 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1813 {
1814 return;
1815 }
1816 std::string username;
1817 std::string password;
Ed Tanouse01d0c32023-06-30 13:21:32 -07001818 std::optional<std::string> roleIdJson;
1819 std::optional<bool> enabledJson;
Ninad Palsule9ba73932023-06-01 16:38:57 -05001820 std::optional<std::vector<std::string>> accountTypes;
Ed Tanouse01d0c32023-06-30 13:21:32 -07001821 if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", username,
1822 "Password", password, "RoleId", roleIdJson,
1823 "Enabled", enabledJson, "AccountTypes",
1824 accountTypes))
Ed Tanous1ef4c342022-05-12 16:12:36 -07001825 {
1826 return;
1827 }
1828
Ed Tanouse01d0c32023-06-30 13:21:32 -07001829 std::string roleId = roleIdJson.value_or("User");
1830 std::string priv = getPrivilegeFromRoleId(roleId);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001831 if (priv.empty())
1832 {
Ed Tanouse01d0c32023-06-30 13:21:32 -07001833 messages::propertyValueNotInList(asyncResp->res, roleId, "RoleId");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001834 return;
1835 }
Asmitha Karunanithi239adf82022-03-25 02:59:03 -05001836 roleId = priv;
Ed Tanous1ef4c342022-05-12 16:12:36 -07001837
Ed Tanouse01d0c32023-06-30 13:21:32 -07001838 bool enabled = enabledJson.value_or(true);
1839
Ed Tanous1ef4c342022-05-12 16:12:36 -07001840 // Reading AllGroups property
1841 sdbusplus::asio::getProperty<std::vector<std::string>>(
1842 *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1843 "/xyz/openbmc_project/user", "xyz.openbmc_project.User.Manager",
1844 "AllGroups",
Ninad Palsule9ba73932023-06-01 16:38:57 -05001845 [asyncResp, username, password{std::move(password)}, roleId, enabled,
1846 accountTypes](const boost::system::error_code& ec,
1847 const std::vector<std::string>& allGroupsList) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07001848 if (ec)
1849 {
Ed Tanous62598e32023-07-17 17:06:25 -07001850 BMCWEB_LOG_DEBUG("ERROR with async_method_call");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001851 messages::internalError(asyncResp->res);
1852 return;
1853 }
1854
1855 if (allGroupsList.empty())
1856 {
1857 messages::internalError(asyncResp->res);
1858 return;
1859 }
1860
Ninad Palsule97e90da2023-05-17 14:04:52 -05001861 processAfterGetAllGroups(asyncResp, username, password, roleId, enabled,
Ninad Palsule9ba73932023-06-01 16:38:57 -05001862 accountTypes, allGroupsList);
Patrick Williams5a39f772023-10-20 11:20:21 -05001863 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001864}
1865
1866inline void
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001867 handleAccountHead(App& app, const crow::Request& req,
1868 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1869 const std::string& /*accountName*/)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001870{
1871 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1872 {
1873 return;
1874 }
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001875 asyncResp->res.addHeader(
1876 boost::beast::http::field::link,
1877 "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby");
1878}
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001879
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001880inline void
1881 handleAccountGet(App& app, const crow::Request& req,
1882 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1883 const std::string& accountName)
1884{
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001885 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1886 {
1887 return;
1888 }
1889 asyncResp->res.addHeader(
1890 boost::beast::http::field::link,
1891 "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby");
1892
Ed Tanous25b54db2024-04-17 15:40:31 -07001893 if constexpr (BMCWEB_INSECURE_DISABLE_AUTH)
1894 {
1895 // If authentication is disabled, there are no user accounts
1896 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1897 accountName);
1898 return;
1899 }
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001900
Ed Tanous1ef4c342022-05-12 16:12:36 -07001901 if (req.session == nullptr)
1902 {
1903 messages::internalError(asyncResp->res);
1904 return;
1905 }
1906 if (req.session->username != accountName)
1907 {
1908 // At this point we've determined that the user is trying to
1909 // modify a user that isn't them. We need to verify that they
1910 // have permissions to modify other users, so re-run the auth
1911 // check with the same permissions, minus ConfigureSelf.
1912 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05001913 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001914 Privileges requiredPermissionsToChangeNonSelf = {"ConfigureUsers",
1915 "ConfigureManager"};
1916 if (!effectiveUserPrivileges.isSupersetOf(
1917 requiredPermissionsToChangeNonSelf))
1918 {
Ed Tanous62598e32023-07-17 17:06:25 -07001919 BMCWEB_LOG_DEBUG("GET Account denied access");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001920 messages::insufficientPrivilege(asyncResp->res);
1921 return;
1922 }
1923 }
1924
George Liu5eb468d2023-06-20 17:03:24 +08001925 sdbusplus::message::object_path path("/xyz/openbmc_project/user");
1926 dbus::utility::getManagedObjects(
1927 "xyz.openbmc_project.User.Manager", path,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001928 [asyncResp,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001929 accountName](const boost::system::error_code& ec,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001930 const dbus::utility::ManagedObjectType& users) {
1931 if (ec)
1932 {
1933 messages::internalError(asyncResp->res);
1934 return;
1935 }
Ed Tanous3544d2a2023-08-06 18:12:20 -07001936 const auto userIt = std::ranges::find_if(
Michael Shen80f79a42023-08-24 13:41:53 +00001937 users,
1938 [accountName](
1939 const std::pair<sdbusplus::message::object_path,
1940 dbus::utility::DBusInterfacesMap>& user) {
1941 return accountName == user.first.filename();
Patrick Williams5a39f772023-10-20 11:20:21 -05001942 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001943
1944 if (userIt == users.end())
1945 {
1946 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1947 accountName);
1948 return;
1949 }
1950
1951 asyncResp->res.jsonValue["@odata.type"] =
Abhishek Patel58345852022-02-02 08:54:25 -06001952 "#ManagerAccount.v1_7_0.ManagerAccount";
Ed Tanous1ef4c342022-05-12 16:12:36 -07001953 asyncResp->res.jsonValue["Name"] = "User Account";
1954 asyncResp->res.jsonValue["Description"] = "User Account";
1955 asyncResp->res.jsonValue["Password"] = nullptr;
Abhishek Patel58345852022-02-02 08:54:25 -06001956 asyncResp->res.jsonValue["StrictAccountTypes"] = true;
Ed Tanous1ef4c342022-05-12 16:12:36 -07001957
1958 for (const auto& interface : userIt->second)
1959 {
1960 if (interface.first == "xyz.openbmc_project.User.Attributes")
1961 {
1962 for (const auto& property : interface.second)
1963 {
1964 if (property.first == "UserEnabled")
1965 {
1966 const bool* userEnabled =
1967 std::get_if<bool>(&property.second);
1968 if (userEnabled == nullptr)
1969 {
Ed Tanous62598e32023-07-17 17:06:25 -07001970 BMCWEB_LOG_ERROR("UserEnabled wasn't a bool");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001971 messages::internalError(asyncResp->res);
1972 return;
1973 }
1974 asyncResp->res.jsonValue["Enabled"] = *userEnabled;
1975 }
1976 else if (property.first == "UserLockedForFailedAttempt")
1977 {
1978 const bool* userLocked =
1979 std::get_if<bool>(&property.second);
1980 if (userLocked == nullptr)
1981 {
Ed Tanous62598e32023-07-17 17:06:25 -07001982 BMCWEB_LOG_ERROR("UserLockedForF"
1983 "ailedAttempt "
1984 "wasn't a bool");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001985 messages::internalError(asyncResp->res);
1986 return;
1987 }
1988 asyncResp->res.jsonValue["Locked"] = *userLocked;
Ed Tanous20fa6a22024-05-20 18:02:58 -07001989 nlohmann::json::array_t allowed;
1990 // can only unlock accounts
1991 allowed.emplace_back("false");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001992 asyncResp->res
Ed Tanous20fa6a22024-05-20 18:02:58 -07001993 .jsonValue["Locked@Redfish.AllowableValues"] =
1994 std::move(allowed);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001995 }
1996 else if (property.first == "UserPrivilege")
1997 {
1998 const std::string* userPrivPtr =
1999 std::get_if<std::string>(&property.second);
2000 if (userPrivPtr == nullptr)
2001 {
Ed Tanous62598e32023-07-17 17:06:25 -07002002 BMCWEB_LOG_ERROR("UserPrivilege wasn't a "
2003 "string");
Ed Tanous1ef4c342022-05-12 16:12:36 -07002004 messages::internalError(asyncResp->res);
2005 return;
2006 }
2007 std::string role = getRoleIdFromPrivilege(*userPrivPtr);
2008 if (role.empty())
2009 {
Ed Tanous62598e32023-07-17 17:06:25 -07002010 BMCWEB_LOG_ERROR("Invalid user role");
Ed Tanous1ef4c342022-05-12 16:12:36 -07002011 messages::internalError(asyncResp->res);
2012 return;
2013 }
2014 asyncResp->res.jsonValue["RoleId"] = role;
2015
2016 nlohmann::json& roleEntry =
2017 asyncResp->res.jsonValue["Links"]["Role"];
Ed Tanous3b327802023-08-14 09:23:43 -07002018 roleEntry["@odata.id"] = boost::urls::format(
2019 "/redfish/v1/AccountService/Roles/{}", role);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002020 }
2021 else if (property.first == "UserPasswordExpired")
2022 {
2023 const bool* userPasswordExpired =
2024 std::get_if<bool>(&property.second);
2025 if (userPasswordExpired == nullptr)
2026 {
Ed Tanous62598e32023-07-17 17:06:25 -07002027 BMCWEB_LOG_ERROR(
2028 "UserPasswordExpired wasn't a bool");
Ed Tanous1ef4c342022-05-12 16:12:36 -07002029 messages::internalError(asyncResp->res);
2030 return;
2031 }
2032 asyncResp->res.jsonValue["PasswordChangeRequired"] =
2033 *userPasswordExpired;
2034 }
Abhishek Patelc7229812022-02-01 10:07:15 -06002035 else if (property.first == "UserGroups")
2036 {
2037 const std::vector<std::string>* userGroups =
2038 std::get_if<std::vector<std::string>>(
2039 &property.second);
2040 if (userGroups == nullptr)
2041 {
Ed Tanous62598e32023-07-17 17:06:25 -07002042 BMCWEB_LOG_ERROR(
2043 "userGroups wasn't a string vector");
Abhishek Patelc7229812022-02-01 10:07:15 -06002044 messages::internalError(asyncResp->res);
2045 return;
2046 }
2047 if (!translateUserGroup(*userGroups, asyncResp->res))
2048 {
Ed Tanous62598e32023-07-17 17:06:25 -07002049 BMCWEB_LOG_ERROR("userGroups mapping failed");
Abhishek Patelc7229812022-02-01 10:07:15 -06002050 messages::internalError(asyncResp->res);
2051 return;
2052 }
2053 }
Ed Tanous1ef4c342022-05-12 16:12:36 -07002054 }
2055 }
2056 }
2057
Ed Tanous3b327802023-08-14 09:23:43 -07002058 asyncResp->res.jsonValue["@odata.id"] = boost::urls::format(
2059 "/redfish/v1/AccountService/Accounts/{}", accountName);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002060 asyncResp->res.jsonValue["Id"] = accountName;
2061 asyncResp->res.jsonValue["UserName"] = accountName;
Patrick Williams5a39f772023-10-20 11:20:21 -05002062 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07002063}
2064
2065inline void
Gunnar Mills20fc3072023-01-27 15:13:36 -06002066 handleAccountDelete(App& app, const crow::Request& req,
2067 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
2068 const std::string& username)
Ed Tanous1ef4c342022-05-12 16:12:36 -07002069{
2070 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
2071 {
2072 return;
2073 }
2074
Ed Tanous25b54db2024-04-17 15:40:31 -07002075 if constexpr (BMCWEB_INSECURE_DISABLE_AUTH)
2076 {
2077 // If authentication is disabled, there are no user accounts
2078 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
2079 return;
2080 }
Ed Tanous1ef4c342022-05-12 16:12:36 -07002081 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
2082 tempObjPath /= username;
2083 const std::string userPath(tempObjPath);
2084
2085 crow::connections::systemBus->async_method_call(
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08002086 [asyncResp, username](const boost::system::error_code& ec) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07002087 if (ec)
2088 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08002089 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
Ed Tanous1ef4c342022-05-12 16:12:36 -07002090 username);
2091 return;
2092 }
2093
2094 messages::accountRemoved(asyncResp->res);
Patrick Williams5a39f772023-10-20 11:20:21 -05002095 },
Ed Tanous1ef4c342022-05-12 16:12:36 -07002096 "xyz.openbmc_project.User.Manager", userPath,
2097 "xyz.openbmc_project.Object.Delete", "Delete");
2098}
2099
2100inline void
2101 handleAccountPatch(App& app, const crow::Request& req,
2102 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
2103 const std::string& username)
2104{
2105 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
2106 {
2107 return;
2108 }
Ed Tanous25b54db2024-04-17 15:40:31 -07002109 if constexpr (BMCWEB_INSECURE_DISABLE_AUTH)
2110 {
2111 // If authentication is disabled, there are no user accounts
2112 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
2113 return;
2114 }
Ed Tanous1ef4c342022-05-12 16:12:36 -07002115 std::optional<std::string> newUserName;
2116 std::optional<std::string> password;
2117 std::optional<bool> enabled;
2118 std::optional<std::string> roleId;
2119 std::optional<bool> locked;
Abhishek Patel58345852022-02-02 08:54:25 -06002120 std::optional<std::vector<std::string>> accountTypes;
2121
Ed Tanous1ef4c342022-05-12 16:12:36 -07002122 if (req.session == nullptr)
2123 {
2124 messages::internalError(asyncResp->res);
2125 return;
2126 }
2127
Ed Tanous2b9c1df2024-04-06 13:52:01 -07002128 bool userSelf = (username == req.session->username);
2129
Ed Tanous1ef4c342022-05-12 16:12:36 -07002130 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05002131 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002132 Privileges configureUsers = {"ConfigureUsers"};
2133 bool userHasConfigureUsers =
2134 effectiveUserPrivileges.isSupersetOf(configureUsers);
2135 if (userHasConfigureUsers)
2136 {
2137 // Users with ConfigureUsers can modify for all users
Abhishek Patel58345852022-02-02 08:54:25 -06002138 if (!json_util::readJsonPatch(
2139 req, asyncResp->res, "UserName", newUserName, "Password",
2140 password, "RoleId", roleId, "Enabled", enabled, "Locked",
2141 locked, "AccountTypes", accountTypes))
Ed Tanous1ef4c342022-05-12 16:12:36 -07002142 {
2143 return;
2144 }
2145 }
2146 else
2147 {
2148 // ConfigureSelf accounts can only modify their own account
Abhishek Patel58345852022-02-02 08:54:25 -06002149 if (!userSelf)
Ed Tanous1ef4c342022-05-12 16:12:36 -07002150 {
2151 messages::insufficientPrivilege(asyncResp->res);
2152 return;
2153 }
2154
2155 // ConfigureSelf accounts can only modify their password
2156 if (!json_util::readJsonPatch(req, asyncResp->res, "Password",
2157 password))
2158 {
2159 return;
2160 }
2161 }
2162
2163 // if user name is not provided in the patch method or if it
2164 // matches the user name in the URI, then we are treating it as
2165 // updating user properties other then username. If username
2166 // provided doesn't match the URI, then we are treating this as
2167 // user rename request.
2168 if (!newUserName || (newUserName.value() == username))
2169 {
2170 updateUserProperties(asyncResp, username, password, enabled, roleId,
Ravi Tejae518ef32024-05-16 10:33:08 -05002171 locked, accountTypes, userSelf, req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002172 return;
2173 }
2174 crow::connections::systemBus->async_method_call(
2175 [asyncResp, username, password(std::move(password)),
2176 roleId(std::move(roleId)), enabled, newUser{std::string(*newUserName)},
Ravi Tejae518ef32024-05-16 10:33:08 -05002177 locked, userSelf, req, accountTypes(std::move(accountTypes))](
Ed Tanouse81de512023-06-27 17:07:00 -07002178 const boost::system::error_code& ec, sdbusplus::message_t& m) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07002179 if (ec)
2180 {
2181 userErrorMessageHandler(m.get_error(), asyncResp, newUser,
2182 username);
2183 return;
2184 }
2185
2186 updateUserProperties(asyncResp, newUser, password, enabled, roleId,
Ravi Tejae518ef32024-05-16 10:33:08 -05002187 locked, accountTypes, userSelf, req.session);
Patrick Williams5a39f772023-10-20 11:20:21 -05002188 },
Ed Tanous1ef4c342022-05-12 16:12:36 -07002189 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
2190 "xyz.openbmc_project.User.Manager", "RenameUser", username,
2191 *newUserName);
2192}
2193
Ed Tanous6c51eab2021-06-03 12:30:29 -07002194inline void requestAccountServiceRoutes(App& app)
Ed Tanousb9b2e0b2018-09-13 13:47:50 -07002195{
Ed Tanous6c51eab2021-06-03 12:30:29 -07002196 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Ed Tanous4c7d4d32022-07-07 15:29:35 -07002197 .privileges(redfish::privileges::headAccountService)
2198 .methods(boost::beast::http::verb::head)(
2199 std::bind_front(handleAccountServiceHead, std::ref(app)));
2200
2201 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Ed Tanoused398212021-06-09 17:05:54 -07002202 .privileges(redfish::privileges::getAccountService)
Ed Tanous002d39b2022-05-31 08:59:27 -07002203 .methods(boost::beast::http::verb::get)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002204 std::bind_front(handleAccountServiceGet, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002205
Ed Tanousf5ffd802021-07-19 10:55:33 -07002206 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Gunnar Mills1ec43ee2022-01-04 15:39:52 -06002207 .privileges(redfish::privileges::patchAccountService)
Ed Tanousf5ffd802021-07-19 10:55:33 -07002208 .methods(boost::beast::http::verb::patch)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002209 std::bind_front(handleAccountServicePatch, std::ref(app)));
Ed Tanousf5ffd802021-07-19 10:55:33 -07002210
Ed Tanous1aa375b2024-04-13 11:51:10 -07002211 BMCWEB_ROUTE(
2212 app,
2213 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates")
2214 .privileges(redfish::privileges::headCertificateCollection)
2215 .methods(boost::beast::http::verb::head)(std::bind_front(
2216 handleAccountServiceClientCertificatesHead, std::ref(app)));
2217
2218 BMCWEB_ROUTE(
2219 app,
2220 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates")
2221 .privileges(redfish::privileges::getCertificateCollection)
2222 .methods(boost::beast::http::verb::get)(std::bind_front(
2223 handleAccountServiceClientCertificatesGet, std::ref(app)));
2224
2225 BMCWEB_ROUTE(
2226 app,
2227 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/<str>")
2228 .privileges(redfish::privileges::headCertificate)
2229 .methods(boost::beast::http::verb::head)(std::bind_front(
2230 handleAccountServiceClientCertificatesInstanceHead, std::ref(app)));
2231
2232 BMCWEB_ROUTE(
2233 app,
2234 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/<str>/")
2235 .privileges(redfish::privileges::getCertificate)
2236 .methods(boost::beast::http::verb::get)(std::bind_front(
2237 handleAccountServiceClientCertificatesInstanceGet, std::ref(app)));
2238
Ed Tanous6c51eab2021-06-03 12:30:29 -07002239 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanous4c7d4d32022-07-07 15:29:35 -07002240 .privileges(redfish::privileges::headManagerAccountCollection)
2241 .methods(boost::beast::http::verb::head)(
2242 std::bind_front(handleAccountCollectionHead, std::ref(app)));
2243
2244 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanoused398212021-06-09 17:05:54 -07002245 .privileges(redfish::privileges::getManagerAccountCollection)
Ed Tanous6c51eab2021-06-03 12:30:29 -07002246 .methods(boost::beast::http::verb::get)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002247 std::bind_front(handleAccountCollectionGet, std::ref(app)));
Ed Tanous06e086d2018-09-19 17:19:52 -07002248
Ed Tanous6c51eab2021-06-03 12:30:29 -07002249 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanoused398212021-06-09 17:05:54 -07002250 .privileges(redfish::privileges::postManagerAccountCollection)
Ed Tanous002d39b2022-05-31 08:59:27 -07002251 .methods(boost::beast::http::verb::post)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002252 std::bind_front(handleAccountCollectionPost, std::ref(app)));
Ed Tanous002d39b2022-05-31 08:59:27 -07002253
2254 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanous4c7d4d32022-07-07 15:29:35 -07002255 .privileges(redfish::privileges::headManagerAccount)
2256 .methods(boost::beast::http::verb::head)(
2257 std::bind_front(handleAccountHead, std::ref(app)));
2258
2259 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanous002d39b2022-05-31 08:59:27 -07002260 .privileges(redfish::privileges::getManagerAccount)
2261 .methods(boost::beast::http::verb::get)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002262 std::bind_front(handleAccountGet, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002263
2264 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -07002265 // TODO this privilege should be using the generated endpoints, but
2266 // because of the special handling of ConfigureSelf, it's not able to
2267 // yet
Ed Tanous6c51eab2021-06-03 12:30:29 -07002268 .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}})
2269 .methods(boost::beast::http::verb::patch)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002270 std::bind_front(handleAccountPatch, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002271
2272 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -07002273 .privileges(redfish::privileges::deleteManagerAccount)
Ed Tanous6c51eab2021-06-03 12:30:29 -07002274 .methods(boost::beast::http::verb::delete_)(
Gunnar Mills20fc3072023-01-27 15:13:36 -06002275 std::bind_front(handleAccountDelete, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002276}
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +01002277
Ed Tanous1abe55e2018-09-05 08:30:59 -07002278} // namespace redfish