blob: 4fbf3c3c4bfd7270b79f174d85eae22e8285f19c [file] [log] [blame]
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +01001/*
2// Copyright (c) 2018 Intel Corporation
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15*/
16#pragma once
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +010017
Ed Tanous3ccb3ad2023-01-13 17:40:03 -080018#include "app.hpp"
19#include "dbus_utility.hpp"
20#include "error_messages.hpp"
Ed Tanous0ec8b832022-03-14 14:56:47 -070021#include "generated/enums/account_service.hpp"
Ed Tanous3ccb3ad2023-01-13 17:40:03 -080022#include "openbmc_dbus_rest.hpp"
23#include "persistent_data.hpp"
24#include "query.hpp"
Ed Tanous0ec8b832022-03-14 14:56:47 -070025#include "registries/privilege_registry.hpp"
Ed Tanous3ccb3ad2023-01-13 17:40:03 -080026#include "utils/dbus_utils.hpp"
27#include "utils/json_utils.hpp"
Ed Tanous0ec8b832022-03-14 14:56:47 -070028
Jonathan Doman1e1e5982021-06-11 09:36:17 -070029#include <sdbusplus/asio/property.hpp>
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +020030#include <sdbusplus/unpack_properties.hpp>
Gunnar Mills1214b7e2020-06-04 10:11:30 -050031
George Liu2b731192023-01-11 16:27:13 +080032#include <array>
Abhishek Patelc7229812022-02-01 10:07:15 -060033#include <optional>
Ed Tanous3544d2a2023-08-06 18:12:20 -070034#include <ranges>
Abhishek Patelc7229812022-02-01 10:07:15 -060035#include <string>
George Liu2b731192023-01-11 16:27:13 +080036#include <string_view>
Abhishek Patelc7229812022-02-01 10:07:15 -060037#include <vector>
38
Ed Tanous1abe55e2018-09-05 08:30:59 -070039namespace redfish
40{
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +010041
Ed Tanous23a21a12020-07-25 04:45:05 +000042constexpr const char* ldapConfigObjectName =
Ratan Gupta6973a582018-12-13 18:25:44 +053043 "/xyz/openbmc_project/user/ldap/openldap";
Ed Tanous2c70f802020-09-28 14:29:23 -070044constexpr const char* adConfigObject =
Ratan Guptaab828d72019-04-22 14:18:33 +053045 "/xyz/openbmc_project/user/ldap/active_directory";
46
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +053047constexpr const char* rootUserDbusPath = "/xyz/openbmc_project/user/";
Ratan Gupta6973a582018-12-13 18:25:44 +053048constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap";
49constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config";
50constexpr const char* ldapConfigInterface =
51 "xyz.openbmc_project.User.Ldap.Config";
52constexpr const char* ldapCreateInterface =
53 "xyz.openbmc_project.User.Ldap.Create";
54constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable";
Ratan Gupta06785242019-07-26 22:30:16 +053055constexpr const char* ldapPrivMapperInterface =
56 "xyz.openbmc_project.User.PrivilegeMapper";
Ratan Gupta6973a582018-12-13 18:25:44 +053057
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060058struct LDAPRoleMapData
59{
60 std::string groupName;
61 std::string privilege;
62};
63
Ratan Gupta6973a582018-12-13 18:25:44 +053064struct LDAPConfigData
65{
66 std::string uri{};
67 std::string bindDN{};
68 std::string baseDN{};
69 std::string searchScope{};
70 std::string serverType{};
71 bool serviceEnabled = false;
72 std::string userNameAttribute{};
73 std::string groupAttribute{};
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060074 std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList;
Ratan Gupta6973a582018-12-13 18:25:44 +053075};
76
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060077inline std::string getRoleIdFromPrivilege(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +053078{
79 if (role == "priv-admin")
80 {
81 return "Administrator";
82 }
Ed Tanous3174e4d2020-10-07 11:41:22 -070083 if (role == "priv-user")
AppaRao Puli84e12cb2018-10-11 01:28:15 +053084 {
AppaRao Pulic80fee52019-10-16 14:49:36 +053085 return "ReadOnly";
AppaRao Puli84e12cb2018-10-11 01:28:15 +053086 }
Ed Tanous3174e4d2020-10-07 11:41:22 -070087 if (role == "priv-operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +053088 {
89 return "Operator";
90 }
91 return "";
92}
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060093inline std::string getPrivilegeFromRoleId(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +053094{
95 if (role == "Administrator")
96 {
97 return "priv-admin";
98 }
Ed Tanous3174e4d2020-10-07 11:41:22 -070099 if (role == "ReadOnly")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530100 {
101 return "priv-user";
102 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700103 if (role == "Operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530104 {
105 return "priv-operator";
106 }
107 return "";
108}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700109
Abhishek Patelc7229812022-02-01 10:07:15 -0600110/**
111 * @brief Maps user group names retrieved from D-Bus object to
112 * Account Types.
113 *
114 * @param[in] userGroups List of User groups
115 * @param[out] res AccountTypes populated
116 *
117 * @return true in case of success, false if UserGroups contains
118 * invalid group name(s).
119 */
120inline bool translateUserGroup(const std::vector<std::string>& userGroups,
121 crow::Response& res)
122{
123 std::vector<std::string> accountTypes;
124 for (const auto& userGroup : userGroups)
125 {
126 if (userGroup == "redfish")
127 {
128 accountTypes.emplace_back("Redfish");
129 accountTypes.emplace_back("WebUI");
130 }
131 else if (userGroup == "ipmi")
132 {
133 accountTypes.emplace_back("IPMI");
134 }
135 else if (userGroup == "ssh")
136 {
Abhishek Patelc7229812022-02-01 10:07:15 -0600137 accountTypes.emplace_back("ManagerConsole");
138 }
Ninad Palsule3e72c202023-03-27 17:19:55 -0500139 else if (userGroup == "hostconsole")
140 {
141 // The hostconsole group controls who can access the host console
142 // port via ssh and websocket.
143 accountTypes.emplace_back("HostConsole");
144 }
Abhishek Patelc7229812022-02-01 10:07:15 -0600145 else if (userGroup == "web")
146 {
147 // 'web' is one of the valid groups in the UserGroups property of
148 // the user account in the D-Bus object. This group is currently not
149 // doing anything, and is considered to be equivalent to 'redfish'.
150 // 'redfish' user group is mapped to 'Redfish'and 'WebUI'
151 // AccountTypes, so do nothing here...
152 }
153 else
154 {
155 // Invalid user group name. Caller throws an excption.
156 return false;
157 }
158 }
159
160 res.jsonValue["AccountTypes"] = std::move(accountTypes);
161 return true;
162}
163
Abhishek Patel58345852022-02-02 08:54:25 -0600164/**
165 * @brief Builds User Groups from the Account Types
166 *
167 * @param[in] asyncResp Async Response
168 * @param[in] accountTypes List of Account Types
169 * @param[out] userGroups List of User Groups mapped from Account Types
170 *
171 * @return true if Account Types mapped to User Groups, false otherwise.
172 */
173inline bool
174 getUserGroupFromAccountType(crow::Response& res,
175 const std::vector<std::string>& accountTypes,
176 std::vector<std::string>& userGroups)
177{
178 // Need both Redfish and WebUI Account Types to map to 'redfish' User Group
179 bool redfishType = false;
180 bool webUIType = false;
181
182 for (const auto& accountType : accountTypes)
183 {
184 if (accountType == "Redfish")
185 {
186 redfishType = true;
187 }
188 else if (accountType == "WebUI")
189 {
190 webUIType = true;
191 }
192 else if (accountType == "IPMI")
193 {
194 userGroups.emplace_back("ipmi");
195 }
196 else if (accountType == "HostConsole")
197 {
198 userGroups.emplace_back("hostconsole");
199 }
200 else if (accountType == "ManagerConsole")
201 {
202 userGroups.emplace_back("ssh");
203 }
204 else
205 {
206 // Invalid Account Type
207 messages::propertyValueNotInList(res, "AccountTypes", accountType);
208 return false;
209 }
210 }
211
212 // Both Redfish and WebUI Account Types are needed to PATCH
213 if (redfishType ^ webUIType)
214 {
Ed Tanous62598e32023-07-17 17:06:25 -0700215 BMCWEB_LOG_ERROR(
216 "Missing Redfish or WebUI Account Type to set redfish User Group");
Abhishek Patel58345852022-02-02 08:54:25 -0600217 messages::strictAccountTypes(res, "AccountTypes");
218 return false;
219 }
220
221 if (redfishType && webUIType)
222 {
223 userGroups.emplace_back("redfish");
224 }
225
226 return true;
227}
228
229/**
230 * @brief Sets UserGroups property of the user based on the Account Types
231 *
232 * @param[in] accountTypes List of User Account Types
233 * @param[in] asyncResp Async Response
234 * @param[in] dbusObjectPath D-Bus Object Path
235 * @param[in] userSelf true if User is updating OWN Account Types
236 */
237inline void
238 patchAccountTypes(const std::vector<std::string>& accountTypes,
239 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
240 const std::string& dbusObjectPath, bool userSelf)
241{
242 // Check if User is disabling own Redfish Account Type
243 if (userSelf &&
244 (accountTypes.cend() ==
245 std::find(accountTypes.cbegin(), accountTypes.cend(), "Redfish")))
246 {
Ed Tanous62598e32023-07-17 17:06:25 -0700247 BMCWEB_LOG_ERROR(
248 "User disabling OWN Redfish Account Type is not allowed");
Abhishek Patel58345852022-02-02 08:54:25 -0600249 messages::strictAccountTypes(asyncResp->res, "AccountTypes");
250 return;
251 }
252
253 std::vector<std::string> updatedUserGroups;
254 if (!getUserGroupFromAccountType(asyncResp->res, accountTypes,
255 updatedUserGroups))
256 {
257 // Problem in mapping Account Types to User Groups, Error already
258 // logged.
259 return;
260 }
261
George Liu9ae226f2023-06-21 17:56:46 +0800262 sdbusplus::asio::setProperty(
263 *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
264 dbusObjectPath, "xyz.openbmc_project.User.Attributes", "UserGroups",
265 updatedUserGroups, [asyncResp](const boost::system::error_code& ec) {
266 if (ec)
267 {
Ed Tanous62598e32023-07-17 17:06:25 -0700268 BMCWEB_LOG_ERROR("D-Bus responses error: {}", ec);
George Liu9ae226f2023-06-21 17:56:46 +0800269 messages::internalError(asyncResp->res);
270 return;
271 }
272 messages::success(asyncResp->res);
273 });
Abhishek Patel58345852022-02-02 08:54:25 -0600274}
275
zhanghch058d1b46d2021-04-01 11:18:24 +0800276inline void userErrorMessageHandler(
277 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
278 const std::string& newUser, const std::string& username)
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000279{
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000280 if (e == nullptr)
281 {
282 messages::internalError(asyncResp->res);
283 return;
284 }
285
Manojkiran Eda055806b2020-11-03 09:36:28 +0530286 const char* errorMessage = e->name;
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000287 if (strcmp(errorMessage,
288 "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0)
289 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +0800290 messages::resourceAlreadyExists(asyncResp->res, "ManagerAccount",
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000291 "UserName", newUser);
292 }
293 else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
294 "UserNameDoesNotExist") == 0)
295 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +0800296 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000297 }
Ed Tanousd4d25792020-09-29 15:15:03 -0700298 else if ((strcmp(errorMessage,
299 "xyz.openbmc_project.Common.Error.InvalidArgument") ==
300 0) ||
George Liu0fda0f12021-11-16 10:06:17 +0800301 (strcmp(
302 errorMessage,
303 "xyz.openbmc_project.User.Common.Error.UserNameGroupFail") ==
304 0))
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000305 {
306 messages::propertyValueFormatError(asyncResp->res, newUser, "UserName");
307 }
308 else if (strcmp(errorMessage,
309 "xyz.openbmc_project.User.Common.Error.NoResource") == 0)
310 {
311 messages::createLimitReachedForResource(asyncResp->res);
312 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000313 else
314 {
315 messages::internalError(asyncResp->res);
316 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000317}
318
Ed Tanous81ce6092020-12-17 16:54:55 +0000319inline void parseLDAPConfigData(nlohmann::json& jsonResponse,
Ed Tanous23a21a12020-07-25 04:45:05 +0000320 const LDAPConfigData& confData,
321 const std::string& ldapType)
Ratan Gupta6973a582018-12-13 18:25:44 +0530322{
Patrick Williams89492a12023-05-10 07:51:34 -0500323 std::string service = (ldapType == "LDAP") ? "LDAPService"
324 : "ActiveDirectoryService";
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600325
Ed Tanous14766872022-03-15 10:44:42 -0700326 nlohmann::json& ldap = jsonResponse[ldapType];
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600327
Ed Tanous14766872022-03-15 10:44:42 -0700328 ldap["ServiceEnabled"] = confData.serviceEnabled;
329 ldap["ServiceAddresses"] = nlohmann::json::array({confData.uri});
Ed Tanous0ec8b832022-03-14 14:56:47 -0700330 ldap["Authentication"]["AuthenticationType"] =
331 account_service::AuthenticationTypes::UsernameAndPassword;
Ed Tanous14766872022-03-15 10:44:42 -0700332 ldap["Authentication"]["Username"] = confData.bindDN;
333 ldap["Authentication"]["Password"] = nullptr;
334
335 ldap["LDAPService"]["SearchSettings"]["BaseDistinguishedNames"] =
336 nlohmann::json::array({confData.baseDN});
337 ldap["LDAPService"]["SearchSettings"]["UsernameAttribute"] =
338 confData.userNameAttribute;
339 ldap["LDAPService"]["SearchSettings"]["GroupsAttribute"] =
340 confData.groupAttribute;
341
342 nlohmann::json& roleMapArray = ldap["RemoteRoleMapping"];
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600343 roleMapArray = nlohmann::json::array();
Ed Tanous9eb808c2022-01-25 10:19:23 -0800344 for (const auto& obj : confData.groupRoleList)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600345 {
Ed Tanous62598e32023-07-17 17:06:25 -0700346 BMCWEB_LOG_DEBUG("Pushing the data groupName={}", obj.second.groupName);
Ed Tanous613dabe2022-07-09 11:17:36 -0700347
Ed Tanous613dabe2022-07-09 11:17:36 -0700348 nlohmann::json::object_t remoteGroup;
349 remoteGroup["RemoteGroup"] = obj.second.groupName;
Jorge Cisneros329f0342022-11-04 16:26:25 +0000350 remoteGroup["LocalRole"] = getRoleIdFromPrivilege(obj.second.privilege);
351 roleMapArray.emplace_back(std::move(remoteGroup));
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600352 }
Ratan Gupta6973a582018-12-13 18:25:44 +0530353}
354
355/**
Ratan Gupta06785242019-07-26 22:30:16 +0530356 * @brief validates given JSON input and then calls appropriate method to
357 * create, to delete or to set Rolemapping object based on the given input.
358 *
359 */
Ed Tanous23a21a12020-07-25 04:45:05 +0000360inline void handleRoleMapPatch(
zhanghch058d1b46d2021-04-01 11:18:24 +0800361 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
Ratan Gupta06785242019-07-26 22:30:16 +0530362 const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData,
Ed Tanousf23b7292020-10-15 09:41:17 -0700363 const std::string& serverType, const std::vector<nlohmann::json>& input)
Ratan Gupta06785242019-07-26 22:30:16 +0530364{
365 for (size_t index = 0; index < input.size(); index++)
366 {
Ed Tanousf23b7292020-10-15 09:41:17 -0700367 const nlohmann::json& thisJson = input[index];
Ratan Gupta06785242019-07-26 22:30:16 +0530368
369 if (thisJson.is_null())
370 {
371 // delete the existing object
372 if (index < roleMapObjData.size())
373 {
374 crow::connections::systemBus->async_method_call(
375 [asyncResp, roleMapObjData, serverType,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -0800376 index](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700377 if (ec)
378 {
Ed Tanous62598e32023-07-17 17:06:25 -0700379 BMCWEB_LOG_ERROR("DBUS response error: {}", ec);
Ed Tanous002d39b2022-05-31 08:59:27 -0700380 messages::internalError(asyncResp->res);
381 return;
382 }
Patrick Williams89492a12023-05-10 07:51:34 -0500383 asyncResp->res.jsonValue[serverType]["RemoteRoleMapping"]
384 [index] = nullptr;
Ratan Gupta06785242019-07-26 22:30:16 +0530385 },
386 ldapDbusService, roleMapObjData[index].first,
387 "xyz.openbmc_project.Object.Delete", "Delete");
388 }
389 else
390 {
Ed Tanous62598e32023-07-17 17:06:25 -0700391 BMCWEB_LOG_ERROR("Can't delete the object");
Ed Tanous2e8c4bd2022-06-27 12:59:12 -0700392 messages::propertyValueTypeError(asyncResp->res, thisJson,
393 "RemoteRoleMapping/" +
394 std::to_string(index));
Ratan Gupta06785242019-07-26 22:30:16 +0530395 return;
396 }
397 }
398 else if (thisJson.empty())
399 {
400 // Don't do anything for the empty objects,parse next json
401 // eg {"RemoteRoleMapping",[{}]}
402 }
403 else
404 {
405 // update/create the object
406 std::optional<std::string> remoteGroup;
407 std::optional<std::string> localRole;
408
Ed Tanousf23b7292020-10-15 09:41:17 -0700409 // This is a copy, but it's required in this case because of how
410 // readJson is structured
411 nlohmann::json thisJsonCopy = thisJson;
412 if (!json_util::readJson(thisJsonCopy, asyncResp->res,
413 "RemoteGroup", remoteGroup, "LocalRole",
414 localRole))
Ratan Gupta06785242019-07-26 22:30:16 +0530415 {
416 continue;
417 }
418
419 // Update existing RoleMapping Object
420 if (index < roleMapObjData.size())
421 {
Ed Tanous62598e32023-07-17 17:06:25 -0700422 BMCWEB_LOG_DEBUG("Update Role Map Object");
Ratan Gupta06785242019-07-26 22:30:16 +0530423 // If "RemoteGroup" info is provided
424 if (remoteGroup)
425 {
George Liu9ae226f2023-06-21 17:56:46 +0800426 sdbusplus::asio::setProperty(
427 *crow::connections::systemBus, ldapDbusService,
428 roleMapObjData[index].first,
429 "xyz.openbmc_project.User.PrivilegeMapperEntry",
430 "GroupName", *remoteGroup,
Ratan Gupta06785242019-07-26 22:30:16 +0530431 [asyncResp, roleMapObjData, serverType, index,
Ravi Teja25e055a2022-08-09 03:18:38 -0500432 remoteGroup](const boost::system::error_code& ec,
Patrick Williams7a543892023-06-24 03:07:55 -0500433 const sdbusplus::message_t& msg) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700434 if (ec)
435 {
Ravi Teja25e055a2022-08-09 03:18:38 -0500436 const sd_bus_error* dbusError = msg.get_error();
437 if ((dbusError != nullptr) &&
438 (dbusError->name ==
439 std::string_view(
440 "xyz.openbmc_project.Common.Error.InvalidArgument")))
441 {
Ed Tanous62598e32023-07-17 17:06:25 -0700442 BMCWEB_LOG_WARNING("DBUS response error: {}",
443 ec);
Ravi Teja25e055a2022-08-09 03:18:38 -0500444 messages::propertyValueIncorrect(asyncResp->res,
445 "RemoteGroup",
446 *remoteGroup);
447 return;
448 }
Ed Tanous002d39b2022-05-31 08:59:27 -0700449 messages::internalError(asyncResp->res);
450 return;
451 }
452 asyncResp->res
453 .jsonValue[serverType]["RemoteRoleMapping"][index]
454 ["RemoteGroup"] = *remoteGroup;
George Liu9ae226f2023-06-21 17:56:46 +0800455 });
Ratan Gupta06785242019-07-26 22:30:16 +0530456 }
457
458 // If "LocalRole" info is provided
459 if (localRole)
460 {
George Liu9ae226f2023-06-21 17:56:46 +0800461 sdbusplus::asio::setProperty(
462 *crow::connections::systemBus, ldapDbusService,
463 roleMapObjData[index].first,
464 "xyz.openbmc_project.User.PrivilegeMapperEntry",
465 "Privilege", *localRole,
Ratan Gupta06785242019-07-26 22:30:16 +0530466 [asyncResp, roleMapObjData, serverType, index,
Ravi Teja25e055a2022-08-09 03:18:38 -0500467 localRole](const boost::system::error_code& ec,
Patrick Williams7a543892023-06-24 03:07:55 -0500468 const sdbusplus::message_t& msg) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700469 if (ec)
470 {
Ravi Teja25e055a2022-08-09 03:18:38 -0500471 const sd_bus_error* dbusError = msg.get_error();
472 if ((dbusError != nullptr) &&
473 (dbusError->name ==
474 std::string_view(
475 "xyz.openbmc_project.Common.Error.InvalidArgument")))
476 {
Ed Tanous62598e32023-07-17 17:06:25 -0700477 BMCWEB_LOG_WARNING("DBUS response error: {}",
478 ec);
Ravi Teja25e055a2022-08-09 03:18:38 -0500479 messages::propertyValueIncorrect(
480 asyncResp->res, "LocalRole", *localRole);
481 return;
482 }
Ed Tanous002d39b2022-05-31 08:59:27 -0700483 messages::internalError(asyncResp->res);
484 return;
485 }
486 asyncResp->res
487 .jsonValue[serverType]["RemoteRoleMapping"][index]
488 ["LocalRole"] = *localRole;
George Liu9ae226f2023-06-21 17:56:46 +0800489 });
Ratan Gupta06785242019-07-26 22:30:16 +0530490 }
491 }
492 // Create a new RoleMapping Object.
493 else
494 {
Ed Tanous62598e32023-07-17 17:06:25 -0700495 BMCWEB_LOG_DEBUG(
496 "setRoleMappingProperties: Creating new Object");
Patrick Williams89492a12023-05-10 07:51:34 -0500497 std::string pathString = "RemoteRoleMapping/" +
498 std::to_string(index);
Ratan Gupta06785242019-07-26 22:30:16 +0530499
500 if (!localRole)
501 {
502 messages::propertyMissing(asyncResp->res,
503 pathString + "/LocalRole");
504 continue;
505 }
506 if (!remoteGroup)
507 {
508 messages::propertyMissing(asyncResp->res,
509 pathString + "/RemoteGroup");
510 continue;
511 }
512
513 std::string dbusObjectPath;
514 if (serverType == "ActiveDirectory")
515 {
Ed Tanous2c70f802020-09-28 14:29:23 -0700516 dbusObjectPath = adConfigObject;
Ratan Gupta06785242019-07-26 22:30:16 +0530517 }
518 else if (serverType == "LDAP")
519 {
Ed Tanous23a21a12020-07-25 04:45:05 +0000520 dbusObjectPath = ldapConfigObjectName;
Ratan Gupta06785242019-07-26 22:30:16 +0530521 }
522
Ed Tanous62598e32023-07-17 17:06:25 -0700523 BMCWEB_LOG_DEBUG("Remote Group={},LocalRole={}", *remoteGroup,
524 *localRole);
Ratan Gupta06785242019-07-26 22:30:16 +0530525
526 crow::connections::systemBus->async_method_call(
Ed Tanous271584a2019-07-09 16:24:22 -0700527 [asyncResp, serverType, localRole,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -0800528 remoteGroup](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700529 if (ec)
530 {
Ed Tanous62598e32023-07-17 17:06:25 -0700531 BMCWEB_LOG_ERROR("DBUS response error: {}", ec);
Ed Tanous002d39b2022-05-31 08:59:27 -0700532 messages::internalError(asyncResp->res);
533 return;
534 }
535 nlohmann::json& remoteRoleJson =
536 asyncResp->res
537 .jsonValue[serverType]["RemoteRoleMapping"];
538 nlohmann::json::object_t roleMapEntry;
539 roleMapEntry["LocalRole"] = *localRole;
540 roleMapEntry["RemoteGroup"] = *remoteGroup;
Patrick Williamsb2ba3072023-05-12 10:27:39 -0500541 remoteRoleJson.emplace_back(std::move(roleMapEntry));
Ratan Gupta06785242019-07-26 22:30:16 +0530542 },
543 ldapDbusService, dbusObjectPath, ldapPrivMapperInterface,
Ed Tanous3174e4d2020-10-07 11:41:22 -0700544 "Create", *remoteGroup,
Ratan Gupta06785242019-07-26 22:30:16 +0530545 getPrivilegeFromRoleId(std::move(*localRole)));
546 }
547 }
548 }
549}
550
551/**
Ratan Gupta6973a582018-12-13 18:25:44 +0530552 * Function that retrieves all properties for LDAP config object
553 * into JSON
554 */
555template <typename CallbackFunc>
556inline void getLDAPConfigData(const std::string& ldapType,
557 CallbackFunc&& callback)
558{
George Liu2b731192023-01-11 16:27:13 +0800559 constexpr std::array<std::string_view, 2> interfaces = {
560 ldapEnableInterface, ldapConfigInterface};
Ratan Gupta6973a582018-12-13 18:25:44 +0530561
George Liu2b731192023-01-11 16:27:13 +0800562 dbus::utility::getDbusObject(
563 ldapConfigObjectName, interfaces,
564 [callback, ldapType](const boost::system::error_code& ec,
Ed Tanousb9d36b42022-02-26 21:42:46 -0800565 const dbus::utility::MapperGetObject& resp) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700566 if (ec || resp.empty())
567 {
Carson Labradobf2dded2023-08-10 00:37:06 +0000568 BMCWEB_LOG_WARNING(
Ed Tanous62598e32023-07-17 17:06:25 -0700569 "DBUS response error during getting of service name: {}", ec);
Ed Tanous002d39b2022-05-31 08:59:27 -0700570 LDAPConfigData empty{};
571 callback(false, empty, ldapType);
572 return;
573 }
574 std::string service = resp.begin()->first;
George Liu5eb468d2023-06-20 17:03:24 +0800575 sdbusplus::message::object_path path(ldapRootObject);
576 dbus::utility::getManagedObjects(
577 service, path,
Ed Tanous002d39b2022-05-31 08:59:27 -0700578 [callback,
Ed Tanous8b242752023-06-27 17:17:13 -0700579 ldapType](const boost::system::error_code& ec2,
Ed Tanous002d39b2022-05-31 08:59:27 -0700580 const dbus::utility::ManagedObjectType& ldapObjects) {
581 LDAPConfigData confData{};
Ed Tanous8b242752023-06-27 17:17:13 -0700582 if (ec2)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600583 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700584 callback(false, confData, ldapType);
Carson Labradobf2dded2023-08-10 00:37:06 +0000585 BMCWEB_LOG_WARNING("D-Bus responses error: {}", ec2);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600586 return;
587 }
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600588
Ed Tanous002d39b2022-05-31 08:59:27 -0700589 std::string ldapDbusType;
590 std::string searchString;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600591
Ed Tanous002d39b2022-05-31 08:59:27 -0700592 if (ldapType == "LDAP")
593 {
594 ldapDbusType =
595 "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap";
596 searchString = "openldap";
597 }
598 else if (ldapType == "ActiveDirectory")
599 {
600 ldapDbusType =
601 "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory";
602 searchString = "active_directory";
603 }
604 else
605 {
Ed Tanous62598e32023-07-17 17:06:25 -0700606 BMCWEB_LOG_ERROR("Can't get the DbusType for the given type={}",
607 ldapType);
Ed Tanous002d39b2022-05-31 08:59:27 -0700608 callback(false, confData, ldapType);
609 return;
610 }
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600611
Ed Tanous002d39b2022-05-31 08:59:27 -0700612 std::string ldapEnableInterfaceStr = ldapEnableInterface;
613 std::string ldapConfigInterfaceStr = ldapConfigInterface;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600614
Ed Tanous002d39b2022-05-31 08:59:27 -0700615 for (const auto& object : ldapObjects)
616 {
617 // let's find the object whose ldap type is equal to the
618 // given type
619 if (object.first.str.find(searchString) == std::string::npos)
620 {
621 continue;
622 }
623
624 for (const auto& interface : object.second)
625 {
626 if (interface.first == ldapEnableInterfaceStr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600627 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700628 // rest of the properties are string.
629 for (const auto& property : interface.second)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600630 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700631 if (property.first == "Enabled")
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600632 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700633 const bool* value =
634 std::get_if<bool>(&property.second);
635 if (value == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600636 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700637 continue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600638 }
Ed Tanous002d39b2022-05-31 08:59:27 -0700639 confData.serviceEnabled = *value;
640 break;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600641 }
642 }
643 }
Ed Tanous002d39b2022-05-31 08:59:27 -0700644 else if (interface.first == ldapConfigInterfaceStr)
645 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700646 for (const auto& property : interface.second)
647 {
648 const std::string* strValue =
649 std::get_if<std::string>(&property.second);
650 if (strValue == nullptr)
651 {
652 continue;
653 }
654 if (property.first == "LDAPServerURI")
655 {
656 confData.uri = *strValue;
657 }
658 else if (property.first == "LDAPBindDN")
659 {
660 confData.bindDN = *strValue;
661 }
662 else if (property.first == "LDAPBaseDN")
663 {
664 confData.baseDN = *strValue;
665 }
666 else if (property.first == "LDAPSearchScope")
667 {
668 confData.searchScope = *strValue;
669 }
670 else if (property.first == "GroupNameAttribute")
671 {
672 confData.groupAttribute = *strValue;
673 }
674 else if (property.first == "UserNameAttribute")
675 {
676 confData.userNameAttribute = *strValue;
677 }
678 else if (property.first == "LDAPType")
679 {
680 confData.serverType = *strValue;
681 }
682 }
683 }
684 else if (interface.first ==
685 "xyz.openbmc_project.User.PrivilegeMapperEntry")
686 {
687 LDAPRoleMapData roleMapData{};
688 for (const auto& property : interface.second)
689 {
690 const std::string* strValue =
691 std::get_if<std::string>(&property.second);
692
693 if (strValue == nullptr)
694 {
695 continue;
696 }
697
698 if (property.first == "GroupName")
699 {
700 roleMapData.groupName = *strValue;
701 }
702 else if (property.first == "Privilege")
703 {
704 roleMapData.privilege = *strValue;
705 }
706 }
707
708 confData.groupRoleList.emplace_back(object.first.str,
709 roleMapData);
710 }
711 }
712 }
713 callback(true, confData, ldapType);
George Liu5eb468d2023-06-20 17:03:24 +0800714 });
George Liu2b731192023-01-11 16:27:13 +0800715 });
Ratan Gupta6973a582018-12-13 18:25:44 +0530716}
717
Ed Tanous6c51eab2021-06-03 12:30:29 -0700718/**
719 * @brief parses the authentication section under the LDAP
720 * @param input JSON data
721 * @param asyncResp pointer to the JSON response
722 * @param userName userName to be filled from the given JSON.
723 * @param password password to be filled from the given JSON.
724 */
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700725inline void parseLDAPAuthenticationJson(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700726 nlohmann::json input, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
727 std::optional<std::string>& username, std::optional<std::string>& password)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700728{
Ed Tanous6c51eab2021-06-03 12:30:29 -0700729 std::optional<std::string> authType;
730
731 if (!json_util::readJson(input, asyncResp->res, "AuthenticationType",
732 authType, "Username", username, "Password",
733 password))
Ed Tanous1abe55e2018-09-05 08:30:59 -0700734 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700735 return;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700736 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700737 if (!authType)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530738 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700739 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530740 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700741 if (*authType != "UsernameAndPassword")
Ratan Gupta8a07d282019-03-16 08:33:47 +0530742 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700743 messages::propertyValueNotInList(asyncResp->res, *authType,
744 "AuthenticationType");
745 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530746 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700747}
748/**
749 * @brief parses the LDAPService section under the LDAP
750 * @param input JSON data
751 * @param asyncResp pointer to the JSON response
752 * @param baseDNList baseDN to be filled from the given JSON.
753 * @param userNameAttribute userName to be filled from the given JSON.
754 * @param groupaAttribute password to be filled from the given JSON.
755 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530756
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700757inline void
758 parseLDAPServiceJson(nlohmann::json input,
759 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
760 std::optional<std::vector<std::string>>& baseDNList,
761 std::optional<std::string>& userNameAttribute,
762 std::optional<std::string>& groupsAttribute)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700763{
764 std::optional<nlohmann::json> searchSettings;
765
766 if (!json_util::readJson(input, asyncResp->res, "SearchSettings",
767 searchSettings))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530768 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700769 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530770 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700771 if (!searchSettings)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530772 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700773 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530774 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700775 if (!json_util::readJson(*searchSettings, asyncResp->res,
776 "BaseDistinguishedNames", baseDNList,
777 "UsernameAttribute", userNameAttribute,
778 "GroupsAttribute", groupsAttribute))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530779 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700780 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530781 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700782}
783/**
784 * @brief updates the LDAP server address and updates the
785 json response with the new value.
786 * @param serviceAddressList address to be updated.
787 * @param asyncResp pointer to the JSON response
788 * @param ldapServerElementName Type of LDAP
789 server(openLDAP/ActiveDirectory)
790 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530791
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700792inline void handleServiceAddressPatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700793 const std::vector<std::string>& serviceAddressList,
794 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
795 const std::string& ldapServerElementName,
796 const std::string& ldapConfigObject)
797{
George Liu9ae226f2023-06-21 17:56:46 +0800798 sdbusplus::asio::setProperty(
799 *crow::connections::systemBus, ldapDbusService, ldapConfigObject,
800 ldapConfigInterface, "LDAPServerURI", serviceAddressList.front(),
Patrick Williams7a543892023-06-24 03:07:55 -0500801 [asyncResp, ldapServerElementName, serviceAddressList](
802 const boost::system::error_code& ec, sdbusplus::message_t& msg) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700803 if (ec)
804 {
Ravi Teja25e055a2022-08-09 03:18:38 -0500805 const sd_bus_error* dbusError = msg.get_error();
806 if ((dbusError != nullptr) &&
807 (dbusError->name ==
808 std::string_view(
809 "xyz.openbmc_project.Common.Error.InvalidArgument")))
810 {
Ed Tanous62598e32023-07-17 17:06:25 -0700811 BMCWEB_LOG_WARNING(
812 "Error Occurred in updating the service address");
Ravi Teja25e055a2022-08-09 03:18:38 -0500813 messages::propertyValueIncorrect(asyncResp->res,
814 "ServiceAddresses",
815 serviceAddressList.front());
816 return;
817 }
Ed Tanous002d39b2022-05-31 08:59:27 -0700818 messages::internalError(asyncResp->res);
819 return;
820 }
821 std::vector<std::string> modifiedserviceAddressList = {
822 serviceAddressList.front()};
823 asyncResp->res.jsonValue[ldapServerElementName]["ServiceAddresses"] =
824 modifiedserviceAddressList;
825 if ((serviceAddressList).size() > 1)
826 {
827 messages::propertyValueModified(asyncResp->res, "ServiceAddresses",
828 serviceAddressList.front());
829 }
Ed Tanous62598e32023-07-17 17:06:25 -0700830 BMCWEB_LOG_DEBUG("Updated the service address");
George Liu9ae226f2023-06-21 17:56:46 +0800831 });
Ed Tanous6c51eab2021-06-03 12:30:29 -0700832}
833/**
834 * @brief updates the LDAP Bind DN and updates the
835 json response with the new value.
836 * @param username name of the user which needs to be updated.
837 * @param asyncResp pointer to the JSON response
838 * @param ldapServerElementName Type of LDAP
839 server(openLDAP/ActiveDirectory)
840 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530841
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700842inline void
843 handleUserNamePatch(const std::string& username,
844 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
845 const std::string& ldapServerElementName,
846 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700847{
George Liu9ae226f2023-06-21 17:56:46 +0800848 sdbusplus::asio::setProperty(*crow::connections::systemBus, ldapDbusService,
849 ldapConfigObject, ldapConfigInterface,
850 "LDAPBindDN", username,
851 [asyncResp, username, ldapServerElementName](
852 const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700853 if (ec)
854 {
Ed Tanous62598e32023-07-17 17:06:25 -0700855 BMCWEB_LOG_DEBUG("Error occurred in updating the username");
Ed Tanous002d39b2022-05-31 08:59:27 -0700856 messages::internalError(asyncResp->res);
857 return;
858 }
Patrick Williams89492a12023-05-10 07:51:34 -0500859 asyncResp->res.jsonValue[ldapServerElementName]["Authentication"]
860 ["Username"] = username;
Ed Tanous62598e32023-07-17 17:06:25 -0700861 BMCWEB_LOG_DEBUG("Updated the username");
George Liu9ae226f2023-06-21 17:56:46 +0800862 });
Ed Tanous6c51eab2021-06-03 12:30:29 -0700863}
864
865/**
866 * @brief updates the LDAP password
867 * @param password : ldap password which needs to be updated.
868 * @param asyncResp pointer to the JSON response
869 * @param ldapServerElementName Type of LDAP
870 * server(openLDAP/ActiveDirectory)
871 */
872
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700873inline void
874 handlePasswordPatch(const std::string& password,
875 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
876 const std::string& ldapServerElementName,
877 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700878{
George Liu9ae226f2023-06-21 17:56:46 +0800879 sdbusplus::asio::setProperty(*crow::connections::systemBus, ldapDbusService,
880 ldapConfigObject, ldapConfigInterface,
881 "LDAPBindDNPassword", password,
882 [asyncResp, password, ldapServerElementName](
883 const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700884 if (ec)
885 {
Ed Tanous62598e32023-07-17 17:06:25 -0700886 BMCWEB_LOG_DEBUG("Error occurred in updating the password");
Ed Tanous002d39b2022-05-31 08:59:27 -0700887 messages::internalError(asyncResp->res);
888 return;
889 }
Patrick Williams89492a12023-05-10 07:51:34 -0500890 asyncResp->res.jsonValue[ldapServerElementName]["Authentication"]
891 ["Password"] = "";
Ed Tanous62598e32023-07-17 17:06:25 -0700892 BMCWEB_LOG_DEBUG("Updated the password");
George Liu9ae226f2023-06-21 17:56:46 +0800893 });
Ed Tanous6c51eab2021-06-03 12:30:29 -0700894}
895
896/**
897 * @brief updates the LDAP BaseDN and updates the
898 json response with the new value.
899 * @param baseDNList baseDN list which needs to be updated.
900 * @param asyncResp pointer to the JSON response
901 * @param ldapServerElementName Type of LDAP
902 server(openLDAP/ActiveDirectory)
903 */
904
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700905inline void
906 handleBaseDNPatch(const std::vector<std::string>& baseDNList,
907 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
908 const std::string& ldapServerElementName,
909 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700910{
George Liu9ae226f2023-06-21 17:56:46 +0800911 sdbusplus::asio::setProperty(*crow::connections::systemBus, ldapDbusService,
912 ldapConfigObject, ldapConfigInterface,
913 "LDAPBaseDN", baseDNList.front(),
914 [asyncResp, baseDNList, ldapServerElementName](
915 const boost::system::error_code& ec,
916 const sdbusplus::message_t& msg) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700917 if (ec)
918 {
Ed Tanous62598e32023-07-17 17:06:25 -0700919 BMCWEB_LOG_DEBUG("Error Occurred in Updating the base DN");
Ravi Teja25e055a2022-08-09 03:18:38 -0500920 const sd_bus_error* dbusError = msg.get_error();
921 if ((dbusError != nullptr) &&
922 (dbusError->name ==
923 std::string_view(
924 "xyz.openbmc_project.Common.Error.InvalidArgument")))
925 {
926 messages::propertyValueIncorrect(asyncResp->res,
927 "BaseDistinguishedNames",
928 baseDNList.front());
929 return;
930 }
Ed Tanous002d39b2022-05-31 08:59:27 -0700931 messages::internalError(asyncResp->res);
932 return;
933 }
934 auto& serverTypeJson = asyncResp->res.jsonValue[ldapServerElementName];
935 auto& searchSettingsJson =
936 serverTypeJson["LDAPService"]["SearchSettings"];
937 std::vector<std::string> modifiedBaseDNList = {baseDNList.front()};
938 searchSettingsJson["BaseDistinguishedNames"] = modifiedBaseDNList;
939 if (baseDNList.size() > 1)
940 {
941 messages::propertyValueModified(
942 asyncResp->res, "BaseDistinguishedNames", baseDNList.front());
943 }
Ed Tanous62598e32023-07-17 17:06:25 -0700944 BMCWEB_LOG_DEBUG("Updated the base DN");
George Liu9ae226f2023-06-21 17:56:46 +0800945 });
Ed Tanous6c51eab2021-06-03 12:30:29 -0700946}
947/**
948 * @brief updates the LDAP user name attribute and updates the
949 json response with the new value.
950 * @param userNameAttribute attribute to be updated.
951 * @param asyncResp pointer to the JSON response
952 * @param ldapServerElementName Type of LDAP
953 server(openLDAP/ActiveDirectory)
954 */
955
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700956inline void
957 handleUserNameAttrPatch(const std::string& userNameAttribute,
958 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
959 const std::string& ldapServerElementName,
960 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700961{
George Liu9ae226f2023-06-21 17:56:46 +0800962 sdbusplus::asio::setProperty(
963 *crow::connections::systemBus, ldapDbusService, ldapConfigObject,
964 ldapConfigInterface, "UserNameAttribute", userNameAttribute,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700965 [asyncResp, userNameAttribute,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -0800966 ldapServerElementName](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700967 if (ec)
968 {
Ed Tanous62598e32023-07-17 17:06:25 -0700969 BMCWEB_LOG_DEBUG("Error Occurred in Updating the "
970 "username attribute");
Ed Tanous002d39b2022-05-31 08:59:27 -0700971 messages::internalError(asyncResp->res);
972 return;
973 }
974 auto& serverTypeJson = asyncResp->res.jsonValue[ldapServerElementName];
975 auto& searchSettingsJson =
976 serverTypeJson["LDAPService"]["SearchSettings"];
977 searchSettingsJson["UsernameAttribute"] = userNameAttribute;
Ed Tanous62598e32023-07-17 17:06:25 -0700978 BMCWEB_LOG_DEBUG("Updated the user name attr.");
George Liu9ae226f2023-06-21 17:56:46 +0800979 });
Ed Tanous6c51eab2021-06-03 12:30:29 -0700980}
981/**
982 * @brief updates the LDAP group attribute and updates the
983 json response with the new value.
984 * @param groupsAttribute attribute to be updated.
985 * @param asyncResp pointer to the JSON response
986 * @param ldapServerElementName Type of LDAP
987 server(openLDAP/ActiveDirectory)
988 */
989
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700990inline void handleGroupNameAttrPatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700991 const std::string& groupsAttribute,
992 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
993 const std::string& ldapServerElementName,
994 const std::string& ldapConfigObject)
995{
George Liu9ae226f2023-06-21 17:56:46 +0800996 sdbusplus::asio::setProperty(
997 *crow::connections::systemBus, ldapDbusService, ldapConfigObject,
998 ldapConfigInterface, "GroupNameAttribute", groupsAttribute,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700999 [asyncResp, groupsAttribute,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001000 ldapServerElementName](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -07001001 if (ec)
1002 {
Ed Tanous62598e32023-07-17 17:06:25 -07001003 BMCWEB_LOG_DEBUG("Error Occurred in Updating the "
1004 "groupname attribute");
Ed Tanous002d39b2022-05-31 08:59:27 -07001005 messages::internalError(asyncResp->res);
1006 return;
1007 }
1008 auto& serverTypeJson = asyncResp->res.jsonValue[ldapServerElementName];
1009 auto& searchSettingsJson =
1010 serverTypeJson["LDAPService"]["SearchSettings"];
1011 searchSettingsJson["GroupsAttribute"] = groupsAttribute;
Ed Tanous62598e32023-07-17 17:06:25 -07001012 BMCWEB_LOG_DEBUG("Updated the groupname attr");
George Liu9ae226f2023-06-21 17:56:46 +08001013 });
Ed Tanous6c51eab2021-06-03 12:30:29 -07001014}
1015/**
1016 * @brief updates the LDAP service enable and updates the
1017 json response with the new value.
1018 * @param input JSON data.
1019 * @param asyncResp pointer to the JSON response
1020 * @param ldapServerElementName Type of LDAP
1021 server(openLDAP/ActiveDirectory)
1022 */
1023
Ed Tanous4f48d5f2021-06-21 08:27:45 -07001024inline void handleServiceEnablePatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -07001025 bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1026 const std::string& ldapServerElementName,
1027 const std::string& ldapConfigObject)
1028{
George Liu9ae226f2023-06-21 17:56:46 +08001029 sdbusplus::asio::setProperty(
1030 *crow::connections::systemBus, ldapDbusService, ldapConfigObject,
1031 ldapEnableInterface, "Enabled", serviceEnabled,
Ed Tanous6c51eab2021-06-03 12:30:29 -07001032 [asyncResp, serviceEnabled,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001033 ldapServerElementName](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -07001034 if (ec)
1035 {
Ed Tanous62598e32023-07-17 17:06:25 -07001036 BMCWEB_LOG_DEBUG("Error Occurred in Updating the service enable");
Ed Tanous002d39b2022-05-31 08:59:27 -07001037 messages::internalError(asyncResp->res);
1038 return;
1039 }
1040 asyncResp->res.jsonValue[ldapServerElementName]["ServiceEnabled"] =
1041 serviceEnabled;
Ed Tanous62598e32023-07-17 17:06:25 -07001042 BMCWEB_LOG_DEBUG("Updated Service enable = {}", serviceEnabled);
George Liu9ae226f2023-06-21 17:56:46 +08001043 });
Ed Tanous6c51eab2021-06-03 12:30:29 -07001044}
1045
Ed Tanous4f48d5f2021-06-21 08:27:45 -07001046inline void
1047 handleAuthMethodsPatch(nlohmann::json& input,
1048 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001049{
1050 std::optional<bool> basicAuth;
1051 std::optional<bool> cookie;
1052 std::optional<bool> sessionToken;
1053 std::optional<bool> xToken;
1054 std::optional<bool> tls;
1055
1056 if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth,
1057 "Cookie", cookie, "SessionToken", sessionToken,
1058 "XToken", xToken, "TLS", tls))
Ratan Gupta8a07d282019-03-16 08:33:47 +05301059 {
Ed Tanous62598e32023-07-17 17:06:25 -07001060 BMCWEB_LOG_ERROR("Cannot read values from AuthMethod tag");
Ed Tanous6c51eab2021-06-03 12:30:29 -07001061 return;
1062 }
1063
1064 // Make a copy of methods configuration
1065 persistent_data::AuthConfigMethods authMethodsConfig =
1066 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
1067
1068 if (basicAuth)
1069 {
1070#ifndef BMCWEB_ENABLE_BASIC_AUTHENTICATION
1071 messages::actionNotSupported(
George Liu0fda0f12021-11-16 10:06:17 +08001072 asyncResp->res,
1073 "Setting BasicAuth when basic-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -07001074 return;
1075#endif
1076 authMethodsConfig.basic = *basicAuth;
1077 }
1078
1079 if (cookie)
1080 {
1081#ifndef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
George Liu0fda0f12021-11-16 10:06:17 +08001082 messages::actionNotSupported(
1083 asyncResp->res,
1084 "Setting Cookie when cookie-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -07001085 return;
1086#endif
1087 authMethodsConfig.cookie = *cookie;
1088 }
1089
1090 if (sessionToken)
1091 {
1092#ifndef BMCWEB_ENABLE_SESSION_AUTHENTICATION
1093 messages::actionNotSupported(
George Liu0fda0f12021-11-16 10:06:17 +08001094 asyncResp->res,
1095 "Setting SessionToken when session-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -07001096 return;
1097#endif
1098 authMethodsConfig.sessionToken = *sessionToken;
1099 }
1100
1101 if (xToken)
1102 {
1103#ifndef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
George Liu0fda0f12021-11-16 10:06:17 +08001104 messages::actionNotSupported(
1105 asyncResp->res,
1106 "Setting XToken when xtoken-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -07001107 return;
1108#endif
1109 authMethodsConfig.xtoken = *xToken;
1110 }
1111
1112 if (tls)
1113 {
1114#ifndef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
George Liu0fda0f12021-11-16 10:06:17 +08001115 messages::actionNotSupported(
1116 asyncResp->res,
1117 "Setting TLS when mutual-tls-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -07001118 return;
1119#endif
1120 authMethodsConfig.tls = *tls;
1121 }
1122
1123 if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
1124 !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
1125 !authMethodsConfig.tls)
1126 {
1127 // Do not allow user to disable everything
1128 messages::actionNotSupported(asyncResp->res,
1129 "of disabling all available methods");
1130 return;
1131 }
1132
1133 persistent_data::SessionStore::getInstance().updateAuthMethodsConfig(
1134 authMethodsConfig);
1135 // Save configuration immediately
1136 persistent_data::getConfig().writeData();
1137
1138 messages::success(asyncResp->res);
1139}
1140
1141/**
1142 * @brief Get the required values from the given JSON, validates the
1143 * value and create the LDAP config object.
1144 * @param input JSON data
1145 * @param asyncResp pointer to the JSON response
1146 * @param serverType Type of LDAP server(openLDAP/ActiveDirectory)
1147 */
1148
1149inline void handleLDAPPatch(nlohmann::json& input,
1150 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1151 const std::string& serverType)
1152{
1153 std::string dbusObjectPath;
1154 if (serverType == "ActiveDirectory")
1155 {
1156 dbusObjectPath = adConfigObject;
1157 }
1158 else if (serverType == "LDAP")
1159 {
1160 dbusObjectPath = ldapConfigObjectName;
1161 }
1162 else
1163 {
1164 return;
1165 }
1166
1167 std::optional<nlohmann::json> authentication;
1168 std::optional<nlohmann::json> ldapService;
1169 std::optional<std::vector<std::string>> serviceAddressList;
1170 std::optional<bool> serviceEnabled;
1171 std::optional<std::vector<std::string>> baseDNList;
1172 std::optional<std::string> userNameAttribute;
1173 std::optional<std::string> groupsAttribute;
1174 std::optional<std::string> userName;
1175 std::optional<std::string> password;
1176 std::optional<std::vector<nlohmann::json>> remoteRoleMapData;
1177
1178 if (!json_util::readJson(input, asyncResp->res, "Authentication",
1179 authentication, "LDAPService", ldapService,
1180 "ServiceAddresses", serviceAddressList,
1181 "ServiceEnabled", serviceEnabled,
1182 "RemoteRoleMapping", remoteRoleMapData))
1183 {
1184 return;
1185 }
1186
1187 if (authentication)
1188 {
1189 parseLDAPAuthenticationJson(*authentication, asyncResp, userName,
1190 password);
1191 }
1192 if (ldapService)
1193 {
1194 parseLDAPServiceJson(*ldapService, asyncResp, baseDNList,
1195 userNameAttribute, groupsAttribute);
1196 }
1197 if (serviceAddressList)
1198 {
Ed Tanous26f69762022-01-25 09:49:11 -08001199 if (serviceAddressList->empty())
Ratan Guptaeb2bbe52019-04-22 14:27:01 +05301200 {
Ed Tanouse2616cc2022-06-27 12:45:55 -07001201 messages::propertyValueNotInList(
1202 asyncResp->res, *serviceAddressList, "ServiceAddress");
Ed Tanouscb13a392020-07-25 19:02:03 +00001203 return;
1204 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001205 }
1206 if (baseDNList)
1207 {
Ed Tanous26f69762022-01-25 09:49:11 -08001208 if (baseDNList->empty())
Ratan Gupta8a07d282019-03-16 08:33:47 +05301209 {
Ed Tanouse2616cc2022-06-27 12:45:55 -07001210 messages::propertyValueNotInList(asyncResp->res, *baseDNList,
Ed Tanous6c51eab2021-06-03 12:30:29 -07001211 "BaseDistinguishedNames");
Ratan Gupta8a07d282019-03-16 08:33:47 +05301212 return;
1213 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001214 }
Ratan Gupta8a07d282019-03-16 08:33:47 +05301215
Ed Tanous6c51eab2021-06-03 12:30:29 -07001216 // nothing to update, then return
1217 if (!userName && !password && !serviceAddressList && !baseDNList &&
1218 !userNameAttribute && !groupsAttribute && !serviceEnabled &&
1219 !remoteRoleMapData)
1220 {
1221 return;
1222 }
1223
1224 // Get the existing resource first then keep modifying
1225 // whenever any property gets updated.
Ed Tanous002d39b2022-05-31 08:59:27 -07001226 getLDAPConfigData(
1227 serverType,
1228 [asyncResp, userName, password, baseDNList, userNameAttribute,
1229 groupsAttribute, serviceAddressList, serviceEnabled, dbusObjectPath,
1230 remoteRoleMapData](bool success, const LDAPConfigData& confData,
1231 const std::string& serverT) {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001232 if (!success)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301233 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001234 messages::internalError(asyncResp->res);
1235 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +05301236 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001237 parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT);
1238 if (confData.serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301239 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001240 // Disable the service first and update the rest of
1241 // the properties.
1242 handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +05301243 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001244
Ratan Gupta8a07d282019-03-16 08:33:47 +05301245 if (serviceAddressList)
1246 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001247 handleServiceAddressPatch(*serviceAddressList, asyncResp, serverT,
1248 dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +05301249 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001250 if (userName)
1251 {
1252 handleUserNamePatch(*userName, asyncResp, serverT, dbusObjectPath);
1253 }
1254 if (password)
1255 {
1256 handlePasswordPatch(*password, asyncResp, serverT, dbusObjectPath);
1257 }
1258
Ratan Gupta8a07d282019-03-16 08:33:47 +05301259 if (baseDNList)
1260 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001261 handleBaseDNPatch(*baseDNList, asyncResp, serverT, dbusObjectPath);
1262 }
1263 if (userNameAttribute)
1264 {
1265 handleUserNameAttrPatch(*userNameAttribute, asyncResp, serverT,
1266 dbusObjectPath);
1267 }
1268 if (groupsAttribute)
1269 {
1270 handleGroupNameAttrPatch(*groupsAttribute, asyncResp, serverT,
1271 dbusObjectPath);
1272 }
1273 if (serviceEnabled)
1274 {
1275 // if user has given the value as true then enable
1276 // the service. if user has given false then no-op
1277 // as service is already stopped.
1278 if (*serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301279 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001280 handleServiceEnablePatch(*serviceEnabled, asyncResp, serverT,
1281 dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +05301282 }
1283 }
jayaprakash Mutyala96200602020-04-08 11:09:10 +00001284 else
1285 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001286 // if user has not given the service enabled value
1287 // then revert it to the same state as it was
1288 // before.
1289 handleServiceEnablePatch(confData.serviceEnabled, asyncResp,
1290 serverT, dbusObjectPath);
jayaprakash Mutyala96200602020-04-08 11:09:10 +00001291 }
Ed Tanous04ae99e2018-09-20 15:54:36 -07001292
Ed Tanous6c51eab2021-06-03 12:30:29 -07001293 if (remoteRoleMapData)
1294 {
1295 handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT,
1296 *remoteRoleMapData);
1297 }
Ed Tanous002d39b2022-05-31 08:59:27 -07001298 });
Ed Tanous6c51eab2021-06-03 12:30:29 -07001299}
1300
Abhishek Patel58345852022-02-02 08:54:25 -06001301inline void updateUserProperties(
1302 std::shared_ptr<bmcweb::AsyncResp> asyncResp, const std::string& username,
1303 const std::optional<std::string>& password,
1304 const std::optional<bool>& enabled,
1305 const std::optional<std::string>& roleId, const std::optional<bool>& locked,
1306 std::optional<std::vector<std::string>> accountTypes, bool userSelf)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001307{
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +05301308 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1309 tempObjPath /= username;
1310 std::string dbusObjectPath(tempObjPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001311
1312 dbus::utility::checkDbusPathExists(
Ed Tanous618c14b2022-06-30 17:44:25 -07001313 dbusObjectPath, [dbusObjectPath, username, password, roleId, enabled,
Abhishek Patel58345852022-02-02 08:54:25 -06001314 locked, accountTypes(std::move(accountTypes)),
1315 userSelf, asyncResp{std::move(asyncResp)}](int rc) {
Ed Tanous618c14b2022-06-30 17:44:25 -07001316 if (rc <= 0)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001317 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08001318 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1319 username);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001320 return;
1321 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001322
Ed Tanous618c14b2022-06-30 17:44:25 -07001323 if (password)
1324 {
1325 int retval = pamUpdatePassword(username, *password);
1326
1327 if (retval == PAM_USER_UNKNOWN)
1328 {
1329 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1330 username);
1331 }
1332 else if (retval == PAM_AUTHTOK_ERR)
1333 {
1334 // If password is invalid
1335 messages::propertyValueFormatError(asyncResp->res,
1336 *password, "Password");
Ed Tanous62598e32023-07-17 17:06:25 -07001337 BMCWEB_LOG_ERROR("pamUpdatePassword Failed");
Ed Tanous618c14b2022-06-30 17:44:25 -07001338 }
1339 else if (retval != PAM_SUCCESS)
1340 {
1341 messages::internalError(asyncResp->res);
1342 return;
1343 }
1344 else
1345 {
1346 messages::success(asyncResp->res);
1347 }
1348 }
1349
1350 if (enabled)
1351 {
George Liu9ae226f2023-06-21 17:56:46 +08001352 sdbusplus::asio::setProperty(
1353 *crow::connections::systemBus,
Ed Tanous618c14b2022-06-30 17:44:25 -07001354 "xyz.openbmc_project.User.Manager", dbusObjectPath,
Ed Tanous618c14b2022-06-30 17:44:25 -07001355 "xyz.openbmc_project.User.Attributes", "UserEnabled",
George Liu9ae226f2023-06-21 17:56:46 +08001356 *enabled, [asyncResp](const boost::system::error_code& ec) {
1357 if (ec)
1358 {
Ed Tanous62598e32023-07-17 17:06:25 -07001359 BMCWEB_LOG_ERROR("D-Bus responses error: {}", ec);
George Liu9ae226f2023-06-21 17:56:46 +08001360 messages::internalError(asyncResp->res);
1361 return;
1362 }
1363 messages::success(asyncResp->res);
1364 });
Ed Tanous002d39b2022-05-31 08:59:27 -07001365 }
Ed Tanous04ae99e2018-09-20 15:54:36 -07001366
Ed Tanous618c14b2022-06-30 17:44:25 -07001367 if (roleId)
1368 {
1369 std::string priv = getPrivilegeFromRoleId(*roleId);
1370 if (priv.empty())
1371 {
Ed Tanouse2616cc2022-06-27 12:45:55 -07001372 messages::propertyValueNotInList(asyncResp->res, true,
1373 "Locked");
Ed Tanous618c14b2022-06-30 17:44:25 -07001374 return;
1375 }
1376
George Liu9ae226f2023-06-21 17:56:46 +08001377 sdbusplus::asio::setProperty(
1378 *crow::connections::systemBus,
Ed Tanous618c14b2022-06-30 17:44:25 -07001379 "xyz.openbmc_project.User.Manager", dbusObjectPath,
Ed Tanous618c14b2022-06-30 17:44:25 -07001380 "xyz.openbmc_project.User.Attributes", "UserPrivilege",
George Liu9ae226f2023-06-21 17:56:46 +08001381 priv, [asyncResp](const boost::system::error_code& ec) {
1382 if (ec)
1383 {
Ed Tanous62598e32023-07-17 17:06:25 -07001384 BMCWEB_LOG_ERROR("D-Bus responses error: {}", ec);
George Liu9ae226f2023-06-21 17:56:46 +08001385 messages::internalError(asyncResp->res);
1386 return;
1387 }
1388 messages::success(asyncResp->res);
1389 });
Ed Tanous6c51eab2021-06-03 12:30:29 -07001390 }
1391
Ed Tanous618c14b2022-06-30 17:44:25 -07001392 if (locked)
1393 {
1394 // admin can unlock the account which is locked by
1395 // successive authentication failures but admin should
1396 // not be allowed to lock an account.
1397 if (*locked)
1398 {
1399 messages::propertyValueNotInList(asyncResp->res, "true",
1400 "Locked");
1401 return;
1402 }
1403
George Liu9ae226f2023-06-21 17:56:46 +08001404 sdbusplus::asio::setProperty(
1405 *crow::connections::systemBus,
1406 "xyz.openbmc_project.User.Manager", dbusObjectPath,
1407 "xyz.openbmc_project.User.Attributes",
1408 "UserLockedForFailedAttempt", *locked,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001409 [asyncResp](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -07001410 if (ec)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001411 {
Ed Tanous62598e32023-07-17 17:06:25 -07001412 BMCWEB_LOG_ERROR("D-Bus responses error: {}", ec);
Ed Tanous002d39b2022-05-31 08:59:27 -07001413 messages::internalError(asyncResp->res);
Ed Tanous04ae99e2018-09-20 15:54:36 -07001414 return;
1415 }
Ed Tanous002d39b2022-05-31 08:59:27 -07001416 messages::success(asyncResp->res);
George Liu9ae226f2023-06-21 17:56:46 +08001417 });
Ed Tanous618c14b2022-06-30 17:44:25 -07001418 }
Abhishek Patel58345852022-02-02 08:54:25 -06001419
1420 if (accountTypes)
1421 {
1422 patchAccountTypes(*accountTypes, asyncResp, dbusObjectPath,
1423 userSelf);
1424 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001425 });
1426}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -07001427
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001428inline void handleAccountServiceHead(
1429 App& app, const crow::Request& req,
1430 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001431{
1432 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1433 {
1434 return;
1435 }
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001436 asyncResp->res.addHeader(
1437 boost::beast::http::field::link,
1438 "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby");
1439}
1440
1441inline void
1442 handleAccountServiceGet(App& app, const crow::Request& req,
1443 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1444{
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001445 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1446 {
1447 return;
1448 }
Ninad Palsule3e72c202023-03-27 17:19:55 -05001449
1450 if (req.session == nullptr)
1451 {
1452 messages::internalError(asyncResp->res);
1453 return;
1454 }
1455
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001456 asyncResp->res.addHeader(
1457 boost::beast::http::field::link,
1458 "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby");
1459
Ed Tanous1ef4c342022-05-12 16:12:36 -07001460 const persistent_data::AuthConfigMethods& authMethodsConfig =
1461 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
1462
1463 nlohmann::json& json = asyncResp->res.jsonValue;
1464 json["@odata.id"] = "/redfish/v1/AccountService";
1465 json["@odata.type"] = "#AccountService."
1466 "v1_10_0.AccountService";
1467 json["Id"] = "AccountService";
1468 json["Name"] = "Account Service";
1469 json["Description"] = "Account Service";
1470 json["ServiceEnabled"] = true;
1471 json["MaxPasswordLength"] = 20;
1472 json["Accounts"]["@odata.id"] = "/redfish/v1/AccountService/Accounts";
1473 json["Roles"]["@odata.id"] = "/redfish/v1/AccountService/Roles";
1474 json["Oem"]["OpenBMC"]["@odata.type"] =
Ed Tanous5b5574a2022-09-26 19:53:36 -07001475 "#OpenBMCAccountService.v1_0_0.AccountService";
Ed Tanous1ef4c342022-05-12 16:12:36 -07001476 json["Oem"]["OpenBMC"]["@odata.id"] =
1477 "/redfish/v1/AccountService#/Oem/OpenBMC";
1478 json["Oem"]["OpenBMC"]["AuthMethods"]["BasicAuth"] =
1479 authMethodsConfig.basic;
1480 json["Oem"]["OpenBMC"]["AuthMethods"]["SessionToken"] =
1481 authMethodsConfig.sessionToken;
1482 json["Oem"]["OpenBMC"]["AuthMethods"]["XToken"] = authMethodsConfig.xtoken;
1483 json["Oem"]["OpenBMC"]["AuthMethods"]["Cookie"] = authMethodsConfig.cookie;
1484 json["Oem"]["OpenBMC"]["AuthMethods"]["TLS"] = authMethodsConfig.tls;
1485
1486 // /redfish/v1/AccountService/LDAP/Certificates is something only
1487 // ConfigureManager can access then only display when the user has
1488 // permissions ConfigureManager
1489 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05001490 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001491
1492 if (isOperationAllowedWithPrivileges({{"ConfigureManager"}},
1493 effectiveUserPrivileges))
1494 {
1495 asyncResp->res.jsonValue["LDAP"]["Certificates"]["@odata.id"] =
1496 "/redfish/v1/AccountService/LDAP/Certificates";
1497 }
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001498 sdbusplus::asio::getAllProperties(
1499 *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1500 "/xyz/openbmc_project/user", "xyz.openbmc_project.User.AccountPolicy",
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001501 [asyncResp](const boost::system::error_code& ec,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001502 const dbus::utility::DBusPropertiesMap& propertiesList) {
1503 if (ec)
1504 {
1505 messages::internalError(asyncResp->res);
1506 return;
1507 }
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001508
Ed Tanous62598e32023-07-17 17:06:25 -07001509 BMCWEB_LOG_DEBUG("Got {}properties for AccountService",
1510 propertiesList.size());
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001511
1512 const uint8_t* minPasswordLength = nullptr;
1513 const uint32_t* accountUnlockTimeout = nullptr;
1514 const uint16_t* maxLoginAttemptBeforeLockout = nullptr;
1515
1516 const bool success = sdbusplus::unpackPropertiesNoThrow(
1517 dbus_utils::UnpackErrorPrinter(), propertiesList,
1518 "MinPasswordLength", minPasswordLength, "AccountUnlockTimeout",
1519 accountUnlockTimeout, "MaxLoginAttemptBeforeLockout",
1520 maxLoginAttemptBeforeLockout);
1521
1522 if (!success)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001523 {
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001524 messages::internalError(asyncResp->res);
1525 return;
Ed Tanous1ef4c342022-05-12 16:12:36 -07001526 }
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001527
1528 if (minPasswordLength != nullptr)
1529 {
1530 asyncResp->res.jsonValue["MinPasswordLength"] = *minPasswordLength;
1531 }
1532
1533 if (accountUnlockTimeout != nullptr)
1534 {
1535 asyncResp->res.jsonValue["AccountLockoutDuration"] =
1536 *accountUnlockTimeout;
1537 }
1538
1539 if (maxLoginAttemptBeforeLockout != nullptr)
1540 {
1541 asyncResp->res.jsonValue["AccountLockoutThreshold"] =
1542 *maxLoginAttemptBeforeLockout;
1543 }
1544 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001545
Ed Tanous02cad962022-06-30 16:50:15 -07001546 auto callback = [asyncResp](bool success, const LDAPConfigData& confData,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001547 const std::string& ldapType) {
1548 if (!success)
1549 {
1550 return;
1551 }
1552 parseLDAPConfigData(asyncResp->res.jsonValue, confData, ldapType);
1553 };
1554
1555 getLDAPConfigData("LDAP", callback);
1556 getLDAPConfigData("ActiveDirectory", callback);
1557}
1558
1559inline void handleAccountServicePatch(
1560 App& app, const crow::Request& req,
1561 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1562{
1563 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1564 {
1565 return;
1566 }
1567 std::optional<uint32_t> unlockTimeout;
1568 std::optional<uint16_t> lockoutThreshold;
1569 std::optional<uint8_t> minPasswordLength;
1570 std::optional<uint16_t> maxPasswordLength;
1571 std::optional<nlohmann::json> ldapObject;
1572 std::optional<nlohmann::json> activeDirectoryObject;
1573 std::optional<nlohmann::json> oemObject;
1574
1575 if (!json_util::readJsonPatch(
1576 req, asyncResp->res, "AccountLockoutDuration", unlockTimeout,
1577 "AccountLockoutThreshold", lockoutThreshold, "MaxPasswordLength",
1578 maxPasswordLength, "MinPasswordLength", minPasswordLength, "LDAP",
1579 ldapObject, "ActiveDirectory", activeDirectoryObject, "Oem",
1580 oemObject))
1581 {
1582 return;
1583 }
1584
1585 if (minPasswordLength)
1586 {
George Liu9ae226f2023-06-21 17:56:46 +08001587 sdbusplus::asio::setProperty(
1588 *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1589 "/xyz/openbmc_project/user",
1590 "xyz.openbmc_project.User.AccountPolicy", "MinPasswordLength",
1591 *minPasswordLength,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001592 [asyncResp](const boost::system::error_code& ec) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07001593 if (ec)
1594 {
1595 messages::internalError(asyncResp->res);
1596 return;
1597 }
1598 messages::success(asyncResp->res);
George Liu9ae226f2023-06-21 17:56:46 +08001599 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001600 }
1601
1602 if (maxPasswordLength)
1603 {
1604 messages::propertyNotWritable(asyncResp->res, "MaxPasswordLength");
1605 }
1606
1607 if (ldapObject)
1608 {
1609 handleLDAPPatch(*ldapObject, asyncResp, "LDAP");
1610 }
1611
1612 if (std::optional<nlohmann::json> oemOpenBMCObject;
1613 oemObject && json_util::readJson(*oemObject, asyncResp->res, "OpenBMC",
1614 oemOpenBMCObject))
1615 {
1616 if (std::optional<nlohmann::json> authMethodsObject;
1617 oemOpenBMCObject &&
1618 json_util::readJson(*oemOpenBMCObject, asyncResp->res,
1619 "AuthMethods", authMethodsObject))
1620 {
1621 if (authMethodsObject)
1622 {
1623 handleAuthMethodsPatch(*authMethodsObject, asyncResp);
1624 }
1625 }
1626 }
1627
1628 if (activeDirectoryObject)
1629 {
1630 handleLDAPPatch(*activeDirectoryObject, asyncResp, "ActiveDirectory");
1631 }
1632
1633 if (unlockTimeout)
1634 {
George Liu9ae226f2023-06-21 17:56:46 +08001635 sdbusplus::asio::setProperty(
1636 *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1637 "/xyz/openbmc_project/user",
Ed Tanous1ef4c342022-05-12 16:12:36 -07001638 "xyz.openbmc_project.User.AccountPolicy", "AccountUnlockTimeout",
George Liu9ae226f2023-06-21 17:56:46 +08001639 *unlockTimeout, [asyncResp](const boost::system::error_code& ec) {
1640 if (ec)
1641 {
1642 messages::internalError(asyncResp->res);
1643 return;
1644 }
1645 messages::success(asyncResp->res);
1646 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001647 }
1648 if (lockoutThreshold)
1649 {
George Liu9ae226f2023-06-21 17:56:46 +08001650 sdbusplus::asio::setProperty(
1651 *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1652 "/xyz/openbmc_project/user",
1653 "xyz.openbmc_project.User.AccountPolicy",
1654 "MaxLoginAttemptBeforeLockout", *lockoutThreshold,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001655 [asyncResp](const boost::system::error_code& ec) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07001656 if (ec)
1657 {
1658 messages::internalError(asyncResp->res);
1659 return;
1660 }
1661 messages::success(asyncResp->res);
George Liu9ae226f2023-06-21 17:56:46 +08001662 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001663 }
1664}
1665
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001666inline void handleAccountCollectionHead(
Ed Tanous1ef4c342022-05-12 16:12:36 -07001667 App& app, const crow::Request& req,
1668 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1669{
1670 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1671 {
1672 return;
1673 }
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001674 asyncResp->res.addHeader(
1675 boost::beast::http::field::link,
1676 "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby");
1677}
1678
1679inline void handleAccountCollectionGet(
1680 App& app, const crow::Request& req,
1681 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1682{
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001683 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1684 {
1685 return;
1686 }
Ninad Palsule3e72c202023-03-27 17:19:55 -05001687
1688 if (req.session == nullptr)
1689 {
1690 messages::internalError(asyncResp->res);
1691 return;
1692 }
1693
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001694 asyncResp->res.addHeader(
1695 boost::beast::http::field::link,
1696 "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001697
1698 asyncResp->res.jsonValue["@odata.id"] =
1699 "/redfish/v1/AccountService/Accounts";
1700 asyncResp->res.jsonValue["@odata.type"] = "#ManagerAccountCollection."
1701 "ManagerAccountCollection";
1702 asyncResp->res.jsonValue["Name"] = "Accounts Collection";
1703 asyncResp->res.jsonValue["Description"] = "BMC User Accounts";
1704
1705 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05001706 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001707
1708 std::string thisUser;
1709 if (req.session)
1710 {
1711 thisUser = req.session->username;
1712 }
George Liu5eb468d2023-06-20 17:03:24 +08001713 sdbusplus::message::object_path path("/xyz/openbmc_project/user");
1714 dbus::utility::getManagedObjects(
1715 "xyz.openbmc_project.User.Manager", path,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001716 [asyncResp, thisUser, effectiveUserPrivileges](
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001717 const boost::system::error_code& ec,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001718 const dbus::utility::ManagedObjectType& users) {
1719 if (ec)
1720 {
1721 messages::internalError(asyncResp->res);
1722 return;
1723 }
1724
1725 bool userCanSeeAllAccounts =
1726 effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"});
1727
1728 bool userCanSeeSelf =
1729 effectiveUserPrivileges.isSupersetOf({"ConfigureSelf"});
1730
1731 nlohmann::json& memberArray = asyncResp->res.jsonValue["Members"];
1732 memberArray = nlohmann::json::array();
1733
1734 for (const auto& userpath : users)
1735 {
1736 std::string user = userpath.first.filename();
1737 if (user.empty())
1738 {
1739 messages::internalError(asyncResp->res);
Ed Tanous62598e32023-07-17 17:06:25 -07001740 BMCWEB_LOG_ERROR("Invalid firmware ID");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001741
1742 return;
1743 }
1744
1745 // As clarified by Redfish here:
1746 // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration
1747 // Users without ConfigureUsers, only see their own
1748 // account. Users with ConfigureUsers, see all
1749 // accounts.
1750 if (userCanSeeAllAccounts || (thisUser == user && userCanSeeSelf))
1751 {
1752 nlohmann::json::object_t member;
Ed Tanous3b327802023-08-14 09:23:43 -07001753 member["@odata.id"] = boost::urls::format(
1754 "/redfish/v1/AccountService/Accounts/{}", user);
Patrick Williamsb2ba3072023-05-12 10:27:39 -05001755 memberArray.emplace_back(std::move(member));
Ed Tanous1ef4c342022-05-12 16:12:36 -07001756 }
1757 }
1758 asyncResp->res.jsonValue["Members@odata.count"] = memberArray.size();
George Liu5eb468d2023-06-20 17:03:24 +08001759 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001760}
1761
Ninad Palsule97e90da2023-05-17 14:04:52 -05001762inline void processAfterCreateUser(
1763 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1764 const std::string& username, const std::string& password,
1765 const boost::system::error_code& ec, sdbusplus::message_t& m)
1766{
1767 if (ec)
1768 {
1769 userErrorMessageHandler(m.get_error(), asyncResp, username, "");
1770 return;
1771 }
1772
1773 if (pamUpdatePassword(username, password) != PAM_SUCCESS)
1774 {
1775 // At this point we have a user that's been
1776 // created, but the password set
1777 // failed.Something is wrong, so delete the user
1778 // that we've already created
1779 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1780 tempObjPath /= username;
1781 const std::string userPath(tempObjPath);
1782
1783 crow::connections::systemBus->async_method_call(
1784 [asyncResp, password](const boost::system::error_code& ec3) {
1785 if (ec3)
1786 {
1787 messages::internalError(asyncResp->res);
1788 return;
1789 }
1790
1791 // If password is invalid
1792 messages::propertyValueFormatError(asyncResp->res, password,
1793 "Password");
1794 },
1795 "xyz.openbmc_project.User.Manager", userPath,
1796 "xyz.openbmc_project.Object.Delete", "Delete");
1797
Ed Tanous62598e32023-07-17 17:06:25 -07001798 BMCWEB_LOG_ERROR("pamUpdatePassword Failed");
Ninad Palsule97e90da2023-05-17 14:04:52 -05001799 return;
1800 }
1801
1802 messages::created(asyncResp->res);
1803 asyncResp->res.addHeader("Location",
1804 "/redfish/v1/AccountService/Accounts/" + username);
1805}
1806
1807inline void processAfterGetAllGroups(
1808 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1809 const std::string& username, const std::string& password,
Ed Tanouse01d0c32023-06-30 13:21:32 -07001810 const std::string& roleId, bool enabled,
Ninad Palsule9ba73932023-06-01 16:38:57 -05001811 std::optional<std::vector<std::string>> accountTypes,
Ninad Palsule97e90da2023-05-17 14:04:52 -05001812 const std::vector<std::string>& allGroupsList)
Ninad Palsule97e90da2023-05-17 14:04:52 -05001813{
Ninad Palsule3e72c202023-03-27 17:19:55 -05001814 std::vector<std::string> userGroups;
Ninad Palsule9ba73932023-06-01 16:38:57 -05001815 std::vector<std::string> accountTypeUserGroups;
1816
1817 // If user specified account types then convert them to unix user groups
1818 if (accountTypes)
1819 {
1820 if (!getUserGroupFromAccountType(asyncResp->res, *accountTypes,
1821 accountTypeUserGroups))
1822 {
1823 // Problem in mapping Account Types to User Groups, Error already
1824 // logged.
1825 return;
1826 }
1827 }
1828
Ninad Palsule3e72c202023-03-27 17:19:55 -05001829 for (const auto& grp : allGroupsList)
1830 {
Ninad Palsule9ba73932023-06-01 16:38:57 -05001831 // If user specified the account type then only accept groups which are
1832 // in the account types group list.
1833 if (!accountTypeUserGroups.empty())
1834 {
1835 bool found = false;
1836 for (const auto& grp1 : accountTypeUserGroups)
1837 {
1838 if (grp == grp1)
1839 {
1840 found = true;
1841 break;
1842 }
1843 }
1844 if (!found)
1845 {
1846 continue;
1847 }
1848 }
1849
Ninad Palsule3e72c202023-03-27 17:19:55 -05001850 // Console access is provided to the user who is a member of
1851 // hostconsole group and has a administrator role. So, set
1852 // hostconsole group only for the administrator.
Ninad Palsule9ba73932023-06-01 16:38:57 -05001853 if ((grp == "hostconsole") && (roleId != "priv-admin"))
Ninad Palsule3e72c202023-03-27 17:19:55 -05001854 {
Ninad Palsule9ba73932023-06-01 16:38:57 -05001855 if (!accountTypeUserGroups.empty())
1856 {
Ed Tanous62598e32023-07-17 17:06:25 -07001857 BMCWEB_LOG_ERROR(
1858 "Only administrator can get HostConsole access");
Ninad Palsule9ba73932023-06-01 16:38:57 -05001859 asyncResp->res.result(boost::beast::http::status::bad_request);
1860 return;
1861 }
1862 continue;
Ninad Palsule3e72c202023-03-27 17:19:55 -05001863 }
Ninad Palsule9ba73932023-06-01 16:38:57 -05001864 userGroups.emplace_back(grp);
1865 }
1866
1867 // Make sure user specified groups are valid. This is internal error because
1868 // it some inconsistencies between user manager and bmcweb.
1869 if (!accountTypeUserGroups.empty() &&
1870 accountTypeUserGroups.size() != userGroups.size())
1871 {
1872 messages::internalError(asyncResp->res);
1873 return;
Ninad Palsule3e72c202023-03-27 17:19:55 -05001874 }
Ninad Palsule97e90da2023-05-17 14:04:52 -05001875 crow::connections::systemBus->async_method_call(
1876 [asyncResp, username, password](const boost::system::error_code& ec2,
1877 sdbusplus::message_t& m) {
1878 processAfterCreateUser(asyncResp, username, password, ec2, m);
1879 },
1880 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
Ninad Palsule3e72c202023-03-27 17:19:55 -05001881 "xyz.openbmc_project.User.Manager", "CreateUser", username, userGroups,
Ed Tanouse01d0c32023-06-30 13:21:32 -07001882 roleId, enabled);
Ninad Palsule97e90da2023-05-17 14:04:52 -05001883}
1884
Ed Tanous1ef4c342022-05-12 16:12:36 -07001885inline void handleAccountCollectionPost(
1886 App& app, const crow::Request& req,
1887 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1888{
1889 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1890 {
1891 return;
1892 }
1893 std::string username;
1894 std::string password;
Ed Tanouse01d0c32023-06-30 13:21:32 -07001895 std::optional<std::string> roleIdJson;
1896 std::optional<bool> enabledJson;
Ninad Palsule9ba73932023-06-01 16:38:57 -05001897 std::optional<std::vector<std::string>> accountTypes;
Ed Tanouse01d0c32023-06-30 13:21:32 -07001898 if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", username,
1899 "Password", password, "RoleId", roleIdJson,
1900 "Enabled", enabledJson, "AccountTypes",
1901 accountTypes))
Ed Tanous1ef4c342022-05-12 16:12:36 -07001902 {
1903 return;
1904 }
1905
Ed Tanouse01d0c32023-06-30 13:21:32 -07001906 std::string roleId = roleIdJson.value_or("User");
1907 std::string priv = getPrivilegeFromRoleId(roleId);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001908 if (priv.empty())
1909 {
Ed Tanouse01d0c32023-06-30 13:21:32 -07001910 messages::propertyValueNotInList(asyncResp->res, roleId, "RoleId");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001911 return;
1912 }
Asmitha Karunanithi239adf82022-03-25 02:59:03 -05001913 roleId = priv;
Ed Tanous1ef4c342022-05-12 16:12:36 -07001914
Ed Tanouse01d0c32023-06-30 13:21:32 -07001915 bool enabled = enabledJson.value_or(true);
1916
Ed Tanous1ef4c342022-05-12 16:12:36 -07001917 // Reading AllGroups property
1918 sdbusplus::asio::getProperty<std::vector<std::string>>(
1919 *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1920 "/xyz/openbmc_project/user", "xyz.openbmc_project.User.Manager",
1921 "AllGroups",
Ninad Palsule9ba73932023-06-01 16:38:57 -05001922 [asyncResp, username, password{std::move(password)}, roleId, enabled,
1923 accountTypes](const boost::system::error_code& ec,
1924 const std::vector<std::string>& allGroupsList) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07001925 if (ec)
1926 {
Ed Tanous62598e32023-07-17 17:06:25 -07001927 BMCWEB_LOG_DEBUG("ERROR with async_method_call");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001928 messages::internalError(asyncResp->res);
1929 return;
1930 }
1931
1932 if (allGroupsList.empty())
1933 {
1934 messages::internalError(asyncResp->res);
1935 return;
1936 }
1937
Ninad Palsule97e90da2023-05-17 14:04:52 -05001938 processAfterGetAllGroups(asyncResp, username, password, roleId, enabled,
Ninad Palsule9ba73932023-06-01 16:38:57 -05001939 accountTypes, allGroupsList);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001940 });
1941}
1942
1943inline void
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001944 handleAccountHead(App& app, const crow::Request& req,
1945 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1946 const std::string& /*accountName*/)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001947{
1948 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1949 {
1950 return;
1951 }
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001952 asyncResp->res.addHeader(
1953 boost::beast::http::field::link,
1954 "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby");
1955}
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001956
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001957inline void
1958 handleAccountGet(App& app, const crow::Request& req,
1959 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1960 const std::string& accountName)
1961{
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001962 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1963 {
1964 return;
1965 }
1966 asyncResp->res.addHeader(
1967 boost::beast::http::field::link,
1968 "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby");
1969
Ed Tanous1ef4c342022-05-12 16:12:36 -07001970#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
1971 // If authentication is disabled, there are no user accounts
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08001972 messages::resourceNotFound(asyncResp->res, "ManagerAccount", accountName);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001973 return;
Ed Tanous1ef4c342022-05-12 16:12:36 -07001974#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001975
Ed Tanous1ef4c342022-05-12 16:12:36 -07001976 if (req.session == nullptr)
1977 {
1978 messages::internalError(asyncResp->res);
1979 return;
1980 }
1981 if (req.session->username != accountName)
1982 {
1983 // At this point we've determined that the user is trying to
1984 // modify a user that isn't them. We need to verify that they
1985 // have permissions to modify other users, so re-run the auth
1986 // check with the same permissions, minus ConfigureSelf.
1987 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05001988 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001989 Privileges requiredPermissionsToChangeNonSelf = {"ConfigureUsers",
1990 "ConfigureManager"};
1991 if (!effectiveUserPrivileges.isSupersetOf(
1992 requiredPermissionsToChangeNonSelf))
1993 {
Ed Tanous62598e32023-07-17 17:06:25 -07001994 BMCWEB_LOG_DEBUG("GET Account denied access");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001995 messages::insufficientPrivilege(asyncResp->res);
1996 return;
1997 }
1998 }
1999
George Liu5eb468d2023-06-20 17:03:24 +08002000 sdbusplus::message::object_path path("/xyz/openbmc_project/user");
2001 dbus::utility::getManagedObjects(
2002 "xyz.openbmc_project.User.Manager", path,
Ed Tanous1ef4c342022-05-12 16:12:36 -07002003 [asyncResp,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08002004 accountName](const boost::system::error_code& ec,
Ed Tanous1ef4c342022-05-12 16:12:36 -07002005 const dbus::utility::ManagedObjectType& users) {
2006 if (ec)
2007 {
2008 messages::internalError(asyncResp->res);
2009 return;
2010 }
Ed Tanous3544d2a2023-08-06 18:12:20 -07002011 const auto userIt = std::ranges::find_if(
2012 users, [accountName](
2013 const std::pair<sdbusplus::message::object_path,
2014 dbus::utility::DBusInteracesMap>& user) {
2015 return accountName == user.first.filename();
Ed Tanous1ef4c342022-05-12 16:12:36 -07002016 });
2017
2018 if (userIt == users.end())
2019 {
2020 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
2021 accountName);
2022 return;
2023 }
2024
2025 asyncResp->res.jsonValue["@odata.type"] =
Abhishek Patel58345852022-02-02 08:54:25 -06002026 "#ManagerAccount.v1_7_0.ManagerAccount";
Ed Tanous1ef4c342022-05-12 16:12:36 -07002027 asyncResp->res.jsonValue["Name"] = "User Account";
2028 asyncResp->res.jsonValue["Description"] = "User Account";
2029 asyncResp->res.jsonValue["Password"] = nullptr;
Abhishek Patel58345852022-02-02 08:54:25 -06002030 asyncResp->res.jsonValue["StrictAccountTypes"] = true;
Ed Tanous1ef4c342022-05-12 16:12:36 -07002031
2032 for (const auto& interface : userIt->second)
2033 {
2034 if (interface.first == "xyz.openbmc_project.User.Attributes")
2035 {
2036 for (const auto& property : interface.second)
2037 {
2038 if (property.first == "UserEnabled")
2039 {
2040 const bool* userEnabled =
2041 std::get_if<bool>(&property.second);
2042 if (userEnabled == nullptr)
2043 {
Ed Tanous62598e32023-07-17 17:06:25 -07002044 BMCWEB_LOG_ERROR("UserEnabled wasn't a bool");
Ed Tanous1ef4c342022-05-12 16:12:36 -07002045 messages::internalError(asyncResp->res);
2046 return;
2047 }
2048 asyncResp->res.jsonValue["Enabled"] = *userEnabled;
2049 }
2050 else if (property.first == "UserLockedForFailedAttempt")
2051 {
2052 const bool* userLocked =
2053 std::get_if<bool>(&property.second);
2054 if (userLocked == nullptr)
2055 {
Ed Tanous62598e32023-07-17 17:06:25 -07002056 BMCWEB_LOG_ERROR("UserLockedForF"
2057 "ailedAttempt "
2058 "wasn't a bool");
Ed Tanous1ef4c342022-05-12 16:12:36 -07002059 messages::internalError(asyncResp->res);
2060 return;
2061 }
2062 asyncResp->res.jsonValue["Locked"] = *userLocked;
2063 asyncResp->res
2064 .jsonValue["Locked@Redfish.AllowableValues"] = {
2065 "false"}; // can only unlock accounts
2066 }
2067 else if (property.first == "UserPrivilege")
2068 {
2069 const std::string* userPrivPtr =
2070 std::get_if<std::string>(&property.second);
2071 if (userPrivPtr == nullptr)
2072 {
Ed Tanous62598e32023-07-17 17:06:25 -07002073 BMCWEB_LOG_ERROR("UserPrivilege wasn't a "
2074 "string");
Ed Tanous1ef4c342022-05-12 16:12:36 -07002075 messages::internalError(asyncResp->res);
2076 return;
2077 }
2078 std::string role = getRoleIdFromPrivilege(*userPrivPtr);
2079 if (role.empty())
2080 {
Ed Tanous62598e32023-07-17 17:06:25 -07002081 BMCWEB_LOG_ERROR("Invalid user role");
Ed Tanous1ef4c342022-05-12 16:12:36 -07002082 messages::internalError(asyncResp->res);
2083 return;
2084 }
2085 asyncResp->res.jsonValue["RoleId"] = role;
2086
2087 nlohmann::json& roleEntry =
2088 asyncResp->res.jsonValue["Links"]["Role"];
Ed Tanous3b327802023-08-14 09:23:43 -07002089 roleEntry["@odata.id"] = boost::urls::format(
2090 "/redfish/v1/AccountService/Roles/{}", role);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002091 }
2092 else if (property.first == "UserPasswordExpired")
2093 {
2094 const bool* userPasswordExpired =
2095 std::get_if<bool>(&property.second);
2096 if (userPasswordExpired == nullptr)
2097 {
Ed Tanous62598e32023-07-17 17:06:25 -07002098 BMCWEB_LOG_ERROR(
2099 "UserPasswordExpired wasn't a bool");
Ed Tanous1ef4c342022-05-12 16:12:36 -07002100 messages::internalError(asyncResp->res);
2101 return;
2102 }
2103 asyncResp->res.jsonValue["PasswordChangeRequired"] =
2104 *userPasswordExpired;
2105 }
Abhishek Patelc7229812022-02-01 10:07:15 -06002106 else if (property.first == "UserGroups")
2107 {
2108 const std::vector<std::string>* userGroups =
2109 std::get_if<std::vector<std::string>>(
2110 &property.second);
2111 if (userGroups == nullptr)
2112 {
Ed Tanous62598e32023-07-17 17:06:25 -07002113 BMCWEB_LOG_ERROR(
2114 "userGroups wasn't a string vector");
Abhishek Patelc7229812022-02-01 10:07:15 -06002115 messages::internalError(asyncResp->res);
2116 return;
2117 }
2118 if (!translateUserGroup(*userGroups, asyncResp->res))
2119 {
Ed Tanous62598e32023-07-17 17:06:25 -07002120 BMCWEB_LOG_ERROR("userGroups mapping failed");
Abhishek Patelc7229812022-02-01 10:07:15 -06002121 messages::internalError(asyncResp->res);
2122 return;
2123 }
2124 }
Ed Tanous1ef4c342022-05-12 16:12:36 -07002125 }
2126 }
2127 }
2128
Ed Tanous3b327802023-08-14 09:23:43 -07002129 asyncResp->res.jsonValue["@odata.id"] = boost::urls::format(
2130 "/redfish/v1/AccountService/Accounts/{}", accountName);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002131 asyncResp->res.jsonValue["Id"] = accountName;
2132 asyncResp->res.jsonValue["UserName"] = accountName;
George Liu5eb468d2023-06-20 17:03:24 +08002133 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07002134}
2135
2136inline void
Gunnar Mills20fc3072023-01-27 15:13:36 -06002137 handleAccountDelete(App& app, const crow::Request& req,
2138 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
2139 const std::string& username)
Ed Tanous1ef4c342022-05-12 16:12:36 -07002140{
2141 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
2142 {
2143 return;
2144 }
2145
2146#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
2147 // If authentication is disabled, there are no user accounts
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08002148 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002149 return;
2150
2151#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
2152 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
2153 tempObjPath /= username;
2154 const std::string userPath(tempObjPath);
2155
2156 crow::connections::systemBus->async_method_call(
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08002157 [asyncResp, username](const boost::system::error_code& ec) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07002158 if (ec)
2159 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08002160 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
Ed Tanous1ef4c342022-05-12 16:12:36 -07002161 username);
2162 return;
2163 }
2164
2165 messages::accountRemoved(asyncResp->res);
2166 },
2167 "xyz.openbmc_project.User.Manager", userPath,
2168 "xyz.openbmc_project.Object.Delete", "Delete");
2169}
2170
2171inline void
2172 handleAccountPatch(App& app, const crow::Request& req,
2173 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
2174 const std::string& username)
2175{
2176 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
2177 {
2178 return;
2179 }
2180#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
2181 // If authentication is disabled, there are no user accounts
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08002182 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002183 return;
2184
2185#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
2186 std::optional<std::string> newUserName;
2187 std::optional<std::string> password;
2188 std::optional<bool> enabled;
2189 std::optional<std::string> roleId;
2190 std::optional<bool> locked;
Abhishek Patel58345852022-02-02 08:54:25 -06002191 std::optional<std::vector<std::string>> accountTypes;
2192
2193 bool userSelf = (username == req.session->username);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002194
2195 if (req.session == nullptr)
2196 {
2197 messages::internalError(asyncResp->res);
2198 return;
2199 }
2200
2201 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05002202 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002203 Privileges configureUsers = {"ConfigureUsers"};
2204 bool userHasConfigureUsers =
2205 effectiveUserPrivileges.isSupersetOf(configureUsers);
2206 if (userHasConfigureUsers)
2207 {
2208 // Users with ConfigureUsers can modify for all users
Abhishek Patel58345852022-02-02 08:54:25 -06002209 if (!json_util::readJsonPatch(
2210 req, asyncResp->res, "UserName", newUserName, "Password",
2211 password, "RoleId", roleId, "Enabled", enabled, "Locked",
2212 locked, "AccountTypes", accountTypes))
Ed Tanous1ef4c342022-05-12 16:12:36 -07002213 {
2214 return;
2215 }
2216 }
2217 else
2218 {
2219 // ConfigureSelf accounts can only modify their own account
Abhishek Patel58345852022-02-02 08:54:25 -06002220 if (!userSelf)
Ed Tanous1ef4c342022-05-12 16:12:36 -07002221 {
2222 messages::insufficientPrivilege(asyncResp->res);
2223 return;
2224 }
2225
2226 // ConfigureSelf accounts can only modify their password
2227 if (!json_util::readJsonPatch(req, asyncResp->res, "Password",
2228 password))
2229 {
2230 return;
2231 }
2232 }
2233
2234 // if user name is not provided in the patch method or if it
2235 // matches the user name in the URI, then we are treating it as
2236 // updating user properties other then username. If username
2237 // provided doesn't match the URI, then we are treating this as
2238 // user rename request.
2239 if (!newUserName || (newUserName.value() == username))
2240 {
2241 updateUserProperties(asyncResp, username, password, enabled, roleId,
Abhishek Patel58345852022-02-02 08:54:25 -06002242 locked, accountTypes, userSelf);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002243 return;
2244 }
2245 crow::connections::systemBus->async_method_call(
2246 [asyncResp, username, password(std::move(password)),
2247 roleId(std::move(roleId)), enabled, newUser{std::string(*newUserName)},
Abhishek Patel58345852022-02-02 08:54:25 -06002248 locked, userSelf, accountTypes(std::move(accountTypes))](
Ed Tanouse81de512023-06-27 17:07:00 -07002249 const boost::system::error_code& ec, sdbusplus::message_t& m) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07002250 if (ec)
2251 {
2252 userErrorMessageHandler(m.get_error(), asyncResp, newUser,
2253 username);
2254 return;
2255 }
2256
2257 updateUserProperties(asyncResp, newUser, password, enabled, roleId,
Abhishek Patel58345852022-02-02 08:54:25 -06002258 locked, accountTypes, userSelf);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002259 },
2260 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
2261 "xyz.openbmc_project.User.Manager", "RenameUser", username,
2262 *newUserName);
2263}
2264
Ed Tanous6c51eab2021-06-03 12:30:29 -07002265inline void requestAccountServiceRoutes(App& app)
Ed Tanousb9b2e0b2018-09-13 13:47:50 -07002266{
Ed Tanous6c51eab2021-06-03 12:30:29 -07002267 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Ed Tanous4c7d4d32022-07-07 15:29:35 -07002268 .privileges(redfish::privileges::headAccountService)
2269 .methods(boost::beast::http::verb::head)(
2270 std::bind_front(handleAccountServiceHead, std::ref(app)));
2271
2272 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Ed Tanoused398212021-06-09 17:05:54 -07002273 .privileges(redfish::privileges::getAccountService)
Ed Tanous002d39b2022-05-31 08:59:27 -07002274 .methods(boost::beast::http::verb::get)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002275 std::bind_front(handleAccountServiceGet, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002276
Ed Tanousf5ffd802021-07-19 10:55:33 -07002277 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Gunnar Mills1ec43ee2022-01-04 15:39:52 -06002278 .privileges(redfish::privileges::patchAccountService)
Ed Tanousf5ffd802021-07-19 10:55:33 -07002279 .methods(boost::beast::http::verb::patch)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002280 std::bind_front(handleAccountServicePatch, std::ref(app)));
Ed Tanousf5ffd802021-07-19 10:55:33 -07002281
Ed Tanous6c51eab2021-06-03 12:30:29 -07002282 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanous4c7d4d32022-07-07 15:29:35 -07002283 .privileges(redfish::privileges::headManagerAccountCollection)
2284 .methods(boost::beast::http::verb::head)(
2285 std::bind_front(handleAccountCollectionHead, std::ref(app)));
2286
2287 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanoused398212021-06-09 17:05:54 -07002288 .privileges(redfish::privileges::getManagerAccountCollection)
Ed Tanous6c51eab2021-06-03 12:30:29 -07002289 .methods(boost::beast::http::verb::get)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002290 std::bind_front(handleAccountCollectionGet, std::ref(app)));
Ed Tanous06e086d2018-09-19 17:19:52 -07002291
Ed Tanous6c51eab2021-06-03 12:30:29 -07002292 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanoused398212021-06-09 17:05:54 -07002293 .privileges(redfish::privileges::postManagerAccountCollection)
Ed Tanous002d39b2022-05-31 08:59:27 -07002294 .methods(boost::beast::http::verb::post)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002295 std::bind_front(handleAccountCollectionPost, std::ref(app)));
Ed Tanous002d39b2022-05-31 08:59:27 -07002296
2297 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanous4c7d4d32022-07-07 15:29:35 -07002298 .privileges(redfish::privileges::headManagerAccount)
2299 .methods(boost::beast::http::verb::head)(
2300 std::bind_front(handleAccountHead, std::ref(app)));
2301
2302 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanous002d39b2022-05-31 08:59:27 -07002303 .privileges(redfish::privileges::getManagerAccount)
2304 .methods(boost::beast::http::verb::get)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002305 std::bind_front(handleAccountGet, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002306
2307 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -07002308 // TODO this privilege should be using the generated endpoints, but
2309 // because of the special handling of ConfigureSelf, it's not able to
2310 // yet
Ed Tanous6c51eab2021-06-03 12:30:29 -07002311 .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}})
2312 .methods(boost::beast::http::verb::patch)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002313 std::bind_front(handleAccountPatch, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002314
2315 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -07002316 .privileges(redfish::privileges::deleteManagerAccount)
Ed Tanous6c51eab2021-06-03 12:30:29 -07002317 .methods(boost::beast::http::verb::delete_)(
Gunnar Mills20fc3072023-01-27 15:13:36 -06002318 std::bind_front(handleAccountDelete, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002319}
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +01002320
Ed Tanous1abe55e2018-09-05 08:30:59 -07002321} // namespace redfish