Create role mapping under ldap config object
Each ldap config object should have its own
mapping object.
This is to align with the redfish.
https://redfish.dmtf.org/schemas/AccountService.v1_4_0.json
As per redfish, each config will have its own
"RemoteRoleMapping".
Mapping object should be persisted and restored
when phosphor-ldap-conf restarts.
TestedBy:
Unit Tested.
Creation of privilege mapping.
Persist the priv-mapping.
Restores the priv-mapping.
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I5ab4aeffae61f9cc57c1338f94784d0fe5607cd3
diff --git a/phosphor-ldap-config/ldap_config.hpp b/phosphor-ldap-config/ldap_config.hpp
index 0d2adf1..cbd2e04 100644
--- a/phosphor-ldap-config/ldap_config.hpp
+++ b/phosphor-ldap-config/ldap_config.hpp
@@ -4,14 +4,18 @@
#include <xyz/openbmc_project/Object/Enable/server.hpp>
#include <xyz/openbmc_project/User/Ldap/Create/server.hpp>
#include <xyz/openbmc_project/User/Ldap/Config/server.hpp>
+#include <xyz/openbmc_project/User/PrivilegeMapper/server.hpp>
#include <xyz/openbmc_project/Common/error.hpp>
+#include "ldap_mapper_entry.hpp"
#include <phosphor-logging/log.hpp>
#include <phosphor-logging/elog.hpp>
#include <phosphor-logging/elog-errors.hpp>
#include <sdbusplus/bus.hpp>
#include <sdbusplus/server/object.hpp>
-#include <string>
+
#include <filesystem>
+#include <set>
+#include <string>
namespace phosphor
{
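Review bot: The include block adds `<set>` but not `<map>` or `<memory>`, while the new member `PrivilegeMapperList` in the last hunk is declared as `std::map<Id, std::unique_ptr<LDAPMapperEntry>>`; it presumably compiles today only through a transitive include from sdbusplus or `ldap_mapper_entry.hpp`, which can break on a toolchain or dependency update. Add `#include <map>` and `#include <memory>` next to the new `<set>` line. The project header `"ldap_mapper_entry.hpp"` would also read better grouped with the other project headers instead of sitting between the sdbusplus and phosphor-logging includes.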
@@ -22,10 +26,16 @@
using namespace sdbusplus::xyz::openbmc_project::Common::Error;
using ConfigIface = sdbusplus::xyz::openbmc_project::User::Ldap::server::Config;
using EnableIface = sdbusplus::xyz::openbmc_project::Object::server::Enable;
-using Ifaces = sdbusplus::server::object::object<ConfigIface, EnableIface>;
using CreateIface = sdbusplus::server::object::object<
sdbusplus::xyz::openbmc_project::User::Ldap::server::Create>;
namespace fs = std::filesystem;
+using MapperIface =
+ sdbusplus::xyz::openbmc_project::User::server::PrivilegeMapper;
+
+using Ifaces =
+ sdbusplus::server::object::object<ConfigIface, EnableIface, MapperIface>;
+using ObjectPath = sdbusplus::message::object_path;
+
class ConfigMgr;
class MockConfigMgr;
@@ -189,6 +199,49 @@
*/
bool enableService(bool value);
+ /** @brief Creates a mapping for the group to the privilege
+ *
+ * @param[in] groupName - Group Name to which the privilege needs to be
+ * assigned.
+ * @param[in] privilege - The privilege role associated with the group.
+ *
+ * @return On success return the D-Bus object path of the created privilege
+ * mapper entry.
+ */
+ ObjectPath create(std::string groupName, std::string privilege) override;
+
+ /** @brief Delete privilege mapping for LDAP group
+ *
+ * This method deletes the privilege mapping
+ *
+ * @param[in] id - id of the object which needs to be deleted.
+ */
+ void deletePrivilegeMapper(Id id);
+
+ /** @brief Check if LDAP group privilege mapping requested is valid
+ *
+ * Check if the privilege mapping already exists for the LDAP group name
+ * and group name is empty.
+ *
+ * @param[in] groupName - LDAP group name
+ *
+ * @return throw exception if the conditions are not met.
+ */
+ void checkPrivilegeMapper(const std::string& groupName);
+
+ /** @brief Check if the privilege level is a valid one
+ *
+ * @param[in] privilege - Privilege level
+ *
+ * @return throw exception if the conditions are not met.
+ */
+ void checkPrivilegeLevel(const std::string& privilege);
+
+ /** @brief Construct LDAP mapper entry D-Bus objects from their persisted
+ * representations.
+ */
+ void restoreRoleMapping();
+
private:
bool secureLDAP;
std::string lDAPBindPassword{};
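Review bot: The Doxygen for `checkPrivilegeMapper` and `checkPrivilegeLevel` documents a `@return` on `void` methods ("throw exception if the conditions are not met"), and the `checkPrivilegeMapper` brief says it checks that "group name is empty", which reads as the inverse of what a validity check would reject. Replace the `@return` lines with `@throws`, naming the actual error type raised, for example `* @throws <ErrorType> if groupName is empty or a mapping for it already exists.` and `* @throws <ErrorType> if privilege is not one of the supported privilege levels.`. Since these two checks gate what a D-Bus caller can insert via `create`, stating the rejected inputs precisely in the header is what the next maintainer will rely on. The enclosing class begins before this hunk.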
@@ -207,6 +260,16 @@
/** @brief reference to config manager object */
ConfigMgr& parent;
+ /** @brief Id of the last privilege mapper entry */
+ Id entryId = 0;
+
+ /** @brief container to hold privilege mapper objects */
+ std::map<Id, std::unique_ptr<LDAPMapperEntry>> PrivilegeMapperList;
+
+ /** @brief available privileges container */
+ std::set<std::string> privMgr = {"priv-admin", "priv-operator", "priv-user",
+ "priv-callback"};
+
friend class MockConfigMgr;
};
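Review bot: `privMgr` is the allowlist that `checkPrivilegeLevel` will presumably validate caller-supplied privileges against, yet it is declared as a mutable, per-instance `std::set`; nothing stops later code from altering the set on one config object, and every `Config` instance carries its own copy. Declaring it `static inline const std::set<std::string> privMgr = {"priv-admin", "priv-operator", "priv-user", "priv-callback"};` (C++17, which the file already uses via `<filesystem>`) fixes both. Separately, `PrivilegeMapperList` breaks the camelCase convention of the neighbouring members (`entryId`, `privMgr`, `parent`); `privilegeMapperList` would be consistent.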