Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 2c37b4b0f465344aeea311efd61fd9a217ad8e3e / . / redfish-core / lib / account_service.hpp
blob: 2e81104a305ef3005e52cc29af52969f6dde5630 [file] [log] [blame]
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]1/*
2// Copyright (c) 2018 Intel Corporation
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15*/
16#pragma once
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]17#include "node.hpp"
18
John Edward Broadbent7e860f12021-04-08 15:57:16 -0700[diff] [blame]19#include <app.hpp>
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]20#include <dbus_utility.hpp>
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]21#include <error_messages.hpp>
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]22#include <openbmc_dbus_rest.hpp>
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]23#include <persistent_data.hpp>
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]24#include <utils/json_utils.hpp>
Gunnar Mills1214b7e2020-06-04 10:11:30 -0500[diff] [blame]25
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]26#include <variant>
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]27
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]28namespace redfish
29{
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]30
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]31constexpr const char* ldapConfigObjectName =
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]32 "/xyz/openbmc_project/user/ldap/openldap";
Ed Tanous2c70f802020-09-28 14:29:23 -0700[diff] [blame]33constexpr const char* adConfigObject =
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]34 "/xyz/openbmc_project/user/ldap/active_directory";
35
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]36constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap";
37constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config";
38constexpr const char* ldapConfigInterface =
39 "xyz.openbmc_project.User.Ldap.Config";
40constexpr const char* ldapCreateInterface =
41 "xyz.openbmc_project.User.Ldap.Create";
42constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable";
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]43constexpr const char* ldapPrivMapperInterface =
44 "xyz.openbmc_project.User.PrivilegeMapper";
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]45constexpr const char* dbusObjManagerIntf = "org.freedesktop.DBus.ObjectManager";
46constexpr const char* propertyInterface = "org.freedesktop.DBus.Properties";
47constexpr const char* mapperBusName = "xyz.openbmc_project.ObjectMapper";
48constexpr const char* mapperObjectPath = "/xyz/openbmc_project/object_mapper";
49constexpr const char* mapperIntf = "xyz.openbmc_project.ObjectMapper";
50
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]51struct LDAPRoleMapData
52{
53 std::string groupName;
54 std::string privilege;
55};
56
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]57struct LDAPConfigData
58{
59 std::string uri{};
60 std::string bindDN{};
61 std::string baseDN{};
62 std::string searchScope{};
63 std::string serverType{};
64 bool serviceEnabled = false;
65 std::string userNameAttribute{};
66 std::string groupAttribute{};
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]67 std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList;
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]68};
69
Patrick Williams19bd78d2020-05-13 17:38:24 -0500[diff] [blame]70using DbusVariantType = std::variant<bool, int32_t, std::string>;
Przemyslaw Czarnowski107077d2019-07-11 10:16:43 +0200[diff] [blame]71
72using DbusInterfaceType = boost::container::flat_map<
73 std::string, boost::container::flat_map<std::string, DbusVariantType>>;
74
75using ManagedObjectType =
76 std::vector<std::pair<sdbusplus::message::object_path, DbusInterfaceType>>;
77
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]78using GetObjectType =
79 std::vector<std::pair<std::string, std::vector<std::string>>>;
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]80
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]81inline std::string getRoleIdFromPrivilege(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]82{
83 if (role == "priv-admin")
84 {
85 return "Administrator";
86 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]87 if (role == "priv-user")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]88 {
AppaRao Pulic80fee52019-10-16 14:49:36 +0530[diff] [blame]89 return "ReadOnly";
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]90 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]91 if (role == "priv-operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]92 {
93 return "Operator";
94 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]95 if ((role == "") || (role == "priv-noaccess"))
jayaprakash Mutyalae9e6d242019-07-29 11:59:08 +0000[diff] [blame]96 {
97 return "NoAccess";
98 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]99 return "";
100}
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]101inline std::string getPrivilegeFromRoleId(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]102{
103 if (role == "Administrator")
104 {
105 return "priv-admin";
106 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]107 if (role == "ReadOnly")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]108 {
109 return "priv-user";
110 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]111 if (role == "Operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]112 {
113 return "priv-operator";
114 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]115 if ((role == "NoAccess") || (role == ""))
jayaprakash Mutyalae9e6d242019-07-29 11:59:08 +0000[diff] [blame]116 {
117 return "priv-noaccess";
118 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]119 return "";
120}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]121
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]122inline void userErrorMessageHandler(
123 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
124 const std::string& newUser, const std::string& username)
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]125{
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]126 if (e == nullptr)
127 {
128 messages::internalError(asyncResp->res);
129 return;
130 }
131
Manojkiran Eda055806b2020-11-03 09:36:28 +0530[diff] [blame]132 const char* errorMessage = e->name;
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]133 if (strcmp(errorMessage,
134 "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0)
135 {
136 messages::resourceAlreadyExists(asyncResp->res,
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]137 "#ManagerAccount.v1_4_0.ManagerAccount",
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]138 "UserName", newUser);
139 }
140 else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
141 "UserNameDoesNotExist") == 0)
142 {
143 messages::resourceNotFound(
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]144 asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", username);
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]145 }
Ed Tanousd4d25792020-09-29 15:15:03 -0700[diff] [blame]146 else if ((strcmp(errorMessage,
147 "xyz.openbmc_project.Common.Error.InvalidArgument") ==
148 0) ||
149 (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
150 "UserNameGroupFail") == 0))
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]151 {
152 messages::propertyValueFormatError(asyncResp->res, newUser, "UserName");
153 }
154 else if (strcmp(errorMessage,
155 "xyz.openbmc_project.User.Common.Error.NoResource") == 0)
156 {
157 messages::createLimitReachedForResource(asyncResp->res);
158 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]159 else
160 {
161 messages::internalError(asyncResp->res);
162 }
163
164 return;
165}
166
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]167inline void parseLDAPConfigData(nlohmann::json& jsonResponse,
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]168 const LDAPConfigData& confData,
169 const std::string& ldapType)
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]170{
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]171 std::string service =
172 (ldapType == "LDAP") ? "LDAPService" : "ActiveDirectoryService";
Marri Devender Rao37cce912019-02-20 01:05:22 -0600[diff] [blame]173 nlohmann::json ldap = {
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]174 {"ServiceEnabled", confData.serviceEnabled},
175 {"ServiceAddresses", nlohmann::json::array({confData.uri})},
176 {"Authentication",
177 {{"AuthenticationType", "UsernameAndPassword"},
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]178 {"Username", confData.bindDN},
179 {"Password", nullptr}}},
180 {"LDAPService",
181 {{"SearchSettings",
182 {{"BaseDistinguishedNames",
183 nlohmann::json::array({confData.baseDN})},
184 {"UsernameAttribute", confData.userNameAttribute},
185 {"GroupsAttribute", confData.groupAttribute}}}}},
186 };
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]187
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]188 jsonResponse[ldapType].update(ldap);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]189
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]190 nlohmann::json& roleMapArray = jsonResponse[ldapType]["RemoteRoleMapping"];
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]191 roleMapArray = nlohmann::json::array();
192 for (auto& obj : confData.groupRoleList)
193 {
194 BMCWEB_LOG_DEBUG << "Pushing the data groupName="
195 << obj.second.groupName << "\n";
196 roleMapArray.push_back(
197 {nlohmann::json::array({"RemoteGroup", obj.second.groupName}),
198 nlohmann::json::array(
199 {"LocalRole", getRoleIdFromPrivilege(obj.second.privilege)})});
200 }
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]201}
202
203/**
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]204 * @brief validates given JSON input and then calls appropriate method to
205 * create, to delete or to set Rolemapping object based on the given input.
206 *
207 */
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]208inline void handleRoleMapPatch(
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]209 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]210 const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData,
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]211 const std::string& serverType, const std::vector<nlohmann::json>& input)
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]212{
213 for (size_t index = 0; index < input.size(); index++)
214 {
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]215 const nlohmann::json& thisJson = input[index];
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]216
217 if (thisJson.is_null())
218 {
219 // delete the existing object
220 if (index < roleMapObjData.size())
221 {
222 crow::connections::systemBus->async_method_call(
223 [asyncResp, roleMapObjData, serverType,
224 index](const boost::system::error_code ec) {
225 if (ec)
226 {
227 BMCWEB_LOG_ERROR << "DBUS response error: " << ec;
228 messages::internalError(asyncResp->res);
229 return;
230 }
231 asyncResp->res
232 .jsonValue[serverType]["RemoteRoleMapping"][index] =
233 nullptr;
234 },
235 ldapDbusService, roleMapObjData[index].first,
236 "xyz.openbmc_project.Object.Delete", "Delete");
237 }
238 else
239 {
240 BMCWEB_LOG_ERROR << "Can't delete the object";
241 messages::propertyValueTypeError(
Ed Tanous71f52d92021-02-19 08:51:17 -0800[diff] [blame]242 asyncResp->res,
243 thisJson.dump(2, ' ', true,
244 nlohmann::json::error_handler_t::replace),
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]245 "RemoteRoleMapping/" + std::to_string(index));
246 return;
247 }
248 }
249 else if (thisJson.empty())
250 {
251 // Don't do anything for the empty objects,parse next json
252 // eg {"RemoteRoleMapping",[{}]}
253 }
254 else
255 {
256 // update/create the object
257 std::optional<std::string> remoteGroup;
258 std::optional<std::string> localRole;
259
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]260 // This is a copy, but it's required in this case because of how
261 // readJson is structured
262 nlohmann::json thisJsonCopy = thisJson;
263 if (!json_util::readJson(thisJsonCopy, asyncResp->res,
264 "RemoteGroup", remoteGroup, "LocalRole",
265 localRole))
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]266 {
267 continue;
268 }
269
270 // Update existing RoleMapping Object
271 if (index < roleMapObjData.size())
272 {
273 BMCWEB_LOG_DEBUG << "Update Role Map Object";
274 // If "RemoteGroup" info is provided
275 if (remoteGroup)
276 {
277 crow::connections::systemBus->async_method_call(
278 [asyncResp, roleMapObjData, serverType, index,
279 remoteGroup](const boost::system::error_code ec) {
280 if (ec)
281 {
282 BMCWEB_LOG_ERROR << "DBUS response error: "
283 << ec;
284 messages::internalError(asyncResp->res);
285 return;
286 }
287 asyncResp->res
288 .jsonValue[serverType]["RemoteRoleMapping"]
289 [index]["RemoteGroup"] = *remoteGroup;
290 },
291 ldapDbusService, roleMapObjData[index].first,
292 propertyInterface, "Set",
293 "xyz.openbmc_project.User.PrivilegeMapperEntry",
294 "GroupName",
295 std::variant<std::string>(std::move(*remoteGroup)));
296 }
297
298 // If "LocalRole" info is provided
299 if (localRole)
300 {
301 crow::connections::systemBus->async_method_call(
302 [asyncResp, roleMapObjData, serverType, index,
303 localRole](const boost::system::error_code ec) {
304 if (ec)
305 {
306 BMCWEB_LOG_ERROR << "DBUS response error: "
307 << ec;
308 messages::internalError(asyncResp->res);
309 return;
310 }
311 asyncResp->res
312 .jsonValue[serverType]["RemoteRoleMapping"]
313 [index]["LocalRole"] = *localRole;
314 },
315 ldapDbusService, roleMapObjData[index].first,
316 propertyInterface, "Set",
317 "xyz.openbmc_project.User.PrivilegeMapperEntry",
318 "Privilege",
319 std::variant<std::string>(
320 getPrivilegeFromRoleId(std::move(*localRole))));
321 }
322 }
323 // Create a new RoleMapping Object.
324 else
325 {
326 BMCWEB_LOG_DEBUG
327 << "setRoleMappingProperties: Creating new Object";
328 std::string pathString =
329 "RemoteRoleMapping/" + std::to_string(index);
330
331 if (!localRole)
332 {
333 messages::propertyMissing(asyncResp->res,
334 pathString + "/LocalRole");
335 continue;
336 }
337 if (!remoteGroup)
338 {
339 messages::propertyMissing(asyncResp->res,
340 pathString + "/RemoteGroup");
341 continue;
342 }
343
344 std::string dbusObjectPath;
345 if (serverType == "ActiveDirectory")
346 {
Ed Tanous2c70f802020-09-28 14:29:23 -0700[diff] [blame]347 dbusObjectPath = adConfigObject;
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]348 }
349 else if (serverType == "LDAP")
350 {
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]351 dbusObjectPath = ldapConfigObjectName;
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]352 }
353
354 BMCWEB_LOG_DEBUG << "Remote Group=" << *remoteGroup
355 << ",LocalRole=" << *localRole;
356
357 crow::connections::systemBus->async_method_call(
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]358 [asyncResp, serverType, localRole,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]359 remoteGroup](const boost::system::error_code ec) {
360 if (ec)
361 {
362 BMCWEB_LOG_ERROR << "DBUS response error: " << ec;
363 messages::internalError(asyncResp->res);
364 return;
365 }
366 nlohmann::json& remoteRoleJson =
367 asyncResp->res
368 .jsonValue[serverType]["RemoteRoleMapping"];
369 remoteRoleJson.push_back(
370 {{"LocalRole", *localRole},
371 {"RemoteGroup", *remoteGroup}});
372 },
373 ldapDbusService, dbusObjectPath, ldapPrivMapperInterface,
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]374 "Create", *remoteGroup,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]375 getPrivilegeFromRoleId(std::move(*localRole)));
376 }
377 }
378 }
379}
380
381/**
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]382 * Function that retrieves all properties for LDAP config object
383 * into JSON
384 */
385template <typename CallbackFunc>
386inline void getLDAPConfigData(const std::string& ldapType,
387 CallbackFunc&& callback)
388{
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]389
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]390 const std::array<const char*, 2> interfaces = {ldapEnableInterface,
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]391 ldapConfigInterface};
392
393 crow::connections::systemBus->async_method_call(
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]394 [callback, ldapType](const boost::system::error_code ec,
395 const GetObjectType& resp) {
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]396 if (ec || resp.empty())
397 {
398 BMCWEB_LOG_ERROR << "DBUS response error during getting of "
399 "service name: "
400 << ec;
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]401 LDAPConfigData empty{};
402 callback(false, empty, ldapType);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]403 return;
404 }
405 std::string service = resp.begin()->first;
406 crow::connections::systemBus->async_method_call(
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]407 [callback, ldapType](const boost::system::error_code errorCode,
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]408 const ManagedObjectType& ldapObjects) {
409 LDAPConfigData confData{};
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]410 if (errorCode)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]411 {
412 callback(false, confData, ldapType);
413 BMCWEB_LOG_ERROR << "D-Bus responses error: "
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]414 << errorCode;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]415 return;
416 }
417
418 std::string ldapDbusType;
419 std::string searchString;
420
421 if (ldapType == "LDAP")
422 {
423 ldapDbusType = "xyz.openbmc_project.User.Ldap.Config."
424 "Type.OpenLdap";
425 searchString = "openldap";
426 }
427 else if (ldapType == "ActiveDirectory")
428 {
429 ldapDbusType =
430 "xyz.openbmc_project.User.Ldap.Config.Type."
431 "ActiveDirectory";
432 searchString = "active_directory";
433 }
434 else
435 {
436 BMCWEB_LOG_ERROR
437 << "Can't get the DbusType for the given type="
438 << ldapType;
439 callback(false, confData, ldapType);
440 return;
441 }
442
443 std::string ldapEnableInterfaceStr = ldapEnableInterface;
444 std::string ldapConfigInterfaceStr = ldapConfigInterface;
445
446 for (const auto& object : ldapObjects)
447 {
448 // let's find the object whose ldap type is equal to the
449 // given type
450 if (object.first.str.find(searchString) ==
451 std::string::npos)
452 {
453 continue;
454 }
455
456 for (const auto& interface : object.second)
457 {
458 if (interface.first == ldapEnableInterfaceStr)
459 {
460 // rest of the properties are string.
461 for (const auto& property : interface.second)
462 {
463 if (property.first == "Enabled")
464 {
465 const bool* value =
466 std::get_if<bool>(&property.second);
467 if (value == nullptr)
468 {
469 continue;
470 }
471 confData.serviceEnabled = *value;
472 break;
473 }
474 }
475 }
476 else if (interface.first == ldapConfigInterfaceStr)
477 {
478
479 for (const auto& property : interface.second)
480 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]481 const std::string* strValue =
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]482 std::get_if<std::string>(
483 &property.second);
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]484 if (strValue == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]485 {
486 continue;
487 }
488 if (property.first == "LDAPServerURI")
489 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]490 confData.uri = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]491 }
492 else if (property.first == "LDAPBindDN")
493 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]494 confData.bindDN = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]495 }
496 else if (property.first == "LDAPBaseDN")
497 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]498 confData.baseDN = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]499 }
500 else if (property.first ==
501 "LDAPSearchScope")
502 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]503 confData.searchScope = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]504 }
505 else if (property.first ==
506 "GroupNameAttribute")
507 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]508 confData.groupAttribute = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]509 }
510 else if (property.first ==
511 "UserNameAttribute")
512 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]513 confData.userNameAttribute = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]514 }
515 else if (property.first == "LDAPType")
516 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]517 confData.serverType = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]518 }
519 }
520 }
521 else if (interface.first ==
522 "xyz.openbmc_project.User."
523 "PrivilegeMapperEntry")
524 {
525 LDAPRoleMapData roleMapData{};
526 for (const auto& property : interface.second)
527 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]528 const std::string* strValue =
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]529 std::get_if<std::string>(
530 &property.second);
531
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]532 if (strValue == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]533 {
534 continue;
535 }
536
537 if (property.first == "GroupName")
538 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]539 roleMapData.groupName = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]540 }
541 else if (property.first == "Privilege")
542 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]543 roleMapData.privilege = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]544 }
545 }
546
Ed Tanous0f0353b2019-10-24 11:37:51 -0700[diff] [blame]547 confData.groupRoleList.emplace_back(
548 object.first.str, roleMapData);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]549 }
550 }
551 }
552 callback(true, confData, ldapType);
553 },
554 service, ldapRootObject, dbusObjManagerIntf,
555 "GetManagedObjects");
556 },
557 mapperBusName, mapperObjectPath, mapperIntf, "GetObject",
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]558 ldapConfigObjectName, interfaces);
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]559}
560
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]561class AccountService : public Node
562{
563 public:
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]564 AccountService(App& app) : Node(app, "/redfish/v1/AccountService/")
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]565 {
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]566 entityPrivileges = {
Gunnar Mills3c5a3762020-01-29 15:21:30 -0600[diff] [blame]567 {boost::beast::http::verb::get, {{"Login"}}},
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]568 {boost::beast::http::verb::head, {{"Login"}}},
569 {boost::beast::http::verb::patch, {{"ConfigureUsers"}}},
570 {boost::beast::http::verb::put, {{"ConfigureUsers"}}},
571 {boost::beast::http::verb::delete_, {{"ConfigureUsers"}}},
572 {boost::beast::http::verb::post, {{"ConfigureUsers"}}}};
573 }
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]574
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]575 private:
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]576 /**
577 * @brief parses the authentication section under the LDAP
578 * @param input JSON data
579 * @param asyncResp pointer to the JSON response
580 * @param userName userName to be filled from the given JSON.
581 * @param password password to be filled from the given JSON.
582 */
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]583 void parseLDAPAuthenticationJson(
584 nlohmann::json input,
585 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
586 std::optional<std::string>& username,
587 std::optional<std::string>& password)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]588 {
589 std::optional<std::string> authType;
590
591 if (!json_util::readJson(input, asyncResp->res, "AuthenticationType",
592 authType, "Username", username, "Password",
593 password))
594 {
595 return;
596 }
597 if (!authType)
598 {
599 return;
600 }
601 if (*authType != "UsernameAndPassword")
602 {
603 messages::propertyValueNotInList(asyncResp->res, *authType,
604 "AuthenticationType");
605 return;
606 }
607 }
608 /**
609 * @brief parses the LDAPService section under the LDAP
610 * @param input JSON data
611 * @param asyncResp pointer to the JSON response
612 * @param baseDNList baseDN to be filled from the given JSON.
613 * @param userNameAttribute userName to be filled from the given JSON.
614 * @param groupaAttribute password to be filled from the given JSON.
615 */
616
617 void parseLDAPServiceJson(
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]618 nlohmann::json input,
619 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]620 std::optional<std::vector<std::string>>& baseDNList,
621 std::optional<std::string>& userNameAttribute,
622 std::optional<std::string>& groupsAttribute)
623 {
624 std::optional<nlohmann::json> searchSettings;
625
626 if (!json_util::readJson(input, asyncResp->res, "SearchSettings",
627 searchSettings))
628 {
629 return;
630 }
631 if (!searchSettings)
632 {
633 return;
634 }
635 if (!json_util::readJson(*searchSettings, asyncResp->res,
636 "BaseDistinguishedNames", baseDNList,
637 "UsernameAttribute", userNameAttribute,
638 "GroupsAttribute", groupsAttribute))
639 {
640 return;
641 }
642 }
643 /**
644 * @brief updates the LDAP server address and updates the
645 json response with the new value.
646 * @param serviceAddressList address to be updated.
647 * @param asyncResp pointer to the JSON response
648 * @param ldapServerElementName Type of LDAP
649 server(openLDAP/ActiveDirectory)
650 */
651
652 void handleServiceAddressPatch(
653 const std::vector<std::string>& serviceAddressList,
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]654 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]655 const std::string& ldapServerElementName,
656 const std::string& ldapConfigObject)
657 {
658 crow::connections::systemBus->async_method_call(
659 [asyncResp, ldapServerElementName,
660 serviceAddressList](const boost::system::error_code ec) {
661 if (ec)
662 {
663 BMCWEB_LOG_DEBUG
Gunnar Millsc61704a2020-07-08 13:47:06 -0500[diff] [blame]664 << "Error Occurred in updating the service address";
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]665 messages::internalError(asyncResp->res);
666 return;
667 }
668 std::vector<std::string> modifiedserviceAddressList = {
669 serviceAddressList.front()};
670 asyncResp->res
671 .jsonValue[ldapServerElementName]["ServiceAddresses"] =
672 modifiedserviceAddressList;
673 if ((serviceAddressList).size() > 1)
674 {
675 messages::propertyValueModified(asyncResp->res,
676 "ServiceAddresses",
677 serviceAddressList.front());
678 }
679 BMCWEB_LOG_DEBUG << "Updated the service address";
680 },
681 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
682 ldapConfigInterface, "LDAPServerURI",
683 std::variant<std::string>(serviceAddressList.front()));
684 }
685 /**
686 * @brief updates the LDAP Bind DN and updates the
687 json response with the new value.
688 * @param username name of the user which needs to be updated.
689 * @param asyncResp pointer to the JSON response
690 * @param ldapServerElementName Type of LDAP
691 server(openLDAP/ActiveDirectory)
692 */
693
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]694 void
695 handleUserNamePatch(const std::string& username,
696 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
697 const std::string& ldapServerElementName,
698 const std::string& ldapConfigObject)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]699 {
700 crow::connections::systemBus->async_method_call(
701 [asyncResp, username,
702 ldapServerElementName](const boost::system::error_code ec) {
703 if (ec)
704 {
705 BMCWEB_LOG_DEBUG
Gunnar Millsc61704a2020-07-08 13:47:06 -0500[diff] [blame]706 << "Error occurred in updating the username";
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]707 messages::internalError(asyncResp->res);
708 return;
709 }
710 asyncResp->res.jsonValue[ldapServerElementName]
711 ["Authentication"]["Username"] =
712 username;
713 BMCWEB_LOG_DEBUG << "Updated the username";
714 },
715 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
716 ldapConfigInterface, "LDAPBindDN",
717 std::variant<std::string>(username));
718 }
719
720 /**
721 * @brief updates the LDAP password
722 * @param password : ldap password which needs to be updated.
723 * @param asyncResp pointer to the JSON response
724 * @param ldapServerElementName Type of LDAP
725 * server(openLDAP/ActiveDirectory)
726 */
727
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]728 void
729 handlePasswordPatch(const std::string& password,
730 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
731 const std::string& ldapServerElementName,
732 const std::string& ldapConfigObject)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]733 {
734 crow::connections::systemBus->async_method_call(
735 [asyncResp, password,
736 ldapServerElementName](const boost::system::error_code ec) {
737 if (ec)
738 {
739 BMCWEB_LOG_DEBUG
Gunnar Millsc61704a2020-07-08 13:47:06 -0500[diff] [blame]740 << "Error occurred in updating the password";
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]741 messages::internalError(asyncResp->res);
742 return;
743 }
744 asyncResp->res.jsonValue[ldapServerElementName]
745 ["Authentication"]["Password"] = "";
746 BMCWEB_LOG_DEBUG << "Updated the password";
747 },
748 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
749 ldapConfigInterface, "LDAPBindDNPassword",
750 std::variant<std::string>(password));
751 }
752
753 /**
754 * @brief updates the LDAP BaseDN and updates the
755 json response with the new value.
756 * @param baseDNList baseDN list which needs to be updated.
757 * @param asyncResp pointer to the JSON response
758 * @param ldapServerElementName Type of LDAP
759 server(openLDAP/ActiveDirectory)
760 */
761
762 void handleBaseDNPatch(const std::vector<std::string>& baseDNList,
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]763 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]764 const std::string& ldapServerElementName,
765 const std::string& ldapConfigObject)
766 {
767 crow::connections::systemBus->async_method_call(
768 [asyncResp, baseDNList,
769 ldapServerElementName](const boost::system::error_code ec) {
770 if (ec)
771 {
Gunnar Millsc61704a2020-07-08 13:47:06 -0500[diff] [blame]772 BMCWEB_LOG_DEBUG
773 << "Error Occurred in Updating the base DN";
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]774 messages::internalError(asyncResp->res);
775 return;
776 }
777 auto& serverTypeJson =
778 asyncResp->res.jsonValue[ldapServerElementName];
779 auto& searchSettingsJson =
780 serverTypeJson["LDAPService"]["SearchSettings"];
781 std::vector<std::string> modifiedBaseDNList = {
782 baseDNList.front()};
783 searchSettingsJson["BaseDistinguishedNames"] =
784 modifiedBaseDNList;
785 if (baseDNList.size() > 1)
786 {
787 messages::propertyValueModified(asyncResp->res,
788 "BaseDistinguishedNames",
789 baseDNList.front());
790 }
791 BMCWEB_LOG_DEBUG << "Updated the base DN";
792 },
793 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
794 ldapConfigInterface, "LDAPBaseDN",
795 std::variant<std::string>(baseDNList.front()));
796 }
797 /**
798 * @brief updates the LDAP user name attribute and updates the
799 json response with the new value.
800 * @param userNameAttribute attribute to be updated.
801 * @param asyncResp pointer to the JSON response
802 * @param ldapServerElementName Type of LDAP
803 server(openLDAP/ActiveDirectory)
804 */
805
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]806 void handleUserNameAttrPatch(
807 const std::string& userNameAttribute,
808 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
809 const std::string& ldapServerElementName,
810 const std::string& ldapConfigObject)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]811 {
812 crow::connections::systemBus->async_method_call(
813 [asyncResp, userNameAttribute,
814 ldapServerElementName](const boost::system::error_code ec) {
815 if (ec)
816 {
Gunnar Millsc61704a2020-07-08 13:47:06 -0500[diff] [blame]817 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the "
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]818 "username attribute";
819 messages::internalError(asyncResp->res);
820 return;
821 }
822 auto& serverTypeJson =
823 asyncResp->res.jsonValue[ldapServerElementName];
824 auto& searchSettingsJson =
825 serverTypeJson["LDAPService"]["SearchSettings"];
826 searchSettingsJson["UsernameAttribute"] = userNameAttribute;
827 BMCWEB_LOG_DEBUG << "Updated the user name attr.";
828 },
829 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
830 ldapConfigInterface, "UserNameAttribute",
831 std::variant<std::string>(userNameAttribute));
832 }
833 /**
834 * @brief updates the LDAP group attribute and updates the
835 json response with the new value.
836 * @param groupsAttribute attribute to be updated.
837 * @param asyncResp pointer to the JSON response
838 * @param ldapServerElementName Type of LDAP
839 server(openLDAP/ActiveDirectory)
840 */
841
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]842 void handleGroupNameAttrPatch(
843 const std::string& groupsAttribute,
844 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
845 const std::string& ldapServerElementName,
846 const std::string& ldapConfigObject)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]847 {
848 crow::connections::systemBus->async_method_call(
849 [asyncResp, groupsAttribute,
850 ldapServerElementName](const boost::system::error_code ec) {
851 if (ec)
852 {
Gunnar Millsc61704a2020-07-08 13:47:06 -0500[diff] [blame]853 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the "
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]854 "groupname attribute";
855 messages::internalError(asyncResp->res);
856 return;
857 }
858 auto& serverTypeJson =
859 asyncResp->res.jsonValue[ldapServerElementName];
860 auto& searchSettingsJson =
861 serverTypeJson["LDAPService"]["SearchSettings"];
862 searchSettingsJson["GroupsAttribute"] = groupsAttribute;
863 BMCWEB_LOG_DEBUG << "Updated the groupname attr";
864 },
865 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
866 ldapConfigInterface, "GroupNameAttribute",
867 std::variant<std::string>(groupsAttribute));
868 }
869 /**
870 * @brief updates the LDAP service enable and updates the
871 json response with the new value.
872 * @param input JSON data.
873 * @param asyncResp pointer to the JSON response
874 * @param ldapServerElementName Type of LDAP
875 server(openLDAP/ActiveDirectory)
876 */
877
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]878 void handleServiceEnablePatch(
879 bool serviceEnabled,
880 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
881 const std::string& ldapServerElementName,
882 const std::string& ldapConfigObject)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]883 {
884 crow::connections::systemBus->async_method_call(
885 [asyncResp, serviceEnabled,
886 ldapServerElementName](const boost::system::error_code ec) {
887 if (ec)
888 {
889 BMCWEB_LOG_DEBUG
Gunnar Millsc61704a2020-07-08 13:47:06 -0500[diff] [blame]890 << "Error Occurred in Updating the service enable";
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]891 messages::internalError(asyncResp->res);
892 return;
893 }
894 asyncResp->res
895 .jsonValue[ldapServerElementName]["ServiceEnabled"] =
896 serviceEnabled;
897 BMCWEB_LOG_DEBUG << "Updated Service enable = "
898 << serviceEnabled;
899 },
900 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
901 ldapEnableInterface, "Enabled", std::variant<bool>(serviceEnabled));
902 }
903
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]904 void handleAuthMethodsPatch(
905 nlohmann::json& input,
906 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]907 {
908 std::optional<bool> basicAuth;
909 std::optional<bool> cookie;
910 std::optional<bool> sessionToken;
911 std::optional<bool> xToken;
Zbigniew Kurzynski501f1e52019-10-02 11:22:11 +0200[diff] [blame]912 std::optional<bool> tls;
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]913
914 if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth,
915 "Cookie", cookie, "SessionToken", sessionToken,
Zbigniew Kurzynski501f1e52019-10-02 11:22:11 +0200[diff] [blame]916 "XToken", xToken, "TLS", tls))
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]917 {
918 BMCWEB_LOG_ERROR << "Cannot read values from AuthMethod tag";
919 return;
920 }
921
922 // Make a copy of methods configuration
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]923 persistent_data::AuthConfigMethods authMethodsConfig =
924 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]925
926 if (basicAuth)
927 {
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]928#ifndef BMCWEB_ENABLE_BASIC_AUTHENTICATION
929 messages::actionNotSupported(
930 asyncResp->res, "Setting BasicAuth when basic-auth feature "
931 "is disabled");
932 return;
933#endif
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]934 authMethodsConfig.basic = *basicAuth;
935 }
936
937 if (cookie)
938 {
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]939#ifndef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
940 messages::actionNotSupported(
941 asyncResp->res, "Setting Cookie when cookie-auth feature "
942 "is disabled");
943 return;
944#endif
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]945 authMethodsConfig.cookie = *cookie;
946 }
947
948 if (sessionToken)
949 {
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]950#ifndef BMCWEB_ENABLE_SESSION_AUTHENTICATION
951 messages::actionNotSupported(
952 asyncResp->res,
953 "Setting SessionToken when session-auth feature "
954 "is disabled");
955 return;
956#endif
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]957 authMethodsConfig.sessionToken = *sessionToken;
958 }
959
960 if (xToken)
961 {
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]962#ifndef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
963 messages::actionNotSupported(
964 asyncResp->res, "Setting XToken when xtoken-auth feature "
965 "is disabled");
966 return;
967#endif
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]968 authMethodsConfig.xtoken = *xToken;
969 }
970
Zbigniew Kurzynski501f1e52019-10-02 11:22:11 +0200[diff] [blame]971 if (tls)
972 {
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]973#ifndef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
974 messages::actionNotSupported(
975 asyncResp->res, "Setting TLS when mutual-tls-auth feature "
976 "is disabled");
977 return;
978#endif
Zbigniew Kurzynski501f1e52019-10-02 11:22:11 +0200[diff] [blame]979 authMethodsConfig.tls = *tls;
980 }
981
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]982 if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
Zbigniew Kurzynski501f1e52019-10-02 11:22:11 +0200[diff] [blame]983 !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
984 !authMethodsConfig.tls)
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]985 {
986 // Do not allow user to disable everything
987 messages::actionNotSupported(asyncResp->res,
988 "of disabling all available methods");
989 return;
990 }
991
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]992 persistent_data::SessionStore::getInstance().updateAuthMethodsConfig(
993 authMethodsConfig);
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]994 // Save configuration immediately
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]995 persistent_data::getConfig().writeData();
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]996
997 messages::success(asyncResp->res);
998 }
999
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1000 /**
1001 * @brief Get the required values from the given JSON, validates the
1002 * value and create the LDAP config object.
1003 * @param input JSON data
1004 * @param asyncResp pointer to the JSON response
1005 * @param serverType Type of LDAP server(openLDAP/ActiveDirectory)
1006 */
1007
1008 void handleLDAPPatch(nlohmann::json& input,
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]1009 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1010 const std::string& serverType)
1011 {
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1012 std::string dbusObjectPath;
1013 if (serverType == "ActiveDirectory")
1014 {
Ed Tanous2c70f802020-09-28 14:29:23 -0700[diff] [blame]1015 dbusObjectPath = adConfigObject;
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1016 }
1017 else if (serverType == "LDAP")
1018 {
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]1019 dbusObjectPath = ldapConfigObjectName;
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1020 }
Ed Tanouscb13a392020-07-25 19:02:03 +0000[diff] [blame]1021 else
1022 {
1023 return;
1024 }
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1025
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1026 std::optional<nlohmann::json> authentication;
1027 std::optional<nlohmann::json> ldapService;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1028 std::optional<std::vector<std::string>> serviceAddressList;
1029 std::optional<bool> serviceEnabled;
1030 std::optional<std::vector<std::string>> baseDNList;
1031 std::optional<std::string> userNameAttribute;
1032 std::optional<std::string> groupsAttribute;
1033 std::optional<std::string> userName;
1034 std::optional<std::string> password;
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]1035 std::optional<std::vector<nlohmann::json>> remoteRoleMapData;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1036
1037 if (!json_util::readJson(input, asyncResp->res, "Authentication",
1038 authentication, "LDAPService", ldapService,
1039 "ServiceAddresses", serviceAddressList,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]1040 "ServiceEnabled", serviceEnabled,
1041 "RemoteRoleMapping", remoteRoleMapData))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1042 {
1043 return;
1044 }
1045
1046 if (authentication)
1047 {
1048 parseLDAPAuthenticationJson(*authentication, asyncResp, userName,
1049 password);
1050 }
1051 if (ldapService)
1052 {
1053 parseLDAPServiceJson(*ldapService, asyncResp, baseDNList,
1054 userNameAttribute, groupsAttribute);
1055 }
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1056 if (serviceAddressList)
1057 {
1058 if ((*serviceAddressList).size() == 0)
1059 {
1060 messages::propertyValueNotInList(asyncResp->res, "[]",
1061 "ServiceAddress");
1062 return;
1063 }
1064 }
1065 if (baseDNList)
1066 {
1067 if ((*baseDNList).size() == 0)
1068 {
1069 messages::propertyValueNotInList(asyncResp->res, "[]",
1070 "BaseDistinguishedNames");
1071 return;
1072 }
1073 }
1074
1075 // nothing to update, then return
1076 if (!userName && !password && !serviceAddressList && !baseDNList &&
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]1077 !userNameAttribute && !groupsAttribute && !serviceEnabled &&
1078 !remoteRoleMapData)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1079 {
1080 return;
1081 }
1082
1083 // Get the existing resource first then keep modifying
1084 // whenever any property gets updated.
Ed Tanousb5a76932020-09-29 16:16:58 -0700[diff] [blame]1085 getLDAPConfigData(
1086 serverType, [this, asyncResp, userName, password, baseDNList,
1087 userNameAttribute, groupsAttribute, serviceAddressList,
1088 serviceEnabled, dbusObjectPath, remoteRoleMapData](
1089 bool success, const LDAPConfigData& confData,
1090 const std::string& serverT) {
1091 if (!success)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1092 {
Ed Tanousb5a76932020-09-29 16:16:58 -0700[diff] [blame]1093 messages::internalError(asyncResp->res);
1094 return;
1095 }
1096 parseLDAPConfigData(asyncResp->res.jsonValue, confData,
1097 serverT);
1098 if (confData.serviceEnabled)
1099 {
1100 // Disable the service first and update the rest of
1101 // the properties.
1102 handleServiceEnablePatch(false, asyncResp, serverT,
1103 dbusObjectPath);
1104 }
1105
1106 if (serviceAddressList)
1107 {
1108 handleServiceAddressPatch(*serviceAddressList, asyncResp,
1109 serverT, dbusObjectPath);
1110 }
1111 if (userName)
1112 {
1113 handleUserNamePatch(*userName, asyncResp, serverT,
1114 dbusObjectPath);
1115 }
1116 if (password)
1117 {
1118 handlePasswordPatch(*password, asyncResp, serverT,
1119 dbusObjectPath);
1120 }
1121
1122 if (baseDNList)
1123 {
1124 handleBaseDNPatch(*baseDNList, asyncResp, serverT,
1125 dbusObjectPath);
1126 }
1127 if (userNameAttribute)
1128 {
1129 handleUserNameAttrPatch(*userNameAttribute, asyncResp,
1130 serverT, dbusObjectPath);
1131 }
1132 if (groupsAttribute)
1133 {
1134 handleGroupNameAttrPatch(*groupsAttribute, asyncResp,
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]1135 serverT, dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1136 }
Ed Tanousb5a76932020-09-29 16:16:58 -0700[diff] [blame]1137 if (serviceEnabled)
1138 {
1139 // if user has given the value as true then enable
1140 // the service. if user has given false then no-op
1141 // as service is already stopped.
1142 if (*serviceEnabled)
1143 {
1144 handleServiceEnablePatch(*serviceEnabled, asyncResp,
1145 serverT, dbusObjectPath);
1146 }
1147 }
1148 else
1149 {
1150 // if user has not given the service enabled value
1151 // then revert it to the same state as it was
1152 // before.
1153 handleServiceEnablePatch(confData.serviceEnabled, asyncResp,
1154 serverT, dbusObjectPath);
1155 }
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]1156
Ed Tanousb5a76932020-09-29 16:16:58 -0700[diff] [blame]1157 if (remoteRoleMapData)
1158 {
Ed Tanousb5a76932020-09-29 16:16:58 -0700[diff] [blame]1159 handleRoleMapPatch(asyncResp, confData.groupRoleList,
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]1160 serverT, *remoteRoleMapData);
Ed Tanousb5a76932020-09-29 16:16:58 -0700[diff] [blame]1161 }
1162 });
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1163 }
Ed Tanousd4b54432019-07-17 22:51:55 +0000[diff] [blame]1164
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]1165 void doGet(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1166 const crow::Request&, const std::vector<std::string>&) override
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]1167 {
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]1168 const persistent_data::AuthConfigMethods& authMethodsConfig =
1169 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1170
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]1171 asyncResp->res.jsonValue = {
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1172 {"@odata.id", "/redfish/v1/AccountService"},
1173 {"@odata.type", "#AccountService."
Gunnar Millsba9dd4a2020-02-20 10:40:18 -0600[diff] [blame]1174 "v1_5_0.AccountService"},
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1175 {"Id", "AccountService"},
1176 {"Name", "Account Service"},
1177 {"Description", "Account Service"},
1178 {"ServiceEnabled", true},
AppaRao Puli343ff2e2019-03-24 00:42:13 +0530[diff] [blame]1179 {"MaxPasswordLength", 20},
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1180 {"Accounts",
1181 {{"@odata.id", "/redfish/v1/AccountService/Accounts"}}},
Marri Devender Rao37cce912019-02-20 01:05:22 -0600[diff] [blame]1182 {"Roles", {{"@odata.id", "/redfish/v1/AccountService/Roles"}}},
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1183 {"Oem",
1184 {{"OpenBMC",
1185 {{"@odata.type", "#OemAccountService.v1_0_0.AccountService"},
1186 {"AuthMethods",
1187 {
1188 {"BasicAuth", authMethodsConfig.basic},
1189 {"SessionToken", authMethodsConfig.sessionToken},
1190 {"XToken", authMethodsConfig.xtoken},
1191 {"Cookie", authMethodsConfig.cookie},
Zbigniew Kurzynski501f1e52019-10-02 11:22:11 +0200[diff] [blame]1192 {"TLS", authMethodsConfig.tls},
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1193 }}}}}},
Marri Devender Rao37cce912019-02-20 01:05:22 -0600[diff] [blame]1194 {"LDAP",
1195 {{"Certificates",
1196 {{"@odata.id",
1197 "/redfish/v1/AccountService/LDAP/Certificates"}}}}}};
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1198 crow::connections::systemBus->async_method_call(
1199 [asyncResp](
1200 const boost::system::error_code ec,
1201 const std::vector<std::pair<
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1202 std::string, std::variant<uint32_t, uint16_t, uint8_t>>>&
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1203 propertiesList) {
1204 if (ec)
1205 {
1206 messages::internalError(asyncResp->res);
1207 return;
1208 }
1209 BMCWEB_LOG_DEBUG << "Got " << propertiesList.size()
1210 << "properties for AccountService";
1211 for (const std::pair<std::string,
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1212 std::variant<uint32_t, uint16_t, uint8_t>>&
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1213 property : propertiesList)
1214 {
1215 if (property.first == "MinPasswordLength")
1216 {
1217 const uint8_t* value =
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1218 std::get_if<uint8_t>(&property.second);
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1219 if (value != nullptr)
1220 {
1221 asyncResp->res.jsonValue["MinPasswordLength"] =
1222 *value;
1223 }
1224 }
1225 if (property.first == "AccountUnlockTimeout")
1226 {
1227 const uint32_t* value =
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1228 std::get_if<uint32_t>(&property.second);
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1229 if (value != nullptr)
1230 {
1231 asyncResp->res.jsonValue["AccountLockoutDuration"] =
1232 *value;
1233 }
1234 }
1235 if (property.first == "MaxLoginAttemptBeforeLockout")
1236 {
1237 const uint16_t* value =
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1238 std::get_if<uint16_t>(&property.second);
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1239 if (value != nullptr)
1240 {
1241 asyncResp->res
1242 .jsonValue["AccountLockoutThreshold"] = *value;
1243 }
1244 }
1245 }
1246 },
1247 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1248 "org.freedesktop.DBus.Properties", "GetAll",
1249 "xyz.openbmc_project.User.AccountPolicy");
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]1250
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]1251 auto callback = [asyncResp](bool success, LDAPConfigData& confData,
1252 const std::string& ldapType) {
Ed Tanouscb13a392020-07-25 19:02:03 +0000[diff] [blame]1253 if (!success)
1254 {
1255 return;
1256 }
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]1257 parseLDAPConfigData(asyncResp->res.jsonValue, confData, ldapType);
1258 };
1259
1260 getLDAPConfigData("LDAP", callback);
1261 getLDAPConfigData("ActiveDirectory", callback);
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1262 }
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]1263
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]1264 void doPatch(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1265 const crow::Request& req,
Ed Tanouscb13a392020-07-25 19:02:03 +0000[diff] [blame]1266 const std::vector<std::string>&) override
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1267 {
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1268 std::optional<uint32_t> unlockTimeout;
1269 std::optional<uint16_t> lockoutThreshold;
Ratan Gupta19fb6e72019-03-04 13:30:50 +0530[diff] [blame]1270 std::optional<uint16_t> minPasswordLength;
1271 std::optional<uint16_t> maxPasswordLength;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1272 std::optional<nlohmann::json> ldapObject;
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1273 std::optional<nlohmann::json> activeDirectoryObject;
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1274 std::optional<nlohmann::json> oemObject;
Ratan Gupta19fb6e72019-03-04 13:30:50 +0530[diff] [blame]1275
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1276 if (!json_util::readJson(
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]1277 req, asyncResp->res, "AccountLockoutDuration", unlockTimeout,
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1278 "AccountLockoutThreshold", lockoutThreshold,
1279 "MaxPasswordLength", maxPasswordLength, "MinPasswordLength",
1280 minPasswordLength, "LDAP", ldapObject, "ActiveDirectory",
1281 activeDirectoryObject, "Oem", oemObject))
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1282 {
1283 return;
1284 }
Ratan Gupta19fb6e72019-03-04 13:30:50 +0530[diff] [blame]1285
1286 if (minPasswordLength)
1287 {
1288 messages::propertyNotWritable(asyncResp->res, "MinPasswordLength");
1289 }
1290
1291 if (maxPasswordLength)
1292 {
1293 messages::propertyNotWritable(asyncResp->res, "MaxPasswordLength");
1294 }
1295
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1296 if (ldapObject)
1297 {
Ed Tanouscb13a392020-07-25 19:02:03 +0000[diff] [blame]1298 handleLDAPPatch(*ldapObject, asyncResp, "LDAP");
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1299 }
1300
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1301 if (std::optional<nlohmann::json> oemOpenBMCObject;
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]1302 oemObject && json_util::readJson(*oemObject, asyncResp->res,
1303 "OpenBMC", oemOpenBMCObject))
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1304 {
1305 if (std::optional<nlohmann::json> authMethodsObject;
1306 oemOpenBMCObject &&
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]1307 json_util::readJson(*oemOpenBMCObject, asyncResp->res,
1308 "AuthMethods", authMethodsObject))
Zbigniew Kurzynski78158632019-11-05 12:57:37 +0100[diff] [blame]1309 {
1310 if (authMethodsObject)
1311 {
1312 handleAuthMethodsPatch(*authMethodsObject, asyncResp);
1313 }
1314 }
1315 }
1316
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1317 if (activeDirectoryObject)
1318 {
Ed Tanouscb13a392020-07-25 19:02:03 +0000[diff] [blame]1319 handleLDAPPatch(*activeDirectoryObject, asyncResp,
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1320 "ActiveDirectory");
1321 }
1322
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1323 if (unlockTimeout)
1324 {
1325 crow::connections::systemBus->async_method_call(
1326 [asyncResp](const boost::system::error_code ec) {
1327 if (ec)
1328 {
1329 messages::internalError(asyncResp->res);
1330 return;
1331 }
Ratan Guptaadd61332019-02-13 20:49:16 +0530[diff] [blame]1332 messages::success(asyncResp->res);
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1333 },
1334 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1335 "org.freedesktop.DBus.Properties", "Set",
1336 "xyz.openbmc_project.User.AccountPolicy",
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1337 "AccountUnlockTimeout", std::variant<uint32_t>(*unlockTimeout));
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1338 }
1339 if (lockoutThreshold)
1340 {
1341 crow::connections::systemBus->async_method_call(
1342 [asyncResp](const boost::system::error_code ec) {
1343 if (ec)
1344 {
1345 messages::internalError(asyncResp->res);
1346 return;
1347 }
Ratan Guptaadd61332019-02-13 20:49:16 +0530[diff] [blame]1348 messages::success(asyncResp->res);
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1349 },
1350 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1351 "org.freedesktop.DBus.Properties", "Set",
1352 "xyz.openbmc_project.User.AccountPolicy",
1353 "MaxLoginAttemptBeforeLockout",
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1354 std::variant<uint16_t>(*lockoutThreshold));
AppaRao Puli3d958bb2018-12-25 12:45:54 +0530[diff] [blame]1355 }
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]1356 }
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]1357};
Tanousf00032d2018-11-05 01:18:10 -0300[diff] [blame]1358
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1359class AccountsCollection : public Node
1360{
1361 public:
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]1362 AccountsCollection(App& app) :
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1363 Node(app, "/redfish/v1/AccountService/Accounts/")
1364 {
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1365 entityPrivileges = {
Gunnar Millsf3659102020-01-29 16:23:28 -0600[diff] [blame]1366 // According to the PrivilegeRegistry, GET should actually be
1367 // "Login". A "Login" only privilege would return an empty "Members"
1368 // list. Not going to worry about this since none of the defined
1369 // roles are just "Login". E.g. Readonly is {"Login",
1370 // "ConfigureSelf"}. In the rare event anyone defines a role that
1371 // has Login but not ConfigureSelf, implement this.
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1372 {boost::beast::http::verb::get,
Gunnar Millsf3659102020-01-29 16:23:28 -0600[diff] [blame]1373 {{"ConfigureUsers"}, {"ConfigureSelf"}}},
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1374 {boost::beast::http::verb::head, {{"Login"}}},
1375 {boost::beast::http::verb::patch, {{"ConfigureUsers"}}},
1376 {boost::beast::http::verb::put, {{"ConfigureUsers"}}},
1377 {boost::beast::http::verb::delete_, {{"ConfigureUsers"}}},
1378 {boost::beast::http::verb::post, {{"ConfigureUsers"}}}};
1379 }
1380
1381 private:
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]1382 void doGet(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1383 const crow::Request& req,
Ed Tanouscb13a392020-07-25 19:02:03 +0000[diff] [blame]1384 const std::vector<std::string>&) override
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1385 {
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]1386 asyncResp->res.jsonValue = {
1387 {"@odata.id", "/redfish/v1/AccountService/Accounts"},
1388 {"@odata.type", "#ManagerAccountCollection."
1389 "ManagerAccountCollection"},
1390 {"Name", "Accounts Collection"},
1391 {"Description", "BMC User Accounts"}};
Ed Tanous0f74e642018-11-12 15:17:05 -0800[diff] [blame]1392
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1393 crow::connections::systemBus->async_method_call(
Gunnar Millsf3659102020-01-29 16:23:28 -0600[diff] [blame]1394 [asyncResp, &req, this](const boost::system::error_code ec,
1395 const ManagedObjectType& users) {
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1396 if (ec)
1397 {
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1398 messages::internalError(asyncResp->res);
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1399 return;
1400 }
1401
1402 nlohmann::json& memberArray =
1403 asyncResp->res.jsonValue["Members"];
1404 memberArray = nlohmann::json::array();
1405
Ed Tanous2dfd18e2020-12-18 00:41:31 +0000[diff] [blame]1406 for (auto& userpath : users)
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1407 {
Ed Tanous2dfd18e2020-12-18 00:41:31 +0000[diff] [blame]1408 std::string user = userpath.first.filename();
1409 if (user.empty())
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1410 {
Ed Tanous2dfd18e2020-12-18 00:41:31 +0000[diff] [blame]1411 messages::internalError(asyncResp->res);
1412 BMCWEB_LOG_ERROR << "Invalid firmware ID";
1413
1414 return;
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1415 }
Gunnar Millsf3659102020-01-29 16:23:28 -0600[diff] [blame]1416
1417 // As clarified by Redfish here:
1418 // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration
1419 // Users without ConfigureUsers, only see their own account.
1420 // Users with ConfigureUsers, see all accounts.
Ed Tanous2dfd18e2020-12-18 00:41:31 +0000[diff] [blame]1421 if (req.session->username == user ||
Gunnar Millsf3659102020-01-29 16:23:28 -0600[diff] [blame]1422 isAllowedWithoutConfigureSelf(req))
1423 {
1424 memberArray.push_back(
1425 {{"@odata.id",
Ed Tanous2dfd18e2020-12-18 00:41:31 +0000[diff] [blame]1426 "/redfish/v1/AccountService/Accounts/" + user}});
Gunnar Millsf3659102020-01-29 16:23:28 -0600[diff] [blame]1427 }
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1428 }
Gunnar Millsf3659102020-01-29 16:23:28 -0600[diff] [blame]1429 asyncResp->res.jsonValue["Members@odata.count"] =
1430 memberArray.size();
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1431 },
1432 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1433 "org.freedesktop.DBus.ObjectManager", "GetManagedObjects");
1434 }
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]1435 void doPost(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1436 const crow::Request& req,
Ed Tanouscb13a392020-07-25 19:02:03 +0000[diff] [blame]1437 const std::vector<std::string>&) override
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1438 {
Ed Tanous9712f8a2018-09-21 13:38:49 -0700[diff] [blame]1439 std::string username;
1440 std::string password;
Ed Tanousa24526d2018-12-10 15:17:59 -0800[diff] [blame]1441 std::optional<std::string> roleId("User");
1442 std::optional<bool> enabled = true;
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]1443 if (!json_util::readJson(req, asyncResp->res, "UserName", username,
1444 "Password", password, "RoleId", roleId,
1445 "Enabled", enabled))
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1446 {
1447 return;
1448 }
1449
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1450 std::string priv = getPrivilegeFromRoleId(*roleId);
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1451 if (priv.empty())
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1452 {
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1453 messages::propertyValueNotInList(asyncResp->res, *roleId, "RoleId");
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1454 return;
1455 }
jayaprakash Mutyala96200602020-04-08 11:09:10 +0000[diff] [blame]1456 // TODO: Following override will be reverted once support in
1457 // phosphor-user-manager is added. In order to avoid dependency issues,
1458 // this is added in bmcweb, which will removed, once
1459 // phosphor-user-manager supports priv-noaccess.
1460 if (priv == "priv-noaccess")
1461 {
1462 roleId = "";
1463 }
1464 else
1465 {
1466 roleId = priv;
1467 }
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1468
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1469 // Reading AllGroups property
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1470 crow::connections::systemBus->async_method_call(
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1471 [asyncResp, username, password{std::move(password)}, roleId,
1472 enabled](const boost::system::error_code ec,
1473 const std::variant<std::vector<std::string>>& allGroups) {
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1474 if (ec)
1475 {
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1476 BMCWEB_LOG_DEBUG << "ERROR with async_method_call";
1477 messages::internalError(asyncResp->res);
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1478 return;
1479 }
1480
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1481 const std::vector<std::string>* allGroupsList =
1482 std::get_if<std::vector<std::string>>(&allGroups);
1483
1484 if (allGroupsList == nullptr || allGroupsList->empty())
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1485 {
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1486 messages::internalError(asyncResp->res);
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1487 return;
1488 }
1489
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1490 crow::connections::systemBus->async_method_call(
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]1491 [asyncResp, username,
1492 password](const boost::system::error_code ec2,
1493 sdbusplus::message::message& m) {
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]1494 if (ec2)
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1495 {
anil kumar appana0d4197e2019-06-13 15:06:23 +0000[diff] [blame]1496 userErrorMessageHandler(m.get_error(), asyncResp,
1497 username, "");
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1498 return;
1499 }
1500
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1501 if (pamUpdatePassword(username, password) !=
1502 PAM_SUCCESS)
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1503 {
1504 // At this point we have a user that's been created,
1505 // but the password set failed.Something is wrong,
1506 // so delete the user that we've already created
1507 crow::connections::systemBus->async_method_call(
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]1508 [asyncResp, password](
1509 const boost::system::error_code ec3) {
1510 if (ec3)
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1511 {
1512 messages::internalError(asyncResp->res);
1513 return;
1514 }
1515
anil kumar appana0d4197e2019-06-13 15:06:23 +0000[diff] [blame]1516 // If password is invalid
1517 messages::propertyValueFormatError(
1518 asyncResp->res, password, "Password");
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1519 },
1520 "xyz.openbmc_project.User.Manager",
1521 "/xyz/openbmc_project/user/" + username,
1522 "xyz.openbmc_project.Object.Delete", "Delete");
1523
1524 BMCWEB_LOG_ERROR << "pamUpdatePassword Failed";
1525 return;
1526 }
1527
1528 messages::created(asyncResp->res);
1529 asyncResp->res.addHeader(
1530 "Location",
1531 "/redfish/v1/AccountService/Accounts/" + username);
1532 },
1533 "xyz.openbmc_project.User.Manager",
1534 "/xyz/openbmc_project/user",
1535 "xyz.openbmc_project.User.Manager", "CreateUser", username,
1536 *allGroupsList, *roleId, *enabled);
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1537 },
1538 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1539 "org.freedesktop.DBus.Properties", "Get",
1540 "xyz.openbmc_project.User.Manager", "AllGroups");
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1541 }
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1542};
1543
1544class ManagerAccount : public Node
1545{
1546 public:
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]1547 ManagerAccount(App& app) :
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1548 Node(app, "/redfish/v1/AccountService/Accounts/<str>/", std::string())
1549 {
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1550 entityPrivileges = {
1551 {boost::beast::http::verb::get,
1552 {{"ConfigureUsers"}, {"ConfigureManager"}, {"ConfigureSelf"}}},
1553 {boost::beast::http::verb::head, {{"Login"}}},
Joseph Reynolds900f9492019-11-25 15:37:29 -0600[diff] [blame]1554 {boost::beast::http::verb::patch,
1555 {{"ConfigureUsers"}, {"ConfigureSelf"}}},
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1556 {boost::beast::http::verb::put, {{"ConfigureUsers"}}},
1557 {boost::beast::http::verb::delete_, {{"ConfigureUsers"}}},
1558 {boost::beast::http::verb::post, {{"ConfigureUsers"}}}};
1559 }
1560
1561 private:
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]1562 void doGet(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1563 const crow::Request& req,
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1564 const std::vector<std::string>& params) override
1565 {
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1566 if (params.size() != 1)
1567 {
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1568 messages::internalError(asyncResp->res);
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1569 return;
1570 }
1571
Joseph Reynolds900f9492019-11-25 15:37:29 -0600[diff] [blame]1572 // Perform a proper ConfigureSelf authority check. If the
1573 // user is operating on an account not their own, then their
1574 // ConfigureSelf privilege does not apply. In this case,
1575 // perform the authority check again without the user's
1576 // ConfigureSelf privilege.
1577 if (req.session->username != params[0])
1578 {
1579 if (!isAllowedWithoutConfigureSelf(req))
1580 {
1581 BMCWEB_LOG_DEBUG << "GET Account denied access";
1582 messages::insufficientPrivilege(asyncResp->res);
1583 return;
1584 }
1585 }
1586
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1587 crow::connections::systemBus->async_method_call(
1588 [asyncResp, accountName{std::string(params[0])}](
1589 const boost::system::error_code ec,
1590 const ManagedObjectType& users) {
1591 if (ec)
1592 {
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1593 messages::internalError(asyncResp->res);
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1594 return;
1595 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1596 auto userIt = users.begin();
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1597
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1598 for (; userIt != users.end(); userIt++)
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1599 {
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1600 if (boost::ends_with(userIt->first.str, "/" + accountName))
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1601 {
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1602 break;
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1603 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1604 }
1605 if (userIt == users.end())
1606 {
1607 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1608 accountName);
1609 return;
1610 }
Ayushi Smriti4e68c452019-09-04 14:37:55 +0530[diff] [blame]1611
1612 asyncResp->res.jsonValue = {
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]1613 {"@odata.type", "#ManagerAccount.v1_4_0.ManagerAccount"},
Ayushi Smriti4e68c452019-09-04 14:37:55 +0530[diff] [blame]1614 {"Name", "User Account"},
1615 {"Description", "User Account"},
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]1616 {"Password", nullptr},
1617 {"AccountTypes", {"Redfish"}}};
Ayushi Smriti4e68c452019-09-04 14:37:55 +0530[diff] [blame]1618
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1619 for (const auto& interface : userIt->second)
1620 {
1621 if (interface.first ==
1622 "xyz.openbmc_project.User.Attributes")
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1623 {
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1624 for (const auto& property : interface.second)
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]1625 {
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1626 if (property.first == "UserEnabled")
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]1627 {
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1628 const bool* userEnabled =
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1629 std::get_if<bool>(&property.second);
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1630 if (userEnabled == nullptr)
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]1631 {
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1632 BMCWEB_LOG_ERROR
1633 << "UserEnabled wasn't a bool";
1634 messages::internalError(asyncResp->res);
1635 return;
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]1636 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1637 asyncResp->res.jsonValue["Enabled"] =
1638 *userEnabled;
1639 }
1640 else if (property.first ==
1641 "UserLockedForFailedAttempt")
1642 {
1643 const bool* userLocked =
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1644 std::get_if<bool>(&property.second);
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1645 if (userLocked == nullptr)
1646 {
1647 BMCWEB_LOG_ERROR << "UserLockedForF"
1648 "ailedAttempt "
1649 "wasn't a bool";
1650 messages::internalError(asyncResp->res);
1651 return;
1652 }
1653 asyncResp->res.jsonValue["Locked"] =
1654 *userLocked;
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1655 asyncResp->res.jsonValue
1656 ["Locked@Redfish.AllowableValues"] = {
Joseph Reynolds3bf4e632020-02-06 14:44:32 -0600[diff] [blame]1657 "false"}; // can only unlock accounts
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1658 }
1659 else if (property.first == "UserPrivilege")
1660 {
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1661 const std::string* userPrivPtr =
Ed Tanousabf2add2019-01-22 16:40:12 -0800[diff] [blame]1662 std::get_if<std::string>(&property.second);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1663 if (userPrivPtr == nullptr)
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1664 {
1665 BMCWEB_LOG_ERROR
1666 << "UserPrivilege wasn't a "
1667 "string";
1668 messages::internalError(asyncResp->res);
1669 return;
1670 }
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1671 std::string role =
1672 getRoleIdFromPrivilege(*userPrivPtr);
1673 if (role.empty())
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1674 {
1675 BMCWEB_LOG_ERROR << "Invalid user role";
1676 messages::internalError(asyncResp->res);
1677 return;
1678 }
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1679 asyncResp->res.jsonValue["RoleId"] = role;
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1680
1681 asyncResp->res.jsonValue["Links"]["Role"] = {
1682 {"@odata.id", "/redfish/v1/AccountService/"
1683 "Roles/" +
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1684 role}};
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]1685 }
Joseph Reynolds3bf4e632020-02-06 14:44:32 -0600[diff] [blame]1686 else if (property.first == "UserPasswordExpired")
1687 {
1688 const bool* userPasswordExpired =
1689 std::get_if<bool>(&property.second);
1690 if (userPasswordExpired == nullptr)
1691 {
1692 BMCWEB_LOG_ERROR << "UserPassword"
1693 "Expired "
1694 "wasn't a bool";
1695 messages::internalError(asyncResp->res);
1696 return;
1697 }
1698 asyncResp->res
1699 .jsonValue["PasswordChangeRequired"] =
1700 *userPasswordExpired;
1701 }
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]1702 }
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1703 }
1704 }
1705
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1706 asyncResp->res.jsonValue["@odata.id"] =
1707 "/redfish/v1/AccountService/Accounts/" + accountName;
1708 asyncResp->res.jsonValue["Id"] = accountName;
1709 asyncResp->res.jsonValue["UserName"] = accountName;
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1710 },
1711 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1712 "org.freedesktop.DBus.ObjectManager", "GetManagedObjects");
1713 }
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]1714
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]1715 void doPatch(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1716 const crow::Request& req,
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]1717 const std::vector<std::string>& params) override
1718 {
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]1719
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]1720 if (params.size() != 1)
1721 {
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1722 messages::internalError(asyncResp->res);
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]1723 return;
1724 }
1725
Ed Tanousa24526d2018-12-10 15:17:59 -0800[diff] [blame]1726 std::optional<std::string> newUserName;
1727 std::optional<std::string> password;
1728 std::optional<bool> enabled;
1729 std::optional<std::string> roleId;
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1730 std::optional<bool> locked;
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]1731 if (!json_util::readJson(req, asyncResp->res, "UserName", newUserName,
1732 "Password", password, "RoleId", roleId,
1733 "Enabled", enabled, "Locked", locked))
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]1734 {
1735 return;
1736 }
1737
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1738 const std::string& username = params[0];
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]1739
Joseph Reynolds900f9492019-11-25 15:37:29 -0600[diff] [blame]1740 // Perform a proper ConfigureSelf authority check. If the
1741 // session is being used to PATCH a property other than
1742 // Password, then the ConfigureSelf privilege does not apply.
1743 // If the user is operating on an account not their own, then
1744 // their ConfigureSelf privilege does not apply. In either
1745 // case, perform the authority check again without the user's
1746 // ConfigureSelf privilege.
1747 if ((username != req.session->username) ||
1748 (newUserName || enabled || roleId || locked))
1749 {
1750 if (!isAllowedWithoutConfigureSelf(req))
1751 {
1752 BMCWEB_LOG_WARNING << "PATCH Password denied access";
1753 asyncResp->res.clear();
1754 messages::insufficientPrivilege(asyncResp->res);
1755 return;
1756 }
1757 }
1758
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1759 // if user name is not provided in the patch method or if it
1760 // matches the user name in the URI, then we are treating it as updating
1761 // user properties other then username. If username provided doesn't
1762 // match the URI, then we are treating this as user rename request.
1763 if (!newUserName || (newUserName.value() == username))
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1764 {
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1765 updateUserProperties(asyncResp, username, password, enabled, roleId,
1766 locked);
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1767 return;
1768 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]1769 crow::connections::systemBus->async_method_call(
1770 [this, asyncResp, username, password(std::move(password)),
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]1771 roleId(std::move(roleId)), enabled,
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]1772 newUser{std::string(*newUserName)},
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]1773 locked](const boost::system::error_code ec,
1774 sdbusplus::message::message& m) {
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]1775 if (ec)
1776 {
1777 userErrorMessageHandler(m.get_error(), asyncResp, newUser,
1778 username);
1779 return;
1780 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1781
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]1782 updateUserProperties(asyncResp, newUser, password, enabled,
1783 roleId, locked);
1784 },
1785 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1786 "xyz.openbmc_project.User.Manager", "RenameUser", username,
1787 *newUserName);
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1788 }
1789
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]1790 void updateUserProperties(std::shared_ptr<bmcweb::AsyncResp> asyncResp,
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1791 const std::string& username,
Ed Tanousa24526d2018-12-10 15:17:59 -0800[diff] [blame]1792 std::optional<std::string> password,
1793 std::optional<bool> enabled,
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1794 std::optional<std::string> roleId,
1795 std::optional<bool> locked)
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1796 {
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1797 std::string dbusObjectPath = "/xyz/openbmc_project/user/" + username;
1798 dbus::utility::escapePathForDbus(dbusObjectPath);
1799
Ratan Gupta22c33712019-05-03 21:50:28 +0530[diff] [blame]1800 dbus::utility::checkDbusPathExists(
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1801 dbusObjectPath,
1802 [dbusObjectPath(std::move(dbusObjectPath)), username,
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]1803 password(std::move(password)), roleId(std::move(roleId)), enabled,
1804 locked, asyncResp{std::move(asyncResp)}](int rc) {
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1805 if (!rc)
1806 {
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1807 messages::resourceNotFound(
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]1808 asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1809 username);
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1810 return;
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1811 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1812
1813 if (password)
1814 {
1815 int retval = pamUpdatePassword(username, *password);
1816
1817 if (retval == PAM_USER_UNKNOWN)
1818 {
1819 messages::resourceNotFound(
1820 asyncResp->res,
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]1821 "#ManagerAccount.v1_4_0.ManagerAccount", username);
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1822 }
1823 else if (retval == PAM_AUTHTOK_ERR)
1824 {
1825 // If password is invalid
1826 messages::propertyValueFormatError(
1827 asyncResp->res, *password, "Password");
1828 BMCWEB_LOG_ERROR << "pamUpdatePassword Failed";
1829 }
1830 else if (retval != PAM_SUCCESS)
1831 {
1832 messages::internalError(asyncResp->res);
1833 return;
1834 }
1835 }
1836
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1837 if (enabled)
1838 {
1839 crow::connections::systemBus->async_method_call(
1840 [asyncResp](const boost::system::error_code ec) {
1841 if (ec)
1842 {
1843 BMCWEB_LOG_ERROR << "D-Bus responses error: "
1844 << ec;
1845 messages::internalError(asyncResp->res);
1846 return;
1847 }
1848 messages::success(asyncResp->res);
1849 return;
1850 },
1851 "xyz.openbmc_project.User.Manager",
1852 dbusObjectPath.c_str(),
1853 "org.freedesktop.DBus.Properties", "Set",
1854 "xyz.openbmc_project.User.Attributes", "UserEnabled",
1855 std::variant<bool>{*enabled});
1856 }
Ed Tanous9712f8a2018-09-21 13:38:49 -0700[diff] [blame]1857
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1858 if (roleId)
1859 {
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1860 std::string priv = getPrivilegeFromRoleId(*roleId);
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1861 if (priv.empty())
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1862 {
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1863 messages::propertyValueNotInList(asyncResp->res,
1864 *roleId, "RoleId");
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1865 return;
1866 }
jayaprakash Mutyala96200602020-04-08 11:09:10 +0000[diff] [blame]1867 if (priv == "priv-noaccess")
1868 {
1869 priv = "";
1870 }
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1871
1872 crow::connections::systemBus->async_method_call(
1873 [asyncResp](const boost::system::error_code ec) {
1874 if (ec)
1875 {
1876 BMCWEB_LOG_ERROR << "D-Bus responses error: "
1877 << ec;
1878 messages::internalError(asyncResp->res);
1879 return;
1880 }
1881 messages::success(asyncResp->res);
1882 },
1883 "xyz.openbmc_project.User.Manager",
1884 dbusObjectPath.c_str(),
1885 "org.freedesktop.DBus.Properties", "Set",
1886 "xyz.openbmc_project.User.Attributes", "UserPrivilege",
1887 std::variant<std::string>{priv});
1888 }
1889
1890 if (locked)
1891 {
1892 // admin can unlock the account which is locked by
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]1893 // successive authentication failures but admin should
1894 // not be allowed to lock an account.
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1895 if (*locked)
1896 {
1897 messages::propertyValueNotInList(asyncResp->res, "true",
1898 "Locked");
1899 return;
1900 }
1901
1902 crow::connections::systemBus->async_method_call(
1903 [asyncResp](const boost::system::error_code ec) {
1904 if (ec)
1905 {
1906 BMCWEB_LOG_ERROR << "D-Bus responses error: "
1907 << ec;
1908 messages::internalError(asyncResp->res);
1909 return;
1910 }
1911 messages::success(asyncResp->res);
1912 return;
1913 },
1914 "xyz.openbmc_project.User.Manager",
1915 dbusObjectPath.c_str(),
1916 "org.freedesktop.DBus.Properties", "Set",
1917 "xyz.openbmc_project.User.Attributes",
1918 "UserLockedForFailedAttempt",
Patrick Williams19bd78d2020-05-13 17:38:24 -0500[diff] [blame]1919 std::variant<bool>{*locked});
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1920 }
1921 });
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]1922 }
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1923
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]1924 void doDelete(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1925 const crow::Request&,
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1926 const std::vector<std::string>& params) override
1927 {
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1928
1929 if (params.size() != 1)
1930 {
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1931 messages::internalError(asyncResp->res);
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1932 return;
1933 }
1934
1935 const std::string userPath = "/xyz/openbmc_project/user/" + params[0];
1936
1937 crow::connections::systemBus->async_method_call(
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]1938 [asyncResp,
1939 username{params[0]}](const boost::system::error_code ec) {
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1940 if (ec)
1941 {
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1942 messages::resourceNotFound(
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]1943 asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1944 username);
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1945 return;
1946 }
1947
Jason M. Billsf12894f2018-10-09 12:45:45 -0700[diff] [blame]1948 messages::accountRemoved(asyncResp->res);
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1949 },
1950 "xyz.openbmc_project.User.Manager", userPath,
1951 "xyz.openbmc_project.Object.Delete", "Delete");
1952 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]1953};
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]1954
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]1955} // namespace redfish