blob: 8a893e390159adea7043592fd83ae9157d23a2b8 [file] [log] [blame]
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +01001/*
2// Copyright (c) 2018 Intel Corporation
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15*/
16#pragma once
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +010017
Ed Tanous3ccb3ad2023-01-13 17:40:03 -080018#include "app.hpp"
19#include "dbus_utility.hpp"
20#include "error_messages.hpp"
Ed Tanous0ec8b832022-03-14 14:56:47 -070021#include "generated/enums/account_service.hpp"
Ed Tanous3ccb3ad2023-01-13 17:40:03 -080022#include "openbmc_dbus_rest.hpp"
23#include "persistent_data.hpp"
24#include "query.hpp"
Ed Tanous0ec8b832022-03-14 14:56:47 -070025#include "registries/privilege_registry.hpp"
Ed Tanous3ccb3ad2023-01-13 17:40:03 -080026#include "utils/dbus_utils.hpp"
27#include "utils/json_utils.hpp"
Ed Tanous0ec8b832022-03-14 14:56:47 -070028
Jonathan Doman1e1e5982021-06-11 09:36:17 -070029#include <sdbusplus/asio/property.hpp>
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +020030#include <sdbusplus/unpack_properties.hpp>
Gunnar Mills1214b7e2020-06-04 10:11:30 -050031
George Liu2b731192023-01-11 16:27:13 +080032#include <array>
Abhishek Patelc7229812022-02-01 10:07:15 -060033#include <optional>
34#include <string>
George Liu2b731192023-01-11 16:27:13 +080035#include <string_view>
Abhishek Patelc7229812022-02-01 10:07:15 -060036#include <vector>
37
Ed Tanous1abe55e2018-09-05 08:30:59 -070038namespace redfish
39{
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +010040
Ed Tanous23a21a12020-07-25 04:45:05 +000041constexpr const char* ldapConfigObjectName =
Ratan Gupta6973a582018-12-13 18:25:44 +053042 "/xyz/openbmc_project/user/ldap/openldap";
Ed Tanous2c70f802020-09-28 14:29:23 -070043constexpr const char* adConfigObject =
Ratan Guptaab828d72019-04-22 14:18:33 +053044 "/xyz/openbmc_project/user/ldap/active_directory";
45
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +053046constexpr const char* rootUserDbusPath = "/xyz/openbmc_project/user/";
Ratan Gupta6973a582018-12-13 18:25:44 +053047constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap";
48constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config";
49constexpr const char* ldapConfigInterface =
50 "xyz.openbmc_project.User.Ldap.Config";
51constexpr const char* ldapCreateInterface =
52 "xyz.openbmc_project.User.Ldap.Create";
53constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable";
Ratan Gupta06785242019-07-26 22:30:16 +053054constexpr const char* ldapPrivMapperInterface =
55 "xyz.openbmc_project.User.PrivilegeMapper";
Ratan Gupta6973a582018-12-13 18:25:44 +053056constexpr const char* propertyInterface = "org.freedesktop.DBus.Properties";
Ratan Gupta6973a582018-12-13 18:25:44 +053057
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060058struct LDAPRoleMapData
59{
60 std::string groupName;
61 std::string privilege;
62};
63
Ratan Gupta6973a582018-12-13 18:25:44 +053064struct LDAPConfigData
65{
66 std::string uri{};
67 std::string bindDN{};
68 std::string baseDN{};
69 std::string searchScope{};
70 std::string serverType{};
71 bool serviceEnabled = false;
72 std::string userNameAttribute{};
73 std::string groupAttribute{};
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060074 std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList;
Ratan Gupta6973a582018-12-13 18:25:44 +053075};
76
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060077inline std::string getRoleIdFromPrivilege(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +053078{
79 if (role == "priv-admin")
80 {
81 return "Administrator";
82 }
Ed Tanous3174e4d2020-10-07 11:41:22 -070083 if (role == "priv-user")
AppaRao Puli84e12cb2018-10-11 01:28:15 +053084 {
AppaRao Pulic80fee52019-10-16 14:49:36 +053085 return "ReadOnly";
AppaRao Puli84e12cb2018-10-11 01:28:15 +053086 }
Ed Tanous3174e4d2020-10-07 11:41:22 -070087 if (role == "priv-operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +053088 {
89 return "Operator";
90 }
91 return "";
92}
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060093inline std::string getPrivilegeFromRoleId(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +053094{
95 if (role == "Administrator")
96 {
97 return "priv-admin";
98 }
Ed Tanous3174e4d2020-10-07 11:41:22 -070099 if (role == "ReadOnly")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530100 {
101 return "priv-user";
102 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700103 if (role == "Operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530104 {
105 return "priv-operator";
106 }
107 return "";
108}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700109
Abhishek Patelc7229812022-02-01 10:07:15 -0600110/**
111 * @brief Maps user group names retrieved from D-Bus object to
112 * Account Types.
113 *
114 * @param[in] userGroups List of User groups
115 * @param[out] res AccountTypes populated
116 *
117 * @return true in case of success, false if UserGroups contains
118 * invalid group name(s).
119 */
120inline bool translateUserGroup(const std::vector<std::string>& userGroups,
121 crow::Response& res)
122{
123 std::vector<std::string> accountTypes;
124 for (const auto& userGroup : userGroups)
125 {
126 if (userGroup == "redfish")
127 {
128 accountTypes.emplace_back("Redfish");
129 accountTypes.emplace_back("WebUI");
130 }
131 else if (userGroup == "ipmi")
132 {
133 accountTypes.emplace_back("IPMI");
134 }
135 else if (userGroup == "ssh")
136 {
Abhishek Patelc7229812022-02-01 10:07:15 -0600137 accountTypes.emplace_back("ManagerConsole");
138 }
Ninad Palsule3e72c202023-03-27 17:19:55 -0500139 else if (userGroup == "hostconsole")
140 {
141 // The hostconsole group controls who can access the host console
142 // port via ssh and websocket.
143 accountTypes.emplace_back("HostConsole");
144 }
Abhishek Patelc7229812022-02-01 10:07:15 -0600145 else if (userGroup == "web")
146 {
147 // 'web' is one of the valid groups in the UserGroups property of
148 // the user account in the D-Bus object. This group is currently not
149 // doing anything, and is considered to be equivalent to 'redfish'.
150 // 'redfish' user group is mapped to 'Redfish'and 'WebUI'
151 // AccountTypes, so do nothing here...
152 }
153 else
154 {
155 // Invalid user group name. Caller throws an excption.
156 return false;
157 }
158 }
159
160 res.jsonValue["AccountTypes"] = std::move(accountTypes);
161 return true;
162}
163
Abhishek Patel58345852022-02-02 08:54:25 -0600164/**
165 * @brief Builds User Groups from the Account Types
166 *
167 * @param[in] asyncResp Async Response
168 * @param[in] accountTypes List of Account Types
169 * @param[out] userGroups List of User Groups mapped from Account Types
170 *
171 * @return true if Account Types mapped to User Groups, false otherwise.
172 */
173inline bool
174 getUserGroupFromAccountType(crow::Response& res,
175 const std::vector<std::string>& accountTypes,
176 std::vector<std::string>& userGroups)
177{
178 // Need both Redfish and WebUI Account Types to map to 'redfish' User Group
179 bool redfishType = false;
180 bool webUIType = false;
181
182 for (const auto& accountType : accountTypes)
183 {
184 if (accountType == "Redfish")
185 {
186 redfishType = true;
187 }
188 else if (accountType == "WebUI")
189 {
190 webUIType = true;
191 }
192 else if (accountType == "IPMI")
193 {
194 userGroups.emplace_back("ipmi");
195 }
196 else if (accountType == "HostConsole")
197 {
198 userGroups.emplace_back("hostconsole");
199 }
200 else if (accountType == "ManagerConsole")
201 {
202 userGroups.emplace_back("ssh");
203 }
204 else
205 {
206 // Invalid Account Type
207 messages::propertyValueNotInList(res, "AccountTypes", accountType);
208 return false;
209 }
210 }
211
212 // Both Redfish and WebUI Account Types are needed to PATCH
213 if (redfishType ^ webUIType)
214 {
215 BMCWEB_LOG_ERROR
216 << "Missing Redfish or WebUI Account Type to set redfish User Group";
217 messages::strictAccountTypes(res, "AccountTypes");
218 return false;
219 }
220
221 if (redfishType && webUIType)
222 {
223 userGroups.emplace_back("redfish");
224 }
225
226 return true;
227}
228
229/**
230 * @brief Sets UserGroups property of the user based on the Account Types
231 *
232 * @param[in] accountTypes List of User Account Types
233 * @param[in] asyncResp Async Response
234 * @param[in] dbusObjectPath D-Bus Object Path
235 * @param[in] userSelf true if User is updating OWN Account Types
236 */
237inline void
238 patchAccountTypes(const std::vector<std::string>& accountTypes,
239 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
240 const std::string& dbusObjectPath, bool userSelf)
241{
242 // Check if User is disabling own Redfish Account Type
243 if (userSelf &&
244 (accountTypes.cend() ==
245 std::find(accountTypes.cbegin(), accountTypes.cend(), "Redfish")))
246 {
247 BMCWEB_LOG_ERROR
248 << "User disabling OWN Redfish Account Type is not allowed";
249 messages::strictAccountTypes(asyncResp->res, "AccountTypes");
250 return;
251 }
252
253 std::vector<std::string> updatedUserGroups;
254 if (!getUserGroupFromAccountType(asyncResp->res, accountTypes,
255 updatedUserGroups))
256 {
257 // Problem in mapping Account Types to User Groups, Error already
258 // logged.
259 return;
260 }
261
262 crow::connections::systemBus->async_method_call(
263 [asyncResp](const boost::system::error_code ec) {
264 if (ec)
265 {
266 BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec;
267 messages::internalError(asyncResp->res);
268 return;
269 }
270 messages::success(asyncResp->res);
271 },
272 "xyz.openbmc_project.User.Manager", dbusObjectPath,
273 "org.freedesktop.DBus.Properties", "Set",
274 "xyz.openbmc_project.User.Attributes", "UserGroups",
275 dbus::utility::DbusVariantType{updatedUserGroups});
276}
277
zhanghch058d1b46d2021-04-01 11:18:24 +0800278inline void userErrorMessageHandler(
279 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
280 const std::string& newUser, const std::string& username)
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000281{
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000282 if (e == nullptr)
283 {
284 messages::internalError(asyncResp->res);
285 return;
286 }
287
Manojkiran Eda055806b2020-11-03 09:36:28 +0530288 const char* errorMessage = e->name;
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000289 if (strcmp(errorMessage,
290 "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0)
291 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +0800292 messages::resourceAlreadyExists(asyncResp->res, "ManagerAccount",
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000293 "UserName", newUser);
294 }
295 else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
296 "UserNameDoesNotExist") == 0)
297 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +0800298 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000299 }
Ed Tanousd4d25792020-09-29 15:15:03 -0700300 else if ((strcmp(errorMessage,
301 "xyz.openbmc_project.Common.Error.InvalidArgument") ==
302 0) ||
George Liu0fda0f12021-11-16 10:06:17 +0800303 (strcmp(
304 errorMessage,
305 "xyz.openbmc_project.User.Common.Error.UserNameGroupFail") ==
306 0))
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000307 {
308 messages::propertyValueFormatError(asyncResp->res, newUser, "UserName");
309 }
310 else if (strcmp(errorMessage,
311 "xyz.openbmc_project.User.Common.Error.NoResource") == 0)
312 {
313 messages::createLimitReachedForResource(asyncResp->res);
314 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000315 else
316 {
317 messages::internalError(asyncResp->res);
318 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000319}
320
Ed Tanous81ce6092020-12-17 16:54:55 +0000321inline void parseLDAPConfigData(nlohmann::json& jsonResponse,
Ed Tanous23a21a12020-07-25 04:45:05 +0000322 const LDAPConfigData& confData,
323 const std::string& ldapType)
Ratan Gupta6973a582018-12-13 18:25:44 +0530324{
Patrick Williams89492a12023-05-10 07:51:34 -0500325 std::string service = (ldapType == "LDAP") ? "LDAPService"
326 : "ActiveDirectoryService";
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600327
Ed Tanous14766872022-03-15 10:44:42 -0700328 nlohmann::json& ldap = jsonResponse[ldapType];
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600329
Ed Tanous14766872022-03-15 10:44:42 -0700330 ldap["ServiceEnabled"] = confData.serviceEnabled;
331 ldap["ServiceAddresses"] = nlohmann::json::array({confData.uri});
Ed Tanous0ec8b832022-03-14 14:56:47 -0700332 ldap["Authentication"]["AuthenticationType"] =
333 account_service::AuthenticationTypes::UsernameAndPassword;
Ed Tanous14766872022-03-15 10:44:42 -0700334 ldap["Authentication"]["Username"] = confData.bindDN;
335 ldap["Authentication"]["Password"] = nullptr;
336
337 ldap["LDAPService"]["SearchSettings"]["BaseDistinguishedNames"] =
338 nlohmann::json::array({confData.baseDN});
339 ldap["LDAPService"]["SearchSettings"]["UsernameAttribute"] =
340 confData.userNameAttribute;
341 ldap["LDAPService"]["SearchSettings"]["GroupsAttribute"] =
342 confData.groupAttribute;
343
344 nlohmann::json& roleMapArray = ldap["RemoteRoleMapping"];
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600345 roleMapArray = nlohmann::json::array();
Ed Tanous9eb808c2022-01-25 10:19:23 -0800346 for (const auto& obj : confData.groupRoleList)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600347 {
348 BMCWEB_LOG_DEBUG << "Pushing the data groupName="
349 << obj.second.groupName << "\n";
Ed Tanous613dabe2022-07-09 11:17:36 -0700350
Ed Tanous613dabe2022-07-09 11:17:36 -0700351 nlohmann::json::object_t remoteGroup;
352 remoteGroup["RemoteGroup"] = obj.second.groupName;
Jorge Cisneros329f0342022-11-04 16:26:25 +0000353 remoteGroup["LocalRole"] = getRoleIdFromPrivilege(obj.second.privilege);
354 roleMapArray.emplace_back(std::move(remoteGroup));
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600355 }
Ratan Gupta6973a582018-12-13 18:25:44 +0530356}
357
358/**
Ratan Gupta06785242019-07-26 22:30:16 +0530359 * @brief validates given JSON input and then calls appropriate method to
360 * create, to delete or to set Rolemapping object based on the given input.
361 *
362 */
Ed Tanous23a21a12020-07-25 04:45:05 +0000363inline void handleRoleMapPatch(
zhanghch058d1b46d2021-04-01 11:18:24 +0800364 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
Ratan Gupta06785242019-07-26 22:30:16 +0530365 const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData,
Ed Tanousf23b7292020-10-15 09:41:17 -0700366 const std::string& serverType, const std::vector<nlohmann::json>& input)
Ratan Gupta06785242019-07-26 22:30:16 +0530367{
368 for (size_t index = 0; index < input.size(); index++)
369 {
Ed Tanousf23b7292020-10-15 09:41:17 -0700370 const nlohmann::json& thisJson = input[index];
Ratan Gupta06785242019-07-26 22:30:16 +0530371
372 if (thisJson.is_null())
373 {
374 // delete the existing object
375 if (index < roleMapObjData.size())
376 {
377 crow::connections::systemBus->async_method_call(
378 [asyncResp, roleMapObjData, serverType,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -0800379 index](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700380 if (ec)
381 {
382 BMCWEB_LOG_ERROR << "DBUS response error: " << ec;
383 messages::internalError(asyncResp->res);
384 return;
385 }
Patrick Williams89492a12023-05-10 07:51:34 -0500386 asyncResp->res.jsonValue[serverType]["RemoteRoleMapping"]
387 [index] = nullptr;
Ratan Gupta06785242019-07-26 22:30:16 +0530388 },
389 ldapDbusService, roleMapObjData[index].first,
390 "xyz.openbmc_project.Object.Delete", "Delete");
391 }
392 else
393 {
394 BMCWEB_LOG_ERROR << "Can't delete the object";
Ed Tanous2e8c4bd2022-06-27 12:59:12 -0700395 messages::propertyValueTypeError(asyncResp->res, thisJson,
396 "RemoteRoleMapping/" +
397 std::to_string(index));
Ratan Gupta06785242019-07-26 22:30:16 +0530398 return;
399 }
400 }
401 else if (thisJson.empty())
402 {
403 // Don't do anything for the empty objects,parse next json
404 // eg {"RemoteRoleMapping",[{}]}
405 }
406 else
407 {
408 // update/create the object
409 std::optional<std::string> remoteGroup;
410 std::optional<std::string> localRole;
411
Ed Tanousf23b7292020-10-15 09:41:17 -0700412 // This is a copy, but it's required in this case because of how
413 // readJson is structured
414 nlohmann::json thisJsonCopy = thisJson;
415 if (!json_util::readJson(thisJsonCopy, asyncResp->res,
416 "RemoteGroup", remoteGroup, "LocalRole",
417 localRole))
Ratan Gupta06785242019-07-26 22:30:16 +0530418 {
419 continue;
420 }
421
422 // Update existing RoleMapping Object
423 if (index < roleMapObjData.size())
424 {
425 BMCWEB_LOG_DEBUG << "Update Role Map Object";
426 // If "RemoteGroup" info is provided
427 if (remoteGroup)
428 {
429 crow::connections::systemBus->async_method_call(
430 [asyncResp, roleMapObjData, serverType, index,
Ravi Teja25e055a2022-08-09 03:18:38 -0500431 remoteGroup](const boost::system::error_code& ec,
Patrick Williams7a543892023-06-24 03:07:55 -0500432 const sdbusplus::message_t& msg) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700433 if (ec)
434 {
Ravi Teja25e055a2022-08-09 03:18:38 -0500435 const sd_bus_error* dbusError = msg.get_error();
436 if ((dbusError != nullptr) &&
437 (dbusError->name ==
438 std::string_view(
439 "xyz.openbmc_project.Common.Error.InvalidArgument")))
440 {
441 BMCWEB_LOG_WARNING << "DBUS response error: "
442 << ec;
443 messages::propertyValueIncorrect(asyncResp->res,
444 "RemoteGroup",
445 *remoteGroup);
446 return;
447 }
Ed Tanous002d39b2022-05-31 08:59:27 -0700448 messages::internalError(asyncResp->res);
449 return;
450 }
451 asyncResp->res
452 .jsonValue[serverType]["RemoteRoleMapping"][index]
453 ["RemoteGroup"] = *remoteGroup;
Ratan Gupta06785242019-07-26 22:30:16 +0530454 },
455 ldapDbusService, roleMapObjData[index].first,
456 propertyInterface, "Set",
457 "xyz.openbmc_project.User.PrivilegeMapperEntry",
458 "GroupName",
Ed Tanous168e20c2021-12-13 14:39:53 -0800459 dbus::utility::DbusVariantType(
460 std::move(*remoteGroup)));
Ratan Gupta06785242019-07-26 22:30:16 +0530461 }
462
463 // If "LocalRole" info is provided
464 if (localRole)
465 {
466 crow::connections::systemBus->async_method_call(
467 [asyncResp, roleMapObjData, serverType, index,
Ravi Teja25e055a2022-08-09 03:18:38 -0500468 localRole](const boost::system::error_code& ec,
Patrick Williams7a543892023-06-24 03:07:55 -0500469 const sdbusplus::message_t& msg) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700470 if (ec)
471 {
Ravi Teja25e055a2022-08-09 03:18:38 -0500472 const sd_bus_error* dbusError = msg.get_error();
473 if ((dbusError != nullptr) &&
474 (dbusError->name ==
475 std::string_view(
476 "xyz.openbmc_project.Common.Error.InvalidArgument")))
477 {
478 BMCWEB_LOG_WARNING << "DBUS response error: "
479 << ec;
480 messages::propertyValueIncorrect(
481 asyncResp->res, "LocalRole", *localRole);
482 return;
483 }
Ed Tanous002d39b2022-05-31 08:59:27 -0700484 messages::internalError(asyncResp->res);
485 return;
486 }
487 asyncResp->res
488 .jsonValue[serverType]["RemoteRoleMapping"][index]
489 ["LocalRole"] = *localRole;
Ratan Gupta06785242019-07-26 22:30:16 +0530490 },
491 ldapDbusService, roleMapObjData[index].first,
492 propertyInterface, "Set",
493 "xyz.openbmc_project.User.PrivilegeMapperEntry",
494 "Privilege",
Ed Tanous168e20c2021-12-13 14:39:53 -0800495 dbus::utility::DbusVariantType(
Ratan Gupta06785242019-07-26 22:30:16 +0530496 getPrivilegeFromRoleId(std::move(*localRole))));
497 }
498 }
499 // Create a new RoleMapping Object.
500 else
501 {
502 BMCWEB_LOG_DEBUG
503 << "setRoleMappingProperties: Creating new Object";
Patrick Williams89492a12023-05-10 07:51:34 -0500504 std::string pathString = "RemoteRoleMapping/" +
505 std::to_string(index);
Ratan Gupta06785242019-07-26 22:30:16 +0530506
507 if (!localRole)
508 {
509 messages::propertyMissing(asyncResp->res,
510 pathString + "/LocalRole");
511 continue;
512 }
513 if (!remoteGroup)
514 {
515 messages::propertyMissing(asyncResp->res,
516 pathString + "/RemoteGroup");
517 continue;
518 }
519
520 std::string dbusObjectPath;
521 if (serverType == "ActiveDirectory")
522 {
Ed Tanous2c70f802020-09-28 14:29:23 -0700523 dbusObjectPath = adConfigObject;
Ratan Gupta06785242019-07-26 22:30:16 +0530524 }
525 else if (serverType == "LDAP")
526 {
Ed Tanous23a21a12020-07-25 04:45:05 +0000527 dbusObjectPath = ldapConfigObjectName;
Ratan Gupta06785242019-07-26 22:30:16 +0530528 }
529
530 BMCWEB_LOG_DEBUG << "Remote Group=" << *remoteGroup
531 << ",LocalRole=" << *localRole;
532
533 crow::connections::systemBus->async_method_call(
Ed Tanous271584a2019-07-09 16:24:22 -0700534 [asyncResp, serverType, localRole,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -0800535 remoteGroup](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700536 if (ec)
537 {
538 BMCWEB_LOG_ERROR << "DBUS response error: " << ec;
539 messages::internalError(asyncResp->res);
540 return;
541 }
542 nlohmann::json& remoteRoleJson =
543 asyncResp->res
544 .jsonValue[serverType]["RemoteRoleMapping"];
545 nlohmann::json::object_t roleMapEntry;
546 roleMapEntry["LocalRole"] = *localRole;
547 roleMapEntry["RemoteGroup"] = *remoteGroup;
Patrick Williamsb2ba3072023-05-12 10:27:39 -0500548 remoteRoleJson.emplace_back(std::move(roleMapEntry));
Ratan Gupta06785242019-07-26 22:30:16 +0530549 },
550 ldapDbusService, dbusObjectPath, ldapPrivMapperInterface,
Ed Tanous3174e4d2020-10-07 11:41:22 -0700551 "Create", *remoteGroup,
Ratan Gupta06785242019-07-26 22:30:16 +0530552 getPrivilegeFromRoleId(std::move(*localRole)));
553 }
554 }
555 }
556}
557
558/**
Ratan Gupta6973a582018-12-13 18:25:44 +0530559 * Function that retrieves all properties for LDAP config object
560 * into JSON
561 */
562template <typename CallbackFunc>
563inline void getLDAPConfigData(const std::string& ldapType,
564 CallbackFunc&& callback)
565{
George Liu2b731192023-01-11 16:27:13 +0800566 constexpr std::array<std::string_view, 2> interfaces = {
567 ldapEnableInterface, ldapConfigInterface};
Ratan Gupta6973a582018-12-13 18:25:44 +0530568
George Liu2b731192023-01-11 16:27:13 +0800569 dbus::utility::getDbusObject(
570 ldapConfigObjectName, interfaces,
571 [callback, ldapType](const boost::system::error_code& ec,
Ed Tanousb9d36b42022-02-26 21:42:46 -0800572 const dbus::utility::MapperGetObject& resp) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700573 if (ec || resp.empty())
574 {
575 BMCWEB_LOG_ERROR
576 << "DBUS response error during getting of service name: " << ec;
577 LDAPConfigData empty{};
578 callback(false, empty, ldapType);
579 return;
580 }
581 std::string service = resp.begin()->first;
George Liu5eb468d2023-06-20 17:03:24 +0800582 sdbusplus::message::object_path path(ldapRootObject);
583 dbus::utility::getManagedObjects(
584 service, path,
Ed Tanous002d39b2022-05-31 08:59:27 -0700585 [callback,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -0800586 ldapType](const boost::system::error_code& errorCode,
Ed Tanous002d39b2022-05-31 08:59:27 -0700587 const dbus::utility::ManagedObjectType& ldapObjects) {
588 LDAPConfigData confData{};
589 if (errorCode)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600590 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700591 callback(false, confData, ldapType);
592 BMCWEB_LOG_ERROR << "D-Bus responses error: " << errorCode;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600593 return;
594 }
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600595
Ed Tanous002d39b2022-05-31 08:59:27 -0700596 std::string ldapDbusType;
597 std::string searchString;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600598
Ed Tanous002d39b2022-05-31 08:59:27 -0700599 if (ldapType == "LDAP")
600 {
601 ldapDbusType =
602 "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap";
603 searchString = "openldap";
604 }
605 else if (ldapType == "ActiveDirectory")
606 {
607 ldapDbusType =
608 "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory";
609 searchString = "active_directory";
610 }
611 else
612 {
613 BMCWEB_LOG_ERROR << "Can't get the DbusType for the given type="
614 << ldapType;
615 callback(false, confData, ldapType);
616 return;
617 }
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600618
Ed Tanous002d39b2022-05-31 08:59:27 -0700619 std::string ldapEnableInterfaceStr = ldapEnableInterface;
620 std::string ldapConfigInterfaceStr = ldapConfigInterface;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600621
Ed Tanous002d39b2022-05-31 08:59:27 -0700622 for (const auto& object : ldapObjects)
623 {
624 // let's find the object whose ldap type is equal to the
625 // given type
626 if (object.first.str.find(searchString) == std::string::npos)
627 {
628 continue;
629 }
630
631 for (const auto& interface : object.second)
632 {
633 if (interface.first == ldapEnableInterfaceStr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600634 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700635 // rest of the properties are string.
636 for (const auto& property : interface.second)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600637 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700638 if (property.first == "Enabled")
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600639 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700640 const bool* value =
641 std::get_if<bool>(&property.second);
642 if (value == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600643 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700644 continue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600645 }
Ed Tanous002d39b2022-05-31 08:59:27 -0700646 confData.serviceEnabled = *value;
647 break;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600648 }
649 }
650 }
Ed Tanous002d39b2022-05-31 08:59:27 -0700651 else if (interface.first == ldapConfigInterfaceStr)
652 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700653 for (const auto& property : interface.second)
654 {
655 const std::string* strValue =
656 std::get_if<std::string>(&property.second);
657 if (strValue == nullptr)
658 {
659 continue;
660 }
661 if (property.first == "LDAPServerURI")
662 {
663 confData.uri = *strValue;
664 }
665 else if (property.first == "LDAPBindDN")
666 {
667 confData.bindDN = *strValue;
668 }
669 else if (property.first == "LDAPBaseDN")
670 {
671 confData.baseDN = *strValue;
672 }
673 else if (property.first == "LDAPSearchScope")
674 {
675 confData.searchScope = *strValue;
676 }
677 else if (property.first == "GroupNameAttribute")
678 {
679 confData.groupAttribute = *strValue;
680 }
681 else if (property.first == "UserNameAttribute")
682 {
683 confData.userNameAttribute = *strValue;
684 }
685 else if (property.first == "LDAPType")
686 {
687 confData.serverType = *strValue;
688 }
689 }
690 }
691 else if (interface.first ==
692 "xyz.openbmc_project.User.PrivilegeMapperEntry")
693 {
694 LDAPRoleMapData roleMapData{};
695 for (const auto& property : interface.second)
696 {
697 const std::string* strValue =
698 std::get_if<std::string>(&property.second);
699
700 if (strValue == nullptr)
701 {
702 continue;
703 }
704
705 if (property.first == "GroupName")
706 {
707 roleMapData.groupName = *strValue;
708 }
709 else if (property.first == "Privilege")
710 {
711 roleMapData.privilege = *strValue;
712 }
713 }
714
715 confData.groupRoleList.emplace_back(object.first.str,
716 roleMapData);
717 }
718 }
719 }
720 callback(true, confData, ldapType);
George Liu5eb468d2023-06-20 17:03:24 +0800721 });
George Liu2b731192023-01-11 16:27:13 +0800722 });
Ratan Gupta6973a582018-12-13 18:25:44 +0530723}
724
Ed Tanous6c51eab2021-06-03 12:30:29 -0700725/**
726 * @brief parses the authentication section under the LDAP
727 * @param input JSON data
728 * @param asyncResp pointer to the JSON response
729 * @param userName userName to be filled from the given JSON.
730 * @param password password to be filled from the given JSON.
731 */
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700732inline void parseLDAPAuthenticationJson(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700733 nlohmann::json input, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
734 std::optional<std::string>& username, std::optional<std::string>& password)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700735{
Ed Tanous6c51eab2021-06-03 12:30:29 -0700736 std::optional<std::string> authType;
737
738 if (!json_util::readJson(input, asyncResp->res, "AuthenticationType",
739 authType, "Username", username, "Password",
740 password))
Ed Tanous1abe55e2018-09-05 08:30:59 -0700741 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700742 return;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700743 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700744 if (!authType)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530745 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700746 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530747 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700748 if (*authType != "UsernameAndPassword")
Ratan Gupta8a07d282019-03-16 08:33:47 +0530749 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700750 messages::propertyValueNotInList(asyncResp->res, *authType,
751 "AuthenticationType");
752 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530753 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700754}
755/**
756 * @brief parses the LDAPService section under the LDAP
757 * @param input JSON data
758 * @param asyncResp pointer to the JSON response
759 * @param baseDNList baseDN to be filled from the given JSON.
760 * @param userNameAttribute userName to be filled from the given JSON.
761 * @param groupaAttribute password to be filled from the given JSON.
762 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530763
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700764inline void
765 parseLDAPServiceJson(nlohmann::json input,
766 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
767 std::optional<std::vector<std::string>>& baseDNList,
768 std::optional<std::string>& userNameAttribute,
769 std::optional<std::string>& groupsAttribute)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700770{
771 std::optional<nlohmann::json> searchSettings;
772
773 if (!json_util::readJson(input, asyncResp->res, "SearchSettings",
774 searchSettings))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530775 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700776 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530777 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700778 if (!searchSettings)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530779 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700780 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530781 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700782 if (!json_util::readJson(*searchSettings, asyncResp->res,
783 "BaseDistinguishedNames", baseDNList,
784 "UsernameAttribute", userNameAttribute,
785 "GroupsAttribute", groupsAttribute))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530786 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700787 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530788 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700789}
790/**
791 * @brief updates the LDAP server address and updates the
792 json response with the new value.
793 * @param serviceAddressList address to be updated.
794 * @param asyncResp pointer to the JSON response
795 * @param ldapServerElementName Type of LDAP
796 server(openLDAP/ActiveDirectory)
797 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530798
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700799inline void handleServiceAddressPatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700800 const std::vector<std::string>& serviceAddressList,
801 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
802 const std::string& ldapServerElementName,
803 const std::string& ldapConfigObject)
804{
805 crow::connections::systemBus->async_method_call(
Patrick Williams7a543892023-06-24 03:07:55 -0500806 [asyncResp, ldapServerElementName, serviceAddressList](
807 const boost::system::error_code& ec, sdbusplus::message_t& msg) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700808 if (ec)
809 {
Ravi Teja25e055a2022-08-09 03:18:38 -0500810 const sd_bus_error* dbusError = msg.get_error();
811 if ((dbusError != nullptr) &&
812 (dbusError->name ==
813 std::string_view(
814 "xyz.openbmc_project.Common.Error.InvalidArgument")))
815 {
816 BMCWEB_LOG_WARNING
817 << "Error Occurred in updating the service address";
818 messages::propertyValueIncorrect(asyncResp->res,
819 "ServiceAddresses",
820 serviceAddressList.front());
821 return;
822 }
Ed Tanous002d39b2022-05-31 08:59:27 -0700823 messages::internalError(asyncResp->res);
824 return;
825 }
826 std::vector<std::string> modifiedserviceAddressList = {
827 serviceAddressList.front()};
828 asyncResp->res.jsonValue[ldapServerElementName]["ServiceAddresses"] =
829 modifiedserviceAddressList;
830 if ((serviceAddressList).size() > 1)
831 {
832 messages::propertyValueModified(asyncResp->res, "ServiceAddresses",
833 serviceAddressList.front());
834 }
835 BMCWEB_LOG_DEBUG << "Updated the service address";
Ed Tanous6c51eab2021-06-03 12:30:29 -0700836 },
837 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
838 ldapConfigInterface, "LDAPServerURI",
Ed Tanous168e20c2021-12-13 14:39:53 -0800839 dbus::utility::DbusVariantType(serviceAddressList.front()));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700840}
841/**
842 * @brief updates the LDAP Bind DN and updates the
843 json response with the new value.
844 * @param username name of the user which needs to be updated.
845 * @param asyncResp pointer to the JSON response
846 * @param ldapServerElementName Type of LDAP
847 server(openLDAP/ActiveDirectory)
848 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530849
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700850inline void
851 handleUserNamePatch(const std::string& username,
852 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
853 const std::string& ldapServerElementName,
854 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700855{
856 crow::connections::systemBus->async_method_call(
857 [asyncResp, username,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -0800858 ldapServerElementName](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700859 if (ec)
860 {
861 BMCWEB_LOG_DEBUG << "Error occurred in updating the username";
862 messages::internalError(asyncResp->res);
863 return;
864 }
Patrick Williams89492a12023-05-10 07:51:34 -0500865 asyncResp->res.jsonValue[ldapServerElementName]["Authentication"]
866 ["Username"] = username;
Ed Tanous002d39b2022-05-31 08:59:27 -0700867 BMCWEB_LOG_DEBUG << "Updated the username";
Ed Tanous6c51eab2021-06-03 12:30:29 -0700868 },
869 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
Ed Tanous168e20c2021-12-13 14:39:53 -0800870 ldapConfigInterface, "LDAPBindDN",
871 dbus::utility::DbusVariantType(username));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700872}
873
874/**
875 * @brief updates the LDAP password
876 * @param password : ldap password which needs to be updated.
877 * @param asyncResp pointer to the JSON response
878 * @param ldapServerElementName Type of LDAP
879 * server(openLDAP/ActiveDirectory)
880 */
881
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700882inline void
883 handlePasswordPatch(const std::string& password,
884 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
885 const std::string& ldapServerElementName,
886 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700887{
888 crow::connections::systemBus->async_method_call(
889 [asyncResp, password,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -0800890 ldapServerElementName](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700891 if (ec)
892 {
893 BMCWEB_LOG_DEBUG << "Error occurred in updating the password";
894 messages::internalError(asyncResp->res);
895 return;
896 }
Patrick Williams89492a12023-05-10 07:51:34 -0500897 asyncResp->res.jsonValue[ldapServerElementName]["Authentication"]
898 ["Password"] = "";
Ed Tanous002d39b2022-05-31 08:59:27 -0700899 BMCWEB_LOG_DEBUG << "Updated the password";
Ed Tanous6c51eab2021-06-03 12:30:29 -0700900 },
901 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
902 ldapConfigInterface, "LDAPBindDNPassword",
Ed Tanous168e20c2021-12-13 14:39:53 -0800903 dbus::utility::DbusVariantType(password));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700904}
905
906/**
907 * @brief updates the LDAP BaseDN and updates the
908 json response with the new value.
909 * @param baseDNList baseDN list which needs to be updated.
910 * @param asyncResp pointer to the JSON response
911 * @param ldapServerElementName Type of LDAP
912 server(openLDAP/ActiveDirectory)
913 */
914
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700915inline void
916 handleBaseDNPatch(const std::vector<std::string>& baseDNList,
917 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
918 const std::string& ldapServerElementName,
919 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700920{
921 crow::connections::systemBus->async_method_call(
922 [asyncResp, baseDNList,
Ravi Teja25e055a2022-08-09 03:18:38 -0500923 ldapServerElementName](const boost::system::error_code& ec,
Patrick Williams7a543892023-06-24 03:07:55 -0500924 const sdbusplus::message_t& msg) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700925 if (ec)
926 {
927 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the base DN";
Ravi Teja25e055a2022-08-09 03:18:38 -0500928 const sd_bus_error* dbusError = msg.get_error();
929 if ((dbusError != nullptr) &&
930 (dbusError->name ==
931 std::string_view(
932 "xyz.openbmc_project.Common.Error.InvalidArgument")))
933 {
934 messages::propertyValueIncorrect(asyncResp->res,
935 "BaseDistinguishedNames",
936 baseDNList.front());
937 return;
938 }
Ed Tanous002d39b2022-05-31 08:59:27 -0700939 messages::internalError(asyncResp->res);
940 return;
941 }
942 auto& serverTypeJson = asyncResp->res.jsonValue[ldapServerElementName];
943 auto& searchSettingsJson =
944 serverTypeJson["LDAPService"]["SearchSettings"];
945 std::vector<std::string> modifiedBaseDNList = {baseDNList.front()};
946 searchSettingsJson["BaseDistinguishedNames"] = modifiedBaseDNList;
947 if (baseDNList.size() > 1)
948 {
949 messages::propertyValueModified(
950 asyncResp->res, "BaseDistinguishedNames", baseDNList.front());
951 }
952 BMCWEB_LOG_DEBUG << "Updated the base DN";
Ed Tanous6c51eab2021-06-03 12:30:29 -0700953 },
954 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
955 ldapConfigInterface, "LDAPBaseDN",
Ed Tanous168e20c2021-12-13 14:39:53 -0800956 dbus::utility::DbusVariantType(baseDNList.front()));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700957}
958/**
959 * @brief updates the LDAP user name attribute and updates the
960 json response with the new value.
961 * @param userNameAttribute attribute to be updated.
962 * @param asyncResp pointer to the JSON response
963 * @param ldapServerElementName Type of LDAP
964 server(openLDAP/ActiveDirectory)
965 */
966
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700967inline void
968 handleUserNameAttrPatch(const std::string& userNameAttribute,
969 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
970 const std::string& ldapServerElementName,
971 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700972{
973 crow::connections::systemBus->async_method_call(
974 [asyncResp, userNameAttribute,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -0800975 ldapServerElementName](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700976 if (ec)
977 {
978 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the "
979 "username attribute";
980 messages::internalError(asyncResp->res);
981 return;
982 }
983 auto& serverTypeJson = asyncResp->res.jsonValue[ldapServerElementName];
984 auto& searchSettingsJson =
985 serverTypeJson["LDAPService"]["SearchSettings"];
986 searchSettingsJson["UsernameAttribute"] = userNameAttribute;
987 BMCWEB_LOG_DEBUG << "Updated the user name attr.";
Ed Tanous6c51eab2021-06-03 12:30:29 -0700988 },
989 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
990 ldapConfigInterface, "UserNameAttribute",
Ed Tanous168e20c2021-12-13 14:39:53 -0800991 dbus::utility::DbusVariantType(userNameAttribute));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700992}
993/**
994 * @brief updates the LDAP group attribute and updates the
995 json response with the new value.
996 * @param groupsAttribute attribute to be updated.
997 * @param asyncResp pointer to the JSON response
998 * @param ldapServerElementName Type of LDAP
999 server(openLDAP/ActiveDirectory)
1000 */
1001
Ed Tanous4f48d5f2021-06-21 08:27:45 -07001002inline void handleGroupNameAttrPatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -07001003 const std::string& groupsAttribute,
1004 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1005 const std::string& ldapServerElementName,
1006 const std::string& ldapConfigObject)
1007{
1008 crow::connections::systemBus->async_method_call(
1009 [asyncResp, groupsAttribute,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001010 ldapServerElementName](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -07001011 if (ec)
1012 {
1013 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the "
1014 "groupname attribute";
1015 messages::internalError(asyncResp->res);
1016 return;
1017 }
1018 auto& serverTypeJson = asyncResp->res.jsonValue[ldapServerElementName];
1019 auto& searchSettingsJson =
1020 serverTypeJson["LDAPService"]["SearchSettings"];
1021 searchSettingsJson["GroupsAttribute"] = groupsAttribute;
1022 BMCWEB_LOG_DEBUG << "Updated the groupname attr";
Ed Tanous6c51eab2021-06-03 12:30:29 -07001023 },
1024 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
1025 ldapConfigInterface, "GroupNameAttribute",
Ed Tanous168e20c2021-12-13 14:39:53 -08001026 dbus::utility::DbusVariantType(groupsAttribute));
Ed Tanous6c51eab2021-06-03 12:30:29 -07001027}
1028/**
1029 * @brief updates the LDAP service enable and updates the
1030 json response with the new value.
1031 * @param input JSON data.
1032 * @param asyncResp pointer to the JSON response
1033 * @param ldapServerElementName Type of LDAP
1034 server(openLDAP/ActiveDirectory)
1035 */
1036
Ed Tanous4f48d5f2021-06-21 08:27:45 -07001037inline void handleServiceEnablePatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -07001038 bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1039 const std::string& ldapServerElementName,
1040 const std::string& ldapConfigObject)
1041{
1042 crow::connections::systemBus->async_method_call(
1043 [asyncResp, serviceEnabled,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001044 ldapServerElementName](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -07001045 if (ec)
1046 {
1047 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the service enable";
1048 messages::internalError(asyncResp->res);
1049 return;
1050 }
1051 asyncResp->res.jsonValue[ldapServerElementName]["ServiceEnabled"] =
1052 serviceEnabled;
1053 BMCWEB_LOG_DEBUG << "Updated Service enable = " << serviceEnabled;
Ed Tanous6c51eab2021-06-03 12:30:29 -07001054 },
1055 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
Ed Tanous168e20c2021-12-13 14:39:53 -08001056 ldapEnableInterface, "Enabled",
1057 dbus::utility::DbusVariantType(serviceEnabled));
Ed Tanous6c51eab2021-06-03 12:30:29 -07001058}
1059
Ed Tanous4f48d5f2021-06-21 08:27:45 -07001060inline void
1061 handleAuthMethodsPatch(nlohmann::json& input,
1062 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001063{
1064 std::optional<bool> basicAuth;
1065 std::optional<bool> cookie;
1066 std::optional<bool> sessionToken;
1067 std::optional<bool> xToken;
1068 std::optional<bool> tls;
1069
1070 if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth,
1071 "Cookie", cookie, "SessionToken", sessionToken,
1072 "XToken", xToken, "TLS", tls))
Ratan Gupta8a07d282019-03-16 08:33:47 +05301073 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001074 BMCWEB_LOG_ERROR << "Cannot read values from AuthMethod tag";
1075 return;
1076 }
1077
1078 // Make a copy of methods configuration
1079 persistent_data::AuthConfigMethods authMethodsConfig =
1080 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
1081
1082 if (basicAuth)
1083 {
1084#ifndef BMCWEB_ENABLE_BASIC_AUTHENTICATION
1085 messages::actionNotSupported(
George Liu0fda0f12021-11-16 10:06:17 +08001086 asyncResp->res,
1087 "Setting BasicAuth when basic-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -07001088 return;
1089#endif
1090 authMethodsConfig.basic = *basicAuth;
1091 }
1092
1093 if (cookie)
1094 {
1095#ifndef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
George Liu0fda0f12021-11-16 10:06:17 +08001096 messages::actionNotSupported(
1097 asyncResp->res,
1098 "Setting Cookie when cookie-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -07001099 return;
1100#endif
1101 authMethodsConfig.cookie = *cookie;
1102 }
1103
1104 if (sessionToken)
1105 {
1106#ifndef BMCWEB_ENABLE_SESSION_AUTHENTICATION
1107 messages::actionNotSupported(
George Liu0fda0f12021-11-16 10:06:17 +08001108 asyncResp->res,
1109 "Setting SessionToken when session-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -07001110 return;
1111#endif
1112 authMethodsConfig.sessionToken = *sessionToken;
1113 }
1114
1115 if (xToken)
1116 {
1117#ifndef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
George Liu0fda0f12021-11-16 10:06:17 +08001118 messages::actionNotSupported(
1119 asyncResp->res,
1120 "Setting XToken when xtoken-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -07001121 return;
1122#endif
1123 authMethodsConfig.xtoken = *xToken;
1124 }
1125
1126 if (tls)
1127 {
1128#ifndef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
George Liu0fda0f12021-11-16 10:06:17 +08001129 messages::actionNotSupported(
1130 asyncResp->res,
1131 "Setting TLS when mutual-tls-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -07001132 return;
1133#endif
1134 authMethodsConfig.tls = *tls;
1135 }
1136
1137 if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
1138 !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
1139 !authMethodsConfig.tls)
1140 {
1141 // Do not allow user to disable everything
1142 messages::actionNotSupported(asyncResp->res,
1143 "of disabling all available methods");
1144 return;
1145 }
1146
1147 persistent_data::SessionStore::getInstance().updateAuthMethodsConfig(
1148 authMethodsConfig);
1149 // Save configuration immediately
1150 persistent_data::getConfig().writeData();
1151
1152 messages::success(asyncResp->res);
1153}
1154
1155/**
1156 * @brief Get the required values from the given JSON, validates the
1157 * value and create the LDAP config object.
1158 * @param input JSON data
1159 * @param asyncResp pointer to the JSON response
1160 * @param serverType Type of LDAP server(openLDAP/ActiveDirectory)
1161 */
1162
1163inline void handleLDAPPatch(nlohmann::json& input,
1164 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1165 const std::string& serverType)
1166{
1167 std::string dbusObjectPath;
1168 if (serverType == "ActiveDirectory")
1169 {
1170 dbusObjectPath = adConfigObject;
1171 }
1172 else if (serverType == "LDAP")
1173 {
1174 dbusObjectPath = ldapConfigObjectName;
1175 }
1176 else
1177 {
1178 return;
1179 }
1180
1181 std::optional<nlohmann::json> authentication;
1182 std::optional<nlohmann::json> ldapService;
1183 std::optional<std::vector<std::string>> serviceAddressList;
1184 std::optional<bool> serviceEnabled;
1185 std::optional<std::vector<std::string>> baseDNList;
1186 std::optional<std::string> userNameAttribute;
1187 std::optional<std::string> groupsAttribute;
1188 std::optional<std::string> userName;
1189 std::optional<std::string> password;
1190 std::optional<std::vector<nlohmann::json>> remoteRoleMapData;
1191
1192 if (!json_util::readJson(input, asyncResp->res, "Authentication",
1193 authentication, "LDAPService", ldapService,
1194 "ServiceAddresses", serviceAddressList,
1195 "ServiceEnabled", serviceEnabled,
1196 "RemoteRoleMapping", remoteRoleMapData))
1197 {
1198 return;
1199 }
1200
1201 if (authentication)
1202 {
1203 parseLDAPAuthenticationJson(*authentication, asyncResp, userName,
1204 password);
1205 }
1206 if (ldapService)
1207 {
1208 parseLDAPServiceJson(*ldapService, asyncResp, baseDNList,
1209 userNameAttribute, groupsAttribute);
1210 }
1211 if (serviceAddressList)
1212 {
Ed Tanous26f69762022-01-25 09:49:11 -08001213 if (serviceAddressList->empty())
Ratan Guptaeb2bbe52019-04-22 14:27:01 +05301214 {
Ed Tanouse2616cc2022-06-27 12:45:55 -07001215 messages::propertyValueNotInList(
1216 asyncResp->res, *serviceAddressList, "ServiceAddress");
Ed Tanouscb13a392020-07-25 19:02:03 +00001217 return;
1218 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001219 }
1220 if (baseDNList)
1221 {
Ed Tanous26f69762022-01-25 09:49:11 -08001222 if (baseDNList->empty())
Ratan Gupta8a07d282019-03-16 08:33:47 +05301223 {
Ed Tanouse2616cc2022-06-27 12:45:55 -07001224 messages::propertyValueNotInList(asyncResp->res, *baseDNList,
Ed Tanous6c51eab2021-06-03 12:30:29 -07001225 "BaseDistinguishedNames");
Ratan Gupta8a07d282019-03-16 08:33:47 +05301226 return;
1227 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001228 }
Ratan Gupta8a07d282019-03-16 08:33:47 +05301229
Ed Tanous6c51eab2021-06-03 12:30:29 -07001230 // nothing to update, then return
1231 if (!userName && !password && !serviceAddressList && !baseDNList &&
1232 !userNameAttribute && !groupsAttribute && !serviceEnabled &&
1233 !remoteRoleMapData)
1234 {
1235 return;
1236 }
1237
1238 // Get the existing resource first then keep modifying
1239 // whenever any property gets updated.
Ed Tanous002d39b2022-05-31 08:59:27 -07001240 getLDAPConfigData(
1241 serverType,
1242 [asyncResp, userName, password, baseDNList, userNameAttribute,
1243 groupsAttribute, serviceAddressList, serviceEnabled, dbusObjectPath,
1244 remoteRoleMapData](bool success, const LDAPConfigData& confData,
1245 const std::string& serverT) {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001246 if (!success)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301247 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001248 messages::internalError(asyncResp->res);
1249 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +05301250 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001251 parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT);
1252 if (confData.serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301253 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001254 // Disable the service first and update the rest of
1255 // the properties.
1256 handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +05301257 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001258
Ratan Gupta8a07d282019-03-16 08:33:47 +05301259 if (serviceAddressList)
1260 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001261 handleServiceAddressPatch(*serviceAddressList, asyncResp, serverT,
1262 dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +05301263 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001264 if (userName)
1265 {
1266 handleUserNamePatch(*userName, asyncResp, serverT, dbusObjectPath);
1267 }
1268 if (password)
1269 {
1270 handlePasswordPatch(*password, asyncResp, serverT, dbusObjectPath);
1271 }
1272
Ratan Gupta8a07d282019-03-16 08:33:47 +05301273 if (baseDNList)
1274 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001275 handleBaseDNPatch(*baseDNList, asyncResp, serverT, dbusObjectPath);
1276 }
1277 if (userNameAttribute)
1278 {
1279 handleUserNameAttrPatch(*userNameAttribute, asyncResp, serverT,
1280 dbusObjectPath);
1281 }
1282 if (groupsAttribute)
1283 {
1284 handleGroupNameAttrPatch(*groupsAttribute, asyncResp, serverT,
1285 dbusObjectPath);
1286 }
1287 if (serviceEnabled)
1288 {
1289 // if user has given the value as true then enable
1290 // the service. if user has given false then no-op
1291 // as service is already stopped.
1292 if (*serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301293 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001294 handleServiceEnablePatch(*serviceEnabled, asyncResp, serverT,
1295 dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +05301296 }
1297 }
jayaprakash Mutyala96200602020-04-08 11:09:10 +00001298 else
1299 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001300 // if user has not given the service enabled value
1301 // then revert it to the same state as it was
1302 // before.
1303 handleServiceEnablePatch(confData.serviceEnabled, asyncResp,
1304 serverT, dbusObjectPath);
jayaprakash Mutyala96200602020-04-08 11:09:10 +00001305 }
Ed Tanous04ae99e2018-09-20 15:54:36 -07001306
Ed Tanous6c51eab2021-06-03 12:30:29 -07001307 if (remoteRoleMapData)
1308 {
1309 handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT,
1310 *remoteRoleMapData);
1311 }
Ed Tanous002d39b2022-05-31 08:59:27 -07001312 });
Ed Tanous6c51eab2021-06-03 12:30:29 -07001313}
1314
Abhishek Patel58345852022-02-02 08:54:25 -06001315inline void updateUserProperties(
1316 std::shared_ptr<bmcweb::AsyncResp> asyncResp, const std::string& username,
1317 const std::optional<std::string>& password,
1318 const std::optional<bool>& enabled,
1319 const std::optional<std::string>& roleId, const std::optional<bool>& locked,
1320 std::optional<std::vector<std::string>> accountTypes, bool userSelf)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001321{
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +05301322 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1323 tempObjPath /= username;
1324 std::string dbusObjectPath(tempObjPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001325
1326 dbus::utility::checkDbusPathExists(
Ed Tanous618c14b2022-06-30 17:44:25 -07001327 dbusObjectPath, [dbusObjectPath, username, password, roleId, enabled,
Abhishek Patel58345852022-02-02 08:54:25 -06001328 locked, accountTypes(std::move(accountTypes)),
1329 userSelf, asyncResp{std::move(asyncResp)}](int rc) {
Ed Tanous618c14b2022-06-30 17:44:25 -07001330 if (rc <= 0)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001331 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08001332 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1333 username);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001334 return;
1335 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001336
Ed Tanous618c14b2022-06-30 17:44:25 -07001337 if (password)
1338 {
1339 int retval = pamUpdatePassword(username, *password);
1340
1341 if (retval == PAM_USER_UNKNOWN)
1342 {
1343 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1344 username);
1345 }
1346 else if (retval == PAM_AUTHTOK_ERR)
1347 {
1348 // If password is invalid
1349 messages::propertyValueFormatError(asyncResp->res,
1350 *password, "Password");
1351 BMCWEB_LOG_ERROR << "pamUpdatePassword Failed";
1352 }
1353 else if (retval != PAM_SUCCESS)
1354 {
1355 messages::internalError(asyncResp->res);
1356 return;
1357 }
1358 else
1359 {
1360 messages::success(asyncResp->res);
1361 }
1362 }
1363
1364 if (enabled)
1365 {
1366 crow::connections::systemBus->async_method_call(
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001367 [asyncResp](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -07001368 if (ec)
Ed Tanous04ae99e2018-09-20 15:54:36 -07001369 {
Ed Tanous002d39b2022-05-31 08:59:27 -07001370 BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec;
Ayushi Smriti599c71d2019-08-23 17:43:18 +00001371 messages::internalError(asyncResp->res);
Ed Tanous04ae99e2018-09-20 15:54:36 -07001372 return;
1373 }
Ed Tanous002d39b2022-05-31 08:59:27 -07001374 messages::success(asyncResp->res);
1375 return;
Ed Tanous618c14b2022-06-30 17:44:25 -07001376 },
1377 "xyz.openbmc_project.User.Manager", dbusObjectPath,
1378 "org.freedesktop.DBus.Properties", "Set",
1379 "xyz.openbmc_project.User.Attributes", "UserEnabled",
1380 dbus::utility::DbusVariantType{*enabled});
Ed Tanous002d39b2022-05-31 08:59:27 -07001381 }
Ed Tanous04ae99e2018-09-20 15:54:36 -07001382
Ed Tanous618c14b2022-06-30 17:44:25 -07001383 if (roleId)
1384 {
1385 std::string priv = getPrivilegeFromRoleId(*roleId);
1386 if (priv.empty())
1387 {
Ed Tanouse2616cc2022-06-27 12:45:55 -07001388 messages::propertyValueNotInList(asyncResp->res, true,
1389 "Locked");
Ed Tanous618c14b2022-06-30 17:44:25 -07001390 return;
1391 }
1392
1393 crow::connections::systemBus->async_method_call(
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001394 [asyncResp](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -07001395 if (ec)
Ed Tanous04ae99e2018-09-20 15:54:36 -07001396 {
Ed Tanous002d39b2022-05-31 08:59:27 -07001397 BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec;
1398 messages::internalError(asyncResp->res);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001399 return;
1400 }
Ed Tanous002d39b2022-05-31 08:59:27 -07001401 messages::success(asyncResp->res);
Ed Tanous618c14b2022-06-30 17:44:25 -07001402 },
1403 "xyz.openbmc_project.User.Manager", dbusObjectPath,
1404 "org.freedesktop.DBus.Properties", "Set",
1405 "xyz.openbmc_project.User.Attributes", "UserPrivilege",
1406 dbus::utility::DbusVariantType{priv});
Ed Tanous6c51eab2021-06-03 12:30:29 -07001407 }
1408
Ed Tanous618c14b2022-06-30 17:44:25 -07001409 if (locked)
1410 {
1411 // admin can unlock the account which is locked by
1412 // successive authentication failures but admin should
1413 // not be allowed to lock an account.
1414 if (*locked)
1415 {
1416 messages::propertyValueNotInList(asyncResp->res, "true",
1417 "Locked");
1418 return;
1419 }
1420
1421 crow::connections::systemBus->async_method_call(
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001422 [asyncResp](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -07001423 if (ec)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001424 {
Ed Tanous002d39b2022-05-31 08:59:27 -07001425 BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec;
1426 messages::internalError(asyncResp->res);
Ed Tanous04ae99e2018-09-20 15:54:36 -07001427 return;
1428 }
Ed Tanous002d39b2022-05-31 08:59:27 -07001429 messages::success(asyncResp->res);
1430 return;
Ed Tanous618c14b2022-06-30 17:44:25 -07001431 },
1432 "xyz.openbmc_project.User.Manager", dbusObjectPath,
1433 "org.freedesktop.DBus.Properties", "Set",
1434 "xyz.openbmc_project.User.Attributes",
1435 "UserLockedForFailedAttempt",
1436 dbus::utility::DbusVariantType{*locked});
1437 }
Abhishek Patel58345852022-02-02 08:54:25 -06001438
1439 if (accountTypes)
1440 {
1441 patchAccountTypes(*accountTypes, asyncResp, dbusObjectPath,
1442 userSelf);
1443 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001444 });
1445}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -07001446
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001447inline void handleAccountServiceHead(
1448 App& app, const crow::Request& req,
1449 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001450{
1451 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1452 {
1453 return;
1454 }
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001455 asyncResp->res.addHeader(
1456 boost::beast::http::field::link,
1457 "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby");
1458}
1459
1460inline void
1461 handleAccountServiceGet(App& app, const crow::Request& req,
1462 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1463{
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001464 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1465 {
1466 return;
1467 }
Ninad Palsule3e72c202023-03-27 17:19:55 -05001468
1469 if (req.session == nullptr)
1470 {
1471 messages::internalError(asyncResp->res);
1472 return;
1473 }
1474
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001475 asyncResp->res.addHeader(
1476 boost::beast::http::field::link,
1477 "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby");
1478
Ed Tanous1ef4c342022-05-12 16:12:36 -07001479 const persistent_data::AuthConfigMethods& authMethodsConfig =
1480 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
1481
1482 nlohmann::json& json = asyncResp->res.jsonValue;
1483 json["@odata.id"] = "/redfish/v1/AccountService";
1484 json["@odata.type"] = "#AccountService."
1485 "v1_10_0.AccountService";
1486 json["Id"] = "AccountService";
1487 json["Name"] = "Account Service";
1488 json["Description"] = "Account Service";
1489 json["ServiceEnabled"] = true;
1490 json["MaxPasswordLength"] = 20;
1491 json["Accounts"]["@odata.id"] = "/redfish/v1/AccountService/Accounts";
1492 json["Roles"]["@odata.id"] = "/redfish/v1/AccountService/Roles";
1493 json["Oem"]["OpenBMC"]["@odata.type"] =
Ed Tanous5b5574a2022-09-26 19:53:36 -07001494 "#OpenBMCAccountService.v1_0_0.AccountService";
Ed Tanous1ef4c342022-05-12 16:12:36 -07001495 json["Oem"]["OpenBMC"]["@odata.id"] =
1496 "/redfish/v1/AccountService#/Oem/OpenBMC";
1497 json["Oem"]["OpenBMC"]["AuthMethods"]["BasicAuth"] =
1498 authMethodsConfig.basic;
1499 json["Oem"]["OpenBMC"]["AuthMethods"]["SessionToken"] =
1500 authMethodsConfig.sessionToken;
1501 json["Oem"]["OpenBMC"]["AuthMethods"]["XToken"] = authMethodsConfig.xtoken;
1502 json["Oem"]["OpenBMC"]["AuthMethods"]["Cookie"] = authMethodsConfig.cookie;
1503 json["Oem"]["OpenBMC"]["AuthMethods"]["TLS"] = authMethodsConfig.tls;
1504
1505 // /redfish/v1/AccountService/LDAP/Certificates is something only
1506 // ConfigureManager can access then only display when the user has
1507 // permissions ConfigureManager
1508 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05001509 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001510
1511 if (isOperationAllowedWithPrivileges({{"ConfigureManager"}},
1512 effectiveUserPrivileges))
1513 {
1514 asyncResp->res.jsonValue["LDAP"]["Certificates"]["@odata.id"] =
1515 "/redfish/v1/AccountService/LDAP/Certificates";
1516 }
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001517 sdbusplus::asio::getAllProperties(
1518 *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1519 "/xyz/openbmc_project/user", "xyz.openbmc_project.User.AccountPolicy",
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001520 [asyncResp](const boost::system::error_code& ec,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001521 const dbus::utility::DBusPropertiesMap& propertiesList) {
1522 if (ec)
1523 {
1524 messages::internalError(asyncResp->res);
1525 return;
1526 }
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001527
Ed Tanous1ef4c342022-05-12 16:12:36 -07001528 BMCWEB_LOG_DEBUG << "Got " << propertiesList.size()
1529 << "properties for AccountService";
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001530
1531 const uint8_t* minPasswordLength = nullptr;
1532 const uint32_t* accountUnlockTimeout = nullptr;
1533 const uint16_t* maxLoginAttemptBeforeLockout = nullptr;
1534
1535 const bool success = sdbusplus::unpackPropertiesNoThrow(
1536 dbus_utils::UnpackErrorPrinter(), propertiesList,
1537 "MinPasswordLength", minPasswordLength, "AccountUnlockTimeout",
1538 accountUnlockTimeout, "MaxLoginAttemptBeforeLockout",
1539 maxLoginAttemptBeforeLockout);
1540
1541 if (!success)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001542 {
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001543 messages::internalError(asyncResp->res);
1544 return;
Ed Tanous1ef4c342022-05-12 16:12:36 -07001545 }
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001546
1547 if (minPasswordLength != nullptr)
1548 {
1549 asyncResp->res.jsonValue["MinPasswordLength"] = *minPasswordLength;
1550 }
1551
1552 if (accountUnlockTimeout != nullptr)
1553 {
1554 asyncResp->res.jsonValue["AccountLockoutDuration"] =
1555 *accountUnlockTimeout;
1556 }
1557
1558 if (maxLoginAttemptBeforeLockout != nullptr)
1559 {
1560 asyncResp->res.jsonValue["AccountLockoutThreshold"] =
1561 *maxLoginAttemptBeforeLockout;
1562 }
1563 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001564
Ed Tanous02cad962022-06-30 16:50:15 -07001565 auto callback = [asyncResp](bool success, const LDAPConfigData& confData,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001566 const std::string& ldapType) {
1567 if (!success)
1568 {
1569 return;
1570 }
1571 parseLDAPConfigData(asyncResp->res.jsonValue, confData, ldapType);
1572 };
1573
1574 getLDAPConfigData("LDAP", callback);
1575 getLDAPConfigData("ActiveDirectory", callback);
1576}
1577
1578inline void handleAccountServicePatch(
1579 App& app, const crow::Request& req,
1580 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1581{
1582 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1583 {
1584 return;
1585 }
1586 std::optional<uint32_t> unlockTimeout;
1587 std::optional<uint16_t> lockoutThreshold;
1588 std::optional<uint8_t> minPasswordLength;
1589 std::optional<uint16_t> maxPasswordLength;
1590 std::optional<nlohmann::json> ldapObject;
1591 std::optional<nlohmann::json> activeDirectoryObject;
1592 std::optional<nlohmann::json> oemObject;
1593
1594 if (!json_util::readJsonPatch(
1595 req, asyncResp->res, "AccountLockoutDuration", unlockTimeout,
1596 "AccountLockoutThreshold", lockoutThreshold, "MaxPasswordLength",
1597 maxPasswordLength, "MinPasswordLength", minPasswordLength, "LDAP",
1598 ldapObject, "ActiveDirectory", activeDirectoryObject, "Oem",
1599 oemObject))
1600 {
1601 return;
1602 }
1603
1604 if (minPasswordLength)
1605 {
1606 crow::connections::systemBus->async_method_call(
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001607 [asyncResp](const boost::system::error_code& ec) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07001608 if (ec)
1609 {
1610 messages::internalError(asyncResp->res);
1611 return;
1612 }
1613 messages::success(asyncResp->res);
1614 },
1615 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1616 "org.freedesktop.DBus.Properties", "Set",
1617 "xyz.openbmc_project.User.AccountPolicy", "MinPasswordLength",
1618 dbus::utility::DbusVariantType(*minPasswordLength));
1619 }
1620
1621 if (maxPasswordLength)
1622 {
1623 messages::propertyNotWritable(asyncResp->res, "MaxPasswordLength");
1624 }
1625
1626 if (ldapObject)
1627 {
1628 handleLDAPPatch(*ldapObject, asyncResp, "LDAP");
1629 }
1630
1631 if (std::optional<nlohmann::json> oemOpenBMCObject;
1632 oemObject && json_util::readJson(*oemObject, asyncResp->res, "OpenBMC",
1633 oemOpenBMCObject))
1634 {
1635 if (std::optional<nlohmann::json> authMethodsObject;
1636 oemOpenBMCObject &&
1637 json_util::readJson(*oemOpenBMCObject, asyncResp->res,
1638 "AuthMethods", authMethodsObject))
1639 {
1640 if (authMethodsObject)
1641 {
1642 handleAuthMethodsPatch(*authMethodsObject, asyncResp);
1643 }
1644 }
1645 }
1646
1647 if (activeDirectoryObject)
1648 {
1649 handleLDAPPatch(*activeDirectoryObject, asyncResp, "ActiveDirectory");
1650 }
1651
1652 if (unlockTimeout)
1653 {
1654 crow::connections::systemBus->async_method_call(
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001655 [asyncResp](const boost::system::error_code& ec) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07001656 if (ec)
1657 {
1658 messages::internalError(asyncResp->res);
1659 return;
1660 }
1661 messages::success(asyncResp->res);
1662 },
1663 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1664 "org.freedesktop.DBus.Properties", "Set",
1665 "xyz.openbmc_project.User.AccountPolicy", "AccountUnlockTimeout",
1666 dbus::utility::DbusVariantType(*unlockTimeout));
1667 }
1668 if (lockoutThreshold)
1669 {
1670 crow::connections::systemBus->async_method_call(
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001671 [asyncResp](const boost::system::error_code& ec) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07001672 if (ec)
1673 {
1674 messages::internalError(asyncResp->res);
1675 return;
1676 }
1677 messages::success(asyncResp->res);
1678 },
1679 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1680 "org.freedesktop.DBus.Properties", "Set",
1681 "xyz.openbmc_project.User.AccountPolicy",
1682 "MaxLoginAttemptBeforeLockout",
1683 dbus::utility::DbusVariantType(*lockoutThreshold));
1684 }
1685}
1686
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001687inline void handleAccountCollectionHead(
Ed Tanous1ef4c342022-05-12 16:12:36 -07001688 App& app, const crow::Request& req,
1689 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1690{
1691 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1692 {
1693 return;
1694 }
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001695 asyncResp->res.addHeader(
1696 boost::beast::http::field::link,
1697 "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby");
1698}
1699
1700inline void handleAccountCollectionGet(
1701 App& app, const crow::Request& req,
1702 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1703{
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001704 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1705 {
1706 return;
1707 }
Ninad Palsule3e72c202023-03-27 17:19:55 -05001708
1709 if (req.session == nullptr)
1710 {
1711 messages::internalError(asyncResp->res);
1712 return;
1713 }
1714
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001715 asyncResp->res.addHeader(
1716 boost::beast::http::field::link,
1717 "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001718
1719 asyncResp->res.jsonValue["@odata.id"] =
1720 "/redfish/v1/AccountService/Accounts";
1721 asyncResp->res.jsonValue["@odata.type"] = "#ManagerAccountCollection."
1722 "ManagerAccountCollection";
1723 asyncResp->res.jsonValue["Name"] = "Accounts Collection";
1724 asyncResp->res.jsonValue["Description"] = "BMC User Accounts";
1725
1726 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05001727 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001728
1729 std::string thisUser;
1730 if (req.session)
1731 {
1732 thisUser = req.session->username;
1733 }
George Liu5eb468d2023-06-20 17:03:24 +08001734 sdbusplus::message::object_path path("/xyz/openbmc_project/user");
1735 dbus::utility::getManagedObjects(
1736 "xyz.openbmc_project.User.Manager", path,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001737 [asyncResp, thisUser, effectiveUserPrivileges](
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001738 const boost::system::error_code& ec,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001739 const dbus::utility::ManagedObjectType& users) {
1740 if (ec)
1741 {
1742 messages::internalError(asyncResp->res);
1743 return;
1744 }
1745
1746 bool userCanSeeAllAccounts =
1747 effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"});
1748
1749 bool userCanSeeSelf =
1750 effectiveUserPrivileges.isSupersetOf({"ConfigureSelf"});
1751
1752 nlohmann::json& memberArray = asyncResp->res.jsonValue["Members"];
1753 memberArray = nlohmann::json::array();
1754
1755 for (const auto& userpath : users)
1756 {
1757 std::string user = userpath.first.filename();
1758 if (user.empty())
1759 {
1760 messages::internalError(asyncResp->res);
1761 BMCWEB_LOG_ERROR << "Invalid firmware ID";
1762
1763 return;
1764 }
1765
1766 // As clarified by Redfish here:
1767 // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration
1768 // Users without ConfigureUsers, only see their own
1769 // account. Users with ConfigureUsers, see all
1770 // accounts.
1771 if (userCanSeeAllAccounts || (thisUser == user && userCanSeeSelf))
1772 {
1773 nlohmann::json::object_t member;
Patrick Williams89492a12023-05-10 07:51:34 -05001774 member["@odata.id"] = "/redfish/v1/AccountService/Accounts/" +
1775 user;
Patrick Williamsb2ba3072023-05-12 10:27:39 -05001776 memberArray.emplace_back(std::move(member));
Ed Tanous1ef4c342022-05-12 16:12:36 -07001777 }
1778 }
1779 asyncResp->res.jsonValue["Members@odata.count"] = memberArray.size();
George Liu5eb468d2023-06-20 17:03:24 +08001780 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001781}
1782
Ninad Palsule97e90da2023-05-17 14:04:52 -05001783inline void processAfterCreateUser(
1784 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1785 const std::string& username, const std::string& password,
1786 const boost::system::error_code& ec, sdbusplus::message_t& m)
1787{
1788 if (ec)
1789 {
1790 userErrorMessageHandler(m.get_error(), asyncResp, username, "");
1791 return;
1792 }
1793
1794 if (pamUpdatePassword(username, password) != PAM_SUCCESS)
1795 {
1796 // At this point we have a user that's been
1797 // created, but the password set
1798 // failed.Something is wrong, so delete the user
1799 // that we've already created
1800 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1801 tempObjPath /= username;
1802 const std::string userPath(tempObjPath);
1803
1804 crow::connections::systemBus->async_method_call(
1805 [asyncResp, password](const boost::system::error_code& ec3) {
1806 if (ec3)
1807 {
1808 messages::internalError(asyncResp->res);
1809 return;
1810 }
1811
1812 // If password is invalid
1813 messages::propertyValueFormatError(asyncResp->res, password,
1814 "Password");
1815 },
1816 "xyz.openbmc_project.User.Manager", userPath,
1817 "xyz.openbmc_project.Object.Delete", "Delete");
1818
1819 BMCWEB_LOG_ERROR << "pamUpdatePassword Failed";
1820 return;
1821 }
1822
1823 messages::created(asyncResp->res);
1824 asyncResp->res.addHeader("Location",
1825 "/redfish/v1/AccountService/Accounts/" + username);
1826}
1827
1828inline void processAfterGetAllGroups(
1829 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1830 const std::string& username, const std::string& password,
1831 const std::optional<std::string>& roleId, std::optional<bool> enabled,
Ninad Palsule9ba73932023-06-01 16:38:57 -05001832 std::optional<std::vector<std::string>> accountTypes,
Ninad Palsule97e90da2023-05-17 14:04:52 -05001833 const std::vector<std::string>& allGroupsList)
Ninad Palsule97e90da2023-05-17 14:04:52 -05001834{
Ninad Palsule3e72c202023-03-27 17:19:55 -05001835 std::vector<std::string> userGroups;
Ninad Palsule9ba73932023-06-01 16:38:57 -05001836 std::vector<std::string> accountTypeUserGroups;
1837
1838 // If user specified account types then convert them to unix user groups
1839 if (accountTypes)
1840 {
1841 if (!getUserGroupFromAccountType(asyncResp->res, *accountTypes,
1842 accountTypeUserGroups))
1843 {
1844 // Problem in mapping Account Types to User Groups, Error already
1845 // logged.
1846 return;
1847 }
1848 }
1849
Ninad Palsule3e72c202023-03-27 17:19:55 -05001850 for (const auto& grp : allGroupsList)
1851 {
Ninad Palsule9ba73932023-06-01 16:38:57 -05001852 // If user specified the account type then only accept groups which are
1853 // in the account types group list.
1854 if (!accountTypeUserGroups.empty())
1855 {
1856 bool found = false;
1857 for (const auto& grp1 : accountTypeUserGroups)
1858 {
1859 if (grp == grp1)
1860 {
1861 found = true;
1862 break;
1863 }
1864 }
1865 if (!found)
1866 {
1867 continue;
1868 }
1869 }
1870
Ninad Palsule3e72c202023-03-27 17:19:55 -05001871 // Console access is provided to the user who is a member of
1872 // hostconsole group and has a administrator role. So, set
1873 // hostconsole group only for the administrator.
Ninad Palsule9ba73932023-06-01 16:38:57 -05001874 if ((grp == "hostconsole") && (roleId != "priv-admin"))
Ninad Palsule3e72c202023-03-27 17:19:55 -05001875 {
Ninad Palsule9ba73932023-06-01 16:38:57 -05001876 if (!accountTypeUserGroups.empty())
1877 {
1878 BMCWEB_LOG_ERROR
1879 << "Only administrator can get HostConsole access";
1880 asyncResp->res.result(boost::beast::http::status::bad_request);
1881 return;
1882 }
1883 continue;
Ninad Palsule3e72c202023-03-27 17:19:55 -05001884 }
Ninad Palsule9ba73932023-06-01 16:38:57 -05001885 userGroups.emplace_back(grp);
1886 }
1887
1888 // Make sure user specified groups are valid. This is internal error because
1889 // it some inconsistencies between user manager and bmcweb.
1890 if (!accountTypeUserGroups.empty() &&
1891 accountTypeUserGroups.size() != userGroups.size())
1892 {
1893 messages::internalError(asyncResp->res);
1894 return;
Ninad Palsule3e72c202023-03-27 17:19:55 -05001895 }
1896
Ninad Palsule97e90da2023-05-17 14:04:52 -05001897 crow::connections::systemBus->async_method_call(
1898 [asyncResp, username, password](const boost::system::error_code& ec2,
1899 sdbusplus::message_t& m) {
1900 processAfterCreateUser(asyncResp, username, password, ec2, m);
1901 },
1902 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
Ninad Palsule3e72c202023-03-27 17:19:55 -05001903 "xyz.openbmc_project.User.Manager", "CreateUser", username, userGroups,
1904 *roleId, *enabled);
Ninad Palsule97e90da2023-05-17 14:04:52 -05001905}
1906
Ed Tanous1ef4c342022-05-12 16:12:36 -07001907inline void handleAccountCollectionPost(
1908 App& app, const crow::Request& req,
1909 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1910{
1911 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1912 {
1913 return;
1914 }
1915 std::string username;
1916 std::string password;
1917 std::optional<std::string> roleId("User");
1918 std::optional<bool> enabled = true;
Ninad Palsule9ba73932023-06-01 16:38:57 -05001919 std::optional<std::vector<std::string>> accountTypes;
1920 if (!json_util::readJsonPatch(
1921 req, asyncResp->res, "UserName", username, "Password", password,
1922 "RoleId", roleId, "Enabled", enabled, "AccountTypes", accountTypes))
Ed Tanous1ef4c342022-05-12 16:12:36 -07001923 {
1924 return;
1925 }
1926
1927 std::string priv = getPrivilegeFromRoleId(*roleId);
1928 if (priv.empty())
1929 {
1930 messages::propertyValueNotInList(asyncResp->res, *roleId, "RoleId");
1931 return;
1932 }
Asmitha Karunanithi239adf82022-03-25 02:59:03 -05001933 roleId = priv;
Ed Tanous1ef4c342022-05-12 16:12:36 -07001934
1935 // Reading AllGroups property
1936 sdbusplus::asio::getProperty<std::vector<std::string>>(
1937 *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1938 "/xyz/openbmc_project/user", "xyz.openbmc_project.User.Manager",
1939 "AllGroups",
Ninad Palsule9ba73932023-06-01 16:38:57 -05001940 [asyncResp, username, password{std::move(password)}, roleId, enabled,
1941 accountTypes](const boost::system::error_code& ec,
1942 const std::vector<std::string>& allGroupsList) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07001943 if (ec)
1944 {
1945 BMCWEB_LOG_DEBUG << "ERROR with async_method_call";
1946 messages::internalError(asyncResp->res);
1947 return;
1948 }
1949
1950 if (allGroupsList.empty())
1951 {
1952 messages::internalError(asyncResp->res);
1953 return;
1954 }
1955
Ninad Palsule97e90da2023-05-17 14:04:52 -05001956 processAfterGetAllGroups(asyncResp, username, password, roleId, enabled,
Ninad Palsule9ba73932023-06-01 16:38:57 -05001957 accountTypes, allGroupsList);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001958 });
1959}
1960
1961inline void
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001962 handleAccountHead(App& app, const crow::Request& req,
1963 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1964 const std::string& /*accountName*/)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001965{
1966 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1967 {
1968 return;
1969 }
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001970 asyncResp->res.addHeader(
1971 boost::beast::http::field::link,
1972 "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby");
1973}
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001974
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001975inline void
1976 handleAccountGet(App& app, const crow::Request& req,
1977 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1978 const std::string& accountName)
1979{
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001980 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1981 {
1982 return;
1983 }
1984 asyncResp->res.addHeader(
1985 boost::beast::http::field::link,
1986 "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby");
1987
Ed Tanous1ef4c342022-05-12 16:12:36 -07001988#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
1989 // If authentication is disabled, there are no user accounts
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08001990 messages::resourceNotFound(asyncResp->res, "ManagerAccount", accountName);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001991 return;
Ed Tanous1ef4c342022-05-12 16:12:36 -07001992#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001993
Ed Tanous1ef4c342022-05-12 16:12:36 -07001994 if (req.session == nullptr)
1995 {
1996 messages::internalError(asyncResp->res);
1997 return;
1998 }
1999 if (req.session->username != accountName)
2000 {
2001 // At this point we've determined that the user is trying to
2002 // modify a user that isn't them. We need to verify that they
2003 // have permissions to modify other users, so re-run the auth
2004 // check with the same permissions, minus ConfigureSelf.
2005 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05002006 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002007 Privileges requiredPermissionsToChangeNonSelf = {"ConfigureUsers",
2008 "ConfigureManager"};
2009 if (!effectiveUserPrivileges.isSupersetOf(
2010 requiredPermissionsToChangeNonSelf))
2011 {
2012 BMCWEB_LOG_DEBUG << "GET Account denied access";
2013 messages::insufficientPrivilege(asyncResp->res);
2014 return;
2015 }
2016 }
2017
George Liu5eb468d2023-06-20 17:03:24 +08002018 sdbusplus::message::object_path path("/xyz/openbmc_project/user");
2019 dbus::utility::getManagedObjects(
2020 "xyz.openbmc_project.User.Manager", path,
Ed Tanous1ef4c342022-05-12 16:12:36 -07002021 [asyncResp,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08002022 accountName](const boost::system::error_code& ec,
Ed Tanous1ef4c342022-05-12 16:12:36 -07002023 const dbus::utility::ManagedObjectType& users) {
2024 if (ec)
2025 {
2026 messages::internalError(asyncResp->res);
2027 return;
2028 }
2029 const auto userIt = std::find_if(
2030 users.begin(), users.end(),
2031 [accountName](
2032 const std::pair<sdbusplus::message::object_path,
2033 dbus::utility::DBusInteracesMap>& user) {
2034 return accountName == user.first.filename();
2035 });
2036
2037 if (userIt == users.end())
2038 {
2039 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
2040 accountName);
2041 return;
2042 }
2043
2044 asyncResp->res.jsonValue["@odata.type"] =
Abhishek Patel58345852022-02-02 08:54:25 -06002045 "#ManagerAccount.v1_7_0.ManagerAccount";
Ed Tanous1ef4c342022-05-12 16:12:36 -07002046 asyncResp->res.jsonValue["Name"] = "User Account";
2047 asyncResp->res.jsonValue["Description"] = "User Account";
2048 asyncResp->res.jsonValue["Password"] = nullptr;
Abhishek Patel58345852022-02-02 08:54:25 -06002049 asyncResp->res.jsonValue["StrictAccountTypes"] = true;
Ed Tanous1ef4c342022-05-12 16:12:36 -07002050
2051 for (const auto& interface : userIt->second)
2052 {
2053 if (interface.first == "xyz.openbmc_project.User.Attributes")
2054 {
2055 for (const auto& property : interface.second)
2056 {
2057 if (property.first == "UserEnabled")
2058 {
2059 const bool* userEnabled =
2060 std::get_if<bool>(&property.second);
2061 if (userEnabled == nullptr)
2062 {
2063 BMCWEB_LOG_ERROR << "UserEnabled wasn't a bool";
2064 messages::internalError(asyncResp->res);
2065 return;
2066 }
2067 asyncResp->res.jsonValue["Enabled"] = *userEnabled;
2068 }
2069 else if (property.first == "UserLockedForFailedAttempt")
2070 {
2071 const bool* userLocked =
2072 std::get_if<bool>(&property.second);
2073 if (userLocked == nullptr)
2074 {
2075 BMCWEB_LOG_ERROR << "UserLockedForF"
2076 "ailedAttempt "
2077 "wasn't a bool";
2078 messages::internalError(asyncResp->res);
2079 return;
2080 }
2081 asyncResp->res.jsonValue["Locked"] = *userLocked;
2082 asyncResp->res
2083 .jsonValue["Locked@Redfish.AllowableValues"] = {
2084 "false"}; // can only unlock accounts
2085 }
2086 else if (property.first == "UserPrivilege")
2087 {
2088 const std::string* userPrivPtr =
2089 std::get_if<std::string>(&property.second);
2090 if (userPrivPtr == nullptr)
2091 {
2092 BMCWEB_LOG_ERROR << "UserPrivilege wasn't a "
2093 "string";
2094 messages::internalError(asyncResp->res);
2095 return;
2096 }
2097 std::string role = getRoleIdFromPrivilege(*userPrivPtr);
2098 if (role.empty())
2099 {
2100 BMCWEB_LOG_ERROR << "Invalid user role";
2101 messages::internalError(asyncResp->res);
2102 return;
2103 }
2104 asyncResp->res.jsonValue["RoleId"] = role;
2105
2106 nlohmann::json& roleEntry =
2107 asyncResp->res.jsonValue["Links"]["Role"];
2108 roleEntry["@odata.id"] =
2109 "/redfish/v1/AccountService/Roles/" + role;
2110 }
2111 else if (property.first == "UserPasswordExpired")
2112 {
2113 const bool* userPasswordExpired =
2114 std::get_if<bool>(&property.second);
2115 if (userPasswordExpired == nullptr)
2116 {
2117 BMCWEB_LOG_ERROR
2118 << "UserPasswordExpired wasn't a bool";
2119 messages::internalError(asyncResp->res);
2120 return;
2121 }
2122 asyncResp->res.jsonValue["PasswordChangeRequired"] =
2123 *userPasswordExpired;
2124 }
Abhishek Patelc7229812022-02-01 10:07:15 -06002125 else if (property.first == "UserGroups")
2126 {
2127 const std::vector<std::string>* userGroups =
2128 std::get_if<std::vector<std::string>>(
2129 &property.second);
2130 if (userGroups == nullptr)
2131 {
2132 BMCWEB_LOG_ERROR
2133 << "userGroups wasn't a string vector";
2134 messages::internalError(asyncResp->res);
2135 return;
2136 }
2137 if (!translateUserGroup(*userGroups, asyncResp->res))
2138 {
2139 BMCWEB_LOG_ERROR << "userGroups mapping failed";
2140 messages::internalError(asyncResp->res);
2141 return;
2142 }
2143 }
Ed Tanous1ef4c342022-05-12 16:12:36 -07002144 }
2145 }
2146 }
2147
2148 asyncResp->res.jsonValue["@odata.id"] =
2149 "/redfish/v1/AccountService/Accounts/" + accountName;
2150 asyncResp->res.jsonValue["Id"] = accountName;
2151 asyncResp->res.jsonValue["UserName"] = accountName;
George Liu5eb468d2023-06-20 17:03:24 +08002152 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07002153}
2154
2155inline void
Gunnar Mills20fc3072023-01-27 15:13:36 -06002156 handleAccountDelete(App& app, const crow::Request& req,
2157 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
2158 const std::string& username)
Ed Tanous1ef4c342022-05-12 16:12:36 -07002159{
2160 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
2161 {
2162 return;
2163 }
2164
2165#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
2166 // If authentication is disabled, there are no user accounts
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08002167 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002168 return;
2169
2170#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
2171 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
2172 tempObjPath /= username;
2173 const std::string userPath(tempObjPath);
2174
2175 crow::connections::systemBus->async_method_call(
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08002176 [asyncResp, username](const boost::system::error_code& ec) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07002177 if (ec)
2178 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08002179 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
Ed Tanous1ef4c342022-05-12 16:12:36 -07002180 username);
2181 return;
2182 }
2183
2184 messages::accountRemoved(asyncResp->res);
2185 },
2186 "xyz.openbmc_project.User.Manager", userPath,
2187 "xyz.openbmc_project.Object.Delete", "Delete");
2188}
2189
2190inline void
2191 handleAccountPatch(App& app, const crow::Request& req,
2192 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
2193 const std::string& username)
2194{
2195 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
2196 {
2197 return;
2198 }
2199#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
2200 // If authentication is disabled, there are no user accounts
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08002201 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002202 return;
2203
2204#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
2205 std::optional<std::string> newUserName;
2206 std::optional<std::string> password;
2207 std::optional<bool> enabled;
2208 std::optional<std::string> roleId;
2209 std::optional<bool> locked;
Abhishek Patel58345852022-02-02 08:54:25 -06002210 std::optional<std::vector<std::string>> accountTypes;
2211
2212 bool userSelf = (username == req.session->username);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002213
2214 if (req.session == nullptr)
2215 {
2216 messages::internalError(asyncResp->res);
2217 return;
2218 }
2219
2220 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05002221 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002222 Privileges configureUsers = {"ConfigureUsers"};
2223 bool userHasConfigureUsers =
2224 effectiveUserPrivileges.isSupersetOf(configureUsers);
2225 if (userHasConfigureUsers)
2226 {
2227 // Users with ConfigureUsers can modify for all users
Abhishek Patel58345852022-02-02 08:54:25 -06002228 if (!json_util::readJsonPatch(
2229 req, asyncResp->res, "UserName", newUserName, "Password",
2230 password, "RoleId", roleId, "Enabled", enabled, "Locked",
2231 locked, "AccountTypes", accountTypes))
Ed Tanous1ef4c342022-05-12 16:12:36 -07002232 {
2233 return;
2234 }
2235 }
2236 else
2237 {
2238 // ConfigureSelf accounts can only modify their own account
Abhishek Patel58345852022-02-02 08:54:25 -06002239 if (!userSelf)
Ed Tanous1ef4c342022-05-12 16:12:36 -07002240 {
2241 messages::insufficientPrivilege(asyncResp->res);
2242 return;
2243 }
2244
2245 // ConfigureSelf accounts can only modify their password
2246 if (!json_util::readJsonPatch(req, asyncResp->res, "Password",
2247 password))
2248 {
2249 return;
2250 }
2251 }
2252
2253 // if user name is not provided in the patch method or if it
2254 // matches the user name in the URI, then we are treating it as
2255 // updating user properties other then username. If username
2256 // provided doesn't match the URI, then we are treating this as
2257 // user rename request.
2258 if (!newUserName || (newUserName.value() == username))
2259 {
2260 updateUserProperties(asyncResp, username, password, enabled, roleId,
Abhishek Patel58345852022-02-02 08:54:25 -06002261 locked, accountTypes, userSelf);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002262 return;
2263 }
2264 crow::connections::systemBus->async_method_call(
2265 [asyncResp, username, password(std::move(password)),
2266 roleId(std::move(roleId)), enabled, newUser{std::string(*newUserName)},
Abhishek Patel58345852022-02-02 08:54:25 -06002267 locked, userSelf, accountTypes(std::move(accountTypes))](
2268 const boost::system::error_code ec, sdbusplus::message_t& m) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07002269 if (ec)
2270 {
2271 userErrorMessageHandler(m.get_error(), asyncResp, newUser,
2272 username);
2273 return;
2274 }
2275
2276 updateUserProperties(asyncResp, newUser, password, enabled, roleId,
Abhishek Patel58345852022-02-02 08:54:25 -06002277 locked, accountTypes, userSelf);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002278 },
2279 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
2280 "xyz.openbmc_project.User.Manager", "RenameUser", username,
2281 *newUserName);
2282}
2283
Ed Tanous6c51eab2021-06-03 12:30:29 -07002284inline void requestAccountServiceRoutes(App& app)
Ed Tanousb9b2e0b2018-09-13 13:47:50 -07002285{
Ed Tanous6c51eab2021-06-03 12:30:29 -07002286 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Ed Tanous4c7d4d32022-07-07 15:29:35 -07002287 .privileges(redfish::privileges::headAccountService)
2288 .methods(boost::beast::http::verb::head)(
2289 std::bind_front(handleAccountServiceHead, std::ref(app)));
2290
2291 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Ed Tanoused398212021-06-09 17:05:54 -07002292 .privileges(redfish::privileges::getAccountService)
Ed Tanous002d39b2022-05-31 08:59:27 -07002293 .methods(boost::beast::http::verb::get)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002294 std::bind_front(handleAccountServiceGet, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002295
Ed Tanousf5ffd802021-07-19 10:55:33 -07002296 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Gunnar Mills1ec43ee2022-01-04 15:39:52 -06002297 .privileges(redfish::privileges::patchAccountService)
Ed Tanousf5ffd802021-07-19 10:55:33 -07002298 .methods(boost::beast::http::verb::patch)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002299 std::bind_front(handleAccountServicePatch, std::ref(app)));
Ed Tanousf5ffd802021-07-19 10:55:33 -07002300
Ed Tanous6c51eab2021-06-03 12:30:29 -07002301 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanous4c7d4d32022-07-07 15:29:35 -07002302 .privileges(redfish::privileges::headManagerAccountCollection)
2303 .methods(boost::beast::http::verb::head)(
2304 std::bind_front(handleAccountCollectionHead, std::ref(app)));
2305
2306 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanoused398212021-06-09 17:05:54 -07002307 .privileges(redfish::privileges::getManagerAccountCollection)
Ed Tanous6c51eab2021-06-03 12:30:29 -07002308 .methods(boost::beast::http::verb::get)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002309 std::bind_front(handleAccountCollectionGet, std::ref(app)));
Ed Tanous06e086d2018-09-19 17:19:52 -07002310
Ed Tanous6c51eab2021-06-03 12:30:29 -07002311 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanoused398212021-06-09 17:05:54 -07002312 .privileges(redfish::privileges::postManagerAccountCollection)
Ed Tanous002d39b2022-05-31 08:59:27 -07002313 .methods(boost::beast::http::verb::post)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002314 std::bind_front(handleAccountCollectionPost, std::ref(app)));
Ed Tanous002d39b2022-05-31 08:59:27 -07002315
2316 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanous4c7d4d32022-07-07 15:29:35 -07002317 .privileges(redfish::privileges::headManagerAccount)
2318 .methods(boost::beast::http::verb::head)(
2319 std::bind_front(handleAccountHead, std::ref(app)));
2320
2321 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanous002d39b2022-05-31 08:59:27 -07002322 .privileges(redfish::privileges::getManagerAccount)
2323 .methods(boost::beast::http::verb::get)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002324 std::bind_front(handleAccountGet, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002325
2326 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -07002327 // TODO this privilege should be using the generated endpoints, but
2328 // because of the special handling of ConfigureSelf, it's not able to
2329 // yet
Ed Tanous6c51eab2021-06-03 12:30:29 -07002330 .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}})
2331 .methods(boost::beast::http::verb::patch)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002332 std::bind_front(handleAccountPatch, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002333
2334 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -07002335 .privileges(redfish::privileges::deleteManagerAccount)
Ed Tanous6c51eab2021-06-03 12:30:29 -07002336 .methods(boost::beast::http::verb::delete_)(
Gunnar Mills20fc3072023-01-27 15:13:36 -06002337 std::bind_front(handleAccountDelete, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002338}
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +01002339
Ed Tanous1abe55e2018-09-05 08:30:59 -07002340} // namespace redfish