8 // http://www.apache.org/licenses/LICENSE-2.0
33 #include <phosphor-logging/elog-errors.hpp>
34 #include <phosphor-logging/elog.hpp>
35 #include <phosphor-logging/lg2.hpp>
37 #include <xyz/openbmc_project/User/Common/error.hpp>
52 namespace user namespace
60 static constexpr int failure = -1;
77 "/xyz/openbmc_project/user/ldap";
95 sdbusplus::xyz::openbmc_project::User::Common::Error::UserNameExists;
97 sdbusplus::xyz::openbmc_project::User::Common::Error::UserNameDoesNotExist;
99 sdbusplus::xyz::openbmc_project::User::Common::Error::UserNameGroupFail;
101 sdbusplus::xyz::openbmc_project::User::Common::Error::NoResource;
104 sdbusplus::xyz::openbmc_project::User::Common::Error::GroupNameExists;
106 sdbusplus::xyz::openbmc_project::User::Common::Error::GroupNameDoesNotExist;
116 // https://github.com/openbmc/docs/blob/master/designs/redfish-authorization.md
174 return std::accumulate(std::next(vec.begin()), vec.end(), vec[0], in getCSVFromVector()
194 csvStr.erase(delStrPos - 1, delStr.size() + 1); in removeStringFromCSV()
205 lg2::error("User name is empty"); in isUserExist()
206 elog<InvalidArgument>(Argument::ARGUMENT_NAME("User name"), in isUserExist()
209 if (usersList.find(userName) == usersList.end()) in isUserExist()
220 lg2::error("User '{USERNAME}' does not exist", "USERNAME", userName); in throwForUserDoesNotExist()
230 std::regex("[a-zA-Z_][a-zA-Z_0-9]*"))) in checkAndThrowForDisallowedGroupCreation()
243 lg2::error("User '{USERNAME}' already exists", "USERNAME", userName); in throwForUserExists()
251 if (std::find(groupNames.begin(), groupNames.end(), "ipmi") != in throwForUserNameConstraints()
252 groupNames.end()) in throwForUserNameConstraints()
256 lg2::error("User '{USERNAME}' exceeds IPMI username length limit " in throwForUserNameConstraints()
261 xyz::openbmc_project::User::Common::UserNameGroupFail::REASON( in throwForUserNameConstraints()
267 lg2::error("User '{USERNAME}' exceeds system username length limit " in throwForUserNameConstraints()
271 elog<InvalidArgument>(Argument::ARGUMENT_NAME("User name"), in throwForUserNameConstraints()
275 std::regex("[a-zA-Z_][a-zA-Z_0-9]*"))) in throwForUserNameConstraints()
278 elog<InvalidArgument>(Argument::ARGUMENT_NAME("User name"), in throwForUserNameConstraints()
286 if (std::find(groupNames.begin(), groupNames.end(), "ipmi") != in throwForMaxGrpUserCount()
287 groupNames.end()) in throwForMaxGrpUserCount()
291 lg2::error("IPMI user limit reached"); in throwForMaxGrpUserCount()
293 xyz::openbmc_project::User::Common::NoResource::REASON( in throwForMaxGrpUserCount()
294 "IPMI user limit reached")); in throwForMaxGrpUserCount()
299 if (usersList.size() > 0 && (usersList.size() - getIpmiUsersCount()) >= in throwForMaxGrpUserCount()
300 (maxSystemUsers - ipmiMaxUsers)) in throwForMaxGrpUserCount()
302 lg2::error("Non-ipmi User limit reached"); in throwForMaxGrpUserCount()
304 xyz::openbmc_project::User::Common::NoResource::REASON( in throwForMaxGrpUserCount()
305 "Non-ipmi user limit reached")); in throwForMaxGrpUserCount()
314 (std::find(privMgr.begin(), privMgr.end(), priv) == privMgr.end())) in throwForInvalidPrivilege()
326 if (std::find(groupsMgr.begin(), groupsMgr.end(), group) == in throwForInvalidGroups()
327 groupsMgr.end()) in throwForInvalidGroups()
339 predefinedGroups.end()}; in readAllGroupsOnSystem()
345 std::string group(gr->gr_name); in readAllGroupsOnSystem()
350 allGroups.push_back(gr->gr_name); in readAllGroupsOnSystem()
366 // All user management lock has to be based on /etc/shadow in createUser()
367 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; in createUser()
375 // treat privilege as a group - This is to avoid using different file to in createUser()
391 lg2::error("Unable to create new user '{USERNAME}'", "USERNAME", in createUser()
400 std::sort(groupNames.begin(), groupNames.end()); in createUser()
402 userName, std::make_unique<phosphor::user::Users>( in createUser()
405 lg2::info("User '{USERNAME}' created successfully", "USERNAME", userName); in createUser()
411 // All user management lock has to be based on /etc/shadow in deleteUser()
412 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; in deleteUser()
416 // Clear user fail records in deleteUser()
423 lg2::error("Delete User '{USERNAME}' failed", "USERNAME", userName); in deleteUser()
429 lg2::info("User '{USERNAME}' deleted successfully", "USERNAME", userName); in deleteUser()
435 if (std::find(groupsMgr.begin(), groupsMgr.end(), groupName) == in checkDeleteGroupConstraints()
436 groupsMgr.end()) in checkDeleteGroupConstraints()
457 groupsMgr.erase(std::find(groupsMgr.begin(), groupsMgr.end(), groupName)); in deleteGroup()
464 if (std::find(groupsMgr.begin(), groupsMgr.end(), groupName) != in checkCreateGroupConstraints()
465 groupsMgr.end()) in checkCreateGroupConstraints()
474 elog<NoResource>(xyz::openbmc_project::User::Common::NoResource::REASON( in checkCreateGroupConstraints()
497 // All user management lock has to be based on /etc/shadow in renameUser()
498 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; in renameUser()
502 usersList[userName].get()->userGroups()); in renameUser()
513 const auto& user = usersList[userName]; in renameUser() local
514 std::string priv = user.get()->userPrivilege(); in renameUser()
515 std::vector<std::string> groupNames = user.get()->userGroups(); in renameUser()
516 bool enabled = user.get()->userEnabled(); in renameUser()
520 // Special group 'ipmi' needs a way to identify user renamed, in order to in renameUser()
523 this->userRenamed(userName, newUserName); in renameUser()
525 usersList.emplace(newUserName, std::make_unique<phosphor::user::Users>( in renameUser()
537 // All user management lock has to be based on /etc/shadow in updateGroupsAndPriv()
538 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; in updateGroupsAndPriv()
541 usersList[userName].get()->userGroups(); in updateGroupsAndPriv()
544 std::set_symmetric_difference(oldGroupNames.begin(), oldGroupNames.end(), in updateGroupsAndPriv()
545 groupNames.begin(), groupNames.end(), in updateGroupsAndPriv()
547 if (std::find(groupDiff.begin(), groupDiff.end(), "ipmi") != in updateGroupsAndPriv()
548 groupDiff.end()) in updateGroupsAndPriv()
557 // treat privilege as a group - This is to avoid using different file to in updateGroupsAndPriv()
574 "Unable to modify user privilege / groups for user '{USERNAME}'", in updateGroupsAndPriv()
579 std::sort(groupNames.begin(), groupNames.end()); in updateGroupsAndPriv()
580 usersList[userName]->setUserGroups(groupNames); in updateGroupsAndPriv()
581 usersList[userName]->setUserPrivilege(priv); in updateGroupsAndPriv()
582 lg2::info("User '{USERNAME}' groups / privilege updated successfully", in updateGroupsAndPriv()
694 argValue = line.substr(startPos, endPos - startPos); in getPamModuleConfValue()
742 << line.substr(endPos, line.size() - endPos) in setPamModuleConfValue()
765 // All user management lock has to be based on /etc/shadow in userEnable()
766 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; in userEnable()
774 lg2::error("Unable to modify user enabled state for '{USERNAME}'", in userEnable()
779 usersList[userName]->setUserEnabled(enabled); in userEnable()
780 lg2::info("User '{USERNAME}' has been {STATUS}", "USERNAME", userName, in userEnable()
785 * faillock app will provide the user failed login list with when the attempt
790 * ending with 'V') compared to the maximum allowed to determine if the user is
793 * This data is only refreshed when an attempt is made, so if the user appears
795 * than the unlock_time to know if the user has since been unlocked.
857 // All user management lock has to be based on /etc/shadow in userLockedForFailedAttempt()
858 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; in userLockedForFailedAttempt()
881 // All user management lock has to be based on /etc/shadow in userLockedForFailedAttempt()
882 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; in userLockedForFailedAttempt()
890 // Clear user fail records in userLockedForFailedAttempt()
904 // All user management lock has to be based on /etc/shadow in userPasswordExpired()
905 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; in userPasswordExpired()
925 // spwd.sp_max == -1 means the password does not expire. in userPasswordExpired()
929 ((spwd.sp_max != -1) && ((spwd.sp_max + spwd.sp_lstchg) < today))) in userPasswordExpired()
936 // User entry is missing in /etc/shadow, i.e. no password hash is stored for the user. in userPasswordExpired()
937 // Treat this as new user without password entry in /etc/shadow in userPasswordExpired()
938 // TODO: Add property to indicate user password was not set yet in userPasswordExpired()
939 // https://github.com/openbmc/phosphor-user-manager/issues/8 in userPasswordExpired()
948 // All user management lock has to be based on /etc/shadow in getUserAndSshGrpList()
949 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; in getUserAndSshGrpList()
956 phosphor::user::File passwd(passwdFileName, "r"); in getUserAndSshGrpList()
975 if ((pwp->pw_uid == 0) || in getUserAndSshGrpList()
976 ((pwp->pw_uid >= 1000) && (pwp->pw_uid < 65534))) in getUserAndSshGrpList()
979 if ((pwp->pw_uid >= 1000) && (pwp->pw_uid < 65534)) in getUserAndSshGrpList()
982 std::string userName(pwp->pw_name); in getUserAndSshGrpList()
987 std::string loginShell(pwp->pw_shell); in getUserAndSshGrpList()
1007 return usersList.size() - ipmiUsers.size(); in getNonIpmiUsersCount()
1012 // All user management lock has to be based on /etc/shadow in isUserEnabled()
1013 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; in isUserEnabled()
1021 // according to chage/usermod code -1 means that account does not expire in isUserEnabled()
1022 …// https://github.com/shadow-maint/shadow/blob/7a796897e52293efe9e210ab8da32b7aefe65591/src/chage.c in isUserEnabled()
1023 if (resultPtr->sp_expire < 0) in isUserEnabled()
1029 if (resultPtr->sp_expire > currentDate()) in isUserEnabled()
1036 return false; // assume user is disabled for any error. in isUserEnabled()
1060 // Don't throw error, just return empty userList - fallback in getUsersInGroup()
1070 std::string basePath = "/xyz/openbmc_project/user/ldap/openldap"; in getPrivilegeMapperObject()
1071 std::string interface = "xyz.openbmc_project.User.Ldap.Config"; in getPrivilegeMapperObject()
1084 lg2::error("Unable to get the User Service: {ERR}", "ERR", e); in getPrivilegeMapperObject()
1116 if (mapperResponse.begin() == mapperResponse.end()) in getServiceName()
1122 return mapperResponse.begin()->first; in getServiceName()
1148 lg2::error("User {USERNAME} does not exist", "USERNAME", userName); in getPrimaryGroup()
1229 // Check whether the given user is local user or not. in getUserInfo()
1232 const auto& user = usersList[userName]; in getUserInfo() local
1233 userInfo.emplace("UserPrivilege", user.get()->userPrivilege()); in getUserInfo()
1234 userInfo.emplace("UserGroups", user.get()->userGroups()); in getUserInfo()
1235 userInfo.emplace("UserEnabled", user.get()->userEnabled()); in getUserInfo()
1237 user.get()->userLockedForFailedAttempt()); in getUserInfo()
1239 user.get()->userPasswordExpired()); in getUserInfo()
1241 user.get()->secretKeyGenerationRequired()); in getUserInfo()
1258 if (it != interfaces.end()) in getUserInfo()
1260 auto propIt = it->second.find("Enabled"); in getUserInfo()
1261 if (propIt != it->second.end() && in getUserInfo()
1262 std::get<bool>(propIt->second)) in getUserInfo()
1283 "xyz.openbmc_project.User.PrivilegeMapperEntry"); in getUserInfo()
1284 if (it != interfaces.end()) in getUserInfo()
1289 for (const auto& [propName, propValue] : it->second) in getUserInfo()
1440 // All user management lock has to be based on /etc/shadow in initUserObjects()
1441 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; in initUserObjects()
1471 for (auto& user : userNameList) in initUserObjects() local
1478 if (std::find(tempGrp.begin(), tempGrp.end(), user) != in initUserObjects()
1479 tempGrp.end()) in initUserObjects()
1481 if (std::find(privMgr.begin(), privMgr.end(), grp.first) != in initUserObjects()
1482 privMgr.end()) in initUserObjects()
1492 // Add user objects to the Users path. in initUserObjects()
1494 tempObjPath /= user; in initUserObjects()
1496 std::sort(userGroups.begin(), userGroups.end()); in initUserObjects()
1497 usersList.emplace(user, std::make_unique<phosphor::user::Users>( in initUserObjects()
1499 userPriv, isUserEnabled(user), *this)); in initUserObjects()
1529 std::sort(groupsMgr.begin(), groupsMgr.end()); in UserMgr()
1535 this->emit_object_added(); in UserMgr()
1541 // Disable the user by setting EXPIRE_DATE to 1970-01-01 (shadow day 0); PAM treats in executeUserAdd()
1542 // day 0 as already expired, which is implementation-defined behavior in executeUserAdd()
1543 executeCmd("/usr/sbin/useradd", userName, "-G", groups, "-m", "-N", "-s", in executeUserAdd()
1544 (sshRequested ? "/bin/sh" : "/sbin/nologin"), "-e", in executeUserAdd()
1545 (enabled ? "" : "1970-01-01")); in executeUserAdd()
1550 executeCmd("/usr/sbin/userdel", userName, "-r"); in executeUserDelete()
1555 executeCmd("/usr/sbin/faillock", "--user", userName, "--reset"); in executeUserClearFailRecords()
1562 executeCmd("/usr/sbin/usermod", "-l", newUserName, userName, "-d", in executeUserRename()
1563 newHomeDir.c_str(), "-m"); in executeUserRename()
1569 executeCmd("/usr/sbin/usermod", userName, "-G", newGroups, "-s", in executeUserModify()
1575 // Disable the user by setting EXPIRE_DATE to 1970-01-01 (shadow day 0); PAM treats in executeUserModifyUserEnable()
1576 // day 0 as already expired, which is implementation-defined behavior in executeUserModifyUserEnable()
1577 executeCmd("/usr/sbin/usermod", userName, "-e", in executeUserModifyUserEnable()
1578 (enabled ? "" : "1970-01-01")); in executeUserModifyUserEnable()
1583 return executeCmd("/usr/sbin/faillock", "--user", userName); in getFailedAttempt()
1599 u.second->enableMultiFactorAuth(type, false); in enabled()
1606 u.second->enableMultiFactorAuth(value, true); in enabled()
1619 return usersList[userName]->secretKeyGenerationRequired(); in secretKeyRequired()
1623 } // namespace user