Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / eae855c74b30085f6ac1094f6087c6b3913a9a69 / . / redfish-core / lib / account_service.hpp
blob: d89710b1a303c135d559c522800a8a7de208c47d [file] [log] [blame]
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]1/*
2// Copyright (c) 2018 Intel Corporation
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15*/
16#pragma once
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]17
John Edward Broadbent7e860f12021-04-08 15:57:16 -0700[diff] [blame]18#include <app.hpp>
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]19#include <dbus_utility.hpp>
Ed Tanous65b0dc32018-09-19 16:04:03 -0700[diff] [blame]20#include <error_messages.hpp>
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]21#include <openbmc_dbus_rest.hpp>
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]22#include <persistent_data.hpp>
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]23#include <registries/privilege_registry.hpp>
Jonathan Doman1e1e5982021-06-11 09:36:17 -0700[diff] [blame]24#include <sdbusplus/asio/property.hpp>
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]25#include <utils/json_utils.hpp>
Gunnar Mills1214b7e2020-06-04 10:11:30 -0500[diff] [blame]26
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]27namespace redfish
28{
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]29
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]30constexpr const char* ldapConfigObjectName =
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]31 "/xyz/openbmc_project/user/ldap/openldap";
Ed Tanous2c70f802020-09-28 14:29:23 -0700[diff] [blame]32constexpr const char* adConfigObject =
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]33 "/xyz/openbmc_project/user/ldap/active_directory";
34
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +0530[diff] [blame]35constexpr const char* rootUserDbusPath = "/xyz/openbmc_project/user/";
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]36constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap";
37constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config";
38constexpr const char* ldapConfigInterface =
39 "xyz.openbmc_project.User.Ldap.Config";
40constexpr const char* ldapCreateInterface =
41 "xyz.openbmc_project.User.Ldap.Create";
42constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable";
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]43constexpr const char* ldapPrivMapperInterface =
44 "xyz.openbmc_project.User.PrivilegeMapper";
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]45constexpr const char* dbusObjManagerIntf = "org.freedesktop.DBus.ObjectManager";
46constexpr const char* propertyInterface = "org.freedesktop.DBus.Properties";
47constexpr const char* mapperBusName = "xyz.openbmc_project.ObjectMapper";
48constexpr const char* mapperObjectPath = "/xyz/openbmc_project/object_mapper";
49constexpr const char* mapperIntf = "xyz.openbmc_project.ObjectMapper";
50
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]51struct LDAPRoleMapData
52{
53 std::string groupName;
54 std::string privilege;
55};
56
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]57struct LDAPConfigData
58{
59 std::string uri{};
60 std::string bindDN{};
61 std::string baseDN{};
62 std::string searchScope{};
63 std::string serverType{};
64 bool serviceEnabled = false;
65 std::string userNameAttribute{};
66 std::string groupAttribute{};
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]67 std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList;
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]68};
69
Przemyslaw Czarnowski107077d2019-07-11 10:16:43 +0200[diff] [blame]70using DbusInterfaceType = boost::container::flat_map<
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]71 std::string,
72 boost::container::flat_map<std::string, dbus::utility::DbusVariantType>>;
Przemyslaw Czarnowski107077d2019-07-11 10:16:43 +0200[diff] [blame]73
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]74using GetObjectType =
75 std::vector<std::pair<std::string, std::vector<std::string>>>;
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]76
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]77inline std::string getRoleIdFromPrivilege(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]78{
79 if (role == "priv-admin")
80 {
81 return "Administrator";
82 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]83 if (role == "priv-user")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]84 {
AppaRao Pulic80fee52019-10-16 14:49:36 +0530[diff] [blame]85 return "ReadOnly";
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]86 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]87 if (role == "priv-operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]88 {
89 return "Operator";
90 }
Ed Tanous26f69762022-01-25 09:49:11 -0800[diff] [blame]91 if (role.empty() || (role == "priv-noaccess"))
jayaprakash Mutyalae9e6d242019-07-29 11:59:08 +0000[diff] [blame]92 {
93 return "NoAccess";
94 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]95 return "";
96}
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]97inline std::string getPrivilegeFromRoleId(std::string_view role)
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]98{
99 if (role == "Administrator")
100 {
101 return "priv-admin";
102 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]103 if (role == "ReadOnly")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]104 {
105 return "priv-user";
106 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]107 if (role == "Operator")
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]108 {
109 return "priv-operator";
110 }
Ed Tanous26f69762022-01-25 09:49:11 -0800[diff] [blame]111 if ((role == "NoAccess") || (role.empty()))
jayaprakash Mutyalae9e6d242019-07-29 11:59:08 +0000[diff] [blame]112 {
113 return "priv-noaccess";
114 }
AppaRao Puli84e12cb2018-10-11 01:28:15 +0530[diff] [blame]115 return "";
116}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]117
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]118inline void userErrorMessageHandler(
119 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
120 const std::string& newUser, const std::string& username)
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]121{
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]122 if (e == nullptr)
123 {
124 messages::internalError(asyncResp->res);
125 return;
126 }
127
Manojkiran Eda055806b2020-11-03 09:36:28 +0530[diff] [blame]128 const char* errorMessage = e->name;
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]129 if (strcmp(errorMessage,
130 "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0)
131 {
132 messages::resourceAlreadyExists(asyncResp->res,
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]133 "#ManagerAccount.v1_4_0.ManagerAccount",
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]134 "UserName", newUser);
135 }
136 else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
137 "UserNameDoesNotExist") == 0)
138 {
139 messages::resourceNotFound(
Gunnar Mills8114bd42020-06-11 20:55:21 -0500[diff] [blame]140 asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", username);
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]141 }
Ed Tanousd4d25792020-09-29 15:15:03 -0700[diff] [blame]142 else if ((strcmp(errorMessage,
143 "xyz.openbmc_project.Common.Error.InvalidArgument") ==
144 0) ||
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]145 (strcmp(
146 errorMessage,
147 "xyz.openbmc_project.User.Common.Error.UserNameGroupFail") ==
148 0))
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]149 {
150 messages::propertyValueFormatError(asyncResp->res, newUser, "UserName");
151 }
152 else if (strcmp(errorMessage,
153 "xyz.openbmc_project.User.Common.Error.NoResource") == 0)
154 {
155 messages::createLimitReachedForResource(asyncResp->res);
156 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]157 else
158 {
159 messages::internalError(asyncResp->res);
160 }
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]161}
162
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]163inline void parseLDAPConfigData(nlohmann::json& jsonResponse,
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]164 const LDAPConfigData& confData,
165 const std::string& ldapType)
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]166{
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]167 std::string service =
168 (ldapType == "LDAP") ? "LDAPService" : "ActiveDirectoryService";
Marri Devender Rao37cce912019-02-20 01:05:22 -0600[diff] [blame]169 nlohmann::json ldap = {
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]170 {"ServiceEnabled", confData.serviceEnabled},
171 {"ServiceAddresses", nlohmann::json::array({confData.uri})},
172 {"Authentication",
173 {{"AuthenticationType", "UsernameAndPassword"},
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]174 {"Username", confData.bindDN},
175 {"Password", nullptr}}},
176 {"LDAPService",
177 {{"SearchSettings",
178 {{"BaseDistinguishedNames",
179 nlohmann::json::array({confData.baseDN})},
180 {"UsernameAttribute", confData.userNameAttribute},
181 {"GroupsAttribute", confData.groupAttribute}}}}},
182 };
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]183
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]184 jsonResponse[ldapType].update(ldap);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]185
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]186 nlohmann::json& roleMapArray = jsonResponse[ldapType]["RemoteRoleMapping"];
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]187 roleMapArray = nlohmann::json::array();
188 for (auto& obj : confData.groupRoleList)
189 {
190 BMCWEB_LOG_DEBUG << "Pushing the data groupName="
191 << obj.second.groupName << "\n";
192 roleMapArray.push_back(
193 {nlohmann::json::array({"RemoteGroup", obj.second.groupName}),
194 nlohmann::json::array(
195 {"LocalRole", getRoleIdFromPrivilege(obj.second.privilege)})});
196 }
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]197}
198
199/**
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]200 * @brief validates given JSON input and then calls appropriate method to
201 * create, to delete or to set Rolemapping object based on the given input.
202 *
203 */
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]204inline void handleRoleMapPatch(
zhanghch058d1b46d2021-04-01 11:18:24 +0800[diff] [blame]205 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]206 const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData,
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]207 const std::string& serverType, const std::vector<nlohmann::json>& input)
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]208{
209 for (size_t index = 0; index < input.size(); index++)
210 {
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]211 const nlohmann::json& thisJson = input[index];
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]212
213 if (thisJson.is_null())
214 {
215 // delete the existing object
216 if (index < roleMapObjData.size())
217 {
218 crow::connections::systemBus->async_method_call(
219 [asyncResp, roleMapObjData, serverType,
220 index](const boost::system::error_code ec) {
221 if (ec)
222 {
223 BMCWEB_LOG_ERROR << "DBUS response error: " << ec;
224 messages::internalError(asyncResp->res);
225 return;
226 }
227 asyncResp->res
228 .jsonValue[serverType]["RemoteRoleMapping"][index] =
229 nullptr;
230 },
231 ldapDbusService, roleMapObjData[index].first,
232 "xyz.openbmc_project.Object.Delete", "Delete");
233 }
234 else
235 {
236 BMCWEB_LOG_ERROR << "Can't delete the object";
237 messages::propertyValueTypeError(
Ed Tanous71f52d92021-02-19 08:51:17 -0800[diff] [blame]238 asyncResp->res,
239 thisJson.dump(2, ' ', true,
240 nlohmann::json::error_handler_t::replace),
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]241 "RemoteRoleMapping/" + std::to_string(index));
242 return;
243 }
244 }
245 else if (thisJson.empty())
246 {
247 // Don't do anything for the empty objects,parse next json
248 // eg {"RemoteRoleMapping",[{}]}
249 }
250 else
251 {
252 // update/create the object
253 std::optional<std::string> remoteGroup;
254 std::optional<std::string> localRole;
255
Ed Tanousf23b7292020-10-15 09:41:17 -0700[diff] [blame]256 // This is a copy, but it's required in this case because of how
257 // readJson is structured
258 nlohmann::json thisJsonCopy = thisJson;
259 if (!json_util::readJson(thisJsonCopy, asyncResp->res,
260 "RemoteGroup", remoteGroup, "LocalRole",
261 localRole))
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]262 {
263 continue;
264 }
265
266 // Update existing RoleMapping Object
267 if (index < roleMapObjData.size())
268 {
269 BMCWEB_LOG_DEBUG << "Update Role Map Object";
270 // If "RemoteGroup" info is provided
271 if (remoteGroup)
272 {
273 crow::connections::systemBus->async_method_call(
274 [asyncResp, roleMapObjData, serverType, index,
275 remoteGroup](const boost::system::error_code ec) {
276 if (ec)
277 {
278 BMCWEB_LOG_ERROR << "DBUS response error: "
279 << ec;
280 messages::internalError(asyncResp->res);
281 return;
282 }
283 asyncResp->res
284 .jsonValue[serverType]["RemoteRoleMapping"]
285 [index]["RemoteGroup"] = *remoteGroup;
286 },
287 ldapDbusService, roleMapObjData[index].first,
288 propertyInterface, "Set",
289 "xyz.openbmc_project.User.PrivilegeMapperEntry",
290 "GroupName",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]291 dbus::utility::DbusVariantType(
292 std::move(*remoteGroup)));
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]293 }
294
295 // If "LocalRole" info is provided
296 if (localRole)
297 {
298 crow::connections::systemBus->async_method_call(
299 [asyncResp, roleMapObjData, serverType, index,
300 localRole](const boost::system::error_code ec) {
301 if (ec)
302 {
303 BMCWEB_LOG_ERROR << "DBUS response error: "
304 << ec;
305 messages::internalError(asyncResp->res);
306 return;
307 }
308 asyncResp->res
309 .jsonValue[serverType]["RemoteRoleMapping"]
310 [index]["LocalRole"] = *localRole;
311 },
312 ldapDbusService, roleMapObjData[index].first,
313 propertyInterface, "Set",
314 "xyz.openbmc_project.User.PrivilegeMapperEntry",
315 "Privilege",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]316 dbus::utility::DbusVariantType(
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]317 getPrivilegeFromRoleId(std::move(*localRole))));
318 }
319 }
320 // Create a new RoleMapping Object.
321 else
322 {
323 BMCWEB_LOG_DEBUG
324 << "setRoleMappingProperties: Creating new Object";
325 std::string pathString =
326 "RemoteRoleMapping/" + std::to_string(index);
327
328 if (!localRole)
329 {
330 messages::propertyMissing(asyncResp->res,
331 pathString + "/LocalRole");
332 continue;
333 }
334 if (!remoteGroup)
335 {
336 messages::propertyMissing(asyncResp->res,
337 pathString + "/RemoteGroup");
338 continue;
339 }
340
341 std::string dbusObjectPath;
342 if (serverType == "ActiveDirectory")
343 {
Ed Tanous2c70f802020-09-28 14:29:23 -0700[diff] [blame]344 dbusObjectPath = adConfigObject;
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]345 }
346 else if (serverType == "LDAP")
347 {
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]348 dbusObjectPath = ldapConfigObjectName;
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]349 }
350
351 BMCWEB_LOG_DEBUG << "Remote Group=" << *remoteGroup
352 << ",LocalRole=" << *localRole;
353
354 crow::connections::systemBus->async_method_call(
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]355 [asyncResp, serverType, localRole,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]356 remoteGroup](const boost::system::error_code ec) {
357 if (ec)
358 {
359 BMCWEB_LOG_ERROR << "DBUS response error: " << ec;
360 messages::internalError(asyncResp->res);
361 return;
362 }
363 nlohmann::json& remoteRoleJson =
364 asyncResp->res
365 .jsonValue[serverType]["RemoteRoleMapping"];
366 remoteRoleJson.push_back(
367 {{"LocalRole", *localRole},
368 {"RemoteGroup", *remoteGroup}});
369 },
370 ldapDbusService, dbusObjectPath, ldapPrivMapperInterface,
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]371 "Create", *remoteGroup,
Ratan Gupta06785242019-07-26 22:30:16 +0530[diff] [blame]372 getPrivilegeFromRoleId(std::move(*localRole)));
373 }
374 }
375 }
376}
377
378/**
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]379 * Function that retrieves all properties for LDAP config object
380 * into JSON
381 */
382template <typename CallbackFunc>
383inline void getLDAPConfigData(const std::string& ldapType,
384 CallbackFunc&& callback)
385{
Ratan Guptaab828d72019-04-22 14:18:33 +0530[diff] [blame]386
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]387 const std::array<const char*, 2> interfaces = {ldapEnableInterface,
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]388 ldapConfigInterface};
389
390 crow::connections::systemBus->async_method_call(
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]391 [callback, ldapType](const boost::system::error_code ec,
392 const GetObjectType& resp) {
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]393 if (ec || resp.empty())
394 {
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]395 BMCWEB_LOG_ERROR
396 << "DBUS response error during getting of service name: "
397 << ec;
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]398 LDAPConfigData empty{};
399 callback(false, empty, ldapType);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]400 return;
401 }
402 std::string service = resp.begin()->first;
403 crow::connections::systemBus->async_method_call(
Ed Tanous711ac7a2021-12-20 09:34:41 -0800[diff] [blame]404 [callback, ldapType](
405 const boost::system::error_code errorCode,
406 const dbus::utility::ManagedObjectType& ldapObjects) {
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]407 LDAPConfigData confData{};
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]408 if (errorCode)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]409 {
410 callback(false, confData, ldapType);
411 BMCWEB_LOG_ERROR << "D-Bus responses error: "
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]412 << errorCode;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]413 return;
414 }
415
416 std::string ldapDbusType;
417 std::string searchString;
418
419 if (ldapType == "LDAP")
420 {
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]421 ldapDbusType =
422 "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap";
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]423 searchString = "openldap";
424 }
425 else if (ldapType == "ActiveDirectory")
426 {
427 ldapDbusType =
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]428 "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory";
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]429 searchString = "active_directory";
430 }
431 else
432 {
433 BMCWEB_LOG_ERROR
434 << "Can't get the DbusType for the given type="
435 << ldapType;
436 callback(false, confData, ldapType);
437 return;
438 }
439
440 std::string ldapEnableInterfaceStr = ldapEnableInterface;
441 std::string ldapConfigInterfaceStr = ldapConfigInterface;
442
443 for (const auto& object : ldapObjects)
444 {
445 // let's find the object whose ldap type is equal to the
446 // given type
447 if (object.first.str.find(searchString) ==
448 std::string::npos)
449 {
450 continue;
451 }
452
453 for (const auto& interface : object.second)
454 {
455 if (interface.first == ldapEnableInterfaceStr)
456 {
457 // rest of the properties are string.
458 for (const auto& property : interface.second)
459 {
460 if (property.first == "Enabled")
461 {
462 const bool* value =
463 std::get_if<bool>(&property.second);
464 if (value == nullptr)
465 {
466 continue;
467 }
468 confData.serviceEnabled = *value;
469 break;
470 }
471 }
472 }
473 else if (interface.first == ldapConfigInterfaceStr)
474 {
475
476 for (const auto& property : interface.second)
477 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]478 const std::string* strValue =
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]479 std::get_if<std::string>(
480 &property.second);
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]481 if (strValue == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]482 {
483 continue;
484 }
485 if (property.first == "LDAPServerURI")
486 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]487 confData.uri = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]488 }
489 else if (property.first == "LDAPBindDN")
490 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]491 confData.bindDN = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]492 }
493 else if (property.first == "LDAPBaseDN")
494 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]495 confData.baseDN = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]496 }
497 else if (property.first ==
498 "LDAPSearchScope")
499 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]500 confData.searchScope = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]501 }
502 else if (property.first ==
503 "GroupNameAttribute")
504 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]505 confData.groupAttribute = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]506 }
507 else if (property.first ==
508 "UserNameAttribute")
509 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]510 confData.userNameAttribute = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]511 }
512 else if (property.first == "LDAPType")
513 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]514 confData.serverType = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]515 }
516 }
517 }
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]518 else if (
519 interface.first ==
520 "xyz.openbmc_project.User.PrivilegeMapperEntry")
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]521 {
522 LDAPRoleMapData roleMapData{};
523 for (const auto& property : interface.second)
524 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]525 const std::string* strValue =
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]526 std::get_if<std::string>(
527 &property.second);
528
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]529 if (strValue == nullptr)
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]530 {
531 continue;
532 }
533
534 if (property.first == "GroupName")
535 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]536 roleMapData.groupName = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]537 }
538 else if (property.first == "Privilege")
539 {
Ed Tanous271584a2019-07-09 16:24:22 -0700[diff] [blame]540 roleMapData.privilege = *strValue;
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]541 }
542 }
543
Ed Tanous0f0353b2019-10-24 11:37:51 -0700[diff] [blame]544 confData.groupRoleList.emplace_back(
545 object.first.str, roleMapData);
Nagaraju Goruganti54fc5872019-01-30 05:11:00 -0600[diff] [blame]546 }
547 }
548 }
549 callback(true, confData, ldapType);
550 },
551 service, ldapRootObject, dbusObjManagerIntf,
552 "GetManagedObjects");
553 },
554 mapperBusName, mapperObjectPath, mapperIntf, "GetObject",
Ed Tanous23a21a12020-07-25 04:45:05 +0000[diff] [blame]555 ldapConfigObjectName, interfaces);
Ratan Gupta6973a582018-12-13 18:25:44 +0530[diff] [blame]556}
557
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]558/**
559 * @brief parses the authentication section under the LDAP
560 * @param input JSON data
561 * @param asyncResp pointer to the JSON response
562 * @param userName userName to be filled from the given JSON.
563 * @param password password to be filled from the given JSON.
564 */
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]565inline void parseLDAPAuthenticationJson(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]566 nlohmann::json input, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
567 std::optional<std::string>& username, std::optional<std::string>& password)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]568{
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]569 std::optional<std::string> authType;
570
571 if (!json_util::readJson(input, asyncResp->res, "AuthenticationType",
572 authType, "Username", username, "Password",
573 password))
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]574 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]575 return;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]576 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]577 if (!authType)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]578 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]579 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]580 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]581 if (*authType != "UsernameAndPassword")
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]582 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]583 messages::propertyValueNotInList(asyncResp->res, *authType,
584 "AuthenticationType");
585 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]586 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]587}
588/**
589 * @brief parses the LDAPService section under the LDAP
590 * @param input JSON data
591 * @param asyncResp pointer to the JSON response
592 * @param baseDNList baseDN to be filled from the given JSON.
593 * @param userNameAttribute userName to be filled from the given JSON.
594 * @param groupaAttribute password to be filled from the given JSON.
595 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]596
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]597inline void
598 parseLDAPServiceJson(nlohmann::json input,
599 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
600 std::optional<std::vector<std::string>>& baseDNList,
601 std::optional<std::string>& userNameAttribute,
602 std::optional<std::string>& groupsAttribute)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]603{
604 std::optional<nlohmann::json> searchSettings;
605
606 if (!json_util::readJson(input, asyncResp->res, "SearchSettings",
607 searchSettings))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]608 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]609 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]610 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]611 if (!searchSettings)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]612 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]613 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]614 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]615 if (!json_util::readJson(*searchSettings, asyncResp->res,
616 "BaseDistinguishedNames", baseDNList,
617 "UsernameAttribute", userNameAttribute,
618 "GroupsAttribute", groupsAttribute))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]619 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]620 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]621 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]622}
623/**
624 * @brief updates the LDAP server address and updates the
625 json response with the new value.
626 * @param serviceAddressList address to be updated.
627 * @param asyncResp pointer to the JSON response
628 * @param ldapServerElementName Type of LDAP
629 server(openLDAP/ActiveDirectory)
630 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]631
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]632inline void handleServiceAddressPatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]633 const std::vector<std::string>& serviceAddressList,
634 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
635 const std::string& ldapServerElementName,
636 const std::string& ldapConfigObject)
637{
638 crow::connections::systemBus->async_method_call(
639 [asyncResp, ldapServerElementName,
640 serviceAddressList](const boost::system::error_code ec) {
641 if (ec)
642 {
643 BMCWEB_LOG_DEBUG
644 << "Error Occurred in updating the service address";
645 messages::internalError(asyncResp->res);
646 return;
647 }
648 std::vector<std::string> modifiedserviceAddressList = {
649 serviceAddressList.front()};
650 asyncResp->res
651 .jsonValue[ldapServerElementName]["ServiceAddresses"] =
652 modifiedserviceAddressList;
653 if ((serviceAddressList).size() > 1)
654 {
655 messages::propertyValueModified(asyncResp->res,
656 "ServiceAddresses",
657 serviceAddressList.front());
658 }
659 BMCWEB_LOG_DEBUG << "Updated the service address";
660 },
661 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
662 ldapConfigInterface, "LDAPServerURI",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]663 dbus::utility::DbusVariantType(serviceAddressList.front()));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]664}
665/**
666 * @brief updates the LDAP Bind DN and updates the
667 json response with the new value.
668 * @param username name of the user which needs to be updated.
669 * @param asyncResp pointer to the JSON response
670 * @param ldapServerElementName Type of LDAP
671 server(openLDAP/ActiveDirectory)
672 */
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]673
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]674inline void
675 handleUserNamePatch(const std::string& username,
676 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
677 const std::string& ldapServerElementName,
678 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]679{
680 crow::connections::systemBus->async_method_call(
681 [asyncResp, username,
682 ldapServerElementName](const boost::system::error_code ec) {
683 if (ec)
684 {
685 BMCWEB_LOG_DEBUG << "Error occurred in updating the username";
686 messages::internalError(asyncResp->res);
687 return;
688 }
689 asyncResp->res.jsonValue[ldapServerElementName]["Authentication"]
690 ["Username"] = username;
691 BMCWEB_LOG_DEBUG << "Updated the username";
692 },
693 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]694 ldapConfigInterface, "LDAPBindDN",
695 dbus::utility::DbusVariantType(username));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]696}
697
698/**
699 * @brief updates the LDAP password
700 * @param password : ldap password which needs to be updated.
701 * @param asyncResp pointer to the JSON response
702 * @param ldapServerElementName Type of LDAP
703 * server(openLDAP/ActiveDirectory)
704 */
705
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]706inline void
707 handlePasswordPatch(const std::string& password,
708 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
709 const std::string& ldapServerElementName,
710 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]711{
712 crow::connections::systemBus->async_method_call(
713 [asyncResp, password,
714 ldapServerElementName](const boost::system::error_code ec) {
715 if (ec)
716 {
717 BMCWEB_LOG_DEBUG << "Error occurred in updating the password";
718 messages::internalError(asyncResp->res);
719 return;
720 }
721 asyncResp->res.jsonValue[ldapServerElementName]["Authentication"]
722 ["Password"] = "";
723 BMCWEB_LOG_DEBUG << "Updated the password";
724 },
725 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
726 ldapConfigInterface, "LDAPBindDNPassword",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]727 dbus::utility::DbusVariantType(password));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]728}
729
730/**
731 * @brief updates the LDAP BaseDN and updates the
732 json response with the new value.
733 * @param baseDNList baseDN list which needs to be updated.
734 * @param asyncResp pointer to the JSON response
735 * @param ldapServerElementName Type of LDAP
736 server(openLDAP/ActiveDirectory)
737 */
738
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]739inline void
740 handleBaseDNPatch(const std::vector<std::string>& baseDNList,
741 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
742 const std::string& ldapServerElementName,
743 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]744{
745 crow::connections::systemBus->async_method_call(
746 [asyncResp, baseDNList,
747 ldapServerElementName](const boost::system::error_code ec) {
748 if (ec)
749 {
750 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the base DN";
751 messages::internalError(asyncResp->res);
752 return;
753 }
754 auto& serverTypeJson =
755 asyncResp->res.jsonValue[ldapServerElementName];
756 auto& searchSettingsJson =
757 serverTypeJson["LDAPService"]["SearchSettings"];
758 std::vector<std::string> modifiedBaseDNList = {baseDNList.front()};
759 searchSettingsJson["BaseDistinguishedNames"] = modifiedBaseDNList;
760 if (baseDNList.size() > 1)
761 {
762 messages::propertyValueModified(asyncResp->res,
763 "BaseDistinguishedNames",
764 baseDNList.front());
765 }
766 BMCWEB_LOG_DEBUG << "Updated the base DN";
767 },
768 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
769 ldapConfigInterface, "LDAPBaseDN",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]770 dbus::utility::DbusVariantType(baseDNList.front()));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]771}
772/**
773 * @brief updates the LDAP user name attribute and updates the
774 json response with the new value.
775 * @param userNameAttribute attribute to be updated.
776 * @param asyncResp pointer to the JSON response
777 * @param ldapServerElementName Type of LDAP
778 server(openLDAP/ActiveDirectory)
779 */
780
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]781inline void
782 handleUserNameAttrPatch(const std::string& userNameAttribute,
783 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
784 const std::string& ldapServerElementName,
785 const std::string& ldapConfigObject)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]786{
787 crow::connections::systemBus->async_method_call(
788 [asyncResp, userNameAttribute,
789 ldapServerElementName](const boost::system::error_code ec) {
790 if (ec)
791 {
792 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the "
793 "username attribute";
794 messages::internalError(asyncResp->res);
795 return;
796 }
797 auto& serverTypeJson =
798 asyncResp->res.jsonValue[ldapServerElementName];
799 auto& searchSettingsJson =
800 serverTypeJson["LDAPService"]["SearchSettings"];
801 searchSettingsJson["UsernameAttribute"] = userNameAttribute;
802 BMCWEB_LOG_DEBUG << "Updated the user name attr.";
803 },
804 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
805 ldapConfigInterface, "UserNameAttribute",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]806 dbus::utility::DbusVariantType(userNameAttribute));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]807}
808/**
809 * @brief updates the LDAP group attribute and updates the
810 json response with the new value.
811 * @param groupsAttribute attribute to be updated.
812 * @param asyncResp pointer to the JSON response
813 * @param ldapServerElementName Type of LDAP
814 server(openLDAP/ActiveDirectory)
815 */
816
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]817inline void handleGroupNameAttrPatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]818 const std::string& groupsAttribute,
819 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
820 const std::string& ldapServerElementName,
821 const std::string& ldapConfigObject)
822{
823 crow::connections::systemBus->async_method_call(
824 [asyncResp, groupsAttribute,
825 ldapServerElementName](const boost::system::error_code ec) {
826 if (ec)
827 {
828 BMCWEB_LOG_DEBUG << "Error Occurred in Updating the "
829 "groupname attribute";
830 messages::internalError(asyncResp->res);
831 return;
832 }
833 auto& serverTypeJson =
834 asyncResp->res.jsonValue[ldapServerElementName];
835 auto& searchSettingsJson =
836 serverTypeJson["LDAPService"]["SearchSettings"];
837 searchSettingsJson["GroupsAttribute"] = groupsAttribute;
838 BMCWEB_LOG_DEBUG << "Updated the groupname attr";
839 },
840 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
841 ldapConfigInterface, "GroupNameAttribute",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]842 dbus::utility::DbusVariantType(groupsAttribute));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]843}
844/**
845 * @brief updates the LDAP service enable and updates the
846 json response with the new value.
847 * @param input JSON data.
848 * @param asyncResp pointer to the JSON response
849 * @param ldapServerElementName Type of LDAP
850 server(openLDAP/ActiveDirectory)
851 */
852
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]853inline void handleServiceEnablePatch(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]854 bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
855 const std::string& ldapServerElementName,
856 const std::string& ldapConfigObject)
857{
858 crow::connections::systemBus->async_method_call(
859 [asyncResp, serviceEnabled,
860 ldapServerElementName](const boost::system::error_code ec) {
861 if (ec)
862 {
863 BMCWEB_LOG_DEBUG
864 << "Error Occurred in Updating the service enable";
865 messages::internalError(asyncResp->res);
866 return;
867 }
868 asyncResp->res.jsonValue[ldapServerElementName]["ServiceEnabled"] =
869 serviceEnabled;
870 BMCWEB_LOG_DEBUG << "Updated Service enable = " << serviceEnabled;
871 },
872 ldapDbusService, ldapConfigObject, propertyInterface, "Set",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]873 ldapEnableInterface, "Enabled",
874 dbus::utility::DbusVariantType(serviceEnabled));
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]875}
876
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]877inline void
878 handleAuthMethodsPatch(nlohmann::json& input,
879 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]880{
881 std::optional<bool> basicAuth;
882 std::optional<bool> cookie;
883 std::optional<bool> sessionToken;
884 std::optional<bool> xToken;
885 std::optional<bool> tls;
886
887 if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth,
888 "Cookie", cookie, "SessionToken", sessionToken,
889 "XToken", xToken, "TLS", tls))
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]890 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]891 BMCWEB_LOG_ERROR << "Cannot read values from AuthMethod tag";
892 return;
893 }
894
895 // Make a copy of methods configuration
896 persistent_data::AuthConfigMethods authMethodsConfig =
897 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
898
899 if (basicAuth)
900 {
901#ifndef BMCWEB_ENABLE_BASIC_AUTHENTICATION
902 messages::actionNotSupported(
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]903 asyncResp->res,
904 "Setting BasicAuth when basic-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]905 return;
906#endif
907 authMethodsConfig.basic = *basicAuth;
908 }
909
910 if (cookie)
911 {
912#ifndef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]913 messages::actionNotSupported(
914 asyncResp->res,
915 "Setting Cookie when cookie-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]916 return;
917#endif
918 authMethodsConfig.cookie = *cookie;
919 }
920
921 if (sessionToken)
922 {
923#ifndef BMCWEB_ENABLE_SESSION_AUTHENTICATION
924 messages::actionNotSupported(
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]925 asyncResp->res,
926 "Setting SessionToken when session-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]927 return;
928#endif
929 authMethodsConfig.sessionToken = *sessionToken;
930 }
931
932 if (xToken)
933 {
934#ifndef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]935 messages::actionNotSupported(
936 asyncResp->res,
937 "Setting XToken when xtoken-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]938 return;
939#endif
940 authMethodsConfig.xtoken = *xToken;
941 }
942
943 if (tls)
944 {
945#ifndef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]946 messages::actionNotSupported(
947 asyncResp->res,
948 "Setting TLS when mutual-tls-auth feature is disabled");
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]949 return;
950#endif
951 authMethodsConfig.tls = *tls;
952 }
953
954 if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
955 !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
956 !authMethodsConfig.tls)
957 {
958 // Do not allow user to disable everything
959 messages::actionNotSupported(asyncResp->res,
960 "of disabling all available methods");
961 return;
962 }
963
964 persistent_data::SessionStore::getInstance().updateAuthMethodsConfig(
965 authMethodsConfig);
966 // Save configuration immediately
967 persistent_data::getConfig().writeData();
968
969 messages::success(asyncResp->res);
970}
971
972/**
973 * @brief Get the required values from the given JSON, validates the
974 * value and create the LDAP config object.
975 * @param input JSON data
976 * @param asyncResp pointer to the JSON response
977 * @param serverType Type of LDAP server(openLDAP/ActiveDirectory)
978 */
979
980inline void handleLDAPPatch(nlohmann::json& input,
981 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
982 const std::string& serverType)
983{
984 std::string dbusObjectPath;
985 if (serverType == "ActiveDirectory")
986 {
987 dbusObjectPath = adConfigObject;
988 }
989 else if (serverType == "LDAP")
990 {
991 dbusObjectPath = ldapConfigObjectName;
992 }
993 else
994 {
995 return;
996 }
997
998 std::optional<nlohmann::json> authentication;
999 std::optional<nlohmann::json> ldapService;
1000 std::optional<std::vector<std::string>> serviceAddressList;
1001 std::optional<bool> serviceEnabled;
1002 std::optional<std::vector<std::string>> baseDNList;
1003 std::optional<std::string> userNameAttribute;
1004 std::optional<std::string> groupsAttribute;
1005 std::optional<std::string> userName;
1006 std::optional<std::string> password;
1007 std::optional<std::vector<nlohmann::json>> remoteRoleMapData;
1008
1009 if (!json_util::readJson(input, asyncResp->res, "Authentication",
1010 authentication, "LDAPService", ldapService,
1011 "ServiceAddresses", serviceAddressList,
1012 "ServiceEnabled", serviceEnabled,
1013 "RemoteRoleMapping", remoteRoleMapData))
1014 {
1015 return;
1016 }
1017
1018 if (authentication)
1019 {
1020 parseLDAPAuthenticationJson(*authentication, asyncResp, userName,
1021 password);
1022 }
1023 if (ldapService)
1024 {
1025 parseLDAPServiceJson(*ldapService, asyncResp, baseDNList,
1026 userNameAttribute, groupsAttribute);
1027 }
1028 if (serviceAddressList)
1029 {
Ed Tanous26f69762022-01-25 09:49:11 -0800[diff] [blame]1030 if (serviceAddressList->empty())
Ratan Guptaeb2bbe52019-04-22 14:27:01 +0530[diff] [blame]1031 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1032 messages::propertyValueNotInList(asyncResp->res, "[]",
1033 "ServiceAddress");
Ed Tanouscb13a392020-07-25 19:02:03 +0000[diff] [blame]1034 return;
1035 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1036 }
1037 if (baseDNList)
1038 {
Ed Tanous26f69762022-01-25 09:49:11 -0800[diff] [blame]1039 if (baseDNList->empty())
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1040 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1041 messages::propertyValueNotInList(asyncResp->res, "[]",
1042 "BaseDistinguishedNames");
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1043 return;
1044 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1045 }
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1046
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1047 // nothing to update, then return
1048 if (!userName && !password && !serviceAddressList && !baseDNList &&
1049 !userNameAttribute && !groupsAttribute && !serviceEnabled &&
1050 !remoteRoleMapData)
1051 {
1052 return;
1053 }
1054
1055 // Get the existing resource first then keep modifying
1056 // whenever any property gets updated.
1057 getLDAPConfigData(serverType, [asyncResp, userName, password, baseDNList,
1058 userNameAttribute, groupsAttribute,
1059 serviceAddressList, serviceEnabled,
1060 dbusObjectPath, remoteRoleMapData](
1061 bool success,
1062 const LDAPConfigData& confData,
1063 const std::string& serverT) {
1064 if (!success)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1065 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1066 messages::internalError(asyncResp->res);
1067 return;
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1068 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1069 parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT);
1070 if (confData.serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1071 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1072 // Disable the service first and update the rest of
1073 // the properties.
1074 handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1075 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1076
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1077 if (serviceAddressList)
1078 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1079 handleServiceAddressPatch(*serviceAddressList, asyncResp, serverT,
1080 dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1081 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1082 if (userName)
1083 {
1084 handleUserNamePatch(*userName, asyncResp, serverT, dbusObjectPath);
1085 }
1086 if (password)
1087 {
1088 handlePasswordPatch(*password, asyncResp, serverT, dbusObjectPath);
1089 }
1090
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1091 if (baseDNList)
1092 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1093 handleBaseDNPatch(*baseDNList, asyncResp, serverT, dbusObjectPath);
1094 }
1095 if (userNameAttribute)
1096 {
1097 handleUserNameAttrPatch(*userNameAttribute, asyncResp, serverT,
1098 dbusObjectPath);
1099 }
1100 if (groupsAttribute)
1101 {
1102 handleGroupNameAttrPatch(*groupsAttribute, asyncResp, serverT,
1103 dbusObjectPath);
1104 }
1105 if (serviceEnabled)
1106 {
1107 // if user has given the value as true then enable
1108 // the service. if user has given false then no-op
1109 // as service is already stopped.
1110 if (*serviceEnabled)
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1111 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1112 handleServiceEnablePatch(*serviceEnabled, asyncResp, serverT,
1113 dbusObjectPath);
Ratan Gupta8a07d282019-03-16 08:33:47 +0530[diff] [blame]1114 }
1115 }
jayaprakash Mutyala96200602020-04-08 11:09:10 +0000[diff] [blame]1116 else
1117 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1118 // if user has not given the service enabled value
1119 // then revert it to the same state as it was
1120 // before.
1121 handleServiceEnablePatch(confData.serviceEnabled, asyncResp,
1122 serverT, dbusObjectPath);
jayaprakash Mutyala96200602020-04-08 11:09:10 +0000[diff] [blame]1123 }
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1124
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1125 if (remoteRoleMapData)
1126 {
1127 handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT,
1128 *remoteRoleMapData);
1129 }
1130 });
1131}
1132
1133inline void updateUserProperties(std::shared_ptr<bmcweb::AsyncResp> asyncResp,
1134 const std::string& username,
1135 std::optional<std::string> password,
1136 std::optional<bool> enabled,
1137 std::optional<std::string> roleId,
1138 std::optional<bool> locked)
1139{
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +0530[diff] [blame]1140 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1141 tempObjPath /= username;
1142 std::string dbusObjectPath(tempObjPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1143
1144 dbus::utility::checkDbusPathExists(
1145 dbusObjectPath,
Ed Tanous11063332021-09-24 11:55:44 -0700[diff] [blame]1146 [dbusObjectPath, username, password(std::move(password)),
1147 roleId(std::move(roleId)), enabled, locked,
1148 asyncResp{std::move(asyncResp)}](int rc) {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1149 if (!rc)
1150 {
1151 messages::resourceNotFound(
1152 asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
1153 username);
1154 return;
1155 }
1156
1157 if (password)
1158 {
1159 int retval = pamUpdatePassword(username, *password);
1160
1161 if (retval == PAM_USER_UNKNOWN)
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1162 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1163 messages::resourceNotFound(
1164 asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
1165 username);
1166 }
1167 else if (retval == PAM_AUTHTOK_ERR)
1168 {
1169 // If password is invalid
1170 messages::propertyValueFormatError(asyncResp->res,
1171 *password, "Password");
1172 BMCWEB_LOG_ERROR << "pamUpdatePassword Failed";
1173 }
1174 else if (retval != PAM_SUCCESS)
1175 {
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1176 messages::internalError(asyncResp->res);
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1177 return;
1178 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1179 }
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1180
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1181 if (enabled)
1182 {
1183 crow::connections::systemBus->async_method_call(
1184 [asyncResp](const boost::system::error_code ec) {
1185 if (ec)
1186 {
1187 BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec;
1188 messages::internalError(asyncResp->res);
1189 return;
1190 }
1191 messages::success(asyncResp->res);
1192 return;
1193 },
1194 "xyz.openbmc_project.User.Manager", dbusObjectPath.c_str(),
1195 "org.freedesktop.DBus.Properties", "Set",
1196 "xyz.openbmc_project.User.Attributes", "UserEnabled",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1197 dbus::utility::DbusVariantType{*enabled});
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1198 }
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1199
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1200 if (roleId)
1201 {
1202 std::string priv = getPrivilegeFromRoleId(*roleId);
1203 if (priv.empty())
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1204 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1205 messages::propertyValueNotInList(asyncResp->res, *roleId,
1206 "RoleId");
1207 return;
1208 }
1209 if (priv == "priv-noaccess")
1210 {
1211 priv = "";
1212 }
1213
1214 crow::connections::systemBus->async_method_call(
1215 [asyncResp](const boost::system::error_code ec) {
1216 if (ec)
1217 {
1218 BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec;
1219 messages::internalError(asyncResp->res);
1220 return;
1221 }
1222 messages::success(asyncResp->res);
1223 },
1224 "xyz.openbmc_project.User.Manager", dbusObjectPath.c_str(),
1225 "org.freedesktop.DBus.Properties", "Set",
1226 "xyz.openbmc_project.User.Attributes", "UserPrivilege",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1227 dbus::utility::DbusVariantType{priv});
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1228 }
1229
1230 if (locked)
1231 {
1232 // admin can unlock the account which is locked by
1233 // successive authentication failures but admin should
1234 // not be allowed to lock an account.
1235 if (*locked)
1236 {
1237 messages::propertyValueNotInList(asyncResp->res, "true",
1238 "Locked");
Ed Tanous04ae99e2018-09-20 15:54:36 -0700[diff] [blame]1239 return;
1240 }
1241
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1242 crow::connections::systemBus->async_method_call(
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1243 [asyncResp](const boost::system::error_code ec) {
1244 if (ec)
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1245 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1246 BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec;
1247 messages::internalError(asyncResp->res);
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1248 return;
1249 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1250 messages::success(asyncResp->res);
1251 return;
Ayushi Smriti599c71d2019-08-23 17:43:18 +0000[diff] [blame]1252 },
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1253 "xyz.openbmc_project.User.Manager", dbusObjectPath.c_str(),
1254 "org.freedesktop.DBus.Properties", "Set",
1255 "xyz.openbmc_project.User.Attributes",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1256 "UserLockedForFailedAttempt",
1257 dbus::utility::DbusVariantType{*locked});
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1258 }
1259 });
1260}
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1261
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1262inline void requestAccountServiceRoutes(App& app)
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1263{
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1264
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1265 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]1266 .privileges(redfish::privileges::getAccountService)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1267 .methods(
Abhishek Patel72048782021-06-02 09:53:24 -0500[diff] [blame]1268 boost::beast::http::verb::get)([](const crow::Request& req,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1269 const std::shared_ptr<
1270 bmcweb::AsyncResp>& asyncResp)
1271 -> void {
1272 const persistent_data::AuthConfigMethods& authMethodsConfig =
1273 persistent_data::SessionStore::getInstance()
1274 .getAuthMethodsConfig();
Ed Tanousb9b2e0b2018-09-13 13:47:50 -0700[diff] [blame]1275
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1276 asyncResp->res.jsonValue = {
1277 {"@odata.id", "/redfish/v1/AccountService"},
1278 {"@odata.type", "#AccountService."
1279 "v1_5_0.AccountService"},
1280 {"Id", "AccountService"},
1281 {"Name", "Account Service"},
1282 {"Description", "Account Service"},
1283 {"ServiceEnabled", true},
1284 {"MaxPasswordLength", 20},
1285 {"Accounts",
1286 {{"@odata.id", "/redfish/v1/AccountService/Accounts"}}},
1287 {"Roles", {{"@odata.id", "/redfish/v1/AccountService/Roles"}}},
1288 {"Oem",
1289 {{"OpenBMC",
1290 {{"@odata.type", "#OemAccountService.v1_0_0.AccountService"},
Ed Tanousd8e3c292021-09-21 18:01:43 -0700[diff] [blame]1291 {"@odata.id", "/redfish/v1/AccountService#/Oem/OpenBMC"},
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1292 {"AuthMethods",
1293 {
1294 {"BasicAuth", authMethodsConfig.basic},
1295 {"SessionToken", authMethodsConfig.sessionToken},
1296 {"XToken", authMethodsConfig.xtoken},
1297 {"Cookie", authMethodsConfig.cookie},
1298 {"TLS", authMethodsConfig.tls},
Abhishek Patel72048782021-06-02 09:53:24 -0500[diff] [blame]1299 }}}}}}};
1300 // /redfish/v1/AccountService/LDAP/Certificates is something only
1301 // ConfigureManager can access then only display when the user has
1302 // permissions ConfigureManager
1303 Privileges effectiveUserPrivileges =
1304 redfish::getUserPrivileges(req.userRole);
1305
1306 if (isOperationAllowedWithPrivileges({{"ConfigureManager"}},
1307 effectiveUserPrivileges))
1308 {
1309 asyncResp->res.jsonValue["LDAP"] = {
1310 {"Certificates",
1311 {{"@odata.id",
1312 "/redfish/v1/AccountService/LDAP/Certificates"}}}};
1313 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1314 crow::connections::systemBus->async_method_call(
1315 [asyncResp](
1316 const boost::system::error_code ec,
1317 const std::vector<
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1318 std::pair<std::string, dbus::utility::DbusVariantType>>&
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1319 propertiesList) {
1320 if (ec)
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]1321 {
1322 messages::internalError(asyncResp->res);
1323 return;
1324 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1325 BMCWEB_LOG_DEBUG << "Got " << propertiesList.size()
1326 << "properties for AccountService";
1327 for (const std::pair<std::string,
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1328 dbus::utility::DbusVariantType>&
1329 property : propertiesList)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1330 {
1331 if (property.first == "MinPasswordLength")
1332 {
1333 const uint8_t* value =
1334 std::get_if<uint8_t>(&property.second);
1335 if (value != nullptr)
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1336 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1337 asyncResp->res.jsonValue["MinPasswordLength"] =
1338 *value;
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1339 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1340 }
1341 if (property.first == "AccountUnlockTimeout")
1342 {
1343 const uint32_t* value =
1344 std::get_if<uint32_t>(&property.second);
1345 if (value != nullptr)
1346 {
1347 asyncResp->res
1348 .jsonValue["AccountLockoutDuration"] =
1349 *value;
1350 }
1351 }
1352 if (property.first == "MaxLoginAttemptBeforeLockout")
1353 {
1354 const uint16_t* value =
1355 std::get_if<uint16_t>(&property.second);
1356 if (value != nullptr)
1357 {
1358 asyncResp->res
1359 .jsonValue["AccountLockoutThreshold"] =
1360 *value;
1361 }
1362 }
1363 }
1364 },
1365 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1366 "org.freedesktop.DBus.Properties", "GetAll",
1367 "xyz.openbmc_project.User.AccountPolicy");
1368
1369 auto callback = [asyncResp](bool success, LDAPConfigData& confData,
1370 const std::string& ldapType) {
1371 if (!success)
1372 {
1373 return;
1374 }
1375 parseLDAPConfigData(asyncResp->res.jsonValue, confData,
1376 ldapType);
1377 };
1378
1379 getLDAPConfigData("LDAP", callback);
1380 getLDAPConfigData("ActiveDirectory", callback);
1381 });
1382
Ed Tanousf5ffd802021-07-19 10:55:33 -0700[diff] [blame]1383 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
Gunnar Mills1ec43ee2022-01-04 15:39:52 -0600[diff] [blame]1384 .privileges(redfish::privileges::patchAccountService)
Ed Tanousf5ffd802021-07-19 10:55:33 -0700[diff] [blame]1385 .methods(boost::beast::http::verb::patch)(
1386 [](const crow::Request& req,
1387 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) -> void {
1388 std::optional<uint32_t> unlockTimeout;
1389 std::optional<uint16_t> lockoutThreshold;
1390 std::optional<uint16_t> minPasswordLength;
1391 std::optional<uint16_t> maxPasswordLength;
1392 std::optional<nlohmann::json> ldapObject;
1393 std::optional<nlohmann::json> activeDirectoryObject;
1394 std::optional<nlohmann::json> oemObject;
1395
1396 if (!json_util::readJson(
1397 req, asyncResp->res, "AccountLockoutDuration",
1398 unlockTimeout, "AccountLockoutThreshold",
1399 lockoutThreshold, "MaxPasswordLength",
1400 maxPasswordLength, "MinPasswordLength",
1401 minPasswordLength, "LDAP", ldapObject,
1402 "ActiveDirectory", activeDirectoryObject, "Oem",
1403 oemObject))
1404 {
1405 return;
1406 }
1407
1408 if (minPasswordLength)
1409 {
1410 messages::propertyNotWritable(asyncResp->res,
1411 "MinPasswordLength");
1412 }
1413
1414 if (maxPasswordLength)
1415 {
1416 messages::propertyNotWritable(asyncResp->res,
1417 "MaxPasswordLength");
1418 }
1419
1420 if (ldapObject)
1421 {
1422 handleLDAPPatch(*ldapObject, asyncResp, "LDAP");
1423 }
1424
1425 if (std::optional<nlohmann::json> oemOpenBMCObject;
1426 oemObject &&
1427 json_util::readJson(*oemObject, asyncResp->res, "OpenBMC",
1428 oemOpenBMCObject))
1429 {
1430 if (std::optional<nlohmann::json> authMethodsObject;
1431 oemOpenBMCObject &&
1432 json_util::readJson(*oemOpenBMCObject, asyncResp->res,
1433 "AuthMethods", authMethodsObject))
1434 {
1435 if (authMethodsObject)
1436 {
1437 handleAuthMethodsPatch(*authMethodsObject,
1438 asyncResp);
1439 }
1440 }
1441 }
1442
1443 if (activeDirectoryObject)
1444 {
1445 handleLDAPPatch(*activeDirectoryObject, asyncResp,
1446 "ActiveDirectory");
1447 }
1448
1449 if (unlockTimeout)
1450 {
1451 crow::connections::systemBus->async_method_call(
1452 [asyncResp](const boost::system::error_code ec) {
1453 if (ec)
1454 {
1455 messages::internalError(asyncResp->res);
1456 return;
1457 }
1458 messages::success(asyncResp->res);
1459 },
1460 "xyz.openbmc_project.User.Manager",
1461 "/xyz/openbmc_project/user",
1462 "org.freedesktop.DBus.Properties", "Set",
1463 "xyz.openbmc_project.User.AccountPolicy",
1464 "AccountUnlockTimeout",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1465 dbus::utility::DbusVariantType(*unlockTimeout));
Ed Tanousf5ffd802021-07-19 10:55:33 -0700[diff] [blame]1466 }
1467 if (lockoutThreshold)
1468 {
1469 crow::connections::systemBus->async_method_call(
1470 [asyncResp](const boost::system::error_code ec) {
1471 if (ec)
1472 {
1473 messages::internalError(asyncResp->res);
1474 return;
1475 }
1476 messages::success(asyncResp->res);
1477 },
1478 "xyz.openbmc_project.User.Manager",
1479 "/xyz/openbmc_project/user",
1480 "org.freedesktop.DBus.Properties", "Set",
1481 "xyz.openbmc_project.User.AccountPolicy",
1482 "MaxLoginAttemptBeforeLockout",
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1483 dbus::utility::DbusVariantType(*lockoutThreshold));
Ed Tanousf5ffd802021-07-19 10:55:33 -0700[diff] [blame]1484 }
1485 });
1486
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1487 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]1488 .privileges(redfish::privileges::getManagerAccountCollection)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1489 .methods(boost::beast::http::verb::get)(
1490 [](const crow::Request& req,
1491 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) -> void {
1492 asyncResp->res.jsonValue = {
1493 {"@odata.id", "/redfish/v1/AccountService/Accounts"},
1494 {"@odata.type", "#ManagerAccountCollection."
1495 "ManagerAccountCollection"},
1496 {"Name", "Accounts Collection"},
1497 {"Description", "BMC User Accounts"}};
1498
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1499 Privileges effectiveUserPrivileges =
1500 redfish::getUserPrivileges(req.userRole);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1501
JunLin Chenf5e29f32021-12-08 16:47:04 +0800[diff] [blame]1502 std::string thisUser;
1503 if (req.session)
1504 {
1505 thisUser = req.session->username;
1506 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1507 crow::connections::systemBus->async_method_call(
Ed Tanouscef1ddf2021-06-03 13:45:10 -0700[diff] [blame]1508 [asyncResp, thisUser, effectiveUserPrivileges](
1509 const boost::system::error_code ec,
Ed Tanous711ac7a2021-12-20 09:34:41 -0800[diff] [blame]1510 const dbus::utility::ManagedObjectType& users) {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1511 if (ec)
1512 {
1513 messages::internalError(asyncResp->res);
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1514 return;
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1515 }
Ed Tanous9712f8a2018-09-21 13:38:49 -0700[diff] [blame]1516
Ed Tanouscef1ddf2021-06-03 13:45:10 -0700[diff] [blame]1517 bool userCanSeeAllAccounts =
1518 effectiveUserPrivileges.isSupersetOf(
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]1519 {"ConfigureUsers"});
Ed Tanouscef1ddf2021-06-03 13:45:10 -0700[diff] [blame]1520
1521 bool userCanSeeSelf =
1522 effectiveUserPrivileges.isSupersetOf(
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]1523 {"ConfigureSelf"});
Ed Tanouscef1ddf2021-06-03 13:45:10 -0700[diff] [blame]1524
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1525 nlohmann::json& memberArray =
1526 asyncResp->res.jsonValue["Members"];
1527 memberArray = nlohmann::json::array();
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1528
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1529 for (auto& userpath : users)
1530 {
1531 std::string user = userpath.first.filename();
1532 if (user.empty())
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1533 {
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1534 messages::internalError(asyncResp->res);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1535 BMCWEB_LOG_ERROR << "Invalid firmware ID";
1536
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1537 return;
1538 }
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1539
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1540 // As clarified by Redfish here:
1541 // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration
1542 // Users without ConfigureUsers, only see their own
1543 // account. Users with ConfigureUsers, see all
1544 // accounts.
Ed Tanouscef1ddf2021-06-03 13:45:10 -0700[diff] [blame]1545 if (userCanSeeAllAccounts ||
1546 (thisUser == user && userCanSeeSelf))
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1547 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1548 memberArray.push_back(
1549 {{"@odata.id",
1550 "/redfish/v1/AccountService/Accounts/" +
1551 user}});
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1552 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1553 }
1554 asyncResp->res.jsonValue["Members@odata.count"] =
1555 memberArray.size();
1556 },
1557 "xyz.openbmc_project.User.Manager",
1558 "/xyz/openbmc_project/user",
1559 "org.freedesktop.DBus.ObjectManager", "GetManagedObjects");
Ratan Gupta24c85422019-01-30 19:41:24 +0530[diff] [blame]1560 });
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1561
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1562 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]1563 .privileges(redfish::privileges::postManagerAccountCollection)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1564 .methods(boost::beast::http::verb::post)([](const crow::Request& req,
1565 const std::shared_ptr<
1566 bmcweb::AsyncResp>&
1567 asyncResp) -> void {
1568 std::string username;
1569 std::string password;
1570 std::optional<std::string> roleId("User");
1571 std::optional<bool> enabled = true;
1572 if (!json_util::readJson(req, asyncResp->res, "UserName", username,
1573 "Password", password, "RoleId", roleId,
1574 "Enabled", enabled))
1575 {
1576 return;
1577 }
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1578
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1579 std::string priv = getPrivilegeFromRoleId(*roleId);
1580 if (priv.empty())
1581 {
1582 messages::propertyValueNotInList(asyncResp->res, *roleId,
1583 "RoleId");
1584 return;
1585 }
1586 // TODO: Following override will be reverted once support in
1587 // phosphor-user-manager is added. In order to avoid dependency
1588 // issues, this is added in bmcweb, which will removed, once
1589 // phosphor-user-manager supports priv-noaccess.
1590 if (priv == "priv-noaccess")
1591 {
1592 roleId = "";
1593 }
1594 else
1595 {
1596 roleId = priv;
1597 }
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1598
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1599 // Reading AllGroups property
Jonathan Doman1e1e5982021-06-11 09:36:17 -0700[diff] [blame]1600 sdbusplus::asio::getProperty<std::vector<std::string>>(
1601 *crow::connections::systemBus,
1602 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1603 "xyz.openbmc_project.User.Manager", "AllGroups",
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1604 [asyncResp, username, password{std::move(password)}, roleId,
Ed Tanous168e20c2021-12-13 14:39:53 -0800[diff] [blame]1605 enabled](const boost::system::error_code ec,
Jonathan Doman1e1e5982021-06-11 09:36:17 -0700[diff] [blame]1606 const std::vector<std::string>& allGroupsList) {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1607 if (ec)
1608 {
1609 BMCWEB_LOG_DEBUG << "ERROR with async_method_call";
1610 messages::internalError(asyncResp->res);
1611 return;
1612 }
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1613
Jonathan Doman1e1e5982021-06-11 09:36:17 -0700[diff] [blame]1614 if (allGroupsList.empty())
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1615 {
1616 messages::internalError(asyncResp->res);
1617 return;
1618 }
1619
1620 crow::connections::systemBus->async_method_call(
1621 [asyncResp, username,
1622 password](const boost::system::error_code ec2,
1623 sdbusplus::message::message& m) {
1624 if (ec2)
1625 {
1626 userErrorMessageHandler(
1627 m.get_error(), asyncResp, username, "");
1628 return;
1629 }
1630
1631 if (pamUpdatePassword(username, password) !=
1632 PAM_SUCCESS)
1633 {
1634 // At this point we have a user that's been
1635 // created, but the password set
1636 // failed.Something is wrong, so delete the user
1637 // that we've already created
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +0530[diff] [blame]1638 sdbusplus::message::object_path tempObjPath(
1639 rootUserDbusPath);
1640 tempObjPath /= username;
1641 const std::string userPath(tempObjPath);
1642
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1643 crow::connections::systemBus->async_method_call(
1644 [asyncResp, password](
1645 const boost::system::error_code ec3) {
1646 if (ec3)
1647 {
1648 messages::internalError(
1649 asyncResp->res);
1650 return;
1651 }
1652
1653 // If password is invalid
1654 messages::propertyValueFormatError(
1655 asyncResp->res, password,
1656 "Password");
1657 },
1658 "xyz.openbmc_project.User.Manager",
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +0530[diff] [blame]1659 userPath,
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1660 "xyz.openbmc_project.Object.Delete",
1661 "Delete");
1662
1663 BMCWEB_LOG_ERROR << "pamUpdatePassword Failed";
1664 return;
1665 }
1666
1667 messages::created(asyncResp->res);
1668 asyncResp->res.addHeader(
1669 "Location",
1670 "/redfish/v1/AccountService/Accounts/" +
1671 username);
1672 },
1673 "xyz.openbmc_project.User.Manager",
1674 "/xyz/openbmc_project/user",
1675 "xyz.openbmc_project.User.Manager", "CreateUser",
Jonathan Doman1e1e5982021-06-11 09:36:17 -0700[diff] [blame]1676 username, allGroupsList, *roleId, *enabled);
1677 });
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1678 });
1679
1680 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]1681 .privileges(redfish::privileges::getManagerAccount)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1682 .methods(
1683 boost::beast::http::verb::
1684 get)([](const crow::Request& req,
1685 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1686 const std::string& accountName) -> void {
1687 if (req.session->username != accountName)
1688 {
1689 // At this point we've determined that the user is trying to
1690 // modify a user that isn't them. We need to verify that they
1691 // have permissions to modify other users, so re-run the auth
1692 // check with the same permissions, minus ConfigureSelf.
1693 Privileges effectiveUserPrivileges =
1694 redfish::getUserPrivileges(req.userRole);
1695 Privileges requiredPermissionsToChangeNonSelf = {
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]1696 "ConfigureUsers", "ConfigureManager"};
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1697 if (!effectiveUserPrivileges.isSupersetOf(
1698 requiredPermissionsToChangeNonSelf))
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1699 {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1700 BMCWEB_LOG_DEBUG << "GET Account denied access";
1701 messages::insufficientPrivilege(asyncResp->res);
1702 return;
1703 }
1704 }
1705
1706 crow::connections::systemBus->async_method_call(
Ed Tanous711ac7a2021-12-20 09:34:41 -0800[diff] [blame]1707 [asyncResp,
1708 accountName](const boost::system::error_code ec,
1709 const dbus::utility::ManagedObjectType& users) {
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1710 if (ec)
1711 {
1712 messages::internalError(asyncResp->res);
1713 return;
1714 }
Ed Tanous711ac7a2021-12-20 09:34:41 -0800[diff] [blame]1715 const auto userIt = std::find_if(
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +0530[diff] [blame]1716 users.begin(), users.end(),
1717 [accountName](
1718 const std::pair<sdbusplus::message::object_path,
Ed Tanous711ac7a2021-12-20 09:34:41 -0800[diff] [blame]1719 dbus::utility::DBusInteracesMap>&
1720 user) {
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +0530[diff] [blame]1721 return !accountName.compare(user.first.filename());
1722 });
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1723
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1724 if (userIt == users.end())
1725 {
1726 messages::resourceNotFound(
1727 asyncResp->res, "ManagerAccount", accountName);
1728 return;
1729 }
1730
1731 asyncResp->res.jsonValue = {
1732 {"@odata.type",
1733 "#ManagerAccount.v1_4_0.ManagerAccount"},
1734 {"Name", "User Account"},
1735 {"Description", "User Account"},
1736 {"Password", nullptr},
1737 {"AccountTypes", {"Redfish"}}};
1738
1739 for (const auto& interface : userIt->second)
1740 {
1741 if (interface.first ==
1742 "xyz.openbmc_project.User.Attributes")
1743 {
1744 for (const auto& property : interface.second)
1745 {
1746 if (property.first == "UserEnabled")
1747 {
1748 const bool* userEnabled =
1749 std::get_if<bool>(&property.second);
1750 if (userEnabled == nullptr)
1751 {
1752 BMCWEB_LOG_ERROR
1753 << "UserEnabled wasn't a bool";
1754 messages::internalError(asyncResp->res);
1755 return;
1756 }
1757 asyncResp->res.jsonValue["Enabled"] =
1758 *userEnabled;
1759 }
1760 else if (property.first ==
1761 "UserLockedForFailedAttempt")
1762 {
1763 const bool* userLocked =
1764 std::get_if<bool>(&property.second);
1765 if (userLocked == nullptr)
1766 {
1767 BMCWEB_LOG_ERROR << "UserLockedForF"
1768 "ailedAttempt "
1769 "wasn't a bool";
1770 messages::internalError(asyncResp->res);
1771 return;
1772 }
1773 asyncResp->res.jsonValue["Locked"] =
1774 *userLocked;
1775 asyncResp->res.jsonValue
1776 ["Locked@Redfish.AllowableValues"] = {
1777 "false"}; // can only unlock accounts
1778 }
1779 else if (property.first == "UserPrivilege")
1780 {
1781 const std::string* userPrivPtr =
1782 std::get_if<std::string>(
1783 &property.second);
1784 if (userPrivPtr == nullptr)
1785 {
1786 BMCWEB_LOG_ERROR
1787 << "UserPrivilege wasn't a "
1788 "string";
1789 messages::internalError(asyncResp->res);
1790 return;
1791 }
1792 std::string role =
1793 getRoleIdFromPrivilege(*userPrivPtr);
1794 if (role.empty())
1795 {
1796 BMCWEB_LOG_ERROR << "Invalid user role";
1797 messages::internalError(asyncResp->res);
1798 return;
1799 }
1800 asyncResp->res.jsonValue["RoleId"] = role;
1801
1802 asyncResp->res.jsonValue["Links"]["Role"] =
1803 {{"@odata.id",
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]1804 "/redfish/v1/AccountService/Roles/" +
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1805 role}};
1806 }
1807 else if (property.first ==
1808 "UserPasswordExpired")
1809 {
1810 const bool* userPasswordExpired =
1811 std::get_if<bool>(&property.second);
1812 if (userPasswordExpired == nullptr)
1813 {
George Liu0fda0f12021-11-16 10:06:17 +0800[diff] [blame]1814 BMCWEB_LOG_ERROR
1815 << "UserPasswordExpired wasn't a bool";
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1816 messages::internalError(asyncResp->res);
1817 return;
1818 }
1819 asyncResp->res
1820 .jsonValue["PasswordChangeRequired"] =
1821 *userPasswordExpired;
1822 }
1823 }
1824 }
1825 }
1826
1827 asyncResp->res.jsonValue["@odata.id"] =
1828 "/redfish/v1/AccountService/Accounts/" + accountName;
1829 asyncResp->res.jsonValue["Id"] = accountName;
1830 asyncResp->res.jsonValue["UserName"] = accountName;
1831 },
1832 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1833 "org.freedesktop.DBus.ObjectManager", "GetManagedObjects");
1834 });
1835
1836 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]1837 // TODO this privilege should be using the generated endpoints, but
1838 // because of the special handling of ConfigureSelf, it's not able to
1839 // yet
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1840 .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}})
1841 .methods(boost::beast::http::verb::patch)(
1842 [](const crow::Request& req,
1843 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1844 const std::string& username) -> void {
1845 std::optional<std::string> newUserName;
1846 std::optional<std::string> password;
1847 std::optional<bool> enabled;
1848 std::optional<std::string> roleId;
1849 std::optional<bool> locked;
Ed Tanouse9cc5172021-11-03 14:13:19 +0800[diff] [blame]1850
1851 Privileges effectiveUserPrivileges =
1852 redfish::getUserPrivileges(req.userRole);
1853 Privileges configureUsers = {"ConfigureUsers"};
1854 bool userHasConfigureUsers =
1855 effectiveUserPrivileges.isSupersetOf(configureUsers);
1856 if (userHasConfigureUsers)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1857 {
Ed Tanouse9cc5172021-11-03 14:13:19 +0800[diff] [blame]1858 // Users with ConfigureUsers can modify for all users
1859 if (!json_util::readJson(req, asyncResp->res, "UserName",
1860 newUserName, "Password", password,
1861 "RoleId", roleId, "Enabled",
1862 enabled, "Locked", locked))
1863 {
1864 return;
1865 }
Ed Tanous06e086d2018-09-19 17:19:52 -0700[diff] [blame]1866 }
Ed Tanouse9cc5172021-11-03 14:13:19 +0800[diff] [blame]1867 else
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1868 {
Ed Tanouse9cc5172021-11-03 14:13:19 +0800[diff] [blame]1869 // ConfigureSelf accounts can only modify their own account
1870 if (username != req.session->username)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1871 {
1872 messages::insufficientPrivilege(asyncResp->res);
1873 return;
1874 }
Ed Tanouse9cc5172021-11-03 14:13:19 +0800[diff] [blame]1875 // ConfigureSelf accounts can only modify their password
1876 if (!json_util::readJson(req, asyncResp->res, "Password",
1877 password))
1878 {
1879 return;
1880 }
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1881 }
1882
1883 // if user name is not provided in the patch method or if it
1884 // matches the user name in the URI, then we are treating it as
1885 // updating user properties other then username. If username
1886 // provided doesn't match the URI, then we are treating this as
1887 // user rename request.
1888 if (!newUserName || (newUserName.value() == username))
1889 {
1890 updateUserProperties(asyncResp, username, password, enabled,
1891 roleId, locked);
1892 return;
1893 }
1894 crow::connections::systemBus->async_method_call(
1895 [asyncResp, username, password(std::move(password)),
1896 roleId(std::move(roleId)), enabled,
1897 newUser{std::string(*newUserName)},
1898 locked](const boost::system::error_code ec,
1899 sdbusplus::message::message& m) {
1900 if (ec)
1901 {
1902 userErrorMessageHandler(m.get_error(), asyncResp,
1903 newUser, username);
1904 return;
1905 }
1906
1907 updateUserProperties(asyncResp, newUser, password,
1908 enabled, roleId, locked);
1909 },
1910 "xyz.openbmc_project.User.Manager",
1911 "/xyz/openbmc_project/user",
1912 "xyz.openbmc_project.User.Manager", "RenameUser", username,
1913 *newUserName);
1914 });
1915
1916 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
Ed Tanoused398212021-06-09 17:05:54 -0700[diff] [blame]1917 .privileges(redfish::privileges::deleteManagerAccount)
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1918 .methods(boost::beast::http::verb::delete_)(
1919 [](const crow::Request& /*req*/,
1920 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1921 const std::string& username) -> void {
P Dheeraj Srujan Kumarb477fd42021-12-16 07:17:51 +0530[diff] [blame]1922 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1923 tempObjPath /= username;
1924 const std::string userPath(tempObjPath);
Ed Tanous6c51eab2021-06-03 12:30:29 -0700[diff] [blame]1925
1926 crow::connections::systemBus->async_method_call(
1927 [asyncResp, username](const boost::system::error_code ec) {
1928 if (ec)
1929 {
1930 messages::resourceNotFound(
1931 asyncResp->res,
1932 "#ManagerAccount.v1_4_0.ManagerAccount",
1933 username);
1934 return;
1935 }
1936
1937 messages::accountRemoved(asyncResp->res);
1938 },
1939 "xyz.openbmc_project.User.Manager", userPath,
1940 "xyz.openbmc_project.Object.Delete", "Delete");
1941 });
1942}
Lewanczyk, Dawid88d16c92018-02-02 14:51:09 +0100[diff] [blame]1943
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]1944} // namespace redfish