Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / e7b1b62b39ba31ba368c42cb6f4fa7af43c65961 / . / redfish-core / lib / account_service.hpp
blob: 6e7cf288be868e20c14bd2917466eb696431b51e [file] [log] [blame]
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]1/*
2// Copyright (c) 2018 Intel Corporation
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15*/
16#pragma once
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]17
John Edward Broadbent7e860f12021-04-08 15:57:16 -0700[diff] [blame]18#include <app.hpp>
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]19#include <dbus_utility.hpp>
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]20#include <error_messages.hpp>
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]21#include <openbmc_dbus_rest.hpp>
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]22#include <persistent_data.hpp>
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]23#include <registries/privilege_registry.hpp>
Jonathan Doman1e1e5982021-06-11 09:36:17 -0700[diff] [blame]24#include <sdbusplus/asio/property.hpp>
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]25#include <utils/json_utils.hpp>
Gunnar Mills1214b7e2020-06-04 10:11:30 -0500[diff] [blame]26
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]27namespace redfish
28{
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]29
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]30constexpr const char* ldapConfigObjectName =
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]31 "/xyz/openbmc_project/user/ldap/openldap";
Ed Tanous2c70f802020-09-28 14:29:23 -0700[diff] [blame]32constexpr const char* adConfigObject =
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]33 "/xyz/openbmc_project/user/ldap/active_directory";
34
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +0530[diff] [blame]35constexpr const char* rootUserDbusPath = "/xyz/openbmc_project/user/";
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]36constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap";
37constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config";
38constexpr const char* ldapConfigInterface =
39 "xyz.openbmc_project.User.Ldap.Config";
40constexpr const char* ldapCreateInterface =
41 "xyz.openbmc_project.User.Ldap.Create";
42constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable";
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]43constexpr const char* ldapPrivMapperInterface =
44 "xyz.openbmc_project.User.PrivilegeMapper";
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]45constexpr const char* dbusObjManagerIntf = "org.freedesktop.DBus.ObjectManager";
46constexpr const char* propertyInterface = "org.freedesktop.DBus.Properties";
47constexpr const char* mapperBusName = "xyz.openbmc_project.ObjectMapper";
48constexpr const char* mapperObjectPath = "/xyz/openbmc_project/object_mapper";
49constexpr const char* mapperIntf = "xyz.openbmc_project.ObjectMapper";
50
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]51struct LDAPRoleMapData
52{
53 std::string groupName;
54 std::string privilege;
55};
56
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]57struct LDAPConfigData
58{
59 std::string uri{};
60 std::string bindDN{};
61 std::string baseDN{};
62 std::string searchScope{};
63 std::string serverType{};
64 bool serviceEnabled = false;
65 std::string userNameAttribute{};
66 std::string groupAttribute{};
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]67 std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList;
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]68};
69
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]70inline std::string getRoleIdFromPrivilege(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]71{
72 if (role == "priv-admin")
73 {
74 return "Administrator";
75 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]76 if (role == "priv-user")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]77 {
AppaRao Pulic80fee52019-10-16 14:49:36 +0530[diff] [blame]78 return "ReadOnly";
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]79 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]80 if (role == "priv-operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]81 {
82 return "Operator";
83 }
Ed Tanous26f69762022-01-25 09:49:11 -0800[diff] [blame]84 if (role.empty() || (role == "priv-noaccess"))
jayaprakash Mutyalae9e6d242019-07-29 11:59:08 +0000[diff] [blame]85 {
86 return "NoAccess";
87 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]88 return "";
89}
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]90inline std::string getPrivilegeFromRoleId(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]91{
92 if (role == "Administrator")
93 {
94 return "priv-admin";
95 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]96 if (role == "ReadOnly")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]97 {
98 return "priv-user";
99 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]100 if (role == "Operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]101 {
102 return "priv-operator";
103 }
Ed Tanous26f69762022-01-25 09:49:11 -0800[diff] [blame]104 if ((role == "NoAccess") || (role.empty()))
jayaprakash Mutyalae9e6d242019-07-29 11:59:08 +0000[diff] [blame]105 {
106 return "priv-noaccess";
107 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]108 return "";
109}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]110
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]111inline void userErrorMessageHandler(
112 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
113 const std::string& newUser, const std::string& username)
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]114{
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]115 if (e == nullptr)
116 {
117 messages::internalError(asyncResp->res);
118 return;
119 }
120
Manojkiran Eda055806b2020-11-03 09:36:28 +0530[diff] [blame]121 const char* errorMessage = e->name;
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]122 if (strcmp(errorMessage,
123 "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0)
124 {
125 messages::resourceAlreadyExists(asyncResp->res,
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]126 "#ManagerAccount.v1_4_0.ManagerAccount",
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]127 "UserName", newUser);
128 }
129 else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
130 "UserNameDoesNotExist") == 0)
131 {
132 messages::resourceNotFound(
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]133 asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", username);
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]134 }
Ed Tanousd4d25792020-09-29 15:15:03 -0700[diff] [blame]135 else if ((strcmp(errorMessage,
136 "xyz.openbmc_project.Common.Error.InvalidArgument") ==
137 0) ||
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]138 (strcmp(
139 errorMessage,
140 "xyz.openbmc_project.User.Common.Error.UserNameGroupFail") ==
141 0))
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]142 {
143 messages::propertyValueFormatError(asyncResp->res, newUser, "UserName");
144 }
145 else if (strcmp(errorMessage,
146 "xyz.openbmc_project.User.Common.Error.NoResource") == 0)
147 {
148 messages::createLimitReachedForResource(asyncResp->res);
149 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]150 else
151 {
152 messages::internalError(asyncResp->res);
153 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]154}
155
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]156inline void parseLDAPConfigData(nlohmann::json& jsonResponse,
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]157 const LDAPConfigData& confData,
158 const std::string& ldapType)
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]159{
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]160 std::string service =
161 (ldapType == "LDAP") ? "LDAPService" : "ActiveDirectoryService";
Marri Devender Rao37cce912019-02-20 01:05:22 -0600[diff] [blame]162 nlohmann::json ldap = {
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]163 {"ServiceEnabled", confData.serviceEnabled},
164 {"ServiceAddresses", nlohmann::json::array({confData.uri})},
165 {"Authentication",
166 {{"AuthenticationType", "UsernameAndPassword"},
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]167 {"Username", confData.bindDN},
168 {"Password", nullptr}}},
169 {"LDAPService",
170 {{"SearchSettings",
171 {{"BaseDistinguishedNames",
172 nlohmann::json::array({confData.baseDN})},
173 {"UsernameAttribute", confData.userNameAttribute},
174 {"GroupsAttribute", confData.groupAttribute}}}}},
175 };
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]176
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]177 jsonResponse[ldapType].update(ldap);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]178
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]179 nlohmann::json& roleMapArray = jsonResponse[ldapType]["RemoteRoleMapping"];
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]180 roleMapArray = nlohmann::json::array();
Ed Tanous9eb808c2022-01-25 10:19:23 -0800[diff] [blame]181 for (const auto& obj : confData.groupRoleList)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]182 {
183 BMCWEB_LOG_DEBUG << "Pushing the data groupName="
184 << obj.second.groupName << "\n";
185 roleMapArray.push_back(
186 {nlohmann::json::array({"RemoteGroup", obj.second.groupName}),
187 nlohmann::json::array(
188 {"LocalRole", getRoleIdFromPrivilege(obj.second.privilege)})});
189 }
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]190}
191
192/**
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]193 * @brief validates given JSON input and then calls appropriate method to
194 * create, to delete or to set Rolemapping object based on the given input.
195 *
196 */
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]197inline void handleRoleMapPatch(
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]198 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]199 const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData,
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]200 const std::string& serverType, const std::vector<nlohmann::json>& input)
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]201{
202 for (size_t index = 0; index < input.size(); index++)
203 {
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]204 const nlohmann::json& thisJson = input[index];
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]205
206 if (thisJson.is_null())
207 {
208 // delete the existing object
209 if (index < roleMapObjData.size())
210 {
211 crow::connections::systemBus->async_method_call(
212 [asyncResp, roleMapObjData, serverType,
213 index](const boost::system::error_code ec) {
214 if (ec)
215 {
216 BMCWEB_LOG_ERROR << "DBUS response error: " << ec;
217 messages::internalError(asyncResp->res);
218 return;
219 }
220 asyncResp->res
221 .jsonValue[serverType]["RemoteRoleMapping"][index] =
222 nullptr;
223 },
224 ldapDbusService, roleMapObjData[index].first,
225 "xyz.openbmc_project.Object.Delete", "Delete");
226 }
227 else
228 {
229 BMCWEB_LOG_ERROR << "Can't delete the object";
230 messages::propertyValueTypeError(
Ed Tanous71f52d92021-02-19 08:51:17 -0800[diff] [blame]231 asyncResp->res,
232 thisJson.dump(2, ' ', true,
233 nlohmann::json::error_handler_t::replace),
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]234 "RemoteRoleMapping/" + std::to_string(index));
235 return;
236 }
237 }
238 else if (thisJson.empty())
239 {
240 // Don't do anything for the empty objects,parse next json
241 // eg {"RemoteRoleMapping",[{}]}
242 }
243 else
244 {
245 // update/create the object
246 std::optional<std::string> remoteGroup;
247 std::optional<std::string> localRole;
248
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]249 // This is a copy, but it's required in this case because of how
250 // readJson is structured
251 nlohmann::json thisJsonCopy = thisJson;
252 if (!json_util::readJson(thisJsonCopy, asyncResp->res,
253 "RemoteGroup", remoteGroup, "LocalRole",
254 localRole))
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]255 {
256 continue;
257 }
258
259 // Update existing RoleMapping Object
260 if (index < roleMapObjData.size())
261 {
262 BMCWEB_LOG_DEBUG << "Update Role Map Object";
263 // If "RemoteGroup" info is provided
264 if (remoteGroup)
265 {
266 crow::connections::systemBus->async_method_call(
267 [asyncResp, roleMapObjData, serverType, index,
268 remoteGroup](const boost::system::error_code ec) {
269 if (ec)
270 {
271 BMCWEB_LOG_ERROR << "DBUS response error: "
272 << ec;
273 messages::internalError(asyncResp->res);
274 return;
275 }
276 asyncResp->res
277 .jsonValue[serverType]["RemoteRoleMapping"]
278 [index]["RemoteGroup"] = *remoteGroup;
279 },
280 ldapDbusService, roleMapObjData[index].first,
281 propertyInterface, "Set",
282 "xyz.openbmc_project.User.PrivilegeMapperEntry",
283 "GroupName",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]284 dbus::utility::DbusVariantType(
285 std::move(*remoteGroup)));
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]286 }
287
288 // If "LocalRole" info is provided
289 if (localRole)
290 {
291 crow::connections::systemBus->async_method_call(
292 [asyncResp, roleMapObjData, serverType, index,
293 localRole](const boost::system::error_code ec) {
294 if (ec)
295 {
296 BMCWEB_LOG_ERROR << "DBUS response error: "
297 << ec;
298 messages::internalError(asyncResp->res);
299 return;
300 }
301 asyncResp->res
302 .jsonValue[serverType]["RemoteRoleMapping"]
303 [index]["LocalRole"] = *localRole;
304 },
305 ldapDbusService, roleMapObjData[index].first,
306 propertyInterface, "Set",
307 "xyz.openbmc_project.User.PrivilegeMapperEntry",
308 "Privilege",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]309 dbus::utility::DbusVariantType(
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]310 getPrivilegeFromRoleId(std::move(*localRole))));
311 }
312 }
313 // Create a new RoleMapping Object.
314 else
315 {
316 BMCWEB_LOG_DEBUG
317 << "setRoleMappingProperties: Creating new Object";
318 std::string pathString =
319 "RemoteRoleMapping/" + std::to_string(index);
320
321 if (!localRole)
322 {
323 messages::propertyMissing(asyncResp->res,
324 pathString + "/LocalRole");
325 continue;
326 }
327 if (!remoteGroup)
328 {
329 messages::propertyMissing(asyncResp->res,
330 pathString + "/RemoteGroup");
331 continue;
332 }
333
334 std::string dbusObjectPath;
335 if (serverType == "ActiveDirectory")
336 {
Ed Tanous2c70f802020-09-28 14:29:23 -0700[diff] [blame]337 dbusObjectPath = adConfigObject;
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]338 }
339 else if (serverType == "LDAP")
340 {
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]341 dbusObjectPath = ldapConfigObjectName;
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]342 }
343
344 BMCWEB_LOG_DEBUG << "Remote Group=" << *remoteGroup
345 << ",LocalRole=" << *localRole;
346
347 crow::connections::systemBus->async_method_call(
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]348 [asyncResp, serverType, localRole,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]349 remoteGroup](const boost::system::error_code ec) {
350 if (ec)
351 {
352 BMCWEB_LOG_ERROR << "DBUS response error: " << ec;
353 messages::internalError(asyncResp->res);
354 return;
355 }
356 nlohmann::json& remoteRoleJson =
357 asyncResp->res
358 .jsonValue[serverType]["RemoteRoleMapping"];
359 remoteRoleJson.push_back(
360 {{"LocalRole", *localRole},
361 {"RemoteGroup", *remoteGroup}});
362 },
363 ldapDbusService, dbusObjectPath, ldapPrivMapperInterface,
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]364 "Create", *remoteGroup,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]365 getPrivilegeFromRoleId(std::move(*localRole)));
366 }
367 }
368 }
369}
370
371/**
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]372 * Function that retrieves all properties for LDAP config object
373 * into JSON
374 */
375template <typename CallbackFunc>
376inline void getLDAPConfigData(const std::string& ldapType,
377 CallbackFunc&& callback)
378{
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]379
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]380 const std::array<const char*, 2> interfaces = {ldapEnableInterface,
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]381 ldapConfigInterface};
382
383 crow::connections::systemBus->async_method_call(
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]384 [callback, ldapType](const boost::system::error_code ec,
Ed Tanousb9d36b42022-02-26 21:42:46 -0800[diff] [blame]385 const dbus::utility::MapperGetObject& resp) {
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]386 if (ec || resp.empty())
387 {
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]388 BMCWEB_LOG_ERROR
389 << "DBUS response error during getting of service name: "
390 << ec;
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]391 LDAPConfigData empty{};
392 callback(false, empty, ldapType);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]393 return;
394 }
395 std::string service = resp.begin()->first;
396 crow::connections::systemBus->async_method_call(
Ed Tanous711ac7a2021-12-20 09:34:41 -0800[diff] [blame]397 [callback, ldapType](
398 const boost::system::error_code errorCode,
399 const dbus::utility::ManagedObjectType& ldapObjects) {
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]400 LDAPConfigData confData{};
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]401 if (errorCode)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]402 {
403 callback(false, confData, ldapType);
404 BMCWEB_LOG_ERROR << "D-Bus responses error: "
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]405 << errorCode;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]406 return;
407 }
408
409 std::string ldapDbusType;
410 std::string searchString;
411
412 if (ldapType == "LDAP")
413 {
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]414 ldapDbusType =
415 "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap";
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]416 searchString = "openldap";
417 }
418 else if (ldapType == "ActiveDirectory")
419 {
420 ldapDbusType =
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]421 "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory";
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]422 searchString = "active_directory";
423 }
424 else
425 {
426 BMCWEB_LOG_ERROR
427 << "Can't get the DbusType for the given type="
428 << ldapType;
429 callback(false, confData, ldapType);
430 return;
431 }
432
433 std::string ldapEnableInterfaceStr = ldapEnableInterface;
434 std::string ldapConfigInterfaceStr = ldapConfigInterface;
435
436 for (const auto& object : ldapObjects)
437 {
438 // let's find the object whose ldap type is equal to the
439 // given type
440 if (object.first.str.find(searchString) ==
441 std::string::npos)
442 {
443 continue;
444 }
445
446 for (const auto& interface : object.second)
447 {
448 if (interface.first == ldapEnableInterfaceStr)
449 {
450 // rest of the properties are string.
451 for (const auto& property : interface.second)
452 {
453 if (property.first == "Enabled")
454 {
455 const bool* value =
456 std::get_if<bool>(&property.second);
457 if (value == nullptr)
458 {
459 continue;
460 }
461 confData.serviceEnabled = *value;
462 break;
463 }
464 }
465 }
466 else if (interface.first == ldapConfigInterfaceStr)
467 {
468
469 for (const auto& property : interface.second)
470 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]471 const std::string* strValue =
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]472 std::get_if<std::string>(
473 &property.second);
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]474 if (strValue == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]475 {
476 continue;
477 }
478 if (property.first == "LDAPServerURI")
479 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]480 confData.uri = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]481 }
482 else if (property.first == "LDAPBindDN")
483 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]484 confData.bindDN = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]485 }
486 else if (property.first == "LDAPBaseDN")
487 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]488 confData.baseDN = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]489 }
490 else if (property.first ==
491 "LDAPSearchScope")
492 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]493 confData.searchScope = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]494 }
495 else if (property.first ==
496 "GroupNameAttribute")
497 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]498 confData.groupAttribute = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]499 }
500 else if (property.first ==
501 "UserNameAttribute")
502 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]503 confData.userNameAttribute = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]504 }
505 else if (property.first == "LDAPType")
506 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]507 confData.serverType = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]508 }
509 }
510 }
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]511 else if (
512 interface.first ==
513 "xyz.openbmc_project.User.PrivilegeMapperEntry")
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]514 {
515 LDAPRoleMapData roleMapData{};
516 for (const auto& property : interface.second)
517 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]518 const std::string* strValue =
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]519 std::get_if<std::string>(
520 &property.second);
521
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]522 if (strValue == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]523 {
524 continue;
525 }
526
527 if (property.first == "GroupName")
528 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]529 roleMapData.groupName = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]530 }
531 else if (property.first == "Privilege")
532 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]533 roleMapData.privilege = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]534 }
535 }
536
Ed Tanous0f0353b2019-10-24 11:37:51 -0700[diff] [blame]537 confData.groupRoleList.emplace_back(
538 object.first.str, roleMapData);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]539 }
540 }
541 }
542 callback(true, confData, ldapType);
543 },
544 service, ldapRootObject, dbusObjManagerIntf,
545 "GetManagedObjects");
546 },
547 mapperBusName, mapperObjectPath, mapperIntf, "GetObject",
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]548 ldapConfigObjectName, interfaces);
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]549}
550
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]551/**
552 * @brief parses the authentication section under the LDAP
553 * @param input JSON data
554 * @param asyncResp pointer to the JSON response
555 * @param userName userName to be filled from the given JSON.
556 * @param password password to be filled from the given JSON.
557 */
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]558inline void parseLDAPAuthenticationJson(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]559 nlohmann::json input, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
560 std::optional<std::string>& username, std::optional<std::string>& password)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]561{
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]562 std::optional<std::string> authType;
563
564 if (!json_util::readJson(input, asyncResp->res, "AuthenticationType",
565 authType, "Username", username, "Password",
566 password))
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]567 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]568 return;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]569 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]570 if (!authType)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]571 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]572 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]573 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]574 if (*authType != "UsernameAndPassword")
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]575 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]576 messages::propertyValueNotInList(asyncResp->res, *authType,
577 "AuthenticationType");
578 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]579 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]580}
581/**
582 * @brief parses the LDAPService section under the LDAP
583 * @param input JSON data
584 * @param asyncResp pointer to the JSON response
585 * @param baseDNList baseDN to be filled from the given JSON.
586 * @param userNameAttribute userName to be filled from the given JSON.
587 * @param groupaAttribute password to be filled from the given JSON.
588 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]589
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]590inline void
591 parseLDAPServiceJson(nlohmann::json input,
592 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
593 std::optional<std::vector<std::string>>& baseDNList,
594 std::optional<std::string>& userNameAttribute,
595 std::optional<std::string>& groupsAttribute)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]596{
597 std::optional<nlohmann::json> searchSettings;
598
599 if (!json_util::readJson(input, asyncResp->res, "SearchSettings",
600 searchSettings))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]601 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]602 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]603 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]604 if (!searchSettings)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]605 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]606 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]607 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]608 if (!json_util::readJson(*searchSettings, asyncResp->res,
609 "BaseDistinguishedNames", baseDNList,
610 "UsernameAttribute", userNameAttribute,
611 "GroupsAttribute", groupsAttribute))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]612 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]613 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]614 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]615}
616/**
617 * @brief updates the LDAP server address and updates the
618 json response with the new value.
619 * @param serviceAddressList address to be updated.
620 * @param asyncResp pointer to the JSON response
621 * @param ldapServerElementName Type of LDAP
622 server(openLDAP/ActiveDirectory)
623 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]624
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]625inline void handleServiceAddressPatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]626 const std::vector<std::string>& serviceAddressList,
627 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
628 const std::string& ldapServerElementName,
629 const std::string& ldapConfigObject)
630{
631 crow::connections::systemBus->async_method_call(
632 [asyncResp, ldapServerElementName,
633 serviceAddressList](const boost::system::error_code ec) {
634 if (ec)
635 {
636 BMCWEB_LOG_DEBUG
637 << "Error Occurred in updating the service address";
638 messages::internalError(asyncResp->res);
639 return;
640 }
641 std::vector<std::string> modifiedserviceAddressList = {
642 serviceAddressList.front()};
643 asyncResp->res
644 .jsonValue[ldapServerElementName]["ServiceAddresses"] =
645 modifiedserviceAddressList;
646 if ((serviceAddressList).size() > 1)
647 {
648 messages::propertyValueModified(asyncResp->res,
649 "ServiceAddresses",
650 serviceAddressList.front());
651 }
652 BMCWEB_LOG_DEBUG << "Updated the service address";
653 },
654 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
655 ldapConfigInterface, "LDAPServerURI",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]656 dbus::utility::DbusVariantType(serviceAddressList.front()));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]657}
658/**
659 * @brief updates the LDAP Bind DN and updates the
660 json response with the new value.
661 * @param username name of the user which needs to be updated.
662 * @param asyncResp pointer to the JSON response
663 * @param ldapServerElementName Type of LDAP
664 server(openLDAP/ActiveDirectory)
665 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]666
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]667inline void
668 handleUserNamePatch(const std::string& username,
669 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
670 const std::string& ldapServerElementName,
671 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]672{
673 crow::connections::systemBus->async_method_call(
674 [asyncResp, username,
675 ldapServerElementName](const boost::system::error_code ec) {
676 if (ec)
677 {
678 BMCWEB_LOG_DEBUG << "Error occurred in updating the username";
679 messages::internalError(asyncResp->res);
680 return;
681 }
682 asyncResp->res.jsonValue[ldapServerElementName]["Authentication"]
683 ["Username"] = username;
684 BMCWEB_LOG_DEBUG << "Updated the username";
685 },
686 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]687 ldapConfigInterface, "LDAPBindDN",
688 dbus::utility::DbusVariantType(username));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]689}
690
691/**
692 * @brief updates the LDAP password
693 * @param password : ldap password which needs to be updated.
694 * @param asyncResp pointer to the JSON response
695 * @param ldapServerElementName Type of LDAP
696 * server(openLDAP/ActiveDirectory)
697 */
698
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]699inline void
700 handlePasswordPatch(const std::string& password,
701 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
702 const std::string& ldapServerElementName,
703 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]704{
705 crow::connections::systemBus->async_method_call(
706 [asyncResp, password,
707 ldapServerElementName](const boost::system::error_code ec) {
708 if (ec)
709 {
710 BMCWEB_LOG_DEBUG << "Error occurred in updating the password";
711 messages::internalError(asyncResp->res);
712 return;
713 }
714 asyncResp->res.jsonValue[ldapServerElementName]["Authentication"]
715 ["Password"] = "";
716 BMCWEB_LOG_DEBUG << "Updated the password";
717 },
718 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
719 ldapConfigInterface, "LDAPBindDNPassword",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]720 dbus::utility::DbusVariantType(password));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]721}
722
723/**
724 * @brief updates the LDAP BaseDN and updates the
725 json response with the new value.
726 * @param baseDNList baseDN list which needs to be updated.
727 * @param asyncResp pointer to the JSON response
728 * @param ldapServerElementName Type of LDAP
729 server(openLDAP/ActiveDirectory)
730 */
731
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]732inline void
733 handleBaseDNPatch(const std::vector<std::string>& baseDNList,
734 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
735 const std::string& ldapServerElementName,
736 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]737{
738 crow::connections::systemBus->async_method_call(
739 [asyncResp, baseDNList,
740 ldapServerElementName](const boost::system::error_code ec) {
741 if (ec)
742 {
743 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the base DN";
744 messages::internalError(asyncResp->res);
745 return;
746 }
747 auto& serverTypeJson =
748 asyncResp->res.jsonValue[ldapServerElementName];
749 auto& searchSettingsJson =
750 serverTypeJson["LDAPService"]["SearchSettings"];
751 std::vector<std::string> modifiedBaseDNList = {baseDNList.front()};
752 searchSettingsJson["BaseDistinguishedNames"] = modifiedBaseDNList;
753 if (baseDNList.size() > 1)
754 {
755 messages::propertyValueModified(asyncResp->res,
756 "BaseDistinguishedNames",
757 baseDNList.front());
758 }
759 BMCWEB_LOG_DEBUG << "Updated the base DN";
760 },
761 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
762 ldapConfigInterface, "LDAPBaseDN",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]763 dbus::utility::DbusVariantType(baseDNList.front()));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]764}
765/**
766 * @brief updates the LDAP user name attribute and updates the
767 json response with the new value.
768 * @param userNameAttribute attribute to be updated.
769 * @param asyncResp pointer to the JSON response
770 * @param ldapServerElementName Type of LDAP
771 server(openLDAP/ActiveDirectory)
772 */
773
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]774inline void
775 handleUserNameAttrPatch(const std::string& userNameAttribute,
776 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
777 const std::string& ldapServerElementName,
778 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]779{
780 crow::connections::systemBus->async_method_call(
781 [asyncResp, userNameAttribute,
782 ldapServerElementName](const boost::system::error_code ec) {
783 if (ec)
784 {
785 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the "
786 "username attribute";
787 messages::internalError(asyncResp->res);
788 return;
789 }
790 auto& serverTypeJson =
791 asyncResp->res.jsonValue[ldapServerElementName];
792 auto& searchSettingsJson =
793 serverTypeJson["LDAPService"]["SearchSettings"];
794 searchSettingsJson["UsernameAttribute"] = userNameAttribute;
795 BMCWEB_LOG_DEBUG << "Updated the user name attr.";
796 },
797 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
798 ldapConfigInterface, "UserNameAttribute",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]799 dbus::utility::DbusVariantType(userNameAttribute));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]800}
801/**
802 * @brief updates the LDAP group attribute and updates the
803 json response with the new value.
804 * @param groupsAttribute attribute to be updated.
805 * @param asyncResp pointer to the JSON response
806 * @param ldapServerElementName Type of LDAP
807 server(openLDAP/ActiveDirectory)
808 */
809
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]810inline void handleGroupNameAttrPatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]811 const std::string& groupsAttribute,
812 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
813 const std::string& ldapServerElementName,
814 const std::string& ldapConfigObject)
815{
816 crow::connections::systemBus->async_method_call(
817 [asyncResp, groupsAttribute,
818 ldapServerElementName](const boost::system::error_code ec) {
819 if (ec)
820 {
821 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the "
822 "groupname attribute";
823 messages::internalError(asyncResp->res);
824 return;
825 }
826 auto& serverTypeJson =
827 asyncResp->res.jsonValue[ldapServerElementName];
828 auto& searchSettingsJson =
829 serverTypeJson["LDAPService"]["SearchSettings"];
830 searchSettingsJson["GroupsAttribute"] = groupsAttribute;
831 BMCWEB_LOG_DEBUG << "Updated the groupname attr";
832 },
833 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
834 ldapConfigInterface, "GroupNameAttribute",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]835 dbus::utility::DbusVariantType(groupsAttribute));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]836}
837/**
838 * @brief updates the LDAP service enable and updates the
839 json response with the new value.
840 * @param input JSON data.
841 * @param asyncResp pointer to the JSON response
842 * @param ldapServerElementName Type of LDAP
843 server(openLDAP/ActiveDirectory)
844 */
845
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]846inline void handleServiceEnablePatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]847 bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
848 const std::string& ldapServerElementName,
849 const std::string& ldapConfigObject)
850{
851 crow::connections::systemBus->async_method_call(
852 [asyncResp, serviceEnabled,
853 ldapServerElementName](const boost::system::error_code ec) {
854 if (ec)
855 {
856 BMCWEB_LOG_DEBUG
857 << "Error Occurred in Updating the service enable";
858 messages::internalError(asyncResp->res);
859 return;
860 }
861 asyncResp->res.jsonValue[ldapServerElementName]["ServiceEnabled"] =
862 serviceEnabled;
863 BMCWEB_LOG_DEBUG << "Updated Service enable = " << serviceEnabled;
864 },
865 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]866 ldapEnableInterface, "Enabled",
867 dbus::utility::DbusVariantType(serviceEnabled));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]868}
869
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]870inline void
871 handleAuthMethodsPatch(nlohmann::json& input,
872 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]873{
874 std::optional<bool> basicAuth;
875 std::optional<bool> cookie;
876 std::optional<bool> sessionToken;
877 std::optional<bool> xToken;
878 std::optional<bool> tls;
879
880 if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth,
881 "Cookie", cookie, "SessionToken", sessionToken,
882 "XToken", xToken, "TLS", tls))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]883 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]884 BMCWEB_LOG_ERROR << "Cannot read values from AuthMethod tag";
885 return;
886 }
887
888 // Make a copy of methods configuration
889 persistent_data::AuthConfigMethods authMethodsConfig =
890 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
891
892 if (basicAuth)
893 {
894#ifndef BMCWEB_ENABLE_BASIC_AUTHENTICATION
895 messages::actionNotSupported(
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]896 asyncResp->res,
897 "Setting BasicAuth when basic-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]898 return;
899#endif
900 authMethodsConfig.basic = *basicAuth;
901 }
902
903 if (cookie)
904 {
905#ifndef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]906 messages::actionNotSupported(
907 asyncResp->res,
908 "Setting Cookie when cookie-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]909 return;
910#endif
911 authMethodsConfig.cookie = *cookie;
912 }
913
914 if (sessionToken)
915 {
916#ifndef BMCWEB_ENABLE_SESSION_AUTHENTICATION
917 messages::actionNotSupported(
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]918 asyncResp->res,
919 "Setting SessionToken when session-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]920 return;
921#endif
922 authMethodsConfig.sessionToken = *sessionToken;
923 }
924
925 if (xToken)
926 {
927#ifndef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]928 messages::actionNotSupported(
929 asyncResp->res,
930 "Setting XToken when xtoken-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]931 return;
932#endif
933 authMethodsConfig.xtoken = *xToken;
934 }
935
936 if (tls)
937 {
938#ifndef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]939 messages::actionNotSupported(
940 asyncResp->res,
941 "Setting TLS when mutual-tls-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]942 return;
943#endif
944 authMethodsConfig.tls = *tls;
945 }
946
947 if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
948 !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
949 !authMethodsConfig.tls)
950 {
951 // Do not allow user to disable everything
952 messages::actionNotSupported(asyncResp->res,
953 "of disabling all available methods");
954 return;
955 }
956
957 persistent_data::SessionStore::getInstance().updateAuthMethodsConfig(
958 authMethodsConfig);
959 // Save configuration immediately
960 persistent_data::getConfig().writeData();
961
962 messages::success(asyncResp->res);
963}
964
965/**
966 * @brief Get the required values from the given JSON, validates the
967 * value and create the LDAP config object.
968 * @param input JSON data
969 * @param asyncResp pointer to the JSON response
970 * @param serverType Type of LDAP server(openLDAP/ActiveDirectory)
971 */
972
973inline void handleLDAPPatch(nlohmann::json& input,
974 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
975 const std::string& serverType)
976{
977 std::string dbusObjectPath;
978 if (serverType == "ActiveDirectory")
979 {
980 dbusObjectPath = adConfigObject;
981 }
982 else if (serverType == "LDAP")
983 {
984 dbusObjectPath = ldapConfigObjectName;
985 }
986 else
987 {
988 return;
989 }
990
991 std::optional<nlohmann::json> authentication;
992 std::optional<nlohmann::json> ldapService;
993 std::optional<std::vector<std::string>> serviceAddressList;
994 std::optional<bool> serviceEnabled;
995 std::optional<std::vector<std::string>> baseDNList;
996 std::optional<std::string> userNameAttribute;
997 std::optional<std::string> groupsAttribute;
998 std::optional<std::string> userName;
999 std::optional<std::string> password;
1000 std::optional<std::vector<nlohmann::json>> remoteRoleMapData;
1001
1002 if (!json_util::readJson(input, asyncResp->res, "Authentication",
1003 authentication, "LDAPService", ldapService,
1004 "ServiceAddresses", serviceAddressList,
1005 "ServiceEnabled", serviceEnabled,
1006 "RemoteRoleMapping", remoteRoleMapData))
1007 {
1008 return;
1009 }
1010
1011 if (authentication)
1012 {
1013 parseLDAPAuthenticationJson(*authentication, asyncResp, userName,
1014 password);
1015 }
1016 if (ldapService)
1017 {
1018 parseLDAPServiceJson(*ldapService, asyncResp, baseDNList,
1019 userNameAttribute, groupsAttribute);
1020 }
1021 if (serviceAddressList)
1022 {
Ed Tanous26f69762022-01-25 09:49:11 -0800[diff] [blame]1023 if (serviceAddressList->empty())
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1024 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1025 messages::propertyValueNotInList(asyncResp->res, "[]",
1026 "ServiceAddress");
Ed Tanouscb13a392020-07-25 19:02:03 +0000[diff] [blame]1027 return;
1028 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1029 }
1030 if (baseDNList)
1031 {
Ed Tanous26f69762022-01-25 09:49:11 -0800[diff] [blame]1032 if (baseDNList->empty())
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1033 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1034 messages::propertyValueNotInList(asyncResp->res, "[]",
1035 "BaseDistinguishedNames");
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1036 return;
1037 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1038 }
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1039
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1040 // nothing to update, then return
1041 if (!userName && !password && !serviceAddressList && !baseDNList &&
1042 !userNameAttribute && !groupsAttribute && !serviceEnabled &&
1043 !remoteRoleMapData)
1044 {
1045 return;
1046 }
1047
1048 // Get the existing resource first then keep modifying
1049 // whenever any property gets updated.
1050 getLDAPConfigData(serverType, [asyncResp, userName, password, baseDNList,
1051 userNameAttribute, groupsAttribute,
1052 serviceAddressList, serviceEnabled,
1053 dbusObjectPath, remoteRoleMapData](
1054 bool success,
1055 const LDAPConfigData& confData,
1056 const std::string& serverT) {
1057 if (!success)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1058 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1059 messages::internalError(asyncResp->res);
1060 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1061 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1062 parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT);
1063 if (confData.serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1064 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1065 // Disable the service first and update the rest of
1066 // the properties.
1067 handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1068 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1069
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1070 if (serviceAddressList)
1071 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1072 handleServiceAddressPatch(*serviceAddressList, asyncResp, serverT,
1073 dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1074 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1075 if (userName)
1076 {
1077 handleUserNamePatch(*userName, asyncResp, serverT, dbusObjectPath);
1078 }
1079 if (password)
1080 {
1081 handlePasswordPatch(*password, asyncResp, serverT, dbusObjectPath);
1082 }
1083
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1084 if (baseDNList)
1085 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1086 handleBaseDNPatch(*baseDNList, asyncResp, serverT, dbusObjectPath);
1087 }
1088 if (userNameAttribute)
1089 {
1090 handleUserNameAttrPatch(*userNameAttribute, asyncResp, serverT,
1091 dbusObjectPath);
1092 }
1093 if (groupsAttribute)
1094 {
1095 handleGroupNameAttrPatch(*groupsAttribute, asyncResp, serverT,
1096 dbusObjectPath);
1097 }
1098 if (serviceEnabled)
1099 {
1100 // if user has given the value as true then enable
1101 // the service. if user has given false then no-op
1102 // as service is already stopped.
1103 if (*serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1104 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1105 handleServiceEnablePatch(*serviceEnabled, asyncResp, serverT,
1106 dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1107 }
1108 }
jayaprakash Mutyala96200602020-04-08 11:09:10 +0000[diff] [blame]1109 else
1110 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1111 // if user has not given the service enabled value
1112 // then revert it to the same state as it was
1113 // before.
1114 handleServiceEnablePatch(confData.serviceEnabled, asyncResp,
1115 serverT, dbusObjectPath);
jayaprakash Mutyala96200602020-04-08 11:09:10 +0000[diff] [blame]1116 }
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1117
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1118 if (remoteRoleMapData)
1119 {
1120 handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT,
1121 *remoteRoleMapData);
1122 }
1123 });
1124}
1125
1126inline void updateUserProperties(std::shared_ptr<bmcweb::AsyncResp> asyncResp,
1127 const std::string& username,
1128 std::optional<std::string> password,
1129 std::optional<bool> enabled,
1130 std::optional<std::string> roleId,
1131 std::optional<bool> locked)
1132{
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +0530[diff] [blame]1133 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1134 tempObjPath /= username;
1135 std::string dbusObjectPath(tempObjPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1136
1137 dbus::utility::checkDbusPathExists(
1138 dbusObjectPath,
Ed Tanous11063332021-09-24 11:55:44 -0700[diff] [blame]1139 [dbusObjectPath, username, password(std::move(password)),
1140 roleId(std::move(roleId)), enabled, locked,
1141 asyncResp{std::move(asyncResp)}](int rc) {
Ed Tanouse662eae2022-01-25 10:39:19 -0800[diff] [blame]1142 if (rc <= 0)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1143 {
1144 messages::resourceNotFound(
1145 asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
1146 username);
1147 return;
1148 }
1149
1150 if (password)
1151 {
1152 int retval = pamUpdatePassword(username, *password);
1153
1154 if (retval == PAM_USER_UNKNOWN)
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1155 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1156 messages::resourceNotFound(
1157 asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
1158 username);
1159 }
1160 else if (retval == PAM_AUTHTOK_ERR)
1161 {
1162 // If password is invalid
1163 messages::propertyValueFormatError(asyncResp->res,
1164 *password, "Password");
1165 BMCWEB_LOG_ERROR << "pamUpdatePassword Failed";
1166 }
1167 else if (retval != PAM_SUCCESS)
1168 {
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1169 messages::internalError(asyncResp->res);
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1170 return;
1171 }
Ed Tanouse7b1b622022-03-24 19:14:03 -0700[diff] [blame^]1172 else
1173 {
1174 messages::success(asyncResp->res);
1175 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1176 }
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1177
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1178 if (enabled)
1179 {
1180 crow::connections::systemBus->async_method_call(
1181 [asyncResp](const boost::system::error_code ec) {
1182 if (ec)
1183 {
1184 BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec;
1185 messages::internalError(asyncResp->res);
1186 return;
1187 }
1188 messages::success(asyncResp->res);
1189 return;
1190 },
Ed Tanouse05aec52022-01-25 10:28:56 -0800[diff] [blame]1191 "xyz.openbmc_project.User.Manager", dbusObjectPath,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1192 "org.freedesktop.DBus.Properties", "Set",
1193 "xyz.openbmc_project.User.Attributes", "UserEnabled",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1194 dbus::utility::DbusVariantType{*enabled});
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1195 }
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1196
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1197 if (roleId)
1198 {
1199 std::string priv = getPrivilegeFromRoleId(*roleId);
1200 if (priv.empty())
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1201 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1202 messages::propertyValueNotInList(asyncResp->res, *roleId,
1203 "RoleId");
1204 return;
1205 }
1206 if (priv == "priv-noaccess")
1207 {
1208 priv = "";
1209 }
1210
1211 crow::connections::systemBus->async_method_call(
1212 [asyncResp](const boost::system::error_code ec) {
1213 if (ec)
1214 {
1215 BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec;
1216 messages::internalError(asyncResp->res);
1217 return;
1218 }
1219 messages::success(asyncResp->res);
1220 },
Ed Tanouse05aec52022-01-25 10:28:56 -0800[diff] [blame]1221 "xyz.openbmc_project.User.Manager", dbusObjectPath,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1222 "org.freedesktop.DBus.Properties", "Set",
1223 "xyz.openbmc_project.User.Attributes", "UserPrivilege",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1224 dbus::utility::DbusVariantType{priv});
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1225 }
1226
1227 if (locked)
1228 {
1229 // admin can unlock the account which is locked by
1230 // successive authentication failures but admin should
1231 // not be allowed to lock an account.
1232 if (*locked)
1233 {
1234 messages::propertyValueNotInList(asyncResp->res, "true",
1235 "Locked");
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1236 return;
1237 }
1238
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1239 crow::connections::systemBus->async_method_call(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1240 [asyncResp](const boost::system::error_code ec) {
1241 if (ec)
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1242 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1243 BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec;
1244 messages::internalError(asyncResp->res);
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1245 return;
1246 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1247 messages::success(asyncResp->res);
1248 return;
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1249 },
Ed Tanouse05aec52022-01-25 10:28:56 -0800[diff] [blame]1250 "xyz.openbmc_project.User.Manager", dbusObjectPath,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1251 "org.freedesktop.DBus.Properties", "Set",
1252 "xyz.openbmc_project.User.Attributes",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1253 "UserLockedForFailedAttempt",
1254 dbus::utility::DbusVariantType{*locked});
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1255 }
1256 });
1257}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1258
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1259inline void requestAccountServiceRoutes(App& app)
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1260{
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1261
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1262 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]1263 .privileges(redfish::privileges::getAccountService)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1264 .methods(
Abhishek Patel72048782021-06-02 09:53:24 -0500[diff] [blame]1265 boost::beast::http::verb::get)([](const crow::Request& req,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1266 const std::shared_ptr<
1267 bmcweb::AsyncResp>& asyncResp)
1268 -> void {
1269 const persistent_data::AuthConfigMethods& authMethodsConfig =
1270 persistent_data::SessionStore::getInstance()
1271 .getAuthMethodsConfig();
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1272
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1273 asyncResp->res.jsonValue = {
1274 {"@odata.id", "/redfish/v1/AccountService"},
1275 {"@odata.type", "#AccountService."
1276 "v1_5_0.AccountService"},
1277 {"Id", "AccountService"},
1278 {"Name", "Account Service"},
1279 {"Description", "Account Service"},
1280 {"ServiceEnabled", true},
1281 {"MaxPasswordLength", 20},
1282 {"Accounts",
1283 {{"@odata.id", "/redfish/v1/AccountService/Accounts"}}},
1284 {"Roles", {{"@odata.id", "/redfish/v1/AccountService/Roles"}}},
1285 {"Oem",
1286 {{"OpenBMC",
1287 {{"@odata.type", "#OemAccountService.v1_0_0.AccountService"},
Ed Tanousd8e3c292021-09-21 18:01:43 -0700[diff] [blame]1288 {"@odata.id", "/redfish/v1/AccountService#/Oem/OpenBMC"},
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1289 {"AuthMethods",
1290 {
1291 {"BasicAuth", authMethodsConfig.basic},
1292 {"SessionToken", authMethodsConfig.sessionToken},
1293 {"XToken", authMethodsConfig.xtoken},
1294 {"Cookie", authMethodsConfig.cookie},
1295 {"TLS", authMethodsConfig.tls},
Abhishek Patel72048782021-06-02 09:53:24 -0500[diff] [blame]1296 }}}}}}};
1297 // /redfish/v1/AccountService/LDAP/Certificates is something only
1298 // ConfigureManager can access then only display when the user has
1299 // permissions ConfigureManager
1300 Privileges effectiveUserPrivileges =
1301 redfish::getUserPrivileges(req.userRole);
1302
1303 if (isOperationAllowedWithPrivileges({{"ConfigureManager"}},
1304 effectiveUserPrivileges))
1305 {
1306 asyncResp->res.jsonValue["LDAP"] = {
1307 {"Certificates",
1308 {{"@odata.id",
1309 "/redfish/v1/AccountService/LDAP/Certificates"}}}};
1310 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1311 crow::connections::systemBus->async_method_call(
1312 [asyncResp](
1313 const boost::system::error_code ec,
Ed Tanousb9d36b42022-02-26 21:42:46 -0800[diff] [blame]1314 const dbus::utility::DBusPropertiesMap& propertiesList) {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1315 if (ec)
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1316 {
1317 messages::internalError(asyncResp->res);
1318 return;
1319 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1320 BMCWEB_LOG_DEBUG << "Got " << propertiesList.size()
1321 << "properties for AccountService";
1322 for (const std::pair<std::string,
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1323 dbus::utility::DbusVariantType>&
1324 property : propertiesList)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1325 {
1326 if (property.first == "MinPasswordLength")
1327 {
1328 const uint8_t* value =
1329 std::get_if<uint8_t>(&property.second);
1330 if (value != nullptr)
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1331 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1332 asyncResp->res.jsonValue["MinPasswordLength"] =
1333 *value;
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1334 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1335 }
1336 if (property.first == "AccountUnlockTimeout")
1337 {
1338 const uint32_t* value =
1339 std::get_if<uint32_t>(&property.second);
1340 if (value != nullptr)
1341 {
1342 asyncResp->res
1343 .jsonValue["AccountLockoutDuration"] =
1344 *value;
1345 }
1346 }
1347 if (property.first == "MaxLoginAttemptBeforeLockout")
1348 {
1349 const uint16_t* value =
1350 std::get_if<uint16_t>(&property.second);
1351 if (value != nullptr)
1352 {
1353 asyncResp->res
1354 .jsonValue["AccountLockoutThreshold"] =
1355 *value;
1356 }
1357 }
1358 }
1359 },
1360 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1361 "org.freedesktop.DBus.Properties", "GetAll",
1362 "xyz.openbmc_project.User.AccountPolicy");
1363
1364 auto callback = [asyncResp](bool success, LDAPConfigData& confData,
1365 const std::string& ldapType) {
1366 if (!success)
1367 {
1368 return;
1369 }
1370 parseLDAPConfigData(asyncResp->res.jsonValue, confData,
1371 ldapType);
1372 };
1373
1374 getLDAPConfigData("LDAP", callback);
1375 getLDAPConfigData("ActiveDirectory", callback);
1376 });
1377
Ed Tanousf5ffd802021-07-19 10:55:33 -0700[diff] [blame]1378 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Gunnar Mills1ec43ee2022-01-04 15:39:52 -0600[diff] [blame]1379 .privileges(redfish::privileges::patchAccountService)
Ed Tanousf5ffd802021-07-19 10:55:33 -0700[diff] [blame]1380 .methods(boost::beast::http::verb::patch)(
1381 [](const crow::Request& req,
1382 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) -> void {
1383 std::optional<uint32_t> unlockTimeout;
1384 std::optional<uint16_t> lockoutThreshold;
Paul Fertseref73ad02022-01-21 19:44:40 +0000[diff] [blame]1385 std::optional<uint8_t> minPasswordLength;
Ed Tanousf5ffd802021-07-19 10:55:33 -0700[diff] [blame]1386 std::optional<uint16_t> maxPasswordLength;
1387 std::optional<nlohmann::json> ldapObject;
1388 std::optional<nlohmann::json> activeDirectoryObject;
1389 std::optional<nlohmann::json> oemObject;
1390
Willy Tu15ed6782021-12-14 11:03:16 -0800[diff] [blame]1391 if (!json_util::readJsonPatch(
Ed Tanousf5ffd802021-07-19 10:55:33 -0700[diff] [blame]1392 req, asyncResp->res, "AccountLockoutDuration",
1393 unlockTimeout, "AccountLockoutThreshold",
1394 lockoutThreshold, "MaxPasswordLength",
1395 maxPasswordLength, "MinPasswordLength",
1396 minPasswordLength, "LDAP", ldapObject,
1397 "ActiveDirectory", activeDirectoryObject, "Oem",
1398 oemObject))
1399 {
1400 return;
1401 }
1402
1403 if (minPasswordLength)
1404 {
Paul Fertseref73ad02022-01-21 19:44:40 +0000[diff] [blame]1405 crow::connections::systemBus->async_method_call(
1406 [asyncResp](const boost::system::error_code ec) {
1407 if (ec)
1408 {
1409 messages::internalError(asyncResp->res);
1410 return;
1411 }
1412 messages::success(asyncResp->res);
1413 },
1414 "xyz.openbmc_project.User.Manager",
1415 "/xyz/openbmc_project/user",
1416 "org.freedesktop.DBus.Properties", "Set",
1417 "xyz.openbmc_project.User.AccountPolicy",
1418 "MinPasswordLength",
1419 dbus::utility::DbusVariantType(*minPasswordLength));
Ed Tanousf5ffd802021-07-19 10:55:33 -0700[diff] [blame]1420 }
1421
1422 if (maxPasswordLength)
1423 {
1424 messages::propertyNotWritable(asyncResp->res,
1425 "MaxPasswordLength");
1426 }
1427
1428 if (ldapObject)
1429 {
1430 handleLDAPPatch(*ldapObject, asyncResp, "LDAP");
1431 }
1432
1433 if (std::optional<nlohmann::json> oemOpenBMCObject;
1434 oemObject &&
1435 json_util::readJson(*oemObject, asyncResp->res, "OpenBMC",
1436 oemOpenBMCObject))
1437 {
1438 if (std::optional<nlohmann::json> authMethodsObject;
1439 oemOpenBMCObject &&
1440 json_util::readJson(*oemOpenBMCObject, asyncResp->res,
1441 "AuthMethods", authMethodsObject))
1442 {
1443 if (authMethodsObject)
1444 {
1445 handleAuthMethodsPatch(*authMethodsObject,
1446 asyncResp);
1447 }
1448 }
1449 }
1450
1451 if (activeDirectoryObject)
1452 {
1453 handleLDAPPatch(*activeDirectoryObject, asyncResp,
1454 "ActiveDirectory");
1455 }
1456
1457 if (unlockTimeout)
1458 {
1459 crow::connections::systemBus->async_method_call(
1460 [asyncResp](const boost::system::error_code ec) {
1461 if (ec)
1462 {
1463 messages::internalError(asyncResp->res);
1464 return;
1465 }
1466 messages::success(asyncResp->res);
1467 },
1468 "xyz.openbmc_project.User.Manager",
1469 "/xyz/openbmc_project/user",
1470 "org.freedesktop.DBus.Properties", "Set",
1471 "xyz.openbmc_project.User.AccountPolicy",
1472 "AccountUnlockTimeout",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1473 dbus::utility::DbusVariantType(*unlockTimeout));
Ed Tanousf5ffd802021-07-19 10:55:33 -0700[diff] [blame]1474 }
1475 if (lockoutThreshold)
1476 {
1477 crow::connections::systemBus->async_method_call(
1478 [asyncResp](const boost::system::error_code ec) {
1479 if (ec)
1480 {
1481 messages::internalError(asyncResp->res);
1482 return;
1483 }
1484 messages::success(asyncResp->res);
1485 },
1486 "xyz.openbmc_project.User.Manager",
1487 "/xyz/openbmc_project/user",
1488 "org.freedesktop.DBus.Properties", "Set",
1489 "xyz.openbmc_project.User.AccountPolicy",
1490 "MaxLoginAttemptBeforeLockout",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1491 dbus::utility::DbusVariantType(*lockoutThreshold));
Ed Tanousf5ffd802021-07-19 10:55:33 -0700[diff] [blame]1492 }
1493 });
1494
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1495 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]1496 .privileges(redfish::privileges::getManagerAccountCollection)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1497 .methods(boost::beast::http::verb::get)(
1498 [](const crow::Request& req,
1499 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) -> void {
1500 asyncResp->res.jsonValue = {
1501 {"@odata.id", "/redfish/v1/AccountService/Accounts"},
1502 {"@odata.type", "#ManagerAccountCollection."
1503 "ManagerAccountCollection"},
1504 {"Name", "Accounts Collection"},
1505 {"Description", "BMC User Accounts"}};
1506
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1507 Privileges effectiveUserPrivileges =
1508 redfish::getUserPrivileges(req.userRole);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1509
JunLin Chenf5e29f32021-12-08 16:47:04 +0800[diff] [blame]1510 std::string thisUser;
1511 if (req.session)
1512 {
1513 thisUser = req.session->username;
1514 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1515 crow::connections::systemBus->async_method_call(
Ed Tanouscef1ddf2021-06-03 13:45:10 -0700[diff] [blame]1516 [asyncResp, thisUser, effectiveUserPrivileges](
1517 const boost::system::error_code ec,
Ed Tanous711ac7a2021-12-20 09:34:41 -0800[diff] [blame]1518 const dbus::utility::ManagedObjectType& users) {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1519 if (ec)
1520 {
1521 messages::internalError(asyncResp->res);
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1522 return;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1523 }
Ed Tanous9712f8a2018-09-21 13:38:49 -0700[diff] [blame]1524
Ed Tanouscef1ddf2021-06-03 13:45:10 -0700[diff] [blame]1525 bool userCanSeeAllAccounts =
1526 effectiveUserPrivileges.isSupersetOf(
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]1527 {"ConfigureUsers"});
Ed Tanouscef1ddf2021-06-03 13:45:10 -0700[diff] [blame]1528
1529 bool userCanSeeSelf =
1530 effectiveUserPrivileges.isSupersetOf(
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]1531 {"ConfigureSelf"});
Ed Tanouscef1ddf2021-06-03 13:45:10 -0700[diff] [blame]1532
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1533 nlohmann::json& memberArray =
1534 asyncResp->res.jsonValue["Members"];
1535 memberArray = nlohmann::json::array();
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1536
Ed Tanous9eb808c2022-01-25 10:19:23 -0800[diff] [blame]1537 for (const auto& userpath : users)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1538 {
1539 std::string user = userpath.first.filename();
1540 if (user.empty())
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1541 {
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1542 messages::internalError(asyncResp->res);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1543 BMCWEB_LOG_ERROR << "Invalid firmware ID";
1544
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1545 return;
1546 }
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1547
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1548 // As clarified by Redfish here:
1549 // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration
1550 // Users without ConfigureUsers, only see their own
1551 // account. Users with ConfigureUsers, see all
1552 // accounts.
Ed Tanouscef1ddf2021-06-03 13:45:10 -0700[diff] [blame]1553 if (userCanSeeAllAccounts ||
1554 (thisUser == user && userCanSeeSelf))
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1555 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1556 memberArray.push_back(
1557 {{"@odata.id",
1558 "/redfish/v1/AccountService/Accounts/" +
1559 user}});
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1560 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1561 }
1562 asyncResp->res.jsonValue["Members@odata.count"] =
1563 memberArray.size();
1564 },
1565 "xyz.openbmc_project.User.Manager",
1566 "/xyz/openbmc_project/user",
1567 "org.freedesktop.DBus.ObjectManager", "GetManagedObjects");
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1568 });
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1569
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1570 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]1571 .privileges(redfish::privileges::postManagerAccountCollection)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1572 .methods(boost::beast::http::verb::post)([](const crow::Request& req,
1573 const std::shared_ptr<
1574 bmcweb::AsyncResp>&
1575 asyncResp) -> void {
1576 std::string username;
1577 std::string password;
1578 std::optional<std::string> roleId("User");
1579 std::optional<bool> enabled = true;
Willy Tu15ed6782021-12-14 11:03:16 -0800[diff] [blame]1580 if (!json_util::readJsonPatch(req, asyncResp->res, "UserName",
1581 username, "Password", password,
1582 "RoleId", roleId, "Enabled", enabled))
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1583 {
1584 return;
1585 }
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1586
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1587 std::string priv = getPrivilegeFromRoleId(*roleId);
1588 if (priv.empty())
1589 {
1590 messages::propertyValueNotInList(asyncResp->res, *roleId,
1591 "RoleId");
1592 return;
1593 }
1594 // TODO: Following override will be reverted once support in
1595 // phosphor-user-manager is added. In order to avoid dependency
1596 // issues, this is added in bmcweb, which will removed, once
1597 // phosphor-user-manager supports priv-noaccess.
1598 if (priv == "priv-noaccess")
1599 {
1600 roleId = "";
1601 }
1602 else
1603 {
1604 roleId = priv;
1605 }
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1606
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1607 // Reading AllGroups property
Jonathan Doman1e1e5982021-06-11 09:36:17 -0700[diff] [blame]1608 sdbusplus::asio::getProperty<std::vector<std::string>>(
1609 *crow::connections::systemBus,
1610 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1611 "xyz.openbmc_project.User.Manager", "AllGroups",
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1612 [asyncResp, username, password{std::move(password)}, roleId,
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1613 enabled](const boost::system::error_code ec,
Jonathan Doman1e1e5982021-06-11 09:36:17 -0700[diff] [blame]1614 const std::vector<std::string>& allGroupsList) {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1615 if (ec)
1616 {
1617 BMCWEB_LOG_DEBUG << "ERROR with async_method_call";
1618 messages::internalError(asyncResp->res);
1619 return;
1620 }
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1621
Jonathan Doman1e1e5982021-06-11 09:36:17 -0700[diff] [blame]1622 if (allGroupsList.empty())
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1623 {
1624 messages::internalError(asyncResp->res);
1625 return;
1626 }
1627
1628 crow::connections::systemBus->async_method_call(
1629 [asyncResp, username,
1630 password](const boost::system::error_code ec2,
1631 sdbusplus::message::message& m) {
1632 if (ec2)
1633 {
1634 userErrorMessageHandler(
1635 m.get_error(), asyncResp, username, "");
1636 return;
1637 }
1638
1639 if (pamUpdatePassword(username, password) !=
1640 PAM_SUCCESS)
1641 {
1642 // At this point we have a user that's been
1643 // created, but the password set
1644 // failed.Something is wrong, so delete the user
1645 // that we've already created
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +0530[diff] [blame]1646 sdbusplus::message::object_path tempObjPath(
1647 rootUserDbusPath);
1648 tempObjPath /= username;
1649 const std::string userPath(tempObjPath);
1650
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1651 crow::connections::systemBus->async_method_call(
1652 [asyncResp, password](
1653 const boost::system::error_code ec3) {
1654 if (ec3)
1655 {
1656 messages::internalError(
1657 asyncResp->res);
1658 return;
1659 }
1660
1661 // If password is invalid
1662 messages::propertyValueFormatError(
1663 asyncResp->res, password,
1664 "Password");
1665 },
1666 "xyz.openbmc_project.User.Manager",
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +0530[diff] [blame]1667 userPath,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1668 "xyz.openbmc_project.Object.Delete",
1669 "Delete");
1670
1671 BMCWEB_LOG_ERROR << "pamUpdatePassword Failed";
1672 return;
1673 }
1674
1675 messages::created(asyncResp->res);
1676 asyncResp->res.addHeader(
1677 "Location",
1678 "/redfish/v1/AccountService/Accounts/" +
1679 username);
1680 },
1681 "xyz.openbmc_project.User.Manager",
1682 "/xyz/openbmc_project/user",
1683 "xyz.openbmc_project.User.Manager", "CreateUser",
Jonathan Doman1e1e5982021-06-11 09:36:17 -0700[diff] [blame]1684 username, allGroupsList, *roleId, *enabled);
1685 });
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1686 });
1687
1688 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]1689 .privileges(redfish::privileges::getManagerAccount)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1690 .methods(
1691 boost::beast::http::verb::
1692 get)([](const crow::Request& req,
1693 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1694 const std::string& accountName) -> void {
1695 if (req.session->username != accountName)
1696 {
1697 // At this point we've determined that the user is trying to
1698 // modify a user that isn't them. We need to verify that they
1699 // have permissions to modify other users, so re-run the auth
1700 // check with the same permissions, minus ConfigureSelf.
1701 Privileges effectiveUserPrivileges =
1702 redfish::getUserPrivileges(req.userRole);
1703 Privileges requiredPermissionsToChangeNonSelf = {
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]1704 "ConfigureUsers", "ConfigureManager"};
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1705 if (!effectiveUserPrivileges.isSupersetOf(
1706 requiredPermissionsToChangeNonSelf))
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1707 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1708 BMCWEB_LOG_DEBUG << "GET Account denied access";
1709 messages::insufficientPrivilege(asyncResp->res);
1710 return;
1711 }
1712 }
1713
1714 crow::connections::systemBus->async_method_call(
Ed Tanous711ac7a2021-12-20 09:34:41 -0800[diff] [blame]1715 [asyncResp,
1716 accountName](const boost::system::error_code ec,
1717 const dbus::utility::ManagedObjectType& users) {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1718 if (ec)
1719 {
1720 messages::internalError(asyncResp->res);
1721 return;
1722 }
Ed Tanous711ac7a2021-12-20 09:34:41 -0800[diff] [blame]1723 const auto userIt = std::find_if(
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +0530[diff] [blame]1724 users.begin(), users.end(),
1725 [accountName](
1726 const std::pair<sdbusplus::message::object_path,
Ed Tanous711ac7a2021-12-20 09:34:41 -0800[diff] [blame]1727 dbus::utility::DBusInteracesMap>&
1728 user) {
Ed Tanous55f79e62022-01-25 11:26:16 -0800[diff] [blame]1729 return accountName == user.first.filename();
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +0530[diff] [blame]1730 });
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1731
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1732 if (userIt == users.end())
1733 {
1734 messages::resourceNotFound(
1735 asyncResp->res, "ManagerAccount", accountName);
1736 return;
1737 }
1738
1739 asyncResp->res.jsonValue = {
1740 {"@odata.type",
1741 "#ManagerAccount.v1_4_0.ManagerAccount"},
1742 {"Name", "User Account"},
1743 {"Description", "User Account"},
1744 {"Password", nullptr},
1745 {"AccountTypes", {"Redfish"}}};
1746
1747 for (const auto& interface : userIt->second)
1748 {
1749 if (interface.first ==
1750 "xyz.openbmc_project.User.Attributes")
1751 {
1752 for (const auto& property : interface.second)
1753 {
1754 if (property.first == "UserEnabled")
1755 {
1756 const bool* userEnabled =
1757 std::get_if<bool>(&property.second);
1758 if (userEnabled == nullptr)
1759 {
1760 BMCWEB_LOG_ERROR
1761 << "UserEnabled wasn't a bool";
1762 messages::internalError(asyncResp->res);
1763 return;
1764 }
1765 asyncResp->res.jsonValue["Enabled"] =
1766 *userEnabled;
1767 }
1768 else if (property.first ==
1769 "UserLockedForFailedAttempt")
1770 {
1771 const bool* userLocked =
1772 std::get_if<bool>(&property.second);
1773 if (userLocked == nullptr)
1774 {
1775 BMCWEB_LOG_ERROR << "UserLockedForF"
1776 "ailedAttempt "
1777 "wasn't a bool";
1778 messages::internalError(asyncResp->res);
1779 return;
1780 }
1781 asyncResp->res.jsonValue["Locked"] =
1782 *userLocked;
1783 asyncResp->res.jsonValue
1784 ["Locked@Redfish.AllowableValues"] = {
1785 "false"}; // can only unlock accounts
1786 }
1787 else if (property.first == "UserPrivilege")
1788 {
1789 const std::string* userPrivPtr =
1790 std::get_if<std::string>(
1791 &property.second);
1792 if (userPrivPtr == nullptr)
1793 {
1794 BMCWEB_LOG_ERROR
1795 << "UserPrivilege wasn't a "
1796 "string";
1797 messages::internalError(asyncResp->res);
1798 return;
1799 }
1800 std::string role =
1801 getRoleIdFromPrivilege(*userPrivPtr);
1802 if (role.empty())
1803 {
1804 BMCWEB_LOG_ERROR << "Invalid user role";
1805 messages::internalError(asyncResp->res);
1806 return;
1807 }
1808 asyncResp->res.jsonValue["RoleId"] = role;
1809
1810 asyncResp->res.jsonValue["Links"]["Role"] =
1811 {{"@odata.id",
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]1812 "/redfish/v1/AccountService/Roles/" +
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1813 role}};
1814 }
1815 else if (property.first ==
1816 "UserPasswordExpired")
1817 {
1818 const bool* userPasswordExpired =
1819 std::get_if<bool>(&property.second);
1820 if (userPasswordExpired == nullptr)
1821 {
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]1822 BMCWEB_LOG_ERROR
1823 << "UserPasswordExpired wasn't a bool";
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1824 messages::internalError(asyncResp->res);
1825 return;
1826 }
1827 asyncResp->res
1828 .jsonValue["PasswordChangeRequired"] =
1829 *userPasswordExpired;
1830 }
1831 }
1832 }
1833 }
1834
1835 asyncResp->res.jsonValue["@odata.id"] =
1836 "/redfish/v1/AccountService/Accounts/" + accountName;
1837 asyncResp->res.jsonValue["Id"] = accountName;
1838 asyncResp->res.jsonValue["UserName"] = accountName;
1839 },
1840 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1841 "org.freedesktop.DBus.ObjectManager", "GetManagedObjects");
1842 });
1843
1844 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]1845 // TODO this privilege should be using the generated endpoints, but
1846 // because of the special handling of ConfigureSelf, it's not able to
1847 // yet
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1848 .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}})
1849 .methods(boost::beast::http::verb::patch)(
1850 [](const crow::Request& req,
1851 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1852 const std::string& username) -> void {
1853 std::optional<std::string> newUserName;
1854 std::optional<std::string> password;
1855 std::optional<bool> enabled;
1856 std::optional<std::string> roleId;
1857 std::optional<bool> locked;
Ed Tanouse9cc5172021-11-03 14:13:19 +0800[diff] [blame]1858
1859 Privileges effectiveUserPrivileges =
1860 redfish::getUserPrivileges(req.userRole);
1861 Privileges configureUsers = {"ConfigureUsers"};
1862 bool userHasConfigureUsers =
1863 effectiveUserPrivileges.isSupersetOf(configureUsers);
1864 if (userHasConfigureUsers)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1865 {
Ed Tanouse9cc5172021-11-03 14:13:19 +0800[diff] [blame]1866 // Users with ConfigureUsers can modify for all users
Willy Tu15ed6782021-12-14 11:03:16 -0800[diff] [blame]1867 if (!json_util::readJsonPatch(
1868 req, asyncResp->res, "UserName", newUserName,
1869 "Password", password, "RoleId", roleId, "Enabled",
1870 enabled, "Locked", locked))
Ed Tanouse9cc5172021-11-03 14:13:19 +0800[diff] [blame]1871 {
1872 return;
1873 }
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1874 }
Ed Tanouse9cc5172021-11-03 14:13:19 +0800[diff] [blame]1875 else
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1876 {
Ed Tanouse9cc5172021-11-03 14:13:19 +0800[diff] [blame]1877 // ConfigureSelf accounts can only modify their own account
1878 if (username != req.session->username)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1879 {
1880 messages::insufficientPrivilege(asyncResp->res);
1881 return;
1882 }
Ed Tanouse9cc5172021-11-03 14:13:19 +0800[diff] [blame]1883 // ConfigureSelf accounts can only modify their password
Willy Tu15ed6782021-12-14 11:03:16 -0800[diff] [blame]1884 if (!json_util::readJsonPatch(req, asyncResp->res,
1885 "Password", password))
Ed Tanouse9cc5172021-11-03 14:13:19 +0800[diff] [blame]1886 {
1887 return;
1888 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1889 }
1890
1891 // if user name is not provided in the patch method or if it
1892 // matches the user name in the URI, then we are treating it as
1893 // updating user properties other then username. If username
1894 // provided doesn't match the URI, then we are treating this as
1895 // user rename request.
1896 if (!newUserName || (newUserName.value() == username))
1897 {
1898 updateUserProperties(asyncResp, username, password, enabled,
1899 roleId, locked);
1900 return;
1901 }
1902 crow::connections::systemBus->async_method_call(
1903 [asyncResp, username, password(std::move(password)),
1904 roleId(std::move(roleId)), enabled,
1905 newUser{std::string(*newUserName)},
1906 locked](const boost::system::error_code ec,
1907 sdbusplus::message::message& m) {
1908 if (ec)
1909 {
1910 userErrorMessageHandler(m.get_error(), asyncResp,
1911 newUser, username);
1912 return;
1913 }
1914
1915 updateUserProperties(asyncResp, newUser, password,
1916 enabled, roleId, locked);
1917 },
1918 "xyz.openbmc_project.User.Manager",
1919 "/xyz/openbmc_project/user",
1920 "xyz.openbmc_project.User.Manager", "RenameUser", username,
1921 *newUserName);
1922 });
1923
1924 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]1925 .privileges(redfish::privileges::deleteManagerAccount)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1926 .methods(boost::beast::http::verb::delete_)(
1927 [](const crow::Request& /*req*/,
1928 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1929 const std::string& username) -> void {
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +0530[diff] [blame]1930 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1931 tempObjPath /= username;
1932 const std::string userPath(tempObjPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1933
1934 crow::connections::systemBus->async_method_call(
1935 [asyncResp, username](const boost::system::error_code ec) {
1936 if (ec)
1937 {
1938 messages::resourceNotFound(
1939 asyncResp->res,
1940 "#ManagerAccount.v1_4_0.ManagerAccount",
1941 username);
1942 return;
1943 }
1944
1945 messages::accountRemoved(asyncResp->res);
1946 },
1947 "xyz.openbmc_project.User.Manager", userPath,
1948 "xyz.openbmc_project.Object.Delete", "Delete");
1949 });
1950}
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]1951
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]1952} // namespace redfish