blob: 364d5e2989fb78962a36e584130ac7063b22ca08 [file] [log] [blame]
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +01001/*
2// Copyright (c) 2018 Intel Corporation
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15*/
16#pragma once
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +010017
John Edward Broadbent7e860f12021-04-08 15:57:16 -070018#include <app.hpp>
Ratan Gupta24c85422019-01-30 19:41:24 +053019#include <dbus_utility.hpp>
Ed Tanous65b0dc32018-09-19 16:04:03 -070020#include <error_messages.hpp>
Ed Tanousb9b2e0b2018-09-13 13:47:50 -070021#include <openbmc_dbus_rest.hpp>
Ed Tanous52cc1122020-07-18 13:51:21 -070022#include <persistent_data.hpp>
Ed Tanousa8408792018-09-05 16:08:38 -070023#include <utils/json_utils.hpp>
Gunnar Mills1214b7e2020-06-04 10:11:30 -050024
Ed Tanousabf2add2019-01-22 16:40:12 -080025#include <variant>
Ed Tanousb9b2e0b2018-09-13 13:47:50 -070026
Ed Tanous1abe55e2018-09-05 08:30:59 -070027namespace redfish
28{
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +010029
Ed Tanous23a21a12020-07-25 04:45:05 +000030constexpr const char* ldapConfigObjectName =
Ratan Gupta6973a582018-12-13 18:25:44 +053031 "/xyz/openbmc_project/user/ldap/openldap";
Ed Tanous2c70f802020-09-28 14:29:23 -070032constexpr const char* adConfigObject =
Ratan Guptaab828d72019-04-22 14:18:33 +053033 "/xyz/openbmc_project/user/ldap/active_directory";
34
Ratan Gupta6973a582018-12-13 18:25:44 +053035constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap";
36constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config";
37constexpr const char* ldapConfigInterface =
38 "xyz.openbmc_project.User.Ldap.Config";
39constexpr const char* ldapCreateInterface =
40 "xyz.openbmc_project.User.Ldap.Create";
41constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable";
Ratan Gupta06785242019-07-26 22:30:16 +053042constexpr const char* ldapPrivMapperInterface =
43 "xyz.openbmc_project.User.PrivilegeMapper";
Ratan Gupta6973a582018-12-13 18:25:44 +053044constexpr const char* dbusObjManagerIntf = "org.freedesktop.DBus.ObjectManager";
45constexpr const char* propertyInterface = "org.freedesktop.DBus.Properties";
46constexpr const char* mapperBusName = "xyz.openbmc_project.ObjectMapper";
47constexpr const char* mapperObjectPath = "/xyz/openbmc_project/object_mapper";
48constexpr const char* mapperIntf = "xyz.openbmc_project.ObjectMapper";
49
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060050struct LDAPRoleMapData
51{
52 std::string groupName;
53 std::string privilege;
54};
55
Ratan Gupta6973a582018-12-13 18:25:44 +053056struct LDAPConfigData
57{
58 std::string uri{};
59 std::string bindDN{};
60 std::string baseDN{};
61 std::string searchScope{};
62 std::string serverType{};
63 bool serviceEnabled = false;
64 std::string userNameAttribute{};
65 std::string groupAttribute{};
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060066 std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList;
Ratan Gupta6973a582018-12-13 18:25:44 +053067};
68
Patrick Williams19bd78d2020-05-13 17:38:24 -050069using DbusVariantType = std::variant<bool, int32_t, std::string>;
Przemyslaw Czarnowski107077d2019-07-11 10:16:43 +020070
71using DbusInterfaceType = boost::container::flat_map<
72 std::string, boost::container::flat_map<std::string, DbusVariantType>>;
73
74using ManagedObjectType =
75 std::vector<std::pair<sdbusplus::message::object_path, DbusInterfaceType>>;
76
Ratan Gupta6973a582018-12-13 18:25:44 +053077using GetObjectType =
78 std::vector<std::pair<std::string, std::vector<std::string>>>;
AppaRao Puli84e12cb2018-10-11 01:28:15 +053079
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060080inline std::string getRoleIdFromPrivilege(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +053081{
82 if (role == "priv-admin")
83 {
84 return "Administrator";
85 }
Ed Tanous3174e4d2020-10-07 11:41:22 -070086 if (role == "priv-user")
AppaRao Puli84e12cb2018-10-11 01:28:15 +053087 {
AppaRao Pulic80fee52019-10-16 14:49:36 +053088 return "ReadOnly";
AppaRao Puli84e12cb2018-10-11 01:28:15 +053089 }
Ed Tanous3174e4d2020-10-07 11:41:22 -070090 if (role == "priv-operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +053091 {
92 return "Operator";
93 }
Ed Tanous3174e4d2020-10-07 11:41:22 -070094 if ((role == "") || (role == "priv-noaccess"))
jayaprakash Mutyalae9e6d242019-07-29 11:59:08 +000095 {
96 return "NoAccess";
97 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +053098 return "";
99}
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600100inline std::string getPrivilegeFromRoleId(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530101{
102 if (role == "Administrator")
103 {
104 return "priv-admin";
105 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700106 if (role == "ReadOnly")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530107 {
108 return "priv-user";
109 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700110 if (role == "Operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530111 {
112 return "priv-operator";
113 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700114 if ((role == "NoAccess") || (role == ""))
jayaprakash Mutyalae9e6d242019-07-29 11:59:08 +0000115 {
116 return "priv-noaccess";
117 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530118 return "";
119}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700120
zhanghch058d1b46d2021-04-01 11:18:24 +0800121inline void userErrorMessageHandler(
122 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
123 const std::string& newUser, const std::string& username)
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000124{
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000125 if (e == nullptr)
126 {
127 messages::internalError(asyncResp->res);
128 return;
129 }
130
Manojkiran Eda055806b2020-11-03 09:36:28 +0530131 const char* errorMessage = e->name;
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000132 if (strcmp(errorMessage,
133 "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0)
134 {
135 messages::resourceAlreadyExists(asyncResp->res,
Gunnar Mills8114bd42020-06-11 20:55:21 -0500136 "#ManagerAccount.v1_4_0.ManagerAccount",
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000137 "UserName", newUser);
138 }
139 else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
140 "UserNameDoesNotExist") == 0)
141 {
142 messages::resourceNotFound(
Gunnar Mills8114bd42020-06-11 20:55:21 -0500143 asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", username);
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000144 }
Ed Tanousd4d25792020-09-29 15:15:03 -0700145 else if ((strcmp(errorMessage,
146 "xyz.openbmc_project.Common.Error.InvalidArgument") ==
147 0) ||
148 (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
149 "UserNameGroupFail") == 0))
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000150 {
151 messages::propertyValueFormatError(asyncResp->res, newUser, "UserName");
152 }
153 else if (strcmp(errorMessage,
154 "xyz.openbmc_project.User.Common.Error.NoResource") == 0)
155 {
156 messages::createLimitReachedForResource(asyncResp->res);
157 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000158 else
159 {
160 messages::internalError(asyncResp->res);
161 }
162
163 return;
164}
165
Ed Tanous81ce6092020-12-17 16:54:55 +0000166inline void parseLDAPConfigData(nlohmann::json& jsonResponse,
Ed Tanous23a21a12020-07-25 04:45:05 +0000167 const LDAPConfigData& confData,
168 const std::string& ldapType)
Ratan Gupta6973a582018-12-13 18:25:44 +0530169{
Ratan Guptaab828d72019-04-22 14:18:33 +0530170 std::string service =
171 (ldapType == "LDAP") ? "LDAPService" : "ActiveDirectoryService";
Marri Devender Rao37cce912019-02-20 01:05:22 -0600172 nlohmann::json ldap = {
Ratan Gupta6973a582018-12-13 18:25:44 +0530173 {"ServiceEnabled", confData.serviceEnabled},
174 {"ServiceAddresses", nlohmann::json::array({confData.uri})},
175 {"Authentication",
176 {{"AuthenticationType", "UsernameAndPassword"},
Ratan Gupta6973a582018-12-13 18:25:44 +0530177 {"Username", confData.bindDN},
178 {"Password", nullptr}}},
179 {"LDAPService",
180 {{"SearchSettings",
181 {{"BaseDistinguishedNames",
182 nlohmann::json::array({confData.baseDN})},
183 {"UsernameAttribute", confData.userNameAttribute},
184 {"GroupsAttribute", confData.groupAttribute}}}}},
185 };
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600186
Ed Tanous81ce6092020-12-17 16:54:55 +0000187 jsonResponse[ldapType].update(ldap);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600188
Ed Tanous81ce6092020-12-17 16:54:55 +0000189 nlohmann::json& roleMapArray = jsonResponse[ldapType]["RemoteRoleMapping"];
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600190 roleMapArray = nlohmann::json::array();
191 for (auto& obj : confData.groupRoleList)
192 {
193 BMCWEB_LOG_DEBUG << "Pushing the data groupName="
194 << obj.second.groupName << "\n";
195 roleMapArray.push_back(
196 {nlohmann::json::array({"RemoteGroup", obj.second.groupName}),
197 nlohmann::json::array(
198 {"LocalRole", getRoleIdFromPrivilege(obj.second.privilege)})});
199 }
Ratan Gupta6973a582018-12-13 18:25:44 +0530200}
201
202/**
Ratan Gupta06785242019-07-26 22:30:16 +0530203 * @brief validates given JSON input and then calls appropriate method to
204 * create, to delete or to set Rolemapping object based on the given input.
205 *
206 */
Ed Tanous23a21a12020-07-25 04:45:05 +0000207inline void handleRoleMapPatch(
zhanghch058d1b46d2021-04-01 11:18:24 +0800208 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
Ratan Gupta06785242019-07-26 22:30:16 +0530209 const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData,
Ed Tanousf23b7292020-10-15 09:41:17 -0700210 const std::string& serverType, const std::vector<nlohmann::json>& input)
Ratan Gupta06785242019-07-26 22:30:16 +0530211{
212 for (size_t index = 0; index < input.size(); index++)
213 {
Ed Tanousf23b7292020-10-15 09:41:17 -0700214 const nlohmann::json& thisJson = input[index];
Ratan Gupta06785242019-07-26 22:30:16 +0530215
216 if (thisJson.is_null())
217 {
218 // delete the existing object
219 if (index < roleMapObjData.size())
220 {
221 crow::connections::systemBus->async_method_call(
222 [asyncResp, roleMapObjData, serverType,
223 index](const boost::system::error_code ec) {
224 if (ec)
225 {
226 BMCWEB_LOG_ERROR << "DBUS response error: " << ec;
227 messages::internalError(asyncResp->res);
228 return;
229 }
230 asyncResp->res
231 .jsonValue[serverType]["RemoteRoleMapping"][index] =
232 nullptr;
233 },
234 ldapDbusService, roleMapObjData[index].first,
235 "xyz.openbmc_project.Object.Delete", "Delete");
236 }
237 else
238 {
239 BMCWEB_LOG_ERROR << "Can't delete the object";
240 messages::propertyValueTypeError(
Ed Tanous71f52d92021-02-19 08:51:17 -0800241 asyncResp->res,
242 thisJson.dump(2, ' ', true,
243 nlohmann::json::error_handler_t::replace),
Ratan Gupta06785242019-07-26 22:30:16 +0530244 "RemoteRoleMapping/" + std::to_string(index));
245 return;
246 }
247 }
248 else if (thisJson.empty())
249 {
250 // Don't do anything for the empty objects,parse next json
251 // eg {"RemoteRoleMapping",[{}]}
252 }
253 else
254 {
255 // update/create the object
256 std::optional<std::string> remoteGroup;
257 std::optional<std::string> localRole;
258
Ed Tanousf23b7292020-10-15 09:41:17 -0700259 // This is a copy, but it's required in this case because of how
260 // readJson is structured
261 nlohmann::json thisJsonCopy = thisJson;
262 if (!json_util::readJson(thisJsonCopy, asyncResp->res,
263 "RemoteGroup", remoteGroup, "LocalRole",
264 localRole))
Ratan Gupta06785242019-07-26 22:30:16 +0530265 {
266 continue;
267 }
268
269 // Update existing RoleMapping Object
270 if (index < roleMapObjData.size())
271 {
272 BMCWEB_LOG_DEBUG << "Update Role Map Object";
273 // If "RemoteGroup" info is provided
274 if (remoteGroup)
275 {
276 crow::connections::systemBus->async_method_call(
277 [asyncResp, roleMapObjData, serverType, index,
278 remoteGroup](const boost::system::error_code ec) {
279 if (ec)
280 {
281 BMCWEB_LOG_ERROR << "DBUS response error: "
282 << ec;
283 messages::internalError(asyncResp->res);
284 return;
285 }
286 asyncResp->res
287 .jsonValue[serverType]["RemoteRoleMapping"]
288 [index]["RemoteGroup"] = *remoteGroup;
289 },
290 ldapDbusService, roleMapObjData[index].first,
291 propertyInterface, "Set",
292 "xyz.openbmc_project.User.PrivilegeMapperEntry",
293 "GroupName",
294 std::variant<std::string>(std::move(*remoteGroup)));
295 }
296
297 // If "LocalRole" info is provided
298 if (localRole)
299 {
300 crow::connections::systemBus->async_method_call(
301 [asyncResp, roleMapObjData, serverType, index,
302 localRole](const boost::system::error_code ec) {
303 if (ec)
304 {
305 BMCWEB_LOG_ERROR << "DBUS response error: "
306 << ec;
307 messages::internalError(asyncResp->res);
308 return;
309 }
310 asyncResp->res
311 .jsonValue[serverType]["RemoteRoleMapping"]
312 [index]["LocalRole"] = *localRole;
313 },
314 ldapDbusService, roleMapObjData[index].first,
315 propertyInterface, "Set",
316 "xyz.openbmc_project.User.PrivilegeMapperEntry",
317 "Privilege",
318 std::variant<std::string>(
319 getPrivilegeFromRoleId(std::move(*localRole))));
320 }
321 }
322 // Create a new RoleMapping Object.
323 else
324 {
325 BMCWEB_LOG_DEBUG
326 << "setRoleMappingProperties: Creating new Object";
327 std::string pathString =
328 "RemoteRoleMapping/" + std::to_string(index);
329
330 if (!localRole)
331 {
332 messages::propertyMissing(asyncResp->res,
333 pathString + "/LocalRole");
334 continue;
335 }
336 if (!remoteGroup)
337 {
338 messages::propertyMissing(asyncResp->res,
339 pathString + "/RemoteGroup");
340 continue;
341 }
342
343 std::string dbusObjectPath;
344 if (serverType == "ActiveDirectory")
345 {
Ed Tanous2c70f802020-09-28 14:29:23 -0700346 dbusObjectPath = adConfigObject;
Ratan Gupta06785242019-07-26 22:30:16 +0530347 }
348 else if (serverType == "LDAP")
349 {
Ed Tanous23a21a12020-07-25 04:45:05 +0000350 dbusObjectPath = ldapConfigObjectName;
Ratan Gupta06785242019-07-26 22:30:16 +0530351 }
352
353 BMCWEB_LOG_DEBUG << "Remote Group=" << *remoteGroup
354 << ",LocalRole=" << *localRole;
355
356 crow::connections::systemBus->async_method_call(
Ed Tanous271584a2019-07-09 16:24:22 -0700357 [asyncResp, serverType, localRole,
Ratan Gupta06785242019-07-26 22:30:16 +0530358 remoteGroup](const boost::system::error_code ec) {
359 if (ec)
360 {
361 BMCWEB_LOG_ERROR << "DBUS response error: " << ec;
362 messages::internalError(asyncResp->res);
363 return;
364 }
365 nlohmann::json& remoteRoleJson =
366 asyncResp->res
367 .jsonValue[serverType]["RemoteRoleMapping"];
368 remoteRoleJson.push_back(
369 {{"LocalRole", *localRole},
370 {"RemoteGroup", *remoteGroup}});
371 },
372 ldapDbusService, dbusObjectPath, ldapPrivMapperInterface,
Ed Tanous3174e4d2020-10-07 11:41:22 -0700373 "Create", *remoteGroup,
Ratan Gupta06785242019-07-26 22:30:16 +0530374 getPrivilegeFromRoleId(std::move(*localRole)));
375 }
376 }
377 }
378}
379
380/**
Ratan Gupta6973a582018-12-13 18:25:44 +0530381 * Function that retrieves all properties for LDAP config object
382 * into JSON
383 */
384template <typename CallbackFunc>
385inline void getLDAPConfigData(const std::string& ldapType,
386 CallbackFunc&& callback)
387{
Ratan Guptaab828d72019-04-22 14:18:33 +0530388
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600389 const std::array<const char*, 2> interfaces = {ldapEnableInterface,
Ratan Gupta6973a582018-12-13 18:25:44 +0530390 ldapConfigInterface};
391
392 crow::connections::systemBus->async_method_call(
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600393 [callback, ldapType](const boost::system::error_code ec,
394 const GetObjectType& resp) {
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600395 if (ec || resp.empty())
396 {
397 BMCWEB_LOG_ERROR << "DBUS response error during getting of "
398 "service name: "
399 << ec;
Ed Tanous23a21a12020-07-25 04:45:05 +0000400 LDAPConfigData empty{};
401 callback(false, empty, ldapType);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600402 return;
403 }
404 std::string service = resp.begin()->first;
405 crow::connections::systemBus->async_method_call(
Ed Tanous81ce6092020-12-17 16:54:55 +0000406 [callback, ldapType](const boost::system::error_code errorCode,
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600407 const ManagedObjectType& ldapObjects) {
408 LDAPConfigData confData{};
Ed Tanous81ce6092020-12-17 16:54:55 +0000409 if (errorCode)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600410 {
411 callback(false, confData, ldapType);
412 BMCWEB_LOG_ERROR << "D-Bus responses error: "
Ed Tanous81ce6092020-12-17 16:54:55 +0000413 << errorCode;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600414 return;
415 }
416
417 std::string ldapDbusType;
418 std::string searchString;
419
420 if (ldapType == "LDAP")
421 {
422 ldapDbusType = "xyz.openbmc_project.User.Ldap.Config."
423 "Type.OpenLdap";
424 searchString = "openldap";
425 }
426 else if (ldapType == "ActiveDirectory")
427 {
428 ldapDbusType =
429 "xyz.openbmc_project.User.Ldap.Config.Type."
430 "ActiveDirectory";
431 searchString = "active_directory";
432 }
433 else
434 {
435 BMCWEB_LOG_ERROR
436 << "Can't get the DbusType for the given type="
437 << ldapType;
438 callback(false, confData, ldapType);
439 return;
440 }
441
442 std::string ldapEnableInterfaceStr = ldapEnableInterface;
443 std::string ldapConfigInterfaceStr = ldapConfigInterface;
444
445 for (const auto& object : ldapObjects)
446 {
447 // let's find the object whose ldap type is equal to the
448 // given type
449 if (object.first.str.find(searchString) ==
450 std::string::npos)
451 {
452 continue;
453 }
454
455 for (const auto& interface : object.second)
456 {
457 if (interface.first == ldapEnableInterfaceStr)
458 {
459 // rest of the properties are string.
460 for (const auto& property : interface.second)
461 {
462 if (property.first == "Enabled")
463 {
464 const bool* value =
465 std::get_if<bool>(&property.second);
466 if (value == nullptr)
467 {
468 continue;
469 }
470 confData.serviceEnabled = *value;
471 break;
472 }
473 }
474 }
475 else if (interface.first == ldapConfigInterfaceStr)
476 {
477
478 for (const auto& property : interface.second)
479 {
Ed Tanous271584a2019-07-09 16:24:22 -0700480 const std::string* strValue =
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600481 std::get_if<std::string>(
482 &property.second);
Ed Tanous271584a2019-07-09 16:24:22 -0700483 if (strValue == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600484 {
485 continue;
486 }
487 if (property.first == "LDAPServerURI")
488 {
Ed Tanous271584a2019-07-09 16:24:22 -0700489 confData.uri = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600490 }
491 else if (property.first == "LDAPBindDN")
492 {
Ed Tanous271584a2019-07-09 16:24:22 -0700493 confData.bindDN = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600494 }
495 else if (property.first == "LDAPBaseDN")
496 {
Ed Tanous271584a2019-07-09 16:24:22 -0700497 confData.baseDN = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600498 }
499 else if (property.first ==
500 "LDAPSearchScope")
501 {
Ed Tanous271584a2019-07-09 16:24:22 -0700502 confData.searchScope = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600503 }
504 else if (property.first ==
505 "GroupNameAttribute")
506 {
Ed Tanous271584a2019-07-09 16:24:22 -0700507 confData.groupAttribute = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600508 }
509 else if (property.first ==
510 "UserNameAttribute")
511 {
Ed Tanous271584a2019-07-09 16:24:22 -0700512 confData.userNameAttribute = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600513 }
514 else if (property.first == "LDAPType")
515 {
Ed Tanous271584a2019-07-09 16:24:22 -0700516 confData.serverType = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600517 }
518 }
519 }
520 else if (interface.first ==
521 "xyz.openbmc_project.User."
522 "PrivilegeMapperEntry")
523 {
524 LDAPRoleMapData roleMapData{};
525 for (const auto& property : interface.second)
526 {
Ed Tanous271584a2019-07-09 16:24:22 -0700527 const std::string* strValue =
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600528 std::get_if<std::string>(
529 &property.second);
530
Ed Tanous271584a2019-07-09 16:24:22 -0700531 if (strValue == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600532 {
533 continue;
534 }
535
536 if (property.first == "GroupName")
537 {
Ed Tanous271584a2019-07-09 16:24:22 -0700538 roleMapData.groupName = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600539 }
540 else if (property.first == "Privilege")
541 {
Ed Tanous271584a2019-07-09 16:24:22 -0700542 roleMapData.privilege = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600543 }
544 }
545
Ed Tanous0f0353b2019-10-24 11:37:51 -0700546 confData.groupRoleList.emplace_back(
547 object.first.str, roleMapData);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600548 }
549 }
550 }
551 callback(true, confData, ldapType);
552 },
553 service, ldapRootObject, dbusObjManagerIntf,
554 "GetManagedObjects");
555 },
556 mapperBusName, mapperObjectPath, mapperIntf, "GetObject",
Ed Tanous23a21a12020-07-25 04:45:05 +0000557 ldapConfigObjectName, interfaces);
Ratan Gupta6973a582018-12-13 18:25:44 +0530558}
559
Ed Tanous6c51eab2021-06-03 12:30:29 -0700560/**
561 * @brief parses the authentication section under the LDAP
562 * @param input JSON data
563 * @param asyncResp pointer to the JSON response
564 * @param userName userName to be filled from the given JSON.
565 * @param password password to be filled from the given JSON.
566 */
567void parseLDAPAuthenticationJson(
568 nlohmann::json input, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
569 std::optional<std::string>& username, std::optional<std::string>& password)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700570{
Ed Tanous6c51eab2021-06-03 12:30:29 -0700571 std::optional<std::string> authType;
572
573 if (!json_util::readJson(input, asyncResp->res, "AuthenticationType",
574 authType, "Username", username, "Password",
575 password))
Ed Tanous1abe55e2018-09-05 08:30:59 -0700576 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700577 return;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700578 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700579 if (!authType)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530580 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700581 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530582 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700583 if (*authType != "UsernameAndPassword")
Ratan Gupta8a07d282019-03-16 08:33:47 +0530584 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700585 messages::propertyValueNotInList(asyncResp->res, *authType,
586 "AuthenticationType");
587 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530588 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700589}
590/**
591 * @brief parses the LDAPService section under the LDAP
592 * @param input JSON data
593 * @param asyncResp pointer to the JSON response
594 * @param baseDNList baseDN to be filled from the given JSON.
595 * @param userNameAttribute userName to be filled from the given JSON.
596 * @param groupaAttribute password to be filled from the given JSON.
597 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530598
Ed Tanous6c51eab2021-06-03 12:30:29 -0700599void parseLDAPServiceJson(nlohmann::json input,
600 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
601 std::optional<std::vector<std::string>>& baseDNList,
602 std::optional<std::string>& userNameAttribute,
603 std::optional<std::string>& groupsAttribute)
604{
605 std::optional<nlohmann::json> searchSettings;
606
607 if (!json_util::readJson(input, asyncResp->res, "SearchSettings",
608 searchSettings))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530609 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700610 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530611 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700612 if (!searchSettings)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530613 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700614 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530615 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700616 if (!json_util::readJson(*searchSettings, asyncResp->res,
617 "BaseDistinguishedNames", baseDNList,
618 "UsernameAttribute", userNameAttribute,
619 "GroupsAttribute", groupsAttribute))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530620 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700621 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530622 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700623}
624/**
625 * @brief updates the LDAP server address and updates the
626 json response with the new value.
627 * @param serviceAddressList address to be updated.
628 * @param asyncResp pointer to the JSON response
629 * @param ldapServerElementName Type of LDAP
630 server(openLDAP/ActiveDirectory)
631 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530632
Ed Tanous6c51eab2021-06-03 12:30:29 -0700633void handleServiceAddressPatch(
634 const std::vector<std::string>& serviceAddressList,
635 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
636 const std::string& ldapServerElementName,
637 const std::string& ldapConfigObject)
638{
639 crow::connections::systemBus->async_method_call(
640 [asyncResp, ldapServerElementName,
641 serviceAddressList](const boost::system::error_code ec) {
642 if (ec)
643 {
644 BMCWEB_LOG_DEBUG
645 << "Error Occurred in updating the service address";
646 messages::internalError(asyncResp->res);
647 return;
648 }
649 std::vector<std::string> modifiedserviceAddressList = {
650 serviceAddressList.front()};
651 asyncResp->res
652 .jsonValue[ldapServerElementName]["ServiceAddresses"] =
653 modifiedserviceAddressList;
654 if ((serviceAddressList).size() > 1)
655 {
656 messages::propertyValueModified(asyncResp->res,
657 "ServiceAddresses",
658 serviceAddressList.front());
659 }
660 BMCWEB_LOG_DEBUG << "Updated the service address";
661 },
662 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
663 ldapConfigInterface, "LDAPServerURI",
664 std::variant<std::string>(serviceAddressList.front()));
665}
666/**
667 * @brief updates the LDAP Bind DN and updates the
668 json response with the new value.
669 * @param username name of the user which needs to be updated.
670 * @param asyncResp pointer to the JSON response
671 * @param ldapServerElementName Type of LDAP
672 server(openLDAP/ActiveDirectory)
673 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530674
Ed Tanous6c51eab2021-06-03 12:30:29 -0700675void handleUserNamePatch(const std::string& username,
zhanghch058d1b46d2021-04-01 11:18:24 +0800676 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700677 const std::string& ldapServerElementName,
678 const std::string& ldapConfigObject)
679{
680 crow::connections::systemBus->async_method_call(
681 [asyncResp, username,
682 ldapServerElementName](const boost::system::error_code ec) {
683 if (ec)
684 {
685 BMCWEB_LOG_DEBUG << "Error occurred in updating the username";
686 messages::internalError(asyncResp->res);
687 return;
688 }
689 asyncResp->res.jsonValue[ldapServerElementName]["Authentication"]
690 ["Username"] = username;
691 BMCWEB_LOG_DEBUG << "Updated the username";
692 },
693 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
694 ldapConfigInterface, "LDAPBindDN", std::variant<std::string>(username));
695}
696
697/**
698 * @brief updates the LDAP password
699 * @param password : ldap password which needs to be updated.
700 * @param asyncResp pointer to the JSON response
701 * @param ldapServerElementName Type of LDAP
702 * server(openLDAP/ActiveDirectory)
703 */
704
705void handlePasswordPatch(const std::string& password,
706 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
707 const std::string& ldapServerElementName,
708 const std::string& ldapConfigObject)
709{
710 crow::connections::systemBus->async_method_call(
711 [asyncResp, password,
712 ldapServerElementName](const boost::system::error_code ec) {
713 if (ec)
714 {
715 BMCWEB_LOG_DEBUG << "Error occurred in updating the password";
716 messages::internalError(asyncResp->res);
717 return;
718 }
719 asyncResp->res.jsonValue[ldapServerElementName]["Authentication"]
720 ["Password"] = "";
721 BMCWEB_LOG_DEBUG << "Updated the password";
722 },
723 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
724 ldapConfigInterface, "LDAPBindDNPassword",
725 std::variant<std::string>(password));
726}
727
728/**
729 * @brief updates the LDAP BaseDN and updates the
730 json response with the new value.
731 * @param baseDNList baseDN list which needs to be updated.
732 * @param asyncResp pointer to the JSON response
733 * @param ldapServerElementName Type of LDAP
734 server(openLDAP/ActiveDirectory)
735 */
736
737void handleBaseDNPatch(const std::vector<std::string>& baseDNList,
738 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
739 const std::string& ldapServerElementName,
740 const std::string& ldapConfigObject)
741{
742 crow::connections::systemBus->async_method_call(
743 [asyncResp, baseDNList,
744 ldapServerElementName](const boost::system::error_code ec) {
745 if (ec)
746 {
747 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the base DN";
748 messages::internalError(asyncResp->res);
749 return;
750 }
751 auto& serverTypeJson =
752 asyncResp->res.jsonValue[ldapServerElementName];
753 auto& searchSettingsJson =
754 serverTypeJson["LDAPService"]["SearchSettings"];
755 std::vector<std::string> modifiedBaseDNList = {baseDNList.front()};
756 searchSettingsJson["BaseDistinguishedNames"] = modifiedBaseDNList;
757 if (baseDNList.size() > 1)
758 {
759 messages::propertyValueModified(asyncResp->res,
760 "BaseDistinguishedNames",
761 baseDNList.front());
762 }
763 BMCWEB_LOG_DEBUG << "Updated the base DN";
764 },
765 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
766 ldapConfigInterface, "LDAPBaseDN",
767 std::variant<std::string>(baseDNList.front()));
768}
769/**
770 * @brief updates the LDAP user name attribute and updates the
771 json response with the new value.
772 * @param userNameAttribute attribute to be updated.
773 * @param asyncResp pointer to the JSON response
774 * @param ldapServerElementName Type of LDAP
775 server(openLDAP/ActiveDirectory)
776 */
777
778void handleUserNameAttrPatch(
779 const std::string& userNameAttribute,
780 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
781 const std::string& ldapServerElementName,
782 const std::string& ldapConfigObject)
783{
784 crow::connections::systemBus->async_method_call(
785 [asyncResp, userNameAttribute,
786 ldapServerElementName](const boost::system::error_code ec) {
787 if (ec)
788 {
789 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the "
790 "username attribute";
791 messages::internalError(asyncResp->res);
792 return;
793 }
794 auto& serverTypeJson =
795 asyncResp->res.jsonValue[ldapServerElementName];
796 auto& searchSettingsJson =
797 serverTypeJson["LDAPService"]["SearchSettings"];
798 searchSettingsJson["UsernameAttribute"] = userNameAttribute;
799 BMCWEB_LOG_DEBUG << "Updated the user name attr.";
800 },
801 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
802 ldapConfigInterface, "UserNameAttribute",
803 std::variant<std::string>(userNameAttribute));
804}
805/**
806 * @brief updates the LDAP group attribute and updates the
807 json response with the new value.
808 * @param groupsAttribute attribute to be updated.
809 * @param asyncResp pointer to the JSON response
810 * @param ldapServerElementName Type of LDAP
811 server(openLDAP/ActiveDirectory)
812 */
813
814void handleGroupNameAttrPatch(
815 const std::string& groupsAttribute,
816 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
817 const std::string& ldapServerElementName,
818 const std::string& ldapConfigObject)
819{
820 crow::connections::systemBus->async_method_call(
821 [asyncResp, groupsAttribute,
822 ldapServerElementName](const boost::system::error_code ec) {
823 if (ec)
824 {
825 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the "
826 "groupname attribute";
827 messages::internalError(asyncResp->res);
828 return;
829 }
830 auto& serverTypeJson =
831 asyncResp->res.jsonValue[ldapServerElementName];
832 auto& searchSettingsJson =
833 serverTypeJson["LDAPService"]["SearchSettings"];
834 searchSettingsJson["GroupsAttribute"] = groupsAttribute;
835 BMCWEB_LOG_DEBUG << "Updated the groupname attr";
836 },
837 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
838 ldapConfigInterface, "GroupNameAttribute",
839 std::variant<std::string>(groupsAttribute));
840}
841/**
842 * @brief updates the LDAP service enable and updates the
843 json response with the new value.
844 * @param input JSON data.
845 * @param asyncResp pointer to the JSON response
846 * @param ldapServerElementName Type of LDAP
847 server(openLDAP/ActiveDirectory)
848 */
849
850void handleServiceEnablePatch(
851 bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
852 const std::string& ldapServerElementName,
853 const std::string& ldapConfigObject)
854{
855 crow::connections::systemBus->async_method_call(
856 [asyncResp, serviceEnabled,
857 ldapServerElementName](const boost::system::error_code ec) {
858 if (ec)
859 {
860 BMCWEB_LOG_DEBUG
861 << "Error Occurred in Updating the service enable";
862 messages::internalError(asyncResp->res);
863 return;
864 }
865 asyncResp->res.jsonValue[ldapServerElementName]["ServiceEnabled"] =
866 serviceEnabled;
867 BMCWEB_LOG_DEBUG << "Updated Service enable = " << serviceEnabled;
868 },
869 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
870 ldapEnableInterface, "Enabled", std::variant<bool>(serviceEnabled));
871}
872
873void handleAuthMethodsPatch(nlohmann::json& input,
874 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
875{
876 std::optional<bool> basicAuth;
877 std::optional<bool> cookie;
878 std::optional<bool> sessionToken;
879 std::optional<bool> xToken;
880 std::optional<bool> tls;
881
882 if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth,
883 "Cookie", cookie, "SessionToken", sessionToken,
884 "XToken", xToken, "TLS", tls))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530885 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700886 BMCWEB_LOG_ERROR << "Cannot read values from AuthMethod tag";
887 return;
888 }
889
890 // Make a copy of methods configuration
891 persistent_data::AuthConfigMethods authMethodsConfig =
892 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
893
894 if (basicAuth)
895 {
896#ifndef BMCWEB_ENABLE_BASIC_AUTHENTICATION
897 messages::actionNotSupported(
898 asyncResp->res, "Setting BasicAuth when basic-auth feature "
899 "is disabled");
900 return;
901#endif
902 authMethodsConfig.basic = *basicAuth;
903 }
904
905 if (cookie)
906 {
907#ifndef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
908 messages::actionNotSupported(asyncResp->res,
909 "Setting Cookie when cookie-auth feature "
910 "is disabled");
911 return;
912#endif
913 authMethodsConfig.cookie = *cookie;
914 }
915
916 if (sessionToken)
917 {
918#ifndef BMCWEB_ENABLE_SESSION_AUTHENTICATION
919 messages::actionNotSupported(
920 asyncResp->res, "Setting SessionToken when session-auth feature "
921 "is disabled");
922 return;
923#endif
924 authMethodsConfig.sessionToken = *sessionToken;
925 }
926
927 if (xToken)
928 {
929#ifndef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
930 messages::actionNotSupported(asyncResp->res,
931 "Setting XToken when xtoken-auth feature "
932 "is disabled");
933 return;
934#endif
935 authMethodsConfig.xtoken = *xToken;
936 }
937
938 if (tls)
939 {
940#ifndef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
941 messages::actionNotSupported(asyncResp->res,
942 "Setting TLS when mutual-tls-auth feature "
943 "is disabled");
944 return;
945#endif
946 authMethodsConfig.tls = *tls;
947 }
948
949 if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
950 !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
951 !authMethodsConfig.tls)
952 {
953 // Do not allow user to disable everything
954 messages::actionNotSupported(asyncResp->res,
955 "of disabling all available methods");
956 return;
957 }
958
959 persistent_data::SessionStore::getInstance().updateAuthMethodsConfig(
960 authMethodsConfig);
961 // Save configuration immediately
962 persistent_data::getConfig().writeData();
963
964 messages::success(asyncResp->res);
965}
966
967/**
968 * @brief Get the required values from the given JSON, validates the
969 * value and create the LDAP config object.
970 * @param input JSON data
971 * @param asyncResp pointer to the JSON response
972 * @param serverType Type of LDAP server(openLDAP/ActiveDirectory)
973 */
974
975inline void handleLDAPPatch(nlohmann::json& input,
976 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
977 const std::string& serverType)
978{
979 std::string dbusObjectPath;
980 if (serverType == "ActiveDirectory")
981 {
982 dbusObjectPath = adConfigObject;
983 }
984 else if (serverType == "LDAP")
985 {
986 dbusObjectPath = ldapConfigObjectName;
987 }
988 else
989 {
990 return;
991 }
992
993 std::optional<nlohmann::json> authentication;
994 std::optional<nlohmann::json> ldapService;
995 std::optional<std::vector<std::string>> serviceAddressList;
996 std::optional<bool> serviceEnabled;
997 std::optional<std::vector<std::string>> baseDNList;
998 std::optional<std::string> userNameAttribute;
999 std::optional<std::string> groupsAttribute;
1000 std::optional<std::string> userName;
1001 std::optional<std::string> password;
1002 std::optional<std::vector<nlohmann::json>> remoteRoleMapData;
1003
1004 if (!json_util::readJson(input, asyncResp->res, "Authentication",
1005 authentication, "LDAPService", ldapService,
1006 "ServiceAddresses", serviceAddressList,
1007 "ServiceEnabled", serviceEnabled,
1008 "RemoteRoleMapping", remoteRoleMapData))
1009 {
1010 return;
1011 }
1012
1013 if (authentication)
1014 {
1015 parseLDAPAuthenticationJson(*authentication, asyncResp, userName,
1016 password);
1017 }
1018 if (ldapService)
1019 {
1020 parseLDAPServiceJson(*ldapService, asyncResp, baseDNList,
1021 userNameAttribute, groupsAttribute);
1022 }
1023 if (serviceAddressList)
1024 {
1025 if ((*serviceAddressList).size() == 0)
Ratan Guptaeb2bbe52019-04-22 14:27:01 +05301026 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001027 messages::propertyValueNotInList(asyncResp->res, "[]",
1028 "ServiceAddress");
Ed Tanouscb13a392020-07-25 19:02:03 +00001029 return;
1030 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001031 }
1032 if (baseDNList)
1033 {
1034 if ((*baseDNList).size() == 0)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301035 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001036 messages::propertyValueNotInList(asyncResp->res, "[]",
1037 "BaseDistinguishedNames");
Ratan Gupta8a07d282019-03-16 08:33:47 +05301038 return;
1039 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001040 }
Ratan Gupta8a07d282019-03-16 08:33:47 +05301041
Ed Tanous6c51eab2021-06-03 12:30:29 -07001042 // nothing to update, then return
1043 if (!userName && !password && !serviceAddressList && !baseDNList &&
1044 !userNameAttribute && !groupsAttribute && !serviceEnabled &&
1045 !remoteRoleMapData)
1046 {
1047 return;
1048 }
1049
1050 // Get the existing resource first then keep modifying
1051 // whenever any property gets updated.
1052 getLDAPConfigData(serverType, [asyncResp, userName, password, baseDNList,
1053 userNameAttribute, groupsAttribute,
1054 serviceAddressList, serviceEnabled,
1055 dbusObjectPath, remoteRoleMapData](
1056 bool success,
1057 const LDAPConfigData& confData,
1058 const std::string& serverT) {
1059 if (!success)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301060 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001061 messages::internalError(asyncResp->res);
1062 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +05301063 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001064 parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT);
1065 if (confData.serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301066 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001067 // Disable the service first and update the rest of
1068 // the properties.
1069 handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +05301070 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001071
Ratan Gupta8a07d282019-03-16 08:33:47 +05301072 if (serviceAddressList)
1073 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001074 handleServiceAddressPatch(*serviceAddressList, asyncResp, serverT,
1075 dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +05301076 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001077 if (userName)
1078 {
1079 handleUserNamePatch(*userName, asyncResp, serverT, dbusObjectPath);
1080 }
1081 if (password)
1082 {
1083 handlePasswordPatch(*password, asyncResp, serverT, dbusObjectPath);
1084 }
1085
Ratan Gupta8a07d282019-03-16 08:33:47 +05301086 if (baseDNList)
1087 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001088 handleBaseDNPatch(*baseDNList, asyncResp, serverT, dbusObjectPath);
1089 }
1090 if (userNameAttribute)
1091 {
1092 handleUserNameAttrPatch(*userNameAttribute, asyncResp, serverT,
1093 dbusObjectPath);
1094 }
1095 if (groupsAttribute)
1096 {
1097 handleGroupNameAttrPatch(*groupsAttribute, asyncResp, serverT,
1098 dbusObjectPath);
1099 }
1100 if (serviceEnabled)
1101 {
1102 // if user has given the value as true then enable
1103 // the service. if user has given false then no-op
1104 // as service is already stopped.
1105 if (*serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301106 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001107 handleServiceEnablePatch(*serviceEnabled, asyncResp, serverT,
1108 dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +05301109 }
1110 }
jayaprakash Mutyala96200602020-04-08 11:09:10 +00001111 else
1112 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001113 // if user has not given the service enabled value
1114 // then revert it to the same state as it was
1115 // before.
1116 handleServiceEnablePatch(confData.serviceEnabled, asyncResp,
1117 serverT, dbusObjectPath);
jayaprakash Mutyala96200602020-04-08 11:09:10 +00001118 }
Ed Tanous04ae99e2018-09-20 15:54:36 -07001119
Ed Tanous6c51eab2021-06-03 12:30:29 -07001120 if (remoteRoleMapData)
1121 {
1122 handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT,
1123 *remoteRoleMapData);
1124 }
1125 });
1126}
1127
1128inline void updateUserProperties(std::shared_ptr<bmcweb::AsyncResp> asyncResp,
1129 const std::string& username,
1130 std::optional<std::string> password,
1131 std::optional<bool> enabled,
1132 std::optional<std::string> roleId,
1133 std::optional<bool> locked)
1134{
1135 std::string dbusObjectPath = "/xyz/openbmc_project/user/" + username;
1136 dbus::utility::escapePathForDbus(dbusObjectPath);
1137
1138 dbus::utility::checkDbusPathExists(
1139 dbusObjectPath,
1140 [dbusObjectPath(std::move(dbusObjectPath)), username,
1141 password(std::move(password)), roleId(std::move(roleId)), enabled,
1142 locked, asyncResp{std::move(asyncResp)}](int rc) {
1143 if (!rc)
1144 {
1145 messages::resourceNotFound(
1146 asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
1147 username);
1148 return;
1149 }
1150
1151 if (password)
1152 {
1153 int retval = pamUpdatePassword(username, *password);
1154
1155 if (retval == PAM_USER_UNKNOWN)
Ed Tanous04ae99e2018-09-20 15:54:36 -07001156 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001157 messages::resourceNotFound(
1158 asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
1159 username);
1160 }
1161 else if (retval == PAM_AUTHTOK_ERR)
1162 {
1163 // If password is invalid
1164 messages::propertyValueFormatError(asyncResp->res,
1165 *password, "Password");
1166 BMCWEB_LOG_ERROR << "pamUpdatePassword Failed";
1167 }
1168 else if (retval != PAM_SUCCESS)
1169 {
Ayushi Smriti599c71d2019-08-23 17:43:18 +00001170 messages::internalError(asyncResp->res);
Ed Tanous04ae99e2018-09-20 15:54:36 -07001171 return;
1172 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001173 }
Ed Tanous04ae99e2018-09-20 15:54:36 -07001174
Ed Tanous6c51eab2021-06-03 12:30:29 -07001175 if (enabled)
1176 {
1177 crow::connections::systemBus->async_method_call(
1178 [asyncResp](const boost::system::error_code ec) {
1179 if (ec)
1180 {
1181 BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec;
1182 messages::internalError(asyncResp->res);
1183 return;
1184 }
1185 messages::success(asyncResp->res);
1186 return;
1187 },
1188 "xyz.openbmc_project.User.Manager", dbusObjectPath.c_str(),
1189 "org.freedesktop.DBus.Properties", "Set",
1190 "xyz.openbmc_project.User.Attributes", "UserEnabled",
1191 std::variant<bool>{*enabled});
1192 }
Ayushi Smriti599c71d2019-08-23 17:43:18 +00001193
Ed Tanous6c51eab2021-06-03 12:30:29 -07001194 if (roleId)
1195 {
1196 std::string priv = getPrivilegeFromRoleId(*roleId);
1197 if (priv.empty())
Ed Tanous04ae99e2018-09-20 15:54:36 -07001198 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001199 messages::propertyValueNotInList(asyncResp->res, *roleId,
1200 "RoleId");
1201 return;
1202 }
1203 if (priv == "priv-noaccess")
1204 {
1205 priv = "";
1206 }
1207
1208 crow::connections::systemBus->async_method_call(
1209 [asyncResp](const boost::system::error_code ec) {
1210 if (ec)
1211 {
1212 BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec;
1213 messages::internalError(asyncResp->res);
1214 return;
1215 }
1216 messages::success(asyncResp->res);
1217 },
1218 "xyz.openbmc_project.User.Manager", dbusObjectPath.c_str(),
1219 "org.freedesktop.DBus.Properties", "Set",
1220 "xyz.openbmc_project.User.Attributes", "UserPrivilege",
1221 std::variant<std::string>{priv});
1222 }
1223
1224 if (locked)
1225 {
1226 // admin can unlock the account which is locked by
1227 // successive authentication failures but admin should
1228 // not be allowed to lock an account.
1229 if (*locked)
1230 {
1231 messages::propertyValueNotInList(asyncResp->res, "true",
1232 "Locked");
Ed Tanous04ae99e2018-09-20 15:54:36 -07001233 return;
1234 }
1235
Ayushi Smriti599c71d2019-08-23 17:43:18 +00001236 crow::connections::systemBus->async_method_call(
Ed Tanous6c51eab2021-06-03 12:30:29 -07001237 [asyncResp](const boost::system::error_code ec) {
1238 if (ec)
Ayushi Smriti599c71d2019-08-23 17:43:18 +00001239 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001240 BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec;
1241 messages::internalError(asyncResp->res);
Ayushi Smriti599c71d2019-08-23 17:43:18 +00001242 return;
1243 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001244 messages::success(asyncResp->res);
1245 return;
Ayushi Smriti599c71d2019-08-23 17:43:18 +00001246 },
Ed Tanous6c51eab2021-06-03 12:30:29 -07001247 "xyz.openbmc_project.User.Manager", dbusObjectPath.c_str(),
1248 "org.freedesktop.DBus.Properties", "Set",
1249 "xyz.openbmc_project.User.Attributes",
1250 "UserLockedForFailedAttempt", std::variant<bool>{*locked});
1251 }
1252 });
1253}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -07001254
Ed Tanous6c51eab2021-06-03 12:30:29 -07001255inline void requestAccountServiceRoutes(App& app)
Ed Tanousb9b2e0b2018-09-13 13:47:50 -07001256{
Ed Tanousb9b2e0b2018-09-13 13:47:50 -07001257
Ed Tanous6c51eab2021-06-03 12:30:29 -07001258 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
1259 .privileges({{"Login"}})
1260 .methods(
Abhishek Patel72048782021-06-02 09:53:24 -05001261 boost::beast::http::verb::get)([](const crow::Request& req,
Ed Tanous6c51eab2021-06-03 12:30:29 -07001262 const std::shared_ptr<
1263 bmcweb::AsyncResp>& asyncResp)
1264 -> void {
1265 const persistent_data::AuthConfigMethods& authMethodsConfig =
1266 persistent_data::SessionStore::getInstance()
1267 .getAuthMethodsConfig();
Ed Tanousb9b2e0b2018-09-13 13:47:50 -07001268
Ed Tanous6c51eab2021-06-03 12:30:29 -07001269 asyncResp->res.jsonValue = {
1270 {"@odata.id", "/redfish/v1/AccountService"},
1271 {"@odata.type", "#AccountService."
1272 "v1_5_0.AccountService"},
1273 {"Id", "AccountService"},
1274 {"Name", "Account Service"},
1275 {"Description", "Account Service"},
1276 {"ServiceEnabled", true},
1277 {"MaxPasswordLength", 20},
1278 {"Accounts",
1279 {{"@odata.id", "/redfish/v1/AccountService/Accounts"}}},
1280 {"Roles", {{"@odata.id", "/redfish/v1/AccountService/Roles"}}},
1281 {"Oem",
1282 {{"OpenBMC",
1283 {{"@odata.type", "#OemAccountService.v1_0_0.AccountService"},
1284 {"AuthMethods",
1285 {
1286 {"BasicAuth", authMethodsConfig.basic},
1287 {"SessionToken", authMethodsConfig.sessionToken},
1288 {"XToken", authMethodsConfig.xtoken},
1289 {"Cookie", authMethodsConfig.cookie},
1290 {"TLS", authMethodsConfig.tls},
Abhishek Patel72048782021-06-02 09:53:24 -05001291 }}}}}}};
1292 // /redfish/v1/AccountService/LDAP/Certificates is something only
1293 // ConfigureManager can access then only display when the user has
1294 // permissions ConfigureManager
1295 Privileges effectiveUserPrivileges =
1296 redfish::getUserPrivileges(req.userRole);
1297
1298 if (isOperationAllowedWithPrivileges({{"ConfigureManager"}},
1299 effectiveUserPrivileges))
1300 {
1301 asyncResp->res.jsonValue["LDAP"] = {
1302 {"Certificates",
1303 {{"@odata.id",
1304 "/redfish/v1/AccountService/LDAP/Certificates"}}}};
1305 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001306 crow::connections::systemBus->async_method_call(
1307 [asyncResp](
1308 const boost::system::error_code ec,
1309 const std::vector<
1310 std::pair<std::string,
1311 std::variant<uint32_t, uint16_t, uint8_t>>>&
1312 propertiesList) {
1313 if (ec)
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +00001314 {
1315 messages::internalError(asyncResp->res);
1316 return;
1317 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001318 BMCWEB_LOG_DEBUG << "Got " << propertiesList.size()
1319 << "properties for AccountService";
1320 for (const std::pair<std::string,
1321 std::variant<uint32_t, uint16_t,
1322 uint8_t>>& property :
1323 propertiesList)
1324 {
1325 if (property.first == "MinPasswordLength")
1326 {
1327 const uint8_t* value =
1328 std::get_if<uint8_t>(&property.second);
1329 if (value != nullptr)
Ratan Gupta24c85422019-01-30 19:41:24 +05301330 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001331 asyncResp->res.jsonValue["MinPasswordLength"] =
1332 *value;
Ratan Gupta24c85422019-01-30 19:41:24 +05301333 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001334 }
1335 if (property.first == "AccountUnlockTimeout")
1336 {
1337 const uint32_t* value =
1338 std::get_if<uint32_t>(&property.second);
1339 if (value != nullptr)
1340 {
1341 asyncResp->res
1342 .jsonValue["AccountLockoutDuration"] =
1343 *value;
1344 }
1345 }
1346 if (property.first == "MaxLoginAttemptBeforeLockout")
1347 {
1348 const uint16_t* value =
1349 std::get_if<uint16_t>(&property.second);
1350 if (value != nullptr)
1351 {
1352 asyncResp->res
1353 .jsonValue["AccountLockoutThreshold"] =
1354 *value;
1355 }
1356 }
1357 }
1358 },
1359 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1360 "org.freedesktop.DBus.Properties", "GetAll",
1361 "xyz.openbmc_project.User.AccountPolicy");
1362
1363 auto callback = [asyncResp](bool success, LDAPConfigData& confData,
1364 const std::string& ldapType) {
1365 if (!success)
1366 {
1367 return;
1368 }
1369 parseLDAPConfigData(asyncResp->res.jsonValue, confData,
1370 ldapType);
1371 };
1372
1373 getLDAPConfigData("LDAP", callback);
1374 getLDAPConfigData("ActiveDirectory", callback);
1375 });
1376
1377 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanouscef1ddf2021-06-03 13:45:10 -07001378 .privileges({{"Login"}})
Ed Tanous6c51eab2021-06-03 12:30:29 -07001379 .methods(boost::beast::http::verb::get)(
1380 [](const crow::Request& req,
1381 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) -> void {
1382 asyncResp->res.jsonValue = {
1383 {"@odata.id", "/redfish/v1/AccountService/Accounts"},
1384 {"@odata.type", "#ManagerAccountCollection."
1385 "ManagerAccountCollection"},
1386 {"Name", "Accounts Collection"},
1387 {"Description", "BMC User Accounts"}};
1388
Ed Tanous6c51eab2021-06-03 12:30:29 -07001389 Privileges effectiveUserPrivileges =
1390 redfish::getUserPrivileges(req.userRole);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001391
1392 std::string thisUser = req.session->username;
1393
1394 crow::connections::systemBus->async_method_call(
Ed Tanouscef1ddf2021-06-03 13:45:10 -07001395 [asyncResp, thisUser, effectiveUserPrivileges](
1396 const boost::system::error_code ec,
1397 const ManagedObjectType& users) {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001398 if (ec)
1399 {
1400 messages::internalError(asyncResp->res);
Ratan Gupta24c85422019-01-30 19:41:24 +05301401 return;
Ed Tanous6c51eab2021-06-03 12:30:29 -07001402 }
Ed Tanous9712f8a2018-09-21 13:38:49 -07001403
Ed Tanouscef1ddf2021-06-03 13:45:10 -07001404 bool userCanSeeAllAccounts =
1405 effectiveUserPrivileges.isSupersetOf(
1406 {{"ConfigureUsers"}});
1407
1408 bool userCanSeeSelf =
1409 effectiveUserPrivileges.isSupersetOf(
1410 {{"ConfigureSelf"}});
1411
Ed Tanous6c51eab2021-06-03 12:30:29 -07001412 nlohmann::json& memberArray =
1413 asyncResp->res.jsonValue["Members"];
1414 memberArray = nlohmann::json::array();
Ratan Gupta24c85422019-01-30 19:41:24 +05301415
Ed Tanous6c51eab2021-06-03 12:30:29 -07001416 for (auto& userpath : users)
1417 {
1418 std::string user = userpath.first.filename();
1419 if (user.empty())
Ratan Gupta24c85422019-01-30 19:41:24 +05301420 {
Ratan Gupta24c85422019-01-30 19:41:24 +05301421 messages::internalError(asyncResp->res);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001422 BMCWEB_LOG_ERROR << "Invalid firmware ID";
1423
Ratan Gupta24c85422019-01-30 19:41:24 +05301424 return;
1425 }
Ratan Gupta24c85422019-01-30 19:41:24 +05301426
Ed Tanous6c51eab2021-06-03 12:30:29 -07001427 // As clarified by Redfish here:
1428 // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration
1429 // Users without ConfigureUsers, only see their own
1430 // account. Users with ConfigureUsers, see all
1431 // accounts.
Ed Tanouscef1ddf2021-06-03 13:45:10 -07001432 if (userCanSeeAllAccounts ||
1433 (thisUser == user && userCanSeeSelf))
Ratan Gupta24c85422019-01-30 19:41:24 +05301434 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001435 memberArray.push_back(
1436 {{"@odata.id",
1437 "/redfish/v1/AccountService/Accounts/" +
1438 user}});
Ratan Gupta24c85422019-01-30 19:41:24 +05301439 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001440 }
1441 asyncResp->res.jsonValue["Members@odata.count"] =
1442 memberArray.size();
1443 },
1444 "xyz.openbmc_project.User.Manager",
1445 "/xyz/openbmc_project/user",
1446 "org.freedesktop.DBus.ObjectManager", "GetManagedObjects");
Ratan Gupta24c85422019-01-30 19:41:24 +05301447 });
Ed Tanous06e086d2018-09-19 17:19:52 -07001448
Ed Tanous6c51eab2021-06-03 12:30:29 -07001449 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
1450 .privileges({{"ConfigureUsers"}})
1451 .methods(boost::beast::http::verb::post)([](const crow::Request& req,
1452 const std::shared_ptr<
1453 bmcweb::AsyncResp>&
1454 asyncResp) -> void {
1455 std::string username;
1456 std::string password;
1457 std::optional<std::string> roleId("User");
1458 std::optional<bool> enabled = true;
1459 if (!json_util::readJson(req, asyncResp->res, "UserName", username,
1460 "Password", password, "RoleId", roleId,
1461 "Enabled", enabled))
1462 {
1463 return;
1464 }
Ed Tanous06e086d2018-09-19 17:19:52 -07001465
Ed Tanous6c51eab2021-06-03 12:30:29 -07001466 std::string priv = getPrivilegeFromRoleId(*roleId);
1467 if (priv.empty())
1468 {
1469 messages::propertyValueNotInList(asyncResp->res, *roleId,
1470 "RoleId");
1471 return;
1472 }
1473 // TODO: Following override will be reverted once support in
1474 // phosphor-user-manager is added. In order to avoid dependency
1475 // issues, this is added in bmcweb, which will removed, once
1476 // phosphor-user-manager supports priv-noaccess.
1477 if (priv == "priv-noaccess")
1478 {
1479 roleId = "";
1480 }
1481 else
1482 {
1483 roleId = priv;
1484 }
Ed Tanous06e086d2018-09-19 17:19:52 -07001485
Ed Tanous6c51eab2021-06-03 12:30:29 -07001486 // Reading AllGroups property
1487 crow::connections::systemBus->async_method_call(
1488 [asyncResp, username, password{std::move(password)}, roleId,
1489 enabled](
1490 const boost::system::error_code ec,
1491 const std::variant<std::vector<std::string>>& allGroups) {
1492 if (ec)
1493 {
1494 BMCWEB_LOG_DEBUG << "ERROR with async_method_call";
1495 messages::internalError(asyncResp->res);
1496 return;
1497 }
Ed Tanous06e086d2018-09-19 17:19:52 -07001498
Ed Tanous6c51eab2021-06-03 12:30:29 -07001499 const std::vector<std::string>* allGroupsList =
1500 std::get_if<std::vector<std::string>>(&allGroups);
1501
1502 if (allGroupsList == nullptr || allGroupsList->empty())
1503 {
1504 messages::internalError(asyncResp->res);
1505 return;
1506 }
1507
1508 crow::connections::systemBus->async_method_call(
1509 [asyncResp, username,
1510 password](const boost::system::error_code ec2,
1511 sdbusplus::message::message& m) {
1512 if (ec2)
1513 {
1514 userErrorMessageHandler(
1515 m.get_error(), asyncResp, username, "");
1516 return;
1517 }
1518
1519 if (pamUpdatePassword(username, password) !=
1520 PAM_SUCCESS)
1521 {
1522 // At this point we have a user that's been
1523 // created, but the password set
1524 // failed.Something is wrong, so delete the user
1525 // that we've already created
1526 crow::connections::systemBus->async_method_call(
1527 [asyncResp, password](
1528 const boost::system::error_code ec3) {
1529 if (ec3)
1530 {
1531 messages::internalError(
1532 asyncResp->res);
1533 return;
1534 }
1535
1536 // If password is invalid
1537 messages::propertyValueFormatError(
1538 asyncResp->res, password,
1539 "Password");
1540 },
1541 "xyz.openbmc_project.User.Manager",
1542 "/xyz/openbmc_project/user/" + username,
1543 "xyz.openbmc_project.Object.Delete",
1544 "Delete");
1545
1546 BMCWEB_LOG_ERROR << "pamUpdatePassword Failed";
1547 return;
1548 }
1549
1550 messages::created(asyncResp->res);
1551 asyncResp->res.addHeader(
1552 "Location",
1553 "/redfish/v1/AccountService/Accounts/" +
1554 username);
1555 },
1556 "xyz.openbmc_project.User.Manager",
1557 "/xyz/openbmc_project/user",
1558 "xyz.openbmc_project.User.Manager", "CreateUser",
1559 username, *allGroupsList, *roleId, *enabled);
1560 },
1561 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1562 "org.freedesktop.DBus.Properties", "Get",
1563 "xyz.openbmc_project.User.Manager", "AllGroups");
1564 });
1565
1566 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
1567 .privileges(
1568 {{"ConfigureUsers"}, {"ConfigureManager"}, {"ConfigureSelf"}})
1569 .methods(
1570 boost::beast::http::verb::
1571 get)([](const crow::Request& req,
1572 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1573 const std::string& accountName) -> void {
1574 if (req.session->username != accountName)
1575 {
1576 // At this point we've determined that the user is trying to
1577 // modify a user that isn't them. We need to verify that they
1578 // have permissions to modify other users, so re-run the auth
1579 // check with the same permissions, minus ConfigureSelf.
1580 Privileges effectiveUserPrivileges =
1581 redfish::getUserPrivileges(req.userRole);
1582 Privileges requiredPermissionsToChangeNonSelf = {
1583 {"ConfigureUsers"}, {"ConfigureManager"}};
1584 if (!effectiveUserPrivileges.isSupersetOf(
1585 requiredPermissionsToChangeNonSelf))
Ed Tanous06e086d2018-09-19 17:19:52 -07001586 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001587 BMCWEB_LOG_DEBUG << "GET Account denied access";
1588 messages::insufficientPrivilege(asyncResp->res);
1589 return;
1590 }
1591 }
1592
1593 crow::connections::systemBus->async_method_call(
1594 [asyncResp, accountName](const boost::system::error_code ec,
1595 const ManagedObjectType& users) {
1596 if (ec)
1597 {
1598 messages::internalError(asyncResp->res);
1599 return;
1600 }
1601 auto userIt = users.begin();
1602
1603 for (; userIt != users.end(); userIt++)
1604 {
1605 if (boost::ends_with(userIt->first.str,
1606 "/" + accountName))
1607 {
1608 break;
1609 }
1610 }
1611 if (userIt == users.end())
1612 {
1613 messages::resourceNotFound(
1614 asyncResp->res, "ManagerAccount", accountName);
1615 return;
1616 }
1617
1618 asyncResp->res.jsonValue = {
1619 {"@odata.type",
1620 "#ManagerAccount.v1_4_0.ManagerAccount"},
1621 {"Name", "User Account"},
1622 {"Description", "User Account"},
1623 {"Password", nullptr},
1624 {"AccountTypes", {"Redfish"}}};
1625
1626 for (const auto& interface : userIt->second)
1627 {
1628 if (interface.first ==
1629 "xyz.openbmc_project.User.Attributes")
1630 {
1631 for (const auto& property : interface.second)
1632 {
1633 if (property.first == "UserEnabled")
1634 {
1635 const bool* userEnabled =
1636 std::get_if<bool>(&property.second);
1637 if (userEnabled == nullptr)
1638 {
1639 BMCWEB_LOG_ERROR
1640 << "UserEnabled wasn't a bool";
1641 messages::internalError(asyncResp->res);
1642 return;
1643 }
1644 asyncResp->res.jsonValue["Enabled"] =
1645 *userEnabled;
1646 }
1647 else if (property.first ==
1648 "UserLockedForFailedAttempt")
1649 {
1650 const bool* userLocked =
1651 std::get_if<bool>(&property.second);
1652 if (userLocked == nullptr)
1653 {
1654 BMCWEB_LOG_ERROR << "UserLockedForF"
1655 "ailedAttempt "
1656 "wasn't a bool";
1657 messages::internalError(asyncResp->res);
1658 return;
1659 }
1660 asyncResp->res.jsonValue["Locked"] =
1661 *userLocked;
1662 asyncResp->res.jsonValue
1663 ["Locked@Redfish.AllowableValues"] = {
1664 "false"}; // can only unlock accounts
1665 }
1666 else if (property.first == "UserPrivilege")
1667 {
1668 const std::string* userPrivPtr =
1669 std::get_if<std::string>(
1670 &property.second);
1671 if (userPrivPtr == nullptr)
1672 {
1673 BMCWEB_LOG_ERROR
1674 << "UserPrivilege wasn't a "
1675 "string";
1676 messages::internalError(asyncResp->res);
1677 return;
1678 }
1679 std::string role =
1680 getRoleIdFromPrivilege(*userPrivPtr);
1681 if (role.empty())
1682 {
1683 BMCWEB_LOG_ERROR << "Invalid user role";
1684 messages::internalError(asyncResp->res);
1685 return;
1686 }
1687 asyncResp->res.jsonValue["RoleId"] = role;
1688
1689 asyncResp->res.jsonValue["Links"]["Role"] =
1690 {{"@odata.id",
1691 "/redfish/v1/AccountService/"
1692 "Roles/" +
1693 role}};
1694 }
1695 else if (property.first ==
1696 "UserPasswordExpired")
1697 {
1698 const bool* userPasswordExpired =
1699 std::get_if<bool>(&property.second);
1700 if (userPasswordExpired == nullptr)
1701 {
1702 BMCWEB_LOG_ERROR << "UserPassword"
1703 "Expired "
1704 "wasn't a bool";
1705 messages::internalError(asyncResp->res);
1706 return;
1707 }
1708 asyncResp->res
1709 .jsonValue["PasswordChangeRequired"] =
1710 *userPasswordExpired;
1711 }
1712 }
1713 }
1714 }
1715
1716 asyncResp->res.jsonValue["@odata.id"] =
1717 "/redfish/v1/AccountService/Accounts/" + accountName;
1718 asyncResp->res.jsonValue["Id"] = accountName;
1719 asyncResp->res.jsonValue["UserName"] = accountName;
1720 },
1721 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1722 "org.freedesktop.DBus.ObjectManager", "GetManagedObjects");
1723 });
1724
1725 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
1726 .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}})
1727 .methods(boost::beast::http::verb::patch)(
1728 [](const crow::Request& req,
1729 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1730 const std::string& username) -> void {
1731 std::optional<std::string> newUserName;
1732 std::optional<std::string> password;
1733 std::optional<bool> enabled;
1734 std::optional<std::string> roleId;
1735 std::optional<bool> locked;
1736 if (!json_util::readJson(req, asyncResp->res, "UserName",
1737 newUserName, "Password", password,
1738 "RoleId", roleId, "Enabled", enabled,
1739 "Locked", locked))
1740 {
Ed Tanous06e086d2018-09-19 17:19:52 -07001741 return;
1742 }
1743
Ed Tanous6c51eab2021-06-03 12:30:29 -07001744 // Perform a proper ConfigureSelf authority check. If the
1745 // session is being used to PATCH a property other than
1746 // Password, then the ConfigureSelf privilege does not apply.
1747 // If the user is operating on an account not their own, then
1748 // their ConfigureSelf privilege does not apply. In either
1749 // case, perform the authority check again without the user's
1750 // ConfigureSelf privilege.
1751 if ((username != req.session->username))
1752 {
1753 Privileges requiredPermissionsToChangeNonSelf = {
1754 {"ConfigureUsers"}};
1755 Privileges effectiveUserPrivileges =
1756 redfish::getUserPrivileges(req.userRole);
1757
1758 if (!effectiveUserPrivileges.isSupersetOf(
1759 requiredPermissionsToChangeNonSelf))
1760 {
1761 messages::insufficientPrivilege(asyncResp->res);
1762 return;
1763 }
1764 }
1765
1766 // if user name is not provided in the patch method or if it
1767 // matches the user name in the URI, then we are treating it as
1768 // updating user properties other then username. If username
1769 // provided doesn't match the URI, then we are treating this as
1770 // user rename request.
1771 if (!newUserName || (newUserName.value() == username))
1772 {
1773 updateUserProperties(asyncResp, username, password, enabled,
1774 roleId, locked);
1775 return;
1776 }
1777 crow::connections::systemBus->async_method_call(
1778 [asyncResp, username, password(std::move(password)),
1779 roleId(std::move(roleId)), enabled,
1780 newUser{std::string(*newUserName)},
1781 locked](const boost::system::error_code ec,
1782 sdbusplus::message::message& m) {
1783 if (ec)
1784 {
1785 userErrorMessageHandler(m.get_error(), asyncResp,
1786 newUser, username);
1787 return;
1788 }
1789
1790 updateUserProperties(asyncResp, newUser, password,
1791 enabled, roleId, locked);
1792 },
1793 "xyz.openbmc_project.User.Manager",
1794 "/xyz/openbmc_project/user",
1795 "xyz.openbmc_project.User.Manager", "RenameUser", username,
1796 *newUserName);
1797 });
1798
1799 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
1800 .privileges({{"ConfigureUsers"}})
1801 .methods(boost::beast::http::verb::delete_)(
1802 [](const crow::Request& /*req*/,
1803 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1804 const std::string& username) -> void {
1805 const std::string userPath =
1806 "/xyz/openbmc_project/user/" + username;
1807
1808 crow::connections::systemBus->async_method_call(
1809 [asyncResp, username](const boost::system::error_code ec) {
1810 if (ec)
1811 {
1812 messages::resourceNotFound(
1813 asyncResp->res,
1814 "#ManagerAccount.v1_4_0.ManagerAccount",
1815 username);
1816 return;
1817 }
1818
1819 messages::accountRemoved(asyncResp->res);
1820 },
1821 "xyz.openbmc_project.User.Manager", userPath,
1822 "xyz.openbmc_project.Object.Delete", "Delete");
1823 });
1824}
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +01001825
Ed Tanous1abe55e2018-09-05 08:30:59 -07001826} // namespace redfish