blob: edf3cf7ef252c3e1d253d2e5bd34375ce7528a6b [file] [log] [blame]
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +01001/*
2// Copyright (c) 2018 Intel Corporation
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15*/
16#pragma once
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +010017
Ed Tanous3ccb3ad2023-01-13 17:40:03 -080018#include "app.hpp"
19#include "dbus_utility.hpp"
20#include "error_messages.hpp"
Ed Tanous0ec8b832022-03-14 14:56:47 -070021#include "generated/enums/account_service.hpp"
Ed Tanous3ccb3ad2023-01-13 17:40:03 -080022#include "openbmc_dbus_rest.hpp"
23#include "persistent_data.hpp"
24#include "query.hpp"
Ed Tanous0ec8b832022-03-14 14:56:47 -070025#include "registries/privilege_registry.hpp"
Ed Tanous3ccb3ad2023-01-13 17:40:03 -080026#include "utils/dbus_utils.hpp"
27#include "utils/json_utils.hpp"
Ed Tanous0ec8b832022-03-14 14:56:47 -070028
Jonathan Doman1e1e5982021-06-11 09:36:17 -070029#include <sdbusplus/asio/property.hpp>
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +020030#include <sdbusplus/unpack_properties.hpp>
Gunnar Mills1214b7e2020-06-04 10:11:30 -050031
George Liu2b731192023-01-11 16:27:13 +080032#include <array>
Abhishek Patelc7229812022-02-01 10:07:15 -060033#include <optional>
Ed Tanous3544d2a2023-08-06 18:12:20 -070034#include <ranges>
Abhishek Patelc7229812022-02-01 10:07:15 -060035#include <string>
George Liu2b731192023-01-11 16:27:13 +080036#include <string_view>
Abhishek Patelc7229812022-02-01 10:07:15 -060037#include <vector>
38
Ed Tanous1abe55e2018-09-05 08:30:59 -070039namespace redfish
40{
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +010041
Ed Tanous23a21a12020-07-25 04:45:05 +000042constexpr const char* ldapConfigObjectName =
Ratan Gupta6973a582018-12-13 18:25:44 +053043 "/xyz/openbmc_project/user/ldap/openldap";
Ed Tanous2c70f802020-09-28 14:29:23 -070044constexpr const char* adConfigObject =
Ratan Guptaab828d72019-04-22 14:18:33 +053045 "/xyz/openbmc_project/user/ldap/active_directory";
46
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +053047constexpr const char* rootUserDbusPath = "/xyz/openbmc_project/user/";
Ratan Gupta6973a582018-12-13 18:25:44 +053048constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap";
49constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config";
50constexpr const char* ldapConfigInterface =
51 "xyz.openbmc_project.User.Ldap.Config";
52constexpr const char* ldapCreateInterface =
53 "xyz.openbmc_project.User.Ldap.Create";
54constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable";
Ratan Gupta06785242019-07-26 22:30:16 +053055constexpr const char* ldapPrivMapperInterface =
56 "xyz.openbmc_project.User.PrivilegeMapper";
Ratan Gupta6973a582018-12-13 18:25:44 +053057
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060058struct LDAPRoleMapData
59{
60 std::string groupName;
61 std::string privilege;
62};
63
Ratan Gupta6973a582018-12-13 18:25:44 +053064struct LDAPConfigData
65{
Ed Tanous47f29342024-03-19 12:18:06 -070066 std::string uri;
67 std::string bindDN;
68 std::string baseDN;
69 std::string searchScope;
70 std::string serverType;
Ratan Gupta6973a582018-12-13 18:25:44 +053071 bool serviceEnabled = false;
Ed Tanous47f29342024-03-19 12:18:06 -070072 std::string userNameAttribute;
73 std::string groupAttribute;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060074 std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList;
Ratan Gupta6973a582018-12-13 18:25:44 +053075};
76
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060077inline std::string getRoleIdFromPrivilege(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +053078{
79 if (role == "priv-admin")
80 {
81 return "Administrator";
82 }
Ed Tanous3174e4d2020-10-07 11:41:22 -070083 if (role == "priv-user")
AppaRao Puli84e12cb2018-10-11 01:28:15 +053084 {
AppaRao Pulic80fee52019-10-16 14:49:36 +053085 return "ReadOnly";
AppaRao Puli84e12cb2018-10-11 01:28:15 +053086 }
Ed Tanous3174e4d2020-10-07 11:41:22 -070087 if (role == "priv-operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +053088 {
89 return "Operator";
90 }
91 return "";
92}
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -060093inline std::string getPrivilegeFromRoleId(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +053094{
95 if (role == "Administrator")
96 {
97 return "priv-admin";
98 }
Ed Tanous3174e4d2020-10-07 11:41:22 -070099 if (role == "ReadOnly")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530100 {
101 return "priv-user";
102 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700103 if (role == "Operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530104 {
105 return "priv-operator";
106 }
107 return "";
108}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700109
Abhishek Patelc7229812022-02-01 10:07:15 -0600110/**
111 * @brief Maps user group names retrieved from D-Bus object to
112 * Account Types.
113 *
114 * @param[in] userGroups List of User groups
115 * @param[out] res AccountTypes populated
116 *
117 * @return true in case of success, false if UserGroups contains
118 * invalid group name(s).
119 */
120inline bool translateUserGroup(const std::vector<std::string>& userGroups,
121 crow::Response& res)
122{
123 std::vector<std::string> accountTypes;
124 for (const auto& userGroup : userGroups)
125 {
126 if (userGroup == "redfish")
127 {
128 accountTypes.emplace_back("Redfish");
129 accountTypes.emplace_back("WebUI");
130 }
131 else if (userGroup == "ipmi")
132 {
133 accountTypes.emplace_back("IPMI");
134 }
135 else if (userGroup == "ssh")
136 {
Abhishek Patelc7229812022-02-01 10:07:15 -0600137 accountTypes.emplace_back("ManagerConsole");
138 }
Ninad Palsule3e72c202023-03-27 17:19:55 -0500139 else if (userGroup == "hostconsole")
140 {
141 // The hostconsole group controls who can access the host console
142 // port via ssh and websocket.
143 accountTypes.emplace_back("HostConsole");
144 }
Abhishek Patelc7229812022-02-01 10:07:15 -0600145 else if (userGroup == "web")
146 {
147 // 'web' is one of the valid groups in the UserGroups property of
148 // the user account in the D-Bus object. This group is currently not
149 // doing anything, and is considered to be equivalent to 'redfish'.
150 // 'redfish' user group is mapped to 'Redfish'and 'WebUI'
151 // AccountTypes, so do nothing here...
152 }
153 else
154 {
Ed Tanous8ece0e42024-01-02 13:16:50 -0800155 // Invalid user group name. Caller throws an exception.
Abhishek Patelc7229812022-02-01 10:07:15 -0600156 return false;
157 }
158 }
159
160 res.jsonValue["AccountTypes"] = std::move(accountTypes);
161 return true;
162}
163
Abhishek Patel58345852022-02-02 08:54:25 -0600164/**
165 * @brief Builds User Groups from the Account Types
166 *
167 * @param[in] asyncResp Async Response
168 * @param[in] accountTypes List of Account Types
169 * @param[out] userGroups List of User Groups mapped from Account Types
170 *
171 * @return true if Account Types mapped to User Groups, false otherwise.
172 */
173inline bool
174 getUserGroupFromAccountType(crow::Response& res,
175 const std::vector<std::string>& accountTypes,
176 std::vector<std::string>& userGroups)
177{
178 // Need both Redfish and WebUI Account Types to map to 'redfish' User Group
179 bool redfishType = false;
180 bool webUIType = false;
181
182 for (const auto& accountType : accountTypes)
183 {
184 if (accountType == "Redfish")
185 {
186 redfishType = true;
187 }
188 else if (accountType == "WebUI")
189 {
190 webUIType = true;
191 }
192 else if (accountType == "IPMI")
193 {
194 userGroups.emplace_back("ipmi");
195 }
196 else if (accountType == "HostConsole")
197 {
198 userGroups.emplace_back("hostconsole");
199 }
200 else if (accountType == "ManagerConsole")
201 {
202 userGroups.emplace_back("ssh");
203 }
204 else
205 {
206 // Invalid Account Type
207 messages::propertyValueNotInList(res, "AccountTypes", accountType);
208 return false;
209 }
210 }
211
212 // Both Redfish and WebUI Account Types are needed to PATCH
213 if (redfishType ^ webUIType)
214 {
Ed Tanous62598e32023-07-17 17:06:25 -0700215 BMCWEB_LOG_ERROR(
216 "Missing Redfish or WebUI Account Type to set redfish User Group");
Abhishek Patel58345852022-02-02 08:54:25 -0600217 messages::strictAccountTypes(res, "AccountTypes");
218 return false;
219 }
220
221 if (redfishType && webUIType)
222 {
223 userGroups.emplace_back("redfish");
224 }
225
226 return true;
227}
228
229/**
230 * @brief Sets UserGroups property of the user based on the Account Types
231 *
232 * @param[in] accountTypes List of User Account Types
233 * @param[in] asyncResp Async Response
234 * @param[in] dbusObjectPath D-Bus Object Path
235 * @param[in] userSelf true if User is updating OWN Account Types
236 */
237inline void
238 patchAccountTypes(const std::vector<std::string>& accountTypes,
239 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
240 const std::string& dbusObjectPath, bool userSelf)
241{
242 // Check if User is disabling own Redfish Account Type
243 if (userSelf &&
244 (accountTypes.cend() ==
245 std::find(accountTypes.cbegin(), accountTypes.cend(), "Redfish")))
246 {
Ed Tanous62598e32023-07-17 17:06:25 -0700247 BMCWEB_LOG_ERROR(
248 "User disabling OWN Redfish Account Type is not allowed");
Abhishek Patel58345852022-02-02 08:54:25 -0600249 messages::strictAccountTypes(asyncResp->res, "AccountTypes");
250 return;
251 }
252
253 std::vector<std::string> updatedUserGroups;
254 if (!getUserGroupFromAccountType(asyncResp->res, accountTypes,
255 updatedUserGroups))
256 {
257 // Problem in mapping Account Types to User Groups, Error already
258 // logged.
259 return;
260 }
Ed Tanousd02aad32024-02-13 14:43:34 -0800261 setDbusProperty(asyncResp, "xyz.openbmc_project.User.Manager",
262 dbusObjectPath, "xyz.openbmc_project.User.Attributes",
263 "UserGroups", "AccountTypes", updatedUserGroups);
Abhishek Patel58345852022-02-02 08:54:25 -0600264}
265
zhanghch058d1b46d2021-04-01 11:18:24 +0800266inline void userErrorMessageHandler(
267 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
268 const std::string& newUser, const std::string& username)
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000269{
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000270 if (e == nullptr)
271 {
272 messages::internalError(asyncResp->res);
273 return;
274 }
275
Manojkiran Eda055806b2020-11-03 09:36:28 +0530276 const char* errorMessage = e->name;
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000277 if (strcmp(errorMessage,
278 "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0)
279 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +0800280 messages::resourceAlreadyExists(asyncResp->res, "ManagerAccount",
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000281 "UserName", newUser);
282 }
283 else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
284 "UserNameDoesNotExist") == 0)
285 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +0800286 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000287 }
Ed Tanousd4d25792020-09-29 15:15:03 -0700288 else if ((strcmp(errorMessage,
289 "xyz.openbmc_project.Common.Error.InvalidArgument") ==
290 0) ||
George Liu0fda0f12021-11-16 10:06:17 +0800291 (strcmp(
292 errorMessage,
293 "xyz.openbmc_project.User.Common.Error.UserNameGroupFail") ==
294 0))
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000295 {
296 messages::propertyValueFormatError(asyncResp->res, newUser, "UserName");
297 }
298 else if (strcmp(errorMessage,
299 "xyz.openbmc_project.User.Common.Error.NoResource") == 0)
300 {
301 messages::createLimitReachedForResource(asyncResp->res);
302 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000303 else
304 {
Gunnar Millsb8ad5832023-10-02 16:26:07 -0500305 BMCWEB_LOG_ERROR("DBUS response error {}", errorMessage);
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000306 messages::internalError(asyncResp->res);
307 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000308}
309
Ed Tanous81ce6092020-12-17 16:54:55 +0000310inline void parseLDAPConfigData(nlohmann::json& jsonResponse,
Ed Tanous23a21a12020-07-25 04:45:05 +0000311 const LDAPConfigData& confData,
312 const std::string& ldapType)
Ratan Gupta6973a582018-12-13 18:25:44 +0530313{
Ed Tanous49cc2632024-03-20 12:49:15 -0700314 nlohmann::json::object_t ldap;
Ed Tanous14766872022-03-15 10:44:42 -0700315 ldap["ServiceEnabled"] = confData.serviceEnabled;
Ed Tanous49cc2632024-03-20 12:49:15 -0700316 nlohmann::json::array_t serviceAddresses;
317 serviceAddresses.emplace_back(confData.uri);
318 ldap["ServiceAddresses"] = std::move(serviceAddresses);
319
320 nlohmann::json::object_t authentication;
321 authentication["AuthenticationType"] =
Ed Tanous0ec8b832022-03-14 14:56:47 -0700322 account_service::AuthenticationTypes::UsernameAndPassword;
Ed Tanous49cc2632024-03-20 12:49:15 -0700323 authentication["Username"] = confData.bindDN;
324 authentication["Password"] = nullptr;
325 ldap["Authentication"] = std::move(authentication);
Ed Tanous14766872022-03-15 10:44:42 -0700326
Ed Tanous49cc2632024-03-20 12:49:15 -0700327 nlohmann::json::object_t ldapService;
328 nlohmann::json::object_t searchSettings;
329 nlohmann::json::array_t baseDistinguishedNames;
330 baseDistinguishedNames.emplace_back(confData.baseDN);
Ed Tanous14766872022-03-15 10:44:42 -0700331
Ed Tanous49cc2632024-03-20 12:49:15 -0700332 searchSettings["BaseDistinguishedNames"] =
333 std::move(baseDistinguishedNames);
334 searchSettings["UsernameAttribute"] = confData.userNameAttribute;
335 searchSettings["GroupsAttribute"] = confData.groupAttribute;
336 ldapService["SearchSettings"] = std::move(searchSettings);
337 ldap["LDAPService"] = std::move(ldapService);
338
339 nlohmann::json::array_t roleMapArray;
Ed Tanous9eb808c2022-01-25 10:19:23 -0800340 for (const auto& obj : confData.groupRoleList)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600341 {
Ed Tanous62598e32023-07-17 17:06:25 -0700342 BMCWEB_LOG_DEBUG("Pushing the data groupName={}", obj.second.groupName);
Ed Tanous613dabe2022-07-09 11:17:36 -0700343
Ed Tanous613dabe2022-07-09 11:17:36 -0700344 nlohmann::json::object_t remoteGroup;
345 remoteGroup["RemoteGroup"] = obj.second.groupName;
Jorge Cisneros329f0342022-11-04 16:26:25 +0000346 remoteGroup["LocalRole"] = getRoleIdFromPrivilege(obj.second.privilege);
347 roleMapArray.emplace_back(std::move(remoteGroup));
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600348 }
Ed Tanous49cc2632024-03-20 12:49:15 -0700349
350 ldap["RemoteRoleMapping"] = std::move(roleMapArray);
351
352 jsonResponse[ldapType].update(ldap);
Ratan Gupta6973a582018-12-13 18:25:44 +0530353}
354
355/**
Ratan Gupta06785242019-07-26 22:30:16 +0530356 * @brief validates given JSON input and then calls appropriate method to
357 * create, to delete or to set Rolemapping object based on the given input.
358 *
359 */
Ed Tanous23a21a12020-07-25 04:45:05 +0000360inline void handleRoleMapPatch(
zhanghch058d1b46d2021-04-01 11:18:24 +0800361 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
Ratan Gupta06785242019-07-26 22:30:16 +0530362 const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData,
Ed Tanousf23b7292020-10-15 09:41:17 -0700363 const std::string& serverType, const std::vector<nlohmann::json>& input)
Ratan Gupta06785242019-07-26 22:30:16 +0530364{
365 for (size_t index = 0; index < input.size(); index++)
366 {
Ed Tanousf23b7292020-10-15 09:41:17 -0700367 const nlohmann::json& thisJson = input[index];
Ratan Gupta06785242019-07-26 22:30:16 +0530368
369 if (thisJson.is_null())
370 {
371 // delete the existing object
372 if (index < roleMapObjData.size())
373 {
374 crow::connections::systemBus->async_method_call(
375 [asyncResp, roleMapObjData, serverType,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -0800376 index](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700377 if (ec)
378 {
Ed Tanous62598e32023-07-17 17:06:25 -0700379 BMCWEB_LOG_ERROR("DBUS response error: {}", ec);
Ed Tanous002d39b2022-05-31 08:59:27 -0700380 messages::internalError(asyncResp->res);
381 return;
382 }
Patrick Williams89492a12023-05-10 07:51:34 -0500383 asyncResp->res.jsonValue[serverType]["RemoteRoleMapping"]
384 [index] = nullptr;
Patrick Williams5a39f772023-10-20 11:20:21 -0500385 },
Ratan Gupta06785242019-07-26 22:30:16 +0530386 ldapDbusService, roleMapObjData[index].first,
387 "xyz.openbmc_project.Object.Delete", "Delete");
388 }
389 else
390 {
Ed Tanous62598e32023-07-17 17:06:25 -0700391 BMCWEB_LOG_ERROR("Can't delete the object");
Ed Tanous2e8c4bd2022-06-27 12:59:12 -0700392 messages::propertyValueTypeError(asyncResp->res, thisJson,
393 "RemoteRoleMapping/" +
394 std::to_string(index));
Ratan Gupta06785242019-07-26 22:30:16 +0530395 return;
396 }
397 }
398 else if (thisJson.empty())
399 {
400 // Don't do anything for the empty objects,parse next json
401 // eg {"RemoteRoleMapping",[{}]}
402 }
403 else
404 {
405 // update/create the object
406 std::optional<std::string> remoteGroup;
407 std::optional<std::string> localRole;
408
Ed Tanousf23b7292020-10-15 09:41:17 -0700409 // This is a copy, but it's required in this case because of how
410 // readJson is structured
411 nlohmann::json thisJsonCopy = thisJson;
412 if (!json_util::readJson(thisJsonCopy, asyncResp->res,
413 "RemoteGroup", remoteGroup, "LocalRole",
414 localRole))
Ratan Gupta06785242019-07-26 22:30:16 +0530415 {
416 continue;
417 }
418
419 // Update existing RoleMapping Object
420 if (index < roleMapObjData.size())
421 {
Ed Tanous62598e32023-07-17 17:06:25 -0700422 BMCWEB_LOG_DEBUG("Update Role Map Object");
Ratan Gupta06785242019-07-26 22:30:16 +0530423 // If "RemoteGroup" info is provided
424 if (remoteGroup)
425 {
Ed Tanousd02aad32024-02-13 14:43:34 -0800426 setDbusProperty(
427 asyncResp, ldapDbusService, roleMapObjData[index].first,
George Liu9ae226f2023-06-21 17:56:46 +0800428 "xyz.openbmc_project.User.PrivilegeMapperEntry",
Ed Tanousd02aad32024-02-13 14:43:34 -0800429 "GroupName",
430 std::format("RemoteRoleMapping/{}/RemoteGroup", index),
431 *remoteGroup);
Ratan Gupta06785242019-07-26 22:30:16 +0530432 }
433
434 // If "LocalRole" info is provided
435 if (localRole)
436 {
Ed Tanousd02aad32024-02-13 14:43:34 -0800437 setDbusProperty(
438 asyncResp, ldapDbusService, roleMapObjData[index].first,
George Liu9ae226f2023-06-21 17:56:46 +0800439 "xyz.openbmc_project.User.PrivilegeMapperEntry",
Ed Tanousd02aad32024-02-13 14:43:34 -0800440 "Privilege",
441 std::format("RemoteRoleMapping/{}/LocalRole", index),
442 *localRole);
Ratan Gupta06785242019-07-26 22:30:16 +0530443 }
444 }
445 // Create a new RoleMapping Object.
446 else
447 {
Ed Tanous62598e32023-07-17 17:06:25 -0700448 BMCWEB_LOG_DEBUG(
449 "setRoleMappingProperties: Creating new Object");
Patrick Williams89492a12023-05-10 07:51:34 -0500450 std::string pathString = "RemoteRoleMapping/" +
451 std::to_string(index);
Ratan Gupta06785242019-07-26 22:30:16 +0530452
453 if (!localRole)
454 {
455 messages::propertyMissing(asyncResp->res,
456 pathString + "/LocalRole");
457 continue;
458 }
459 if (!remoteGroup)
460 {
461 messages::propertyMissing(asyncResp->res,
462 pathString + "/RemoteGroup");
463 continue;
464 }
465
466 std::string dbusObjectPath;
467 if (serverType == "ActiveDirectory")
468 {
Ed Tanous2c70f802020-09-28 14:29:23 -0700469 dbusObjectPath = adConfigObject;
Ratan Gupta06785242019-07-26 22:30:16 +0530470 }
471 else if (serverType == "LDAP")
472 {
Ed Tanous23a21a12020-07-25 04:45:05 +0000473 dbusObjectPath = ldapConfigObjectName;
Ratan Gupta06785242019-07-26 22:30:16 +0530474 }
475
Ed Tanous62598e32023-07-17 17:06:25 -0700476 BMCWEB_LOG_DEBUG("Remote Group={},LocalRole={}", *remoteGroup,
477 *localRole);
Ratan Gupta06785242019-07-26 22:30:16 +0530478
479 crow::connections::systemBus->async_method_call(
Ed Tanous271584a2019-07-09 16:24:22 -0700480 [asyncResp, serverType, localRole,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -0800481 remoteGroup](const boost::system::error_code& ec) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700482 if (ec)
483 {
Ed Tanous62598e32023-07-17 17:06:25 -0700484 BMCWEB_LOG_ERROR("DBUS response error: {}", ec);
Ed Tanous002d39b2022-05-31 08:59:27 -0700485 messages::internalError(asyncResp->res);
486 return;
487 }
488 nlohmann::json& remoteRoleJson =
489 asyncResp->res
490 .jsonValue[serverType]["RemoteRoleMapping"];
491 nlohmann::json::object_t roleMapEntry;
492 roleMapEntry["LocalRole"] = *localRole;
493 roleMapEntry["RemoteGroup"] = *remoteGroup;
Patrick Williamsb2ba3072023-05-12 10:27:39 -0500494 remoteRoleJson.emplace_back(std::move(roleMapEntry));
Patrick Williams5a39f772023-10-20 11:20:21 -0500495 },
Ratan Gupta06785242019-07-26 22:30:16 +0530496 ldapDbusService, dbusObjectPath, ldapPrivMapperInterface,
Ed Tanous3174e4d2020-10-07 11:41:22 -0700497 "Create", *remoteGroup,
Ratan Gupta06785242019-07-26 22:30:16 +0530498 getPrivilegeFromRoleId(std::move(*localRole)));
499 }
500 }
501 }
502}
503
504/**
Ratan Gupta6973a582018-12-13 18:25:44 +0530505 * Function that retrieves all properties for LDAP config object
506 * into JSON
507 */
508template <typename CallbackFunc>
509inline void getLDAPConfigData(const std::string& ldapType,
510 CallbackFunc&& callback)
511{
George Liu2b731192023-01-11 16:27:13 +0800512 constexpr std::array<std::string_view, 2> interfaces = {
513 ldapEnableInterface, ldapConfigInterface};
Ratan Gupta6973a582018-12-13 18:25:44 +0530514
George Liu2b731192023-01-11 16:27:13 +0800515 dbus::utility::getDbusObject(
516 ldapConfigObjectName, interfaces,
517 [callback, ldapType](const boost::system::error_code& ec,
Ed Tanousb9d36b42022-02-26 21:42:46 -0800518 const dbus::utility::MapperGetObject& resp) {
Ed Tanous002d39b2022-05-31 08:59:27 -0700519 if (ec || resp.empty())
520 {
Carson Labradobf2dded2023-08-10 00:37:06 +0000521 BMCWEB_LOG_WARNING(
Ed Tanous62598e32023-07-17 17:06:25 -0700522 "DBUS response error during getting of service name: {}", ec);
Ed Tanous002d39b2022-05-31 08:59:27 -0700523 LDAPConfigData empty{};
524 callback(false, empty, ldapType);
525 return;
526 }
527 std::string service = resp.begin()->first;
George Liu5eb468d2023-06-20 17:03:24 +0800528 sdbusplus::message::object_path path(ldapRootObject);
529 dbus::utility::getManagedObjects(
530 service, path,
Ed Tanous002d39b2022-05-31 08:59:27 -0700531 [callback,
Ed Tanous8b242752023-06-27 17:17:13 -0700532 ldapType](const boost::system::error_code& ec2,
Ed Tanous002d39b2022-05-31 08:59:27 -0700533 const dbus::utility::ManagedObjectType& ldapObjects) {
534 LDAPConfigData confData{};
Ed Tanous8b242752023-06-27 17:17:13 -0700535 if (ec2)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600536 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700537 callback(false, confData, ldapType);
Carson Labradobf2dded2023-08-10 00:37:06 +0000538 BMCWEB_LOG_WARNING("D-Bus responses error: {}", ec2);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600539 return;
540 }
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600541
Ed Tanous002d39b2022-05-31 08:59:27 -0700542 std::string ldapDbusType;
543 std::string searchString;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600544
Ed Tanous002d39b2022-05-31 08:59:27 -0700545 if (ldapType == "LDAP")
546 {
547 ldapDbusType =
548 "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap";
549 searchString = "openldap";
550 }
551 else if (ldapType == "ActiveDirectory")
552 {
553 ldapDbusType =
554 "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory";
555 searchString = "active_directory";
556 }
557 else
558 {
Ed Tanous62598e32023-07-17 17:06:25 -0700559 BMCWEB_LOG_ERROR("Can't get the DbusType for the given type={}",
560 ldapType);
Ed Tanous002d39b2022-05-31 08:59:27 -0700561 callback(false, confData, ldapType);
562 return;
563 }
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600564
Ed Tanous002d39b2022-05-31 08:59:27 -0700565 std::string ldapEnableInterfaceStr = ldapEnableInterface;
566 std::string ldapConfigInterfaceStr = ldapConfigInterface;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600567
Ed Tanous002d39b2022-05-31 08:59:27 -0700568 for (const auto& object : ldapObjects)
569 {
570 // let's find the object whose ldap type is equal to the
571 // given type
572 if (object.first.str.find(searchString) == std::string::npos)
573 {
574 continue;
575 }
576
577 for (const auto& interface : object.second)
578 {
579 if (interface.first == ldapEnableInterfaceStr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600580 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700581 // rest of the properties are string.
582 for (const auto& property : interface.second)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600583 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700584 if (property.first == "Enabled")
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600585 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700586 const bool* value =
587 std::get_if<bool>(&property.second);
588 if (value == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600589 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700590 continue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600591 }
Ed Tanous002d39b2022-05-31 08:59:27 -0700592 confData.serviceEnabled = *value;
593 break;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600594 }
595 }
596 }
Ed Tanous002d39b2022-05-31 08:59:27 -0700597 else if (interface.first == ldapConfigInterfaceStr)
598 {
Ed Tanous002d39b2022-05-31 08:59:27 -0700599 for (const auto& property : interface.second)
600 {
601 const std::string* strValue =
602 std::get_if<std::string>(&property.second);
603 if (strValue == nullptr)
604 {
605 continue;
606 }
607 if (property.first == "LDAPServerURI")
608 {
609 confData.uri = *strValue;
610 }
611 else if (property.first == "LDAPBindDN")
612 {
613 confData.bindDN = *strValue;
614 }
615 else if (property.first == "LDAPBaseDN")
616 {
617 confData.baseDN = *strValue;
618 }
619 else if (property.first == "LDAPSearchScope")
620 {
621 confData.searchScope = *strValue;
622 }
623 else if (property.first == "GroupNameAttribute")
624 {
625 confData.groupAttribute = *strValue;
626 }
627 else if (property.first == "UserNameAttribute")
628 {
629 confData.userNameAttribute = *strValue;
630 }
631 else if (property.first == "LDAPType")
632 {
633 confData.serverType = *strValue;
634 }
635 }
636 }
637 else if (interface.first ==
638 "xyz.openbmc_project.User.PrivilegeMapperEntry")
639 {
640 LDAPRoleMapData roleMapData{};
641 for (const auto& property : interface.second)
642 {
643 const std::string* strValue =
644 std::get_if<std::string>(&property.second);
645
646 if (strValue == nullptr)
647 {
648 continue;
649 }
650
651 if (property.first == "GroupName")
652 {
653 roleMapData.groupName = *strValue;
654 }
655 else if (property.first == "Privilege")
656 {
657 roleMapData.privilege = *strValue;
658 }
659 }
660
661 confData.groupRoleList.emplace_back(object.first.str,
662 roleMapData);
663 }
664 }
665 }
666 callback(true, confData, ldapType);
George Liu2b731192023-01-11 16:27:13 +0800667 });
Patrick Williams5a39f772023-10-20 11:20:21 -0500668 });
Ratan Gupta6973a582018-12-13 18:25:44 +0530669}
670
Ed Tanous6c51eab2021-06-03 12:30:29 -0700671/**
672 * @brief parses the authentication section under the LDAP
673 * @param input JSON data
674 * @param asyncResp pointer to the JSON response
675 * @param userName userName to be filled from the given JSON.
676 * @param password password to be filled from the given JSON.
677 */
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700678inline void parseLDAPAuthenticationJson(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700679 nlohmann::json input, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
680 std::optional<std::string>& username, std::optional<std::string>& password)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700681{
Ed Tanous6c51eab2021-06-03 12:30:29 -0700682 std::optional<std::string> authType;
683
684 if (!json_util::readJson(input, asyncResp->res, "AuthenticationType",
685 authType, "Username", username, "Password",
686 password))
Ed Tanous1abe55e2018-09-05 08:30:59 -0700687 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700688 return;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700689 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700690 if (!authType)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530691 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700692 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530693 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700694 if (*authType != "UsernameAndPassword")
Ratan Gupta8a07d282019-03-16 08:33:47 +0530695 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700696 messages::propertyValueNotInList(asyncResp->res, *authType,
697 "AuthenticationType");
698 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530699 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700700}
701/**
702 * @brief parses the LDAPService section under the LDAP
703 * @param input JSON data
704 * @param asyncResp pointer to the JSON response
705 * @param baseDNList baseDN to be filled from the given JSON.
706 * @param userNameAttribute userName to be filled from the given JSON.
707 * @param groupaAttribute password to be filled from the given JSON.
708 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530709
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700710inline void
711 parseLDAPServiceJson(nlohmann::json input,
712 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
713 std::optional<std::vector<std::string>>& baseDNList,
714 std::optional<std::string>& userNameAttribute,
715 std::optional<std::string>& groupsAttribute)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700716{
717 std::optional<nlohmann::json> searchSettings;
718
719 if (!json_util::readJson(input, asyncResp->res, "SearchSettings",
720 searchSettings))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530721 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700722 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530723 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700724 if (!searchSettings)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530725 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700726 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530727 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700728 if (!json_util::readJson(*searchSettings, asyncResp->res,
729 "BaseDistinguishedNames", baseDNList,
730 "UsernameAttribute", userNameAttribute,
731 "GroupsAttribute", groupsAttribute))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530732 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700733 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530734 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700735}
736/**
737 * @brief updates the LDAP server address and updates the
738 json response with the new value.
739 * @param serviceAddressList address to be updated.
740 * @param asyncResp pointer to the JSON response
741 * @param ldapServerElementName Type of LDAP
742 server(openLDAP/ActiveDirectory)
743 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530744
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700745inline void handleServiceAddressPatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700746 const std::vector<std::string>& serviceAddressList,
747 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
748 const std::string& ldapServerElementName,
749 const std::string& ldapConfigObject)
750{
Ed Tanousd02aad32024-02-13 14:43:34 -0800751 setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject,
752 ldapConfigInterface, "LDAPServerURI",
753 ldapServerElementName + "/ServiceAddress",
754 serviceAddressList.front());
Ed Tanous6c51eab2021-06-03 12:30:29 -0700755}
756/**
757 * @brief updates the LDAP Bind DN and updates the
758 json response with the new value.
759 * @param username name of the user which needs to be updated.
760 * @param asyncResp pointer to the JSON response
761 * @param ldapServerElementName Type of LDAP
762 server(openLDAP/ActiveDirectory)
763 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530764
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700765inline void
766 handleUserNamePatch(const std::string& username,
767 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
768 const std::string& ldapServerElementName,
769 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700770{
Ed Tanousd02aad32024-02-13 14:43:34 -0800771 setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject,
772 ldapConfigInterface, "LDAPBindDN",
773 ldapServerElementName + "/Authentication/Username",
774 username);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700775}
776
777/**
778 * @brief updates the LDAP password
779 * @param password : ldap password which needs to be updated.
780 * @param asyncResp pointer to the JSON response
781 * @param ldapServerElementName Type of LDAP
782 * server(openLDAP/ActiveDirectory)
783 */
784
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700785inline void
786 handlePasswordPatch(const std::string& password,
787 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
788 const std::string& ldapServerElementName,
789 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700790{
Ed Tanousd02aad32024-02-13 14:43:34 -0800791 setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject,
792 ldapConfigInterface, "LDAPBindDNPassword",
793 ldapServerElementName + "/Authentication/Password",
794 password);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700795}
796
797/**
798 * @brief updates the LDAP BaseDN and updates the
799 json response with the new value.
800 * @param baseDNList baseDN list which needs to be updated.
801 * @param asyncResp pointer to the JSON response
802 * @param ldapServerElementName Type of LDAP
803 server(openLDAP/ActiveDirectory)
804 */
805
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700806inline void
807 handleBaseDNPatch(const std::vector<std::string>& baseDNList,
808 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
809 const std::string& ldapServerElementName,
810 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700811{
Ed Tanousd02aad32024-02-13 14:43:34 -0800812 setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject,
813 ldapConfigInterface, "LDAPBaseDN",
814 ldapServerElementName +
815 "/LDAPService/SearchSettings/BaseDistinguishedNames",
816 baseDNList.front());
Ed Tanous6c51eab2021-06-03 12:30:29 -0700817}
818/**
819 * @brief updates the LDAP user name attribute and updates the
820 json response with the new value.
821 * @param userNameAttribute attribute to be updated.
822 * @param asyncResp pointer to the JSON response
823 * @param ldapServerElementName Type of LDAP
824 server(openLDAP/ActiveDirectory)
825 */
826
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700827inline void
828 handleUserNameAttrPatch(const std::string& userNameAttribute,
829 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
830 const std::string& ldapServerElementName,
831 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700832{
Ed Tanousd02aad32024-02-13 14:43:34 -0800833 setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject,
834 ldapConfigInterface, "UserNameAttribute",
835 ldapServerElementName +
836 "LDAPService/SearchSettings/UsernameAttribute",
837 userNameAttribute);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700838}
839/**
840 * @brief updates the LDAP group attribute and updates the
841 json response with the new value.
842 * @param groupsAttribute attribute to be updated.
843 * @param asyncResp pointer to the JSON response
844 * @param ldapServerElementName Type of LDAP
845 server(openLDAP/ActiveDirectory)
846 */
847
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700848inline void handleGroupNameAttrPatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700849 const std::string& groupsAttribute,
850 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
851 const std::string& ldapServerElementName,
852 const std::string& ldapConfigObject)
853{
Ed Tanousd02aad32024-02-13 14:43:34 -0800854 setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject,
855 ldapConfigInterface, "GroupNameAttribute",
856 ldapServerElementName +
857 "/LDAPService/SearchSettings/GroupsAttribute",
858 groupsAttribute);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700859}
860/**
861 * @brief updates the LDAP service enable and updates the
862 json response with the new value.
863 * @param input JSON data.
864 * @param asyncResp pointer to the JSON response
865 * @param ldapServerElementName Type of LDAP
866 server(openLDAP/ActiveDirectory)
867 */
868
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700869inline void handleServiceEnablePatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700870 bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
871 const std::string& ldapServerElementName,
872 const std::string& ldapConfigObject)
873{
Ed Tanousd02aad32024-02-13 14:43:34 -0800874 setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject,
875 ldapEnableInterface, "Enabled",
876 ldapServerElementName + "/ServiceEnabled", serviceEnabled);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700877}
878
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700879inline void
880 handleAuthMethodsPatch(nlohmann::json& input,
881 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700882{
883 std::optional<bool> basicAuth;
884 std::optional<bool> cookie;
885 std::optional<bool> sessionToken;
886 std::optional<bool> xToken;
887 std::optional<bool> tls;
888
889 if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth,
890 "Cookie", cookie, "SessionToken", sessionToken,
891 "XToken", xToken, "TLS", tls))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530892 {
Ed Tanous62598e32023-07-17 17:06:25 -0700893 BMCWEB_LOG_ERROR("Cannot read values from AuthMethod tag");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700894 return;
895 }
896
897 // Make a copy of methods configuration
898 persistent_data::AuthConfigMethods authMethodsConfig =
899 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
900
901 if (basicAuth)
902 {
903#ifndef BMCWEB_ENABLE_BASIC_AUTHENTICATION
904 messages::actionNotSupported(
George Liu0fda0f12021-11-16 10:06:17 +0800905 asyncResp->res,
906 "Setting BasicAuth when basic-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700907 return;
908#endif
909 authMethodsConfig.basic = *basicAuth;
910 }
911
912 if (cookie)
913 {
914#ifndef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
George Liu0fda0f12021-11-16 10:06:17 +0800915 messages::actionNotSupported(
916 asyncResp->res,
917 "Setting Cookie when cookie-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700918 return;
919#endif
920 authMethodsConfig.cookie = *cookie;
921 }
922
923 if (sessionToken)
924 {
925#ifndef BMCWEB_ENABLE_SESSION_AUTHENTICATION
926 messages::actionNotSupported(
George Liu0fda0f12021-11-16 10:06:17 +0800927 asyncResp->res,
928 "Setting SessionToken when session-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700929 return;
930#endif
931 authMethodsConfig.sessionToken = *sessionToken;
932 }
933
934 if (xToken)
935 {
936#ifndef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
George Liu0fda0f12021-11-16 10:06:17 +0800937 messages::actionNotSupported(
938 asyncResp->res,
939 "Setting XToken when xtoken-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700940 return;
941#endif
942 authMethodsConfig.xtoken = *xToken;
943 }
944
945 if (tls)
946 {
947#ifndef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
George Liu0fda0f12021-11-16 10:06:17 +0800948 messages::actionNotSupported(
949 asyncResp->res,
950 "Setting TLS when mutual-tls-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700951 return;
952#endif
953 authMethodsConfig.tls = *tls;
954 }
955
956 if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
957 !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
958 !authMethodsConfig.tls)
959 {
960 // Do not allow user to disable everything
961 messages::actionNotSupported(asyncResp->res,
962 "of disabling all available methods");
963 return;
964 }
965
966 persistent_data::SessionStore::getInstance().updateAuthMethodsConfig(
967 authMethodsConfig);
968 // Save configuration immediately
969 persistent_data::getConfig().writeData();
970
971 messages::success(asyncResp->res);
972}
973
974/**
975 * @brief Get the required values from the given JSON, validates the
976 * value and create the LDAP config object.
977 * @param input JSON data
978 * @param asyncResp pointer to the JSON response
979 * @param serverType Type of LDAP server(openLDAP/ActiveDirectory)
980 */
981
982inline void handleLDAPPatch(nlohmann::json& input,
983 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
984 const std::string& serverType)
985{
986 std::string dbusObjectPath;
987 if (serverType == "ActiveDirectory")
988 {
989 dbusObjectPath = adConfigObject;
990 }
991 else if (serverType == "LDAP")
992 {
993 dbusObjectPath = ldapConfigObjectName;
994 }
995 else
996 {
997 return;
998 }
999
1000 std::optional<nlohmann::json> authentication;
1001 std::optional<nlohmann::json> ldapService;
1002 std::optional<std::vector<std::string>> serviceAddressList;
1003 std::optional<bool> serviceEnabled;
1004 std::optional<std::vector<std::string>> baseDNList;
1005 std::optional<std::string> userNameAttribute;
1006 std::optional<std::string> groupsAttribute;
1007 std::optional<std::string> userName;
1008 std::optional<std::string> password;
1009 std::optional<std::vector<nlohmann::json>> remoteRoleMapData;
1010
1011 if (!json_util::readJson(input, asyncResp->res, "Authentication",
1012 authentication, "LDAPService", ldapService,
1013 "ServiceAddresses", serviceAddressList,
1014 "ServiceEnabled", serviceEnabled,
1015 "RemoteRoleMapping", remoteRoleMapData))
1016 {
1017 return;
1018 }
1019
1020 if (authentication)
1021 {
1022 parseLDAPAuthenticationJson(*authentication, asyncResp, userName,
1023 password);
1024 }
1025 if (ldapService)
1026 {
1027 parseLDAPServiceJson(*ldapService, asyncResp, baseDNList,
1028 userNameAttribute, groupsAttribute);
1029 }
1030 if (serviceAddressList)
1031 {
Ed Tanous26f69762022-01-25 09:49:11 -08001032 if (serviceAddressList->empty())
Ratan Guptaeb2bbe52019-04-22 14:27:01 +05301033 {
Ed Tanouse2616cc2022-06-27 12:45:55 -07001034 messages::propertyValueNotInList(
1035 asyncResp->res, *serviceAddressList, "ServiceAddress");
Ed Tanouscb13a392020-07-25 19:02:03 +00001036 return;
1037 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001038 }
1039 if (baseDNList)
1040 {
Ed Tanous26f69762022-01-25 09:49:11 -08001041 if (baseDNList->empty())
Ratan Gupta8a07d282019-03-16 08:33:47 +05301042 {
Ed Tanouse2616cc2022-06-27 12:45:55 -07001043 messages::propertyValueNotInList(asyncResp->res, *baseDNList,
Ed Tanous6c51eab2021-06-03 12:30:29 -07001044 "BaseDistinguishedNames");
Ratan Gupta8a07d282019-03-16 08:33:47 +05301045 return;
1046 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001047 }
Ratan Gupta8a07d282019-03-16 08:33:47 +05301048
Ed Tanous6c51eab2021-06-03 12:30:29 -07001049 // nothing to update, then return
1050 if (!userName && !password && !serviceAddressList && !baseDNList &&
1051 !userNameAttribute && !groupsAttribute && !serviceEnabled &&
1052 !remoteRoleMapData)
1053 {
1054 return;
1055 }
1056
1057 // Get the existing resource first then keep modifying
1058 // whenever any property gets updated.
Ed Tanous002d39b2022-05-31 08:59:27 -07001059 getLDAPConfigData(
1060 serverType,
1061 [asyncResp, userName, password, baseDNList, userNameAttribute,
1062 groupsAttribute, serviceAddressList, serviceEnabled, dbusObjectPath,
1063 remoteRoleMapData](bool success, const LDAPConfigData& confData,
1064 const std::string& serverT) {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001065 if (!success)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301066 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001067 messages::internalError(asyncResp->res);
1068 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +05301069 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001070 parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT);
1071 if (confData.serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301072 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001073 // Disable the service first and update the rest of
1074 // the properties.
1075 handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +05301076 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001077
Ratan Gupta8a07d282019-03-16 08:33:47 +05301078 if (serviceAddressList)
1079 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001080 handleServiceAddressPatch(*serviceAddressList, asyncResp, serverT,
1081 dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +05301082 }
Ed Tanous6c51eab2021-06-03 12:30:29 -07001083 if (userName)
1084 {
1085 handleUserNamePatch(*userName, asyncResp, serverT, dbusObjectPath);
1086 }
1087 if (password)
1088 {
1089 handlePasswordPatch(*password, asyncResp, serverT, dbusObjectPath);
1090 }
1091
Ratan Gupta8a07d282019-03-16 08:33:47 +05301092 if (baseDNList)
1093 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001094 handleBaseDNPatch(*baseDNList, asyncResp, serverT, dbusObjectPath);
1095 }
1096 if (userNameAttribute)
1097 {
1098 handleUserNameAttrPatch(*userNameAttribute, asyncResp, serverT,
1099 dbusObjectPath);
1100 }
1101 if (groupsAttribute)
1102 {
1103 handleGroupNameAttrPatch(*groupsAttribute, asyncResp, serverT,
1104 dbusObjectPath);
1105 }
1106 if (serviceEnabled)
1107 {
1108 // if user has given the value as true then enable
1109 // the service. if user has given false then no-op
1110 // as service is already stopped.
1111 if (*serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +05301112 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001113 handleServiceEnablePatch(*serviceEnabled, asyncResp, serverT,
1114 dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +05301115 }
1116 }
jayaprakash Mutyala96200602020-04-08 11:09:10 +00001117 else
1118 {
Ed Tanous6c51eab2021-06-03 12:30:29 -07001119 // if user has not given the service enabled value
1120 // then revert it to the same state as it was
1121 // before.
1122 handleServiceEnablePatch(confData.serviceEnabled, asyncResp,
1123 serverT, dbusObjectPath);
jayaprakash Mutyala96200602020-04-08 11:09:10 +00001124 }
Ed Tanous04ae99e2018-09-20 15:54:36 -07001125
Ed Tanous6c51eab2021-06-03 12:30:29 -07001126 if (remoteRoleMapData)
1127 {
1128 handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT,
1129 *remoteRoleMapData);
1130 }
Patrick Williams5a39f772023-10-20 11:20:21 -05001131 });
Ed Tanous6c51eab2021-06-03 12:30:29 -07001132}
1133
Abhishek Patel58345852022-02-02 08:54:25 -06001134inline void updateUserProperties(
1135 std::shared_ptr<bmcweb::AsyncResp> asyncResp, const std::string& username,
1136 const std::optional<std::string>& password,
1137 const std::optional<bool>& enabled,
1138 const std::optional<std::string>& roleId, const std::optional<bool>& locked,
1139 std::optional<std::vector<std::string>> accountTypes, bool userSelf)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001140{
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +05301141 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1142 tempObjPath /= username;
1143 std::string dbusObjectPath(tempObjPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001144
1145 dbus::utility::checkDbusPathExists(
Ed Tanous618c14b2022-06-30 17:44:25 -07001146 dbusObjectPath, [dbusObjectPath, username, password, roleId, enabled,
Abhishek Patel58345852022-02-02 08:54:25 -06001147 locked, accountTypes(std::move(accountTypes)),
1148 userSelf, asyncResp{std::move(asyncResp)}](int rc) {
Patrick Williams5a39f772023-10-20 11:20:21 -05001149 if (rc <= 0)
1150 {
1151 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1152 username);
1153 return;
1154 }
1155
1156 if (password)
1157 {
1158 int retval = pamUpdatePassword(username, *password);
1159
1160 if (retval == PAM_USER_UNKNOWN)
Ed Tanous6c51eab2021-06-03 12:30:29 -07001161 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08001162 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1163 username);
Patrick Williams5a39f772023-10-20 11:20:21 -05001164 }
1165 else if (retval == PAM_AUTHTOK_ERR)
1166 {
1167 // If password is invalid
1168 messages::propertyValueFormatError(asyncResp->res, nullptr,
1169 "Password");
1170 BMCWEB_LOG_ERROR("pamUpdatePassword Failed");
1171 }
1172 else if (retval != PAM_SUCCESS)
1173 {
1174 messages::internalError(asyncResp->res);
Ed Tanous6c51eab2021-06-03 12:30:29 -07001175 return;
1176 }
Patrick Williams5a39f772023-10-20 11:20:21 -05001177 else
Ed Tanous618c14b2022-06-30 17:44:25 -07001178 {
Patrick Williams5a39f772023-10-20 11:20:21 -05001179 messages::success(asyncResp->res);
Ed Tanous618c14b2022-06-30 17:44:25 -07001180 }
Patrick Williams5a39f772023-10-20 11:20:21 -05001181 }
Ed Tanous618c14b2022-06-30 17:44:25 -07001182
Patrick Williams5a39f772023-10-20 11:20:21 -05001183 if (enabled)
1184 {
Ed Tanousd02aad32024-02-13 14:43:34 -08001185 setDbusProperty(asyncResp, "xyz.openbmc_project.User.Manager",
1186 dbusObjectPath,
1187 "xyz.openbmc_project.User.Attributes",
1188 "UserEnabled", "Enabled", *enabled);
Patrick Williams5a39f772023-10-20 11:20:21 -05001189 }
1190
1191 if (roleId)
1192 {
1193 std::string priv = getPrivilegeFromRoleId(*roleId);
1194 if (priv.empty())
1195 {
1196 messages::propertyValueNotInList(asyncResp->res, true,
1197 "Locked");
1198 return;
Ed Tanous618c14b2022-06-30 17:44:25 -07001199 }
Ed Tanousd02aad32024-02-13 14:43:34 -08001200 setDbusProperty(asyncResp, "xyz.openbmc_project.User.Manager",
1201 dbusObjectPath,
1202 "xyz.openbmc_project.User.Attributes",
1203 "UserPrivilege", "RoleId", priv);
Patrick Williams5a39f772023-10-20 11:20:21 -05001204 }
1205
1206 if (locked)
1207 {
1208 // admin can unlock the account which is locked by
1209 // successive authentication failures but admin should
1210 // not be allowed to lock an account.
1211 if (*locked)
Abhishek Patel58345852022-02-02 08:54:25 -06001212 {
Patrick Williams5a39f772023-10-20 11:20:21 -05001213 messages::propertyValueNotInList(asyncResp->res, "true",
1214 "Locked");
1215 return;
Abhishek Patel58345852022-02-02 08:54:25 -06001216 }
Ed Tanousd02aad32024-02-13 14:43:34 -08001217 setDbusProperty(asyncResp, "xyz.openbmc_project.User.Manager",
1218 dbusObjectPath,
1219 "xyz.openbmc_project.User.Attributes",
1220 "UserLockedForFailedAttempt", "Locked", *locked);
Patrick Williams5a39f772023-10-20 11:20:21 -05001221 }
1222
1223 if (accountTypes)
1224 {
1225 patchAccountTypes(*accountTypes, asyncResp, dbusObjectPath,
1226 userSelf);
1227 }
1228 });
Ed Tanous6c51eab2021-06-03 12:30:29 -07001229}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -07001230
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001231inline void handleAccountServiceHead(
1232 App& app, const crow::Request& req,
1233 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001234{
1235 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1236 {
1237 return;
1238 }
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001239 asyncResp->res.addHeader(
1240 boost::beast::http::field::link,
1241 "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby");
1242}
1243
1244inline void
1245 handleAccountServiceGet(App& app, const crow::Request& req,
1246 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1247{
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001248 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1249 {
1250 return;
1251 }
Ninad Palsule3e72c202023-03-27 17:19:55 -05001252
1253 if (req.session == nullptr)
1254 {
1255 messages::internalError(asyncResp->res);
1256 return;
1257 }
1258
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001259 asyncResp->res.addHeader(
1260 boost::beast::http::field::link,
1261 "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby");
1262
Ed Tanous1ef4c342022-05-12 16:12:36 -07001263 const persistent_data::AuthConfigMethods& authMethodsConfig =
1264 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
1265
1266 nlohmann::json& json = asyncResp->res.jsonValue;
1267 json["@odata.id"] = "/redfish/v1/AccountService";
1268 json["@odata.type"] = "#AccountService."
1269 "v1_10_0.AccountService";
1270 json["Id"] = "AccountService";
1271 json["Name"] = "Account Service";
1272 json["Description"] = "Account Service";
1273 json["ServiceEnabled"] = true;
1274 json["MaxPasswordLength"] = 20;
1275 json["Accounts"]["@odata.id"] = "/redfish/v1/AccountService/Accounts";
1276 json["Roles"]["@odata.id"] = "/redfish/v1/AccountService/Roles";
1277 json["Oem"]["OpenBMC"]["@odata.type"] =
Ed Tanous5b5574a2022-09-26 19:53:36 -07001278 "#OpenBMCAccountService.v1_0_0.AccountService";
Ed Tanous1ef4c342022-05-12 16:12:36 -07001279 json["Oem"]["OpenBMC"]["@odata.id"] =
1280 "/redfish/v1/AccountService#/Oem/OpenBMC";
1281 json["Oem"]["OpenBMC"]["AuthMethods"]["BasicAuth"] =
1282 authMethodsConfig.basic;
1283 json["Oem"]["OpenBMC"]["AuthMethods"]["SessionToken"] =
1284 authMethodsConfig.sessionToken;
1285 json["Oem"]["OpenBMC"]["AuthMethods"]["XToken"] = authMethodsConfig.xtoken;
1286 json["Oem"]["OpenBMC"]["AuthMethods"]["Cookie"] = authMethodsConfig.cookie;
1287 json["Oem"]["OpenBMC"]["AuthMethods"]["TLS"] = authMethodsConfig.tls;
1288
1289 // /redfish/v1/AccountService/LDAP/Certificates is something only
1290 // ConfigureManager can access then only display when the user has
1291 // permissions ConfigureManager
1292 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05001293 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001294
1295 if (isOperationAllowedWithPrivileges({{"ConfigureManager"}},
1296 effectiveUserPrivileges))
1297 {
1298 asyncResp->res.jsonValue["LDAP"]["Certificates"]["@odata.id"] =
1299 "/redfish/v1/AccountService/LDAP/Certificates";
1300 }
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001301 sdbusplus::asio::getAllProperties(
1302 *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1303 "/xyz/openbmc_project/user", "xyz.openbmc_project.User.AccountPolicy",
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001304 [asyncResp](const boost::system::error_code& ec,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001305 const dbus::utility::DBusPropertiesMap& propertiesList) {
1306 if (ec)
1307 {
1308 messages::internalError(asyncResp->res);
1309 return;
1310 }
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001311
Ed Tanous62598e32023-07-17 17:06:25 -07001312 BMCWEB_LOG_DEBUG("Got {}properties for AccountService",
1313 propertiesList.size());
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001314
1315 const uint8_t* minPasswordLength = nullptr;
1316 const uint32_t* accountUnlockTimeout = nullptr;
1317 const uint16_t* maxLoginAttemptBeforeLockout = nullptr;
1318
1319 const bool success = sdbusplus::unpackPropertiesNoThrow(
1320 dbus_utils::UnpackErrorPrinter(), propertiesList,
1321 "MinPasswordLength", minPasswordLength, "AccountUnlockTimeout",
1322 accountUnlockTimeout, "MaxLoginAttemptBeforeLockout",
1323 maxLoginAttemptBeforeLockout);
1324
1325 if (!success)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001326 {
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001327 messages::internalError(asyncResp->res);
1328 return;
Ed Tanous1ef4c342022-05-12 16:12:36 -07001329 }
Krzysztof Grobelnyd1bde9e2022-09-07 10:40:51 +02001330
1331 if (minPasswordLength != nullptr)
1332 {
1333 asyncResp->res.jsonValue["MinPasswordLength"] = *minPasswordLength;
1334 }
1335
1336 if (accountUnlockTimeout != nullptr)
1337 {
1338 asyncResp->res.jsonValue["AccountLockoutDuration"] =
1339 *accountUnlockTimeout;
1340 }
1341
1342 if (maxLoginAttemptBeforeLockout != nullptr)
1343 {
1344 asyncResp->res.jsonValue["AccountLockoutThreshold"] =
1345 *maxLoginAttemptBeforeLockout;
1346 }
Patrick Williams5a39f772023-10-20 11:20:21 -05001347 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001348
Ed Tanous02cad962022-06-30 16:50:15 -07001349 auto callback = [asyncResp](bool success, const LDAPConfigData& confData,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001350 const std::string& ldapType) {
1351 if (!success)
1352 {
1353 return;
1354 }
1355 parseLDAPConfigData(asyncResp->res.jsonValue, confData, ldapType);
1356 };
1357
1358 getLDAPConfigData("LDAP", callback);
1359 getLDAPConfigData("ActiveDirectory", callback);
1360}
1361
1362inline void handleAccountServicePatch(
1363 App& app, const crow::Request& req,
1364 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1365{
1366 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1367 {
1368 return;
1369 }
1370 std::optional<uint32_t> unlockTimeout;
1371 std::optional<uint16_t> lockoutThreshold;
1372 std::optional<uint8_t> minPasswordLength;
1373 std::optional<uint16_t> maxPasswordLength;
1374 std::optional<nlohmann::json> ldapObject;
1375 std::optional<nlohmann::json> activeDirectoryObject;
1376 std::optional<nlohmann::json> oemObject;
1377
1378 if (!json_util::readJsonPatch(
1379 req, asyncResp->res, "AccountLockoutDuration", unlockTimeout,
1380 "AccountLockoutThreshold", lockoutThreshold, "MaxPasswordLength",
1381 maxPasswordLength, "MinPasswordLength", minPasswordLength, "LDAP",
1382 ldapObject, "ActiveDirectory", activeDirectoryObject, "Oem",
1383 oemObject))
1384 {
1385 return;
1386 }
1387
1388 if (minPasswordLength)
1389 {
Ed Tanousd02aad32024-02-13 14:43:34 -08001390 setDbusProperty(
1391 asyncResp, "xyz.openbmc_project.User.Manager",
1392 sdbusplus::message::object_path("/xyz/openbmc_project/user"),
George Liu9ae226f2023-06-21 17:56:46 +08001393 "xyz.openbmc_project.User.AccountPolicy", "MinPasswordLength",
Ed Tanousd02aad32024-02-13 14:43:34 -08001394 "MinPasswordLength", *minPasswordLength);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001395 }
1396
1397 if (maxPasswordLength)
1398 {
1399 messages::propertyNotWritable(asyncResp->res, "MaxPasswordLength");
1400 }
1401
1402 if (ldapObject)
1403 {
1404 handleLDAPPatch(*ldapObject, asyncResp, "LDAP");
1405 }
1406
1407 if (std::optional<nlohmann::json> oemOpenBMCObject;
1408 oemObject && json_util::readJson(*oemObject, asyncResp->res, "OpenBMC",
1409 oemOpenBMCObject))
1410 {
1411 if (std::optional<nlohmann::json> authMethodsObject;
1412 oemOpenBMCObject &&
1413 json_util::readJson(*oemOpenBMCObject, asyncResp->res,
1414 "AuthMethods", authMethodsObject))
1415 {
1416 if (authMethodsObject)
1417 {
1418 handleAuthMethodsPatch(*authMethodsObject, asyncResp);
1419 }
1420 }
1421 }
1422
1423 if (activeDirectoryObject)
1424 {
1425 handleLDAPPatch(*activeDirectoryObject, asyncResp, "ActiveDirectory");
1426 }
1427
1428 if (unlockTimeout)
1429 {
Ed Tanousd02aad32024-02-13 14:43:34 -08001430 setDbusProperty(
1431 asyncResp, "xyz.openbmc_project.User.Manager",
1432 sdbusplus::message::object_path("/xyz/openbmc_project/user"),
Ed Tanous1ef4c342022-05-12 16:12:36 -07001433 "xyz.openbmc_project.User.AccountPolicy", "AccountUnlockTimeout",
Ed Tanousd02aad32024-02-13 14:43:34 -08001434 "AccountLockoutDuration", *unlockTimeout);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001435 }
1436 if (lockoutThreshold)
1437 {
Ed Tanousd02aad32024-02-13 14:43:34 -08001438 setDbusProperty(
1439 asyncResp, "xyz.openbmc_project.User.Manager",
1440 sdbusplus::message::object_path("/xyz/openbmc_project/user"),
George Liu9ae226f2023-06-21 17:56:46 +08001441 "xyz.openbmc_project.User.AccountPolicy",
Ed Tanousd02aad32024-02-13 14:43:34 -08001442 "MaxLoginAttemptBeforeLockout", "AccountLockoutThreshold",
1443 *lockoutThreshold);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001444 }
1445}
1446
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001447inline void handleAccountCollectionHead(
Ed Tanous1ef4c342022-05-12 16:12:36 -07001448 App& app, const crow::Request& req,
1449 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1450{
1451 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1452 {
1453 return;
1454 }
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001455 asyncResp->res.addHeader(
1456 boost::beast::http::field::link,
1457 "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby");
1458}
1459
1460inline void handleAccountCollectionGet(
1461 App& app, const crow::Request& req,
1462 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1463{
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001464 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1465 {
1466 return;
1467 }
Ninad Palsule3e72c202023-03-27 17:19:55 -05001468
1469 if (req.session == nullptr)
1470 {
1471 messages::internalError(asyncResp->res);
1472 return;
1473 }
1474
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001475 asyncResp->res.addHeader(
1476 boost::beast::http::field::link,
1477 "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001478
1479 asyncResp->res.jsonValue["@odata.id"] =
1480 "/redfish/v1/AccountService/Accounts";
1481 asyncResp->res.jsonValue["@odata.type"] = "#ManagerAccountCollection."
1482 "ManagerAccountCollection";
1483 asyncResp->res.jsonValue["Name"] = "Accounts Collection";
1484 asyncResp->res.jsonValue["Description"] = "BMC User Accounts";
1485
1486 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05001487 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001488
1489 std::string thisUser;
1490 if (req.session)
1491 {
1492 thisUser = req.session->username;
1493 }
George Liu5eb468d2023-06-20 17:03:24 +08001494 sdbusplus::message::object_path path("/xyz/openbmc_project/user");
1495 dbus::utility::getManagedObjects(
1496 "xyz.openbmc_project.User.Manager", path,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001497 [asyncResp, thisUser, effectiveUserPrivileges](
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001498 const boost::system::error_code& ec,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001499 const dbus::utility::ManagedObjectType& users) {
1500 if (ec)
1501 {
1502 messages::internalError(asyncResp->res);
1503 return;
1504 }
1505
1506 bool userCanSeeAllAccounts =
1507 effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"});
1508
1509 bool userCanSeeSelf =
1510 effectiveUserPrivileges.isSupersetOf({"ConfigureSelf"});
1511
1512 nlohmann::json& memberArray = asyncResp->res.jsonValue["Members"];
1513 memberArray = nlohmann::json::array();
1514
1515 for (const auto& userpath : users)
1516 {
1517 std::string user = userpath.first.filename();
1518 if (user.empty())
1519 {
1520 messages::internalError(asyncResp->res);
Ed Tanous62598e32023-07-17 17:06:25 -07001521 BMCWEB_LOG_ERROR("Invalid firmware ID");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001522
1523 return;
1524 }
1525
1526 // As clarified by Redfish here:
1527 // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration
1528 // Users without ConfigureUsers, only see their own
1529 // account. Users with ConfigureUsers, see all
1530 // accounts.
1531 if (userCanSeeAllAccounts || (thisUser == user && userCanSeeSelf))
1532 {
1533 nlohmann::json::object_t member;
Ed Tanous3b327802023-08-14 09:23:43 -07001534 member["@odata.id"] = boost::urls::format(
1535 "/redfish/v1/AccountService/Accounts/{}", user);
Patrick Williamsb2ba3072023-05-12 10:27:39 -05001536 memberArray.emplace_back(std::move(member));
Ed Tanous1ef4c342022-05-12 16:12:36 -07001537 }
1538 }
1539 asyncResp->res.jsonValue["Members@odata.count"] = memberArray.size();
Patrick Williams5a39f772023-10-20 11:20:21 -05001540 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001541}
1542
Ninad Palsule97e90da2023-05-17 14:04:52 -05001543inline void processAfterCreateUser(
1544 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1545 const std::string& username, const std::string& password,
1546 const boost::system::error_code& ec, sdbusplus::message_t& m)
1547{
1548 if (ec)
1549 {
1550 userErrorMessageHandler(m.get_error(), asyncResp, username, "");
1551 return;
1552 }
1553
1554 if (pamUpdatePassword(username, password) != PAM_SUCCESS)
1555 {
1556 // At this point we have a user that's been
1557 // created, but the password set
1558 // failed.Something is wrong, so delete the user
1559 // that we've already created
1560 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1561 tempObjPath /= username;
1562 const std::string userPath(tempObjPath);
1563
1564 crow::connections::systemBus->async_method_call(
1565 [asyncResp, password](const boost::system::error_code& ec3) {
1566 if (ec3)
1567 {
1568 messages::internalError(asyncResp->res);
1569 return;
1570 }
1571
1572 // If password is invalid
Jason M. Bills9bd80832023-08-30 15:19:41 -07001573 messages::propertyValueFormatError(asyncResp->res, nullptr,
Ninad Palsule97e90da2023-05-17 14:04:52 -05001574 "Password");
Patrick Williams5a39f772023-10-20 11:20:21 -05001575 },
Ninad Palsule97e90da2023-05-17 14:04:52 -05001576 "xyz.openbmc_project.User.Manager", userPath,
1577 "xyz.openbmc_project.Object.Delete", "Delete");
1578
Ed Tanous62598e32023-07-17 17:06:25 -07001579 BMCWEB_LOG_ERROR("pamUpdatePassword Failed");
Ninad Palsule97e90da2023-05-17 14:04:52 -05001580 return;
1581 }
1582
1583 messages::created(asyncResp->res);
1584 asyncResp->res.addHeader("Location",
1585 "/redfish/v1/AccountService/Accounts/" + username);
1586}
1587
1588inline void processAfterGetAllGroups(
1589 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1590 const std::string& username, const std::string& password,
Ed Tanouse01d0c32023-06-30 13:21:32 -07001591 const std::string& roleId, bool enabled,
Ninad Palsule9ba73932023-06-01 16:38:57 -05001592 std::optional<std::vector<std::string>> accountTypes,
Ninad Palsule97e90da2023-05-17 14:04:52 -05001593 const std::vector<std::string>& allGroupsList)
Ninad Palsule97e90da2023-05-17 14:04:52 -05001594{
Ninad Palsule3e72c202023-03-27 17:19:55 -05001595 std::vector<std::string> userGroups;
Ninad Palsule9ba73932023-06-01 16:38:57 -05001596 std::vector<std::string> accountTypeUserGroups;
1597
1598 // If user specified account types then convert them to unix user groups
1599 if (accountTypes)
1600 {
1601 if (!getUserGroupFromAccountType(asyncResp->res, *accountTypes,
1602 accountTypeUserGroups))
1603 {
1604 // Problem in mapping Account Types to User Groups, Error already
1605 // logged.
1606 return;
1607 }
1608 }
1609
Ninad Palsule3e72c202023-03-27 17:19:55 -05001610 for (const auto& grp : allGroupsList)
1611 {
Ninad Palsule9ba73932023-06-01 16:38:57 -05001612 // If user specified the account type then only accept groups which are
1613 // in the account types group list.
1614 if (!accountTypeUserGroups.empty())
1615 {
1616 bool found = false;
1617 for (const auto& grp1 : accountTypeUserGroups)
1618 {
1619 if (grp == grp1)
1620 {
1621 found = true;
1622 break;
1623 }
1624 }
1625 if (!found)
1626 {
1627 continue;
1628 }
1629 }
1630
Ninad Palsule3e72c202023-03-27 17:19:55 -05001631 // Console access is provided to the user who is a member of
1632 // hostconsole group and has a administrator role. So, set
1633 // hostconsole group only for the administrator.
Ninad Palsule9ba73932023-06-01 16:38:57 -05001634 if ((grp == "hostconsole") && (roleId != "priv-admin"))
Ninad Palsule3e72c202023-03-27 17:19:55 -05001635 {
Ninad Palsule9ba73932023-06-01 16:38:57 -05001636 if (!accountTypeUserGroups.empty())
1637 {
Ed Tanous62598e32023-07-17 17:06:25 -07001638 BMCWEB_LOG_ERROR(
1639 "Only administrator can get HostConsole access");
Ninad Palsule9ba73932023-06-01 16:38:57 -05001640 asyncResp->res.result(boost::beast::http::status::bad_request);
1641 return;
1642 }
1643 continue;
Ninad Palsule3e72c202023-03-27 17:19:55 -05001644 }
Ninad Palsule9ba73932023-06-01 16:38:57 -05001645 userGroups.emplace_back(grp);
1646 }
1647
1648 // Make sure user specified groups are valid. This is internal error because
1649 // it some inconsistencies between user manager and bmcweb.
1650 if (!accountTypeUserGroups.empty() &&
1651 accountTypeUserGroups.size() != userGroups.size())
1652 {
1653 messages::internalError(asyncResp->res);
1654 return;
Ninad Palsule3e72c202023-03-27 17:19:55 -05001655 }
Ninad Palsule97e90da2023-05-17 14:04:52 -05001656 crow::connections::systemBus->async_method_call(
1657 [asyncResp, username, password](const boost::system::error_code& ec2,
1658 sdbusplus::message_t& m) {
1659 processAfterCreateUser(asyncResp, username, password, ec2, m);
Patrick Williams5a39f772023-10-20 11:20:21 -05001660 },
Ninad Palsule97e90da2023-05-17 14:04:52 -05001661 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
Ninad Palsule3e72c202023-03-27 17:19:55 -05001662 "xyz.openbmc_project.User.Manager", "CreateUser", username, userGroups,
Ed Tanouse01d0c32023-06-30 13:21:32 -07001663 roleId, enabled);
Ninad Palsule97e90da2023-05-17 14:04:52 -05001664}
1665
Ed Tanous1ef4c342022-05-12 16:12:36 -07001666inline void handleAccountCollectionPost(
1667 App& app, const crow::Request& req,
1668 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1669{
1670 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1671 {
1672 return;
1673 }
1674 std::string username;
1675 std::string password;
Ed Tanouse01d0c32023-06-30 13:21:32 -07001676 std::optional<std::string> roleIdJson;
1677 std::optional<bool> enabledJson;
Ninad Palsule9ba73932023-06-01 16:38:57 -05001678 std::optional<std::vector<std::string>> accountTypes;
Ed Tanouse01d0c32023-06-30 13:21:32 -07001679 if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", username,
1680 "Password", password, "RoleId", roleIdJson,
1681 "Enabled", enabledJson, "AccountTypes",
1682 accountTypes))
Ed Tanous1ef4c342022-05-12 16:12:36 -07001683 {
1684 return;
1685 }
1686
Ed Tanouse01d0c32023-06-30 13:21:32 -07001687 std::string roleId = roleIdJson.value_or("User");
1688 std::string priv = getPrivilegeFromRoleId(roleId);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001689 if (priv.empty())
1690 {
Ed Tanouse01d0c32023-06-30 13:21:32 -07001691 messages::propertyValueNotInList(asyncResp->res, roleId, "RoleId");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001692 return;
1693 }
Asmitha Karunanithi239adf82022-03-25 02:59:03 -05001694 roleId = priv;
Ed Tanous1ef4c342022-05-12 16:12:36 -07001695
Ed Tanouse01d0c32023-06-30 13:21:32 -07001696 bool enabled = enabledJson.value_or(true);
1697
Ed Tanous1ef4c342022-05-12 16:12:36 -07001698 // Reading AllGroups property
1699 sdbusplus::asio::getProperty<std::vector<std::string>>(
1700 *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1701 "/xyz/openbmc_project/user", "xyz.openbmc_project.User.Manager",
1702 "AllGroups",
Ninad Palsule9ba73932023-06-01 16:38:57 -05001703 [asyncResp, username, password{std::move(password)}, roleId, enabled,
1704 accountTypes](const boost::system::error_code& ec,
1705 const std::vector<std::string>& allGroupsList) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07001706 if (ec)
1707 {
Ed Tanous62598e32023-07-17 17:06:25 -07001708 BMCWEB_LOG_DEBUG("ERROR with async_method_call");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001709 messages::internalError(asyncResp->res);
1710 return;
1711 }
1712
1713 if (allGroupsList.empty())
1714 {
1715 messages::internalError(asyncResp->res);
1716 return;
1717 }
1718
Ninad Palsule97e90da2023-05-17 14:04:52 -05001719 processAfterGetAllGroups(asyncResp, username, password, roleId, enabled,
Ninad Palsule9ba73932023-06-01 16:38:57 -05001720 accountTypes, allGroupsList);
Patrick Williams5a39f772023-10-20 11:20:21 -05001721 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001722}
1723
1724inline void
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001725 handleAccountHead(App& app, const crow::Request& req,
1726 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1727 const std::string& /*accountName*/)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001728{
1729 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1730 {
1731 return;
1732 }
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001733 asyncResp->res.addHeader(
1734 boost::beast::http::field::link,
1735 "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby");
1736}
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001737
Ed Tanous4c7d4d32022-07-07 15:29:35 -07001738inline void
1739 handleAccountGet(App& app, const crow::Request& req,
1740 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1741 const std::string& accountName)
1742{
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001743 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1744 {
1745 return;
1746 }
1747 asyncResp->res.addHeader(
1748 boost::beast::http::field::link,
1749 "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby");
1750
Ed Tanous1ef4c342022-05-12 16:12:36 -07001751#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
1752 // If authentication is disabled, there are no user accounts
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08001753 messages::resourceNotFound(asyncResp->res, "ManagerAccount", accountName);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001754 return;
Ed Tanous1ef4c342022-05-12 16:12:36 -07001755#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
Jiaqing Zhaoafd369c2023-03-07 15:12:22 +08001756
Ed Tanous1ef4c342022-05-12 16:12:36 -07001757 if (req.session == nullptr)
1758 {
1759 messages::internalError(asyncResp->res);
1760 return;
1761 }
1762 if (req.session->username != accountName)
1763 {
1764 // At this point we've determined that the user is trying to
1765 // modify a user that isn't them. We need to verify that they
1766 // have permissions to modify other users, so re-run the auth
1767 // check with the same permissions, minus ConfigureSelf.
1768 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05001769 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001770 Privileges requiredPermissionsToChangeNonSelf = {"ConfigureUsers",
1771 "ConfigureManager"};
1772 if (!effectiveUserPrivileges.isSupersetOf(
1773 requiredPermissionsToChangeNonSelf))
1774 {
Ed Tanous62598e32023-07-17 17:06:25 -07001775 BMCWEB_LOG_DEBUG("GET Account denied access");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001776 messages::insufficientPrivilege(asyncResp->res);
1777 return;
1778 }
1779 }
1780
George Liu5eb468d2023-06-20 17:03:24 +08001781 sdbusplus::message::object_path path("/xyz/openbmc_project/user");
1782 dbus::utility::getManagedObjects(
1783 "xyz.openbmc_project.User.Manager", path,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001784 [asyncResp,
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001785 accountName](const boost::system::error_code& ec,
Ed Tanous1ef4c342022-05-12 16:12:36 -07001786 const dbus::utility::ManagedObjectType& users) {
1787 if (ec)
1788 {
1789 messages::internalError(asyncResp->res);
1790 return;
1791 }
Ed Tanous3544d2a2023-08-06 18:12:20 -07001792 const auto userIt = std::ranges::find_if(
Michael Shen80f79a42023-08-24 13:41:53 +00001793 users,
1794 [accountName](
1795 const std::pair<sdbusplus::message::object_path,
1796 dbus::utility::DBusInterfacesMap>& user) {
1797 return accountName == user.first.filename();
Patrick Williams5a39f772023-10-20 11:20:21 -05001798 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001799
1800 if (userIt == users.end())
1801 {
1802 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1803 accountName);
1804 return;
1805 }
1806
1807 asyncResp->res.jsonValue["@odata.type"] =
Abhishek Patel58345852022-02-02 08:54:25 -06001808 "#ManagerAccount.v1_7_0.ManagerAccount";
Ed Tanous1ef4c342022-05-12 16:12:36 -07001809 asyncResp->res.jsonValue["Name"] = "User Account";
1810 asyncResp->res.jsonValue["Description"] = "User Account";
1811 asyncResp->res.jsonValue["Password"] = nullptr;
Abhishek Patel58345852022-02-02 08:54:25 -06001812 asyncResp->res.jsonValue["StrictAccountTypes"] = true;
Ed Tanous1ef4c342022-05-12 16:12:36 -07001813
1814 for (const auto& interface : userIt->second)
1815 {
1816 if (interface.first == "xyz.openbmc_project.User.Attributes")
1817 {
1818 for (const auto& property : interface.second)
1819 {
1820 if (property.first == "UserEnabled")
1821 {
1822 const bool* userEnabled =
1823 std::get_if<bool>(&property.second);
1824 if (userEnabled == nullptr)
1825 {
Ed Tanous62598e32023-07-17 17:06:25 -07001826 BMCWEB_LOG_ERROR("UserEnabled wasn't a bool");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001827 messages::internalError(asyncResp->res);
1828 return;
1829 }
1830 asyncResp->res.jsonValue["Enabled"] = *userEnabled;
1831 }
1832 else if (property.first == "UserLockedForFailedAttempt")
1833 {
1834 const bool* userLocked =
1835 std::get_if<bool>(&property.second);
1836 if (userLocked == nullptr)
1837 {
Ed Tanous62598e32023-07-17 17:06:25 -07001838 BMCWEB_LOG_ERROR("UserLockedForF"
1839 "ailedAttempt "
1840 "wasn't a bool");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001841 messages::internalError(asyncResp->res);
1842 return;
1843 }
1844 asyncResp->res.jsonValue["Locked"] = *userLocked;
1845 asyncResp->res
1846 .jsonValue["Locked@Redfish.AllowableValues"] = {
1847 "false"}; // can only unlock accounts
1848 }
1849 else if (property.first == "UserPrivilege")
1850 {
1851 const std::string* userPrivPtr =
1852 std::get_if<std::string>(&property.second);
1853 if (userPrivPtr == nullptr)
1854 {
Ed Tanous62598e32023-07-17 17:06:25 -07001855 BMCWEB_LOG_ERROR("UserPrivilege wasn't a "
1856 "string");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001857 messages::internalError(asyncResp->res);
1858 return;
1859 }
1860 std::string role = getRoleIdFromPrivilege(*userPrivPtr);
1861 if (role.empty())
1862 {
Ed Tanous62598e32023-07-17 17:06:25 -07001863 BMCWEB_LOG_ERROR("Invalid user role");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001864 messages::internalError(asyncResp->res);
1865 return;
1866 }
1867 asyncResp->res.jsonValue["RoleId"] = role;
1868
1869 nlohmann::json& roleEntry =
1870 asyncResp->res.jsonValue["Links"]["Role"];
Ed Tanous3b327802023-08-14 09:23:43 -07001871 roleEntry["@odata.id"] = boost::urls::format(
1872 "/redfish/v1/AccountService/Roles/{}", role);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001873 }
1874 else if (property.first == "UserPasswordExpired")
1875 {
1876 const bool* userPasswordExpired =
1877 std::get_if<bool>(&property.second);
1878 if (userPasswordExpired == nullptr)
1879 {
Ed Tanous62598e32023-07-17 17:06:25 -07001880 BMCWEB_LOG_ERROR(
1881 "UserPasswordExpired wasn't a bool");
Ed Tanous1ef4c342022-05-12 16:12:36 -07001882 messages::internalError(asyncResp->res);
1883 return;
1884 }
1885 asyncResp->res.jsonValue["PasswordChangeRequired"] =
1886 *userPasswordExpired;
1887 }
Abhishek Patelc7229812022-02-01 10:07:15 -06001888 else if (property.first == "UserGroups")
1889 {
1890 const std::vector<std::string>* userGroups =
1891 std::get_if<std::vector<std::string>>(
1892 &property.second);
1893 if (userGroups == nullptr)
1894 {
Ed Tanous62598e32023-07-17 17:06:25 -07001895 BMCWEB_LOG_ERROR(
1896 "userGroups wasn't a string vector");
Abhishek Patelc7229812022-02-01 10:07:15 -06001897 messages::internalError(asyncResp->res);
1898 return;
1899 }
1900 if (!translateUserGroup(*userGroups, asyncResp->res))
1901 {
Ed Tanous62598e32023-07-17 17:06:25 -07001902 BMCWEB_LOG_ERROR("userGroups mapping failed");
Abhishek Patelc7229812022-02-01 10:07:15 -06001903 messages::internalError(asyncResp->res);
1904 return;
1905 }
1906 }
Ed Tanous1ef4c342022-05-12 16:12:36 -07001907 }
1908 }
1909 }
1910
Ed Tanous3b327802023-08-14 09:23:43 -07001911 asyncResp->res.jsonValue["@odata.id"] = boost::urls::format(
1912 "/redfish/v1/AccountService/Accounts/{}", accountName);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001913 asyncResp->res.jsonValue["Id"] = accountName;
1914 asyncResp->res.jsonValue["UserName"] = accountName;
Patrick Williams5a39f772023-10-20 11:20:21 -05001915 });
Ed Tanous1ef4c342022-05-12 16:12:36 -07001916}
1917
1918inline void
Gunnar Mills20fc3072023-01-27 15:13:36 -06001919 handleAccountDelete(App& app, const crow::Request& req,
1920 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1921 const std::string& username)
Ed Tanous1ef4c342022-05-12 16:12:36 -07001922{
1923 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1924 {
1925 return;
1926 }
1927
1928#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
1929 // If authentication is disabled, there are no user accounts
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08001930 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001931 return;
1932
1933#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
1934 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1935 tempObjPath /= username;
1936 const std::string userPath(tempObjPath);
1937
1938 crow::connections::systemBus->async_method_call(
Ed Tanous5e7e2dc2023-02-16 10:37:01 -08001939 [asyncResp, username](const boost::system::error_code& ec) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07001940 if (ec)
1941 {
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08001942 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
Ed Tanous1ef4c342022-05-12 16:12:36 -07001943 username);
1944 return;
1945 }
1946
1947 messages::accountRemoved(asyncResp->res);
Patrick Williams5a39f772023-10-20 11:20:21 -05001948 },
Ed Tanous1ef4c342022-05-12 16:12:36 -07001949 "xyz.openbmc_project.User.Manager", userPath,
1950 "xyz.openbmc_project.Object.Delete", "Delete");
1951}
1952
1953inline void
1954 handleAccountPatch(App& app, const crow::Request& req,
1955 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1956 const std::string& username)
1957{
1958 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1959 {
1960 return;
1961 }
1962#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
1963 // If authentication is disabled, there are no user accounts
Jiaqing Zhaod8a5d5d2022-08-05 16:21:51 +08001964 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001965 return;
1966
1967#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
1968 std::optional<std::string> newUserName;
1969 std::optional<std::string> password;
1970 std::optional<bool> enabled;
1971 std::optional<std::string> roleId;
1972 std::optional<bool> locked;
Abhishek Patel58345852022-02-02 08:54:25 -06001973 std::optional<std::vector<std::string>> accountTypes;
1974
1975 bool userSelf = (username == req.session->username);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001976
1977 if (req.session == nullptr)
1978 {
1979 messages::internalError(asyncResp->res);
1980 return;
1981 }
1982
1983 Privileges effectiveUserPrivileges =
Ninad Palsule3e72c202023-03-27 17:19:55 -05001984 redfish::getUserPrivileges(*req.session);
Ed Tanous1ef4c342022-05-12 16:12:36 -07001985 Privileges configureUsers = {"ConfigureUsers"};
1986 bool userHasConfigureUsers =
1987 effectiveUserPrivileges.isSupersetOf(configureUsers);
1988 if (userHasConfigureUsers)
1989 {
1990 // Users with ConfigureUsers can modify for all users
Abhishek Patel58345852022-02-02 08:54:25 -06001991 if (!json_util::readJsonPatch(
1992 req, asyncResp->res, "UserName", newUserName, "Password",
1993 password, "RoleId", roleId, "Enabled", enabled, "Locked",
1994 locked, "AccountTypes", accountTypes))
Ed Tanous1ef4c342022-05-12 16:12:36 -07001995 {
1996 return;
1997 }
1998 }
1999 else
2000 {
2001 // ConfigureSelf accounts can only modify their own account
Abhishek Patel58345852022-02-02 08:54:25 -06002002 if (!userSelf)
Ed Tanous1ef4c342022-05-12 16:12:36 -07002003 {
2004 messages::insufficientPrivilege(asyncResp->res);
2005 return;
2006 }
2007
2008 // ConfigureSelf accounts can only modify their password
2009 if (!json_util::readJsonPatch(req, asyncResp->res, "Password",
2010 password))
2011 {
2012 return;
2013 }
2014 }
2015
2016 // if user name is not provided in the patch method or if it
2017 // matches the user name in the URI, then we are treating it as
2018 // updating user properties other then username. If username
2019 // provided doesn't match the URI, then we are treating this as
2020 // user rename request.
2021 if (!newUserName || (newUserName.value() == username))
2022 {
2023 updateUserProperties(asyncResp, username, password, enabled, roleId,
Abhishek Patel58345852022-02-02 08:54:25 -06002024 locked, accountTypes, userSelf);
Ed Tanous1ef4c342022-05-12 16:12:36 -07002025 return;
2026 }
2027 crow::connections::systemBus->async_method_call(
2028 [asyncResp, username, password(std::move(password)),
2029 roleId(std::move(roleId)), enabled, newUser{std::string(*newUserName)},
Abhishek Patel58345852022-02-02 08:54:25 -06002030 locked, userSelf, accountTypes(std::move(accountTypes))](
Ed Tanouse81de512023-06-27 17:07:00 -07002031 const boost::system::error_code& ec, sdbusplus::message_t& m) {
Ed Tanous1ef4c342022-05-12 16:12:36 -07002032 if (ec)
2033 {
2034 userErrorMessageHandler(m.get_error(), asyncResp, newUser,
2035 username);
2036 return;
2037 }
2038
2039 updateUserProperties(asyncResp, newUser, password, enabled, roleId,
Abhishek Patel58345852022-02-02 08:54:25 -06002040 locked, accountTypes, userSelf);
Patrick Williams5a39f772023-10-20 11:20:21 -05002041 },
Ed Tanous1ef4c342022-05-12 16:12:36 -07002042 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
2043 "xyz.openbmc_project.User.Manager", "RenameUser", username,
2044 *newUserName);
2045}
2046
Ed Tanous6c51eab2021-06-03 12:30:29 -07002047inline void requestAccountServiceRoutes(App& app)
Ed Tanousb9b2e0b2018-09-13 13:47:50 -07002048{
Ed Tanous6c51eab2021-06-03 12:30:29 -07002049 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Ed Tanous4c7d4d32022-07-07 15:29:35 -07002050 .privileges(redfish::privileges::headAccountService)
2051 .methods(boost::beast::http::verb::head)(
2052 std::bind_front(handleAccountServiceHead, std::ref(app)));
2053
2054 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Ed Tanoused398212021-06-09 17:05:54 -07002055 .privileges(redfish::privileges::getAccountService)
Ed Tanous002d39b2022-05-31 08:59:27 -07002056 .methods(boost::beast::http::verb::get)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002057 std::bind_front(handleAccountServiceGet, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002058
Ed Tanousf5ffd802021-07-19 10:55:33 -07002059 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Gunnar Mills1ec43ee2022-01-04 15:39:52 -06002060 .privileges(redfish::privileges::patchAccountService)
Ed Tanousf5ffd802021-07-19 10:55:33 -07002061 .methods(boost::beast::http::verb::patch)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002062 std::bind_front(handleAccountServicePatch, std::ref(app)));
Ed Tanousf5ffd802021-07-19 10:55:33 -07002063
Ed Tanous6c51eab2021-06-03 12:30:29 -07002064 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanous4c7d4d32022-07-07 15:29:35 -07002065 .privileges(redfish::privileges::headManagerAccountCollection)
2066 .methods(boost::beast::http::verb::head)(
2067 std::bind_front(handleAccountCollectionHead, std::ref(app)));
2068
2069 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanoused398212021-06-09 17:05:54 -07002070 .privileges(redfish::privileges::getManagerAccountCollection)
Ed Tanous6c51eab2021-06-03 12:30:29 -07002071 .methods(boost::beast::http::verb::get)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002072 std::bind_front(handleAccountCollectionGet, std::ref(app)));
Ed Tanous06e086d2018-09-19 17:19:52 -07002073
Ed Tanous6c51eab2021-06-03 12:30:29 -07002074 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanoused398212021-06-09 17:05:54 -07002075 .privileges(redfish::privileges::postManagerAccountCollection)
Ed Tanous002d39b2022-05-31 08:59:27 -07002076 .methods(boost::beast::http::verb::post)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002077 std::bind_front(handleAccountCollectionPost, std::ref(app)));
Ed Tanous002d39b2022-05-31 08:59:27 -07002078
2079 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanous4c7d4d32022-07-07 15:29:35 -07002080 .privileges(redfish::privileges::headManagerAccount)
2081 .methods(boost::beast::http::verb::head)(
2082 std::bind_front(handleAccountHead, std::ref(app)));
2083
2084 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanous002d39b2022-05-31 08:59:27 -07002085 .privileges(redfish::privileges::getManagerAccount)
2086 .methods(boost::beast::http::verb::get)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002087 std::bind_front(handleAccountGet, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002088
2089 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -07002090 // TODO this privilege should be using the generated endpoints, but
2091 // because of the special handling of ConfigureSelf, it's not able to
2092 // yet
Ed Tanous6c51eab2021-06-03 12:30:29 -07002093 .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}})
2094 .methods(boost::beast::http::verb::patch)(
Ed Tanous1ef4c342022-05-12 16:12:36 -07002095 std::bind_front(handleAccountPatch, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002096
2097 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -07002098 .privileges(redfish::privileges::deleteManagerAccount)
Ed Tanous6c51eab2021-06-03 12:30:29 -07002099 .methods(boost::beast::http::verb::delete_)(
Gunnar Mills20fc3072023-01-27 15:13:36 -06002100 std::bind_front(handleAccountDelete, std::ref(app)));
Ed Tanous6c51eab2021-06-03 12:30:29 -07002101}
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +01002102
Ed Tanous1abe55e2018-09-05 08:30:59 -07002103} // namespace redfish