1 /*
2 // Copyright (c) 2018 Intel Corporation
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 */
16 #pragma once
17
18 #include "app.hpp"
19 #include "certificate_service.hpp"
20 #include "dbus_utility.hpp"
21 #include "error_messages.hpp"
22 #include "generated/enums/account_service.hpp"
23 #include "persistent_data.hpp"
24 #include "query.hpp"
25 #include "registries/privilege_registry.hpp"
26 #include "sessions.hpp"
27 #include "utils/collection.hpp"
28 #include "utils/dbus_utils.hpp"
29 #include "utils/json_utils.hpp"
30
31 #include <boost/url/format.hpp>
32 #include <boost/url/url.hpp>
33 #include <sdbusplus/asio/property.hpp>
34 #include <sdbusplus/unpack_properties.hpp>
35
36 #include <array>
37 #include <memory>
38 #include <optional>
39 #include <ranges>
40 #include <string>
41 #include <string_view>
42 #include <utility>
43 #include <vector>
44
45 namespace redfish
46 {
47
48 constexpr const char* ldapConfigObjectName =
49 "/xyz/openbmc_project/user/ldap/openldap";
50 constexpr const char* adConfigObject =
51 "/xyz/openbmc_project/user/ldap/active_directory";
52
53 constexpr const char* rootUserDbusPath = "/xyz/openbmc_project/user/";
54 constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap";
55 constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config";
56 constexpr const char* ldapConfigInterface =
57 "xyz.openbmc_project.User.Ldap.Config";
58 constexpr const char* ldapCreateInterface =
59 "xyz.openbmc_project.User.Ldap.Create";
60 constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable";
61 constexpr const char* ldapPrivMapperInterface =
62 "xyz.openbmc_project.User.PrivilegeMapper";
63
64 struct LDAPRoleMapData
65 {
66 std::string groupName;
67 std::string privilege;
68 };
69
70 struct LDAPConfigData
71 {
72 std::string uri;
73 std::string bindDN;
74 std::string baseDN;
75 std::string searchScope;
76 std::string serverType;
77 bool serviceEnabled = false;
78 std::string userNameAttribute;
79 std::string groupAttribute;
80 std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList;
81 };
82
getRoleIdFromPrivilege(std::string_view role)83 inline std::string getRoleIdFromPrivilege(std::string_view role)
84 {
85 if (role == "priv-admin")
86 {
87 return "Administrator";
88 }
89 if (role == "priv-user")
90 {
91 return "ReadOnly";
92 }
93 if (role == "priv-operator")
94 {
95 return "Operator";
96 }
97 return "";
98 }
getPrivilegeFromRoleId(std::string_view role)99 inline std::string getPrivilegeFromRoleId(std::string_view role)
100 {
101 if (role == "Administrator")
102 {
103 return "priv-admin";
104 }
105 if (role == "ReadOnly")
106 {
107 return "priv-user";
108 }
109 if (role == "Operator")
110 {
111 return "priv-operator";
112 }
113 return "";
114 }
115
116 /**
117 * @brief Maps user group names retrieved from D-Bus object to
118 * Account Types.
119 *
120 * @param[in] userGroups List of User groups
121 * @param[out] res AccountTypes populated
122 *
123 * @return true in case of success, false if UserGroups contains
124 * invalid group name(s).
125 */
translateUserGroup(const std::vector<std::string> & userGroups,crow::Response & res)126 inline bool translateUserGroup(const std::vector<std::string>& userGroups,
127 crow::Response& res)
128 {
129 std::vector<std::string> accountTypes;
130 for (const auto& userGroup : userGroups)
131 {
132 if (userGroup == "redfish")
133 {
134 accountTypes.emplace_back("Redfish");
135 accountTypes.emplace_back("WebUI");
136 }
137 else if (userGroup == "ipmi")
138 {
139 accountTypes.emplace_back("IPMI");
140 }
141 else if (userGroup == "ssh")
142 {
143 accountTypes.emplace_back("ManagerConsole");
144 }
145 else if (userGroup == "hostconsole")
146 {
147 // The hostconsole group controls who can access the host console
148 // port via ssh and websocket.
149 accountTypes.emplace_back("HostConsole");
150 }
151 else if (userGroup == "web")
152 {
153 // 'web' is one of the valid groups in the UserGroups property of
154 // the user account in the D-Bus object. This group is currently not
155 // doing anything, and is considered to be equivalent to 'redfish'.
156 // 'redfish' user group is mapped to 'Redfish'and 'WebUI'
157 // AccountTypes, so do nothing here...
158 }
159 else
160 {
161 // Invalid user group name. Caller throws an exception.
162 return false;
163 }
164 }
165
166 res.jsonValue["AccountTypes"] = std::move(accountTypes);
167 return true;
168 }
169
170 /**
171 * @brief Builds User Groups from the Account Types
172 *
173 * @param[in] asyncResp Async Response
174 * @param[in] accountTypes List of Account Types
175 * @param[out] userGroups List of User Groups mapped from Account Types
176 *
177 * @return true if Account Types mapped to User Groups, false otherwise.
178 */
getUserGroupFromAccountType(crow::Response & res,const std::vector<std::string> & accountTypes,std::vector<std::string> & userGroups)179 inline bool getUserGroupFromAccountType(
180 crow::Response& res, const std::vector<std::string>& accountTypes,
181 std::vector<std::string>& userGroups)
182 {
183 // Need both Redfish and WebUI Account Types to map to 'redfish' User Group
184 bool redfishType = false;
185 bool webUIType = false;
186
187 for (const auto& accountType : accountTypes)
188 {
189 if (accountType == "Redfish")
190 {
191 redfishType = true;
192 }
193 else if (accountType == "WebUI")
194 {
195 webUIType = true;
196 }
197 else if (accountType == "IPMI")
198 {
199 userGroups.emplace_back("ipmi");
200 }
201 else if (accountType == "HostConsole")
202 {
203 userGroups.emplace_back("hostconsole");
204 }
205 else if (accountType == "ManagerConsole")
206 {
207 userGroups.emplace_back("ssh");
208 }
209 else
210 {
211 // Invalid Account Type
212 messages::propertyValueNotInList(res, "AccountTypes", accountType);
213 return false;
214 }
215 }
216
217 // Both Redfish and WebUI Account Types are needed to PATCH
218 if (redfishType ^ webUIType)
219 {
220 BMCWEB_LOG_ERROR(
221 "Missing Redfish or WebUI Account Type to set redfish User Group");
222 messages::strictAccountTypes(res, "AccountTypes");
223 return false;
224 }
225
226 if (redfishType && webUIType)
227 {
228 userGroups.emplace_back("redfish");
229 }
230
231 return true;
232 }
233
234 /**
235 * @brief Sets UserGroups property of the user based on the Account Types
236 *
237 * @param[in] accountTypes List of User Account Types
238 * @param[in] asyncResp Async Response
239 * @param[in] dbusObjectPath D-Bus Object Path
240 * @param[in] userSelf true if User is updating OWN Account Types
241 */
242 inline void
patchAccountTypes(const std::vector<std::string> & accountTypes,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & dbusObjectPath,bool userSelf)243 patchAccountTypes(const std::vector<std::string>& accountTypes,
244 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
245 const std::string& dbusObjectPath, bool userSelf)
246 {
247 // Check if User is disabling own Redfish Account Type
248 if (userSelf &&
249 (accountTypes.cend() ==
250 std::find(accountTypes.cbegin(), accountTypes.cend(), "Redfish")))
251 {
252 BMCWEB_LOG_ERROR(
253 "User disabling OWN Redfish Account Type is not allowed");
254 messages::strictAccountTypes(asyncResp->res, "AccountTypes");
255 return;
256 }
257
258 std::vector<std::string> updatedUserGroups;
259 if (!getUserGroupFromAccountType(asyncResp->res, accountTypes,
260 updatedUserGroups))
261 {
262 // Problem in mapping Account Types to User Groups, Error already
263 // logged.
264 return;
265 }
266 setDbusProperty(asyncResp, "AccountTypes",
267 "xyz.openbmc_project.User.Manager", dbusObjectPath,
268 "xyz.openbmc_project.User.Attributes", "UserGroups",
269 updatedUserGroups);
270 }
271
userErrorMessageHandler(const sd_bus_error * e,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & newUser,const std::string & username)272 inline void userErrorMessageHandler(
273 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
274 const std::string& newUser, const std::string& username)
275 {
276 if (e == nullptr)
277 {
278 messages::internalError(asyncResp->res);
279 return;
280 }
281
282 const char* errorMessage = e->name;
283 if (strcmp(errorMessage,
284 "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0)
285 {
286 messages::resourceAlreadyExists(asyncResp->res, "ManagerAccount",
287 "UserName", newUser);
288 }
289 else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
290 "UserNameDoesNotExist") == 0)
291 {
292 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
293 }
294 else if ((strcmp(errorMessage,
295 "xyz.openbmc_project.Common.Error.InvalidArgument") ==
296 0) ||
297 (strcmp(
298 errorMessage,
299 "xyz.openbmc_project.User.Common.Error.UserNameGroupFail") ==
300 0))
301 {
302 messages::propertyValueFormatError(asyncResp->res, newUser, "UserName");
303 }
304 else if (strcmp(errorMessage,
305 "xyz.openbmc_project.User.Common.Error.NoResource") == 0)
306 {
307 messages::createLimitReachedForResource(asyncResp->res);
308 }
309 else
310 {
311 BMCWEB_LOG_ERROR("DBUS response error {}", errorMessage);
312 messages::internalError(asyncResp->res);
313 }
314 }
315
parseLDAPConfigData(nlohmann::json & jsonResponse,const LDAPConfigData & confData,const std::string & ldapType)316 inline void parseLDAPConfigData(nlohmann::json& jsonResponse,
317 const LDAPConfigData& confData,
318 const std::string& ldapType)
319 {
320 nlohmann::json::object_t ldap;
321 ldap["ServiceEnabled"] = confData.serviceEnabled;
322 nlohmann::json::array_t serviceAddresses;
323 serviceAddresses.emplace_back(confData.uri);
324 ldap["ServiceAddresses"] = std::move(serviceAddresses);
325
326 nlohmann::json::object_t authentication;
327 authentication["AuthenticationType"] =
328 account_service::AuthenticationTypes::UsernameAndPassword;
329 authentication["Username"] = confData.bindDN;
330 authentication["Password"] = nullptr;
331 ldap["Authentication"] = std::move(authentication);
332
333 nlohmann::json::object_t ldapService;
334 nlohmann::json::object_t searchSettings;
335 nlohmann::json::array_t baseDistinguishedNames;
336 baseDistinguishedNames.emplace_back(confData.baseDN);
337
338 searchSettings["BaseDistinguishedNames"] =
339 std::move(baseDistinguishedNames);
340 searchSettings["UsernameAttribute"] = confData.userNameAttribute;
341 searchSettings["GroupsAttribute"] = confData.groupAttribute;
342 ldapService["SearchSettings"] = std::move(searchSettings);
343 ldap["LDAPService"] = std::move(ldapService);
344
345 nlohmann::json::array_t roleMapArray;
346 for (const auto& obj : confData.groupRoleList)
347 {
348 BMCWEB_LOG_DEBUG("Pushing the data groupName={}", obj.second.groupName);
349
350 nlohmann::json::object_t remoteGroup;
351 remoteGroup["RemoteGroup"] = obj.second.groupName;
352 remoteGroup["LocalRole"] = getRoleIdFromPrivilege(obj.second.privilege);
353 roleMapArray.emplace_back(std::move(remoteGroup));
354 }
355
356 ldap["RemoteRoleMapping"] = std::move(roleMapArray);
357
358 jsonResponse[ldapType].update(ldap);
359 }
360
361 /**
362 * @brief validates given JSON input and then calls appropriate method to
363 * create, to delete or to set Rolemapping object based on the given input.
364 *
365 */
handleRoleMapPatch(const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::vector<std::pair<std::string,LDAPRoleMapData>> & roleMapObjData,const std::string & serverType,std::vector<std::variant<nlohmann::json::object_t,std::nullptr_t>> & input)366 inline void handleRoleMapPatch(
367 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
368 const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData,
369 const std::string& serverType,
370 std::vector<std::variant<nlohmann::json::object_t, std::nullptr_t>>& input)
371 {
372 for (size_t index = 0; index < input.size(); index++)
373 {
374 std::variant<nlohmann::json::object_t, std::nullptr_t>& thisJson =
375 input[index];
376 nlohmann::json::object_t* obj =
377 std::get_if<nlohmann::json::object_t>(&thisJson);
378 if (obj == nullptr)
379 {
380 // delete the existing object
381 if (index < roleMapObjData.size())
382 {
383 crow::connections::systemBus->async_method_call(
384 [asyncResp, roleMapObjData, serverType,
385 index](const boost::system::error_code& ec) {
386 if (ec)
387 {
388 BMCWEB_LOG_ERROR("DBUS response error: {}", ec);
389 messages::internalError(asyncResp->res);
390 return;
391 }
392 asyncResp->res
393 .jsonValue[serverType]["RemoteRoleMapping"][index] =
394 nullptr;
395 },
396 ldapDbusService, roleMapObjData[index].first,
397 "xyz.openbmc_project.Object.Delete", "Delete");
398 }
399 else
400 {
401 BMCWEB_LOG_ERROR("Can't delete the object");
402 messages::propertyValueTypeError(
403 asyncResp->res, "null",
404 "RemoteRoleMapping/" + std::to_string(index));
405 return;
406 }
407 }
408 else if (obj->empty())
409 {
410 // Don't do anything for the empty objects,parse next json
411 // eg {"RemoteRoleMapping",[{}]}
412 }
413 else
414 {
415 // update/create the object
416 std::optional<std::string> remoteGroup;
417 std::optional<std::string> localRole;
418
419 if (!json_util::readJsonObject(*obj, asyncResp->res, "RemoteGroup",
420 remoteGroup, "LocalRole", localRole))
421 {
422 continue;
423 }
424
425 // Update existing RoleMapping Object
426 if (index < roleMapObjData.size())
427 {
428 BMCWEB_LOG_DEBUG("Update Role Map Object");
429 // If "RemoteGroup" info is provided
430 if (remoteGroup)
431 {
432 setDbusProperty(
433 asyncResp,
434 std::format("RemoteRoleMapping/{}/RemoteGroup", index),
435 ldapDbusService, roleMapObjData[index].first,
436 "xyz.openbmc_project.User.PrivilegeMapperEntry",
437 "GroupName", *remoteGroup);
438 }
439
440 // If "LocalRole" info is provided
441 if (localRole)
442 {
443 std::string priv = getPrivilegeFromRoleId(*localRole);
444 if (priv.empty())
445 {
446 messages::propertyValueNotInList(
447 asyncResp->res, *localRole,
448 std::format("RemoteRoleMapping/{}/LocalRole",
449 index));
450 return;
451 }
452 setDbusProperty(
453 asyncResp,
454 std::format("RemoteRoleMapping/{}/LocalRole", index),
455 ldapDbusService, roleMapObjData[index].first,
456 "xyz.openbmc_project.User.PrivilegeMapperEntry",
457 "Privilege", priv);
458 }
459 }
460 // Create a new RoleMapping Object.
461 else
462 {
463 BMCWEB_LOG_DEBUG(
464 "setRoleMappingProperties: Creating new Object");
465 std::string pathString =
466 "RemoteRoleMapping/" + std::to_string(index);
467
468 if (!localRole)
469 {
470 messages::propertyMissing(asyncResp->res,
471 pathString + "/LocalRole");
472 continue;
473 }
474 if (!remoteGroup)
475 {
476 messages::propertyMissing(asyncResp->res,
477 pathString + "/RemoteGroup");
478 continue;
479 }
480
481 std::string dbusObjectPath;
482 if (serverType == "ActiveDirectory")
483 {
484 dbusObjectPath = adConfigObject;
485 }
486 else if (serverType == "LDAP")
487 {
488 dbusObjectPath = ldapConfigObjectName;
489 }
490
491 BMCWEB_LOG_DEBUG("Remote Group={},LocalRole={}", *remoteGroup,
492 *localRole);
493
494 crow::connections::systemBus->async_method_call(
495 [asyncResp, serverType, localRole,
496 remoteGroup](const boost::system::error_code& ec) {
497 if (ec)
498 {
499 BMCWEB_LOG_ERROR("DBUS response error: {}", ec);
500 messages::internalError(asyncResp->res);
501 return;
502 }
503 nlohmann::json& remoteRoleJson =
504 asyncResp->res
505 .jsonValue[serverType]["RemoteRoleMapping"];
506 nlohmann::json::object_t roleMapEntry;
507 roleMapEntry["LocalRole"] = *localRole;
508 roleMapEntry["RemoteGroup"] = *remoteGroup;
509 remoteRoleJson.emplace_back(std::move(roleMapEntry));
510 },
511 ldapDbusService, dbusObjectPath, ldapPrivMapperInterface,
512 "Create", *remoteGroup,
513 getPrivilegeFromRoleId(std::move(*localRole)));
514 }
515 }
516 }
517 }
518
519 /**
520 * Function that retrieves all properties for LDAP config object
521 * into JSON
522 */
523 template <typename CallbackFunc>
524 inline void
getLDAPConfigData(const std::string & ldapType,CallbackFunc && callback)525 getLDAPConfigData(const std::string& ldapType, CallbackFunc&& callback)
526 {
527 constexpr std::array<std::string_view, 2> interfaces = {
528 ldapEnableInterface, ldapConfigInterface};
529
530 dbus::utility::getDbusObject(
531 ldapConfigObjectName, interfaces,
532 [callback = std::forward<CallbackFunc>(callback),
533 ldapType](const boost::system::error_code& ec,
534 const dbus::utility::MapperGetObject& resp) mutable {
535 if (ec || resp.empty())
536 {
537 BMCWEB_LOG_WARNING(
538 "DBUS response error during getting of service name: {}",
539 ec);
540 LDAPConfigData empty{};
541 callback(false, empty, ldapType);
542 return;
543 }
544 std::string service = resp.begin()->first;
545 sdbusplus::message::object_path path(ldapRootObject);
546 dbus::utility::getManagedObjects(
547 service, path,
548 [callback, ldapType](const boost::system::error_code& ec2,
549 const dbus::utility::ManagedObjectType&
550 ldapObjects) mutable {
551 LDAPConfigData confData{};
552 if (ec2)
553 {
554 callback(false, confData, ldapType);
555 BMCWEB_LOG_WARNING("D-Bus responses error: {}", ec2);
556 return;
557 }
558
559 std::string ldapDbusType;
560 std::string searchString;
561
562 if (ldapType == "LDAP")
563 {
564 ldapDbusType =
565 "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap";
566 searchString = "openldap";
567 }
568 else if (ldapType == "ActiveDirectory")
569 {
570 ldapDbusType =
571 "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory";
572 searchString = "active_directory";
573 }
574 else
575 {
576 BMCWEB_LOG_ERROR(
577 "Can't get the DbusType for the given type={}",
578 ldapType);
579 callback(false, confData, ldapType);
580 return;
581 }
582
583 std::string ldapEnableInterfaceStr = ldapEnableInterface;
584 std::string ldapConfigInterfaceStr = ldapConfigInterface;
585
586 for (const auto& object : ldapObjects)
587 {
588 // let's find the object whose ldap type is equal to the
589 // given type
590 if (object.first.str.find(searchString) ==
591 std::string::npos)
592 {
593 continue;
594 }
595
596 for (const auto& interface : object.second)
597 {
598 if (interface.first == ldapEnableInterfaceStr)
599 {
600 // rest of the properties are string.
601 for (const auto& property : interface.second)
602 {
603 if (property.first == "Enabled")
604 {
605 const bool* value =
606 std::get_if<bool>(&property.second);
607 if (value == nullptr)
608 {
609 continue;
610 }
611 confData.serviceEnabled = *value;
612 break;
613 }
614 }
615 }
616 else if (interface.first == ldapConfigInterfaceStr)
617 {
618 for (const auto& property : interface.second)
619 {
620 const std::string* strValue =
621 std::get_if<std::string>(
622 &property.second);
623 if (strValue == nullptr)
624 {
625 continue;
626 }
627 if (property.first == "LDAPServerURI")
628 {
629 confData.uri = *strValue;
630 }
631 else if (property.first == "LDAPBindDN")
632 {
633 confData.bindDN = *strValue;
634 }
635 else if (property.first == "LDAPBaseDN")
636 {
637 confData.baseDN = *strValue;
638 }
639 else if (property.first ==
640 "LDAPSearchScope")
641 {
642 confData.searchScope = *strValue;
643 }
644 else if (property.first ==
645 "GroupNameAttribute")
646 {
647 confData.groupAttribute = *strValue;
648 }
649 else if (property.first ==
650 "UserNameAttribute")
651 {
652 confData.userNameAttribute = *strValue;
653 }
654 else if (property.first == "LDAPType")
655 {
656 confData.serverType = *strValue;
657 }
658 }
659 }
660 else if (
661 interface.first ==
662 "xyz.openbmc_project.User.PrivilegeMapperEntry")
663 {
664 LDAPRoleMapData roleMapData{};
665 for (const auto& property : interface.second)
666 {
667 const std::string* strValue =
668 std::get_if<std::string>(
669 &property.second);
670
671 if (strValue == nullptr)
672 {
673 continue;
674 }
675
676 if (property.first == "GroupName")
677 {
678 roleMapData.groupName = *strValue;
679 }
680 else if (property.first == "Privilege")
681 {
682 roleMapData.privilege = *strValue;
683 }
684 }
685
686 confData.groupRoleList.emplace_back(
687 object.first.str, roleMapData);
688 }
689 }
690 }
691 callback(true, confData, ldapType);
692 });
693 });
694 }
695
696 /**
697 * @brief updates the LDAP server address and updates the
698 json response with the new value.
699 * @param serviceAddressList address to be updated.
700 * @param asyncResp pointer to the JSON response
701 * @param ldapServerElementName Type of LDAP
702 server(openLDAP/ActiveDirectory)
703 */
704
handleServiceAddressPatch(const std::vector<std::string> & serviceAddressList,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & ldapServerElementName,const std::string & ldapConfigObject)705 inline void handleServiceAddressPatch(
706 const std::vector<std::string>& serviceAddressList,
707 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
708 const std::string& ldapServerElementName,
709 const std::string& ldapConfigObject)
710 {
711 setDbusProperty(asyncResp, ldapServerElementName + "/ServiceAddress",
712 ldapDbusService, ldapConfigObject, ldapConfigInterface,
713 "LDAPServerURI", serviceAddressList.front());
714 }
715 /**
716 * @brief updates the LDAP Bind DN and updates the
717 json response with the new value.
718 * @param username name of the user which needs to be updated.
719 * @param asyncResp pointer to the JSON response
720 * @param ldapServerElementName Type of LDAP
721 server(openLDAP/ActiveDirectory)
722 */
723
724 inline void
handleUserNamePatch(const std::string & username,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & ldapServerElementName,const std::string & ldapConfigObject)725 handleUserNamePatch(const std::string& username,
726 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
727 const std::string& ldapServerElementName,
728 const std::string& ldapConfigObject)
729 {
730 setDbusProperty(asyncResp,
731 ldapServerElementName + "/Authentication/Username",
732 ldapDbusService, ldapConfigObject, ldapConfigInterface,
733 "LDAPBindDN", username);
734 }
735
736 /**
737 * @brief updates the LDAP password
738 * @param password : ldap password which needs to be updated.
739 * @param asyncResp pointer to the JSON response
740 * @param ldapServerElementName Type of LDAP
741 * server(openLDAP/ActiveDirectory)
742 */
743
744 inline void
handlePasswordPatch(const std::string & password,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & ldapServerElementName,const std::string & ldapConfigObject)745 handlePasswordPatch(const std::string& password,
746 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
747 const std::string& ldapServerElementName,
748 const std::string& ldapConfigObject)
749 {
750 setDbusProperty(asyncResp,
751 ldapServerElementName + "/Authentication/Password",
752 ldapDbusService, ldapConfigObject, ldapConfigInterface,
753 "LDAPBindDNPassword", password);
754 }
755
756 /**
757 * @brief updates the LDAP BaseDN and updates the
758 json response with the new value.
759 * @param baseDNList baseDN list which needs to be updated.
760 * @param asyncResp pointer to the JSON response
761 * @param ldapServerElementName Type of LDAP
762 server(openLDAP/ActiveDirectory)
763 */
764
765 inline void
handleBaseDNPatch(const std::vector<std::string> & baseDNList,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & ldapServerElementName,const std::string & ldapConfigObject)766 handleBaseDNPatch(const std::vector<std::string>& baseDNList,
767 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
768 const std::string& ldapServerElementName,
769 const std::string& ldapConfigObject)
770 {
771 setDbusProperty(asyncResp,
772 ldapServerElementName +
773 "/LDAPService/SearchSettings/BaseDistinguishedNames",
774 ldapDbusService, ldapConfigObject, ldapConfigInterface,
775 "LDAPBaseDN", baseDNList.front());
776 }
777 /**
778 * @brief updates the LDAP user name attribute and updates the
779 json response with the new value.
780 * @param userNameAttribute attribute to be updated.
781 * @param asyncResp pointer to the JSON response
782 * @param ldapServerElementName Type of LDAP
783 server(openLDAP/ActiveDirectory)
784 */
785
handleUserNameAttrPatch(const std::string & userNameAttribute,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & ldapServerElementName,const std::string & ldapConfigObject)786 inline void handleUserNameAttrPatch(
787 const std::string& userNameAttribute,
788 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
789 const std::string& ldapServerElementName,
790 const std::string& ldapConfigObject)
791 {
792 setDbusProperty(
793 asyncResp,
794 ldapServerElementName + "LDAPService/SearchSettings/UsernameAttribute",
795 ldapDbusService, ldapConfigObject, ldapConfigInterface,
796 "UserNameAttribute", userNameAttribute);
797 }
798 /**
799 * @brief updates the LDAP group attribute and updates the
800 json response with the new value.
801 * @param groupsAttribute attribute to be updated.
802 * @param asyncResp pointer to the JSON response
803 * @param ldapServerElementName Type of LDAP
804 server(openLDAP/ActiveDirectory)
805 */
806
handleGroupNameAttrPatch(const std::string & groupsAttribute,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & ldapServerElementName,const std::string & ldapConfigObject)807 inline void handleGroupNameAttrPatch(
808 const std::string& groupsAttribute,
809 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
810 const std::string& ldapServerElementName,
811 const std::string& ldapConfigObject)
812 {
813 setDbusProperty(
814 asyncResp,
815 ldapServerElementName + "/LDAPService/SearchSettings/GroupsAttribute",
816 ldapDbusService, ldapConfigObject, ldapConfigInterface,
817 "GroupNameAttribute", groupsAttribute);
818 }
819 /**
820 * @brief updates the LDAP service enable and updates the
821 json response with the new value.
822 * @param input JSON data.
823 * @param asyncResp pointer to the JSON response
824 * @param ldapServerElementName Type of LDAP
825 server(openLDAP/ActiveDirectory)
826 */
827
handleServiceEnablePatch(bool serviceEnabled,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & ldapServerElementName,const std::string & ldapConfigObject)828 inline void handleServiceEnablePatch(
829 bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
830 const std::string& ldapServerElementName,
831 const std::string& ldapConfigObject)
832 {
833 setDbusProperty(asyncResp, ldapServerElementName + "/ServiceEnabled",
834 ldapDbusService, ldapConfigObject, ldapEnableInterface,
835 "Enabled", serviceEnabled);
836 }
837
838 struct AuthMethods
839 {
840 std::optional<bool> basicAuth;
841 std::optional<bool> cookie;
842 std::optional<bool> sessionToken;
843 std::optional<bool> xToken;
844 std::optional<bool> tls;
845 };
846
847 inline void
handleAuthMethodsPatch(const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const AuthMethods & auth)848 handleAuthMethodsPatch(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
849 const AuthMethods& auth)
850 {
851 persistent_data::AuthConfigMethods& authMethodsConfig =
852 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
853
854 if (auth.basicAuth)
855 {
856 if constexpr (!BMCWEB_BASIC_AUTH)
857 {
858 messages::actionNotSupported(
859 asyncResp->res,
860 "Setting BasicAuth when basic-auth feature is disabled");
861 return;
862 }
863
864 authMethodsConfig.basic = *auth.basicAuth;
865 }
866
867 if (auth.cookie)
868 {
869 if constexpr (!BMCWEB_COOKIE_AUTH)
870 {
871 messages::actionNotSupported(
872 asyncResp->res,
873 "Setting Cookie when cookie-auth feature is disabled");
874 return;
875 }
876 authMethodsConfig.cookie = *auth.cookie;
877 }
878
879 if (auth.sessionToken)
880 {
881 if constexpr (!BMCWEB_SESSION_AUTH)
882 {
883 messages::actionNotSupported(
884 asyncResp->res,
885 "Setting SessionToken when session-auth feature is disabled");
886 return;
887 }
888 authMethodsConfig.sessionToken = *auth.sessionToken;
889 }
890
891 if (auth.xToken)
892 {
893 if constexpr (!BMCWEB_XTOKEN_AUTH)
894 {
895 messages::actionNotSupported(
896 asyncResp->res,
897 "Setting XToken when xtoken-auth feature is disabled");
898 return;
899 }
900 authMethodsConfig.xtoken = *auth.xToken;
901 }
902
903 if (auth.tls)
904 {
905 if constexpr (!BMCWEB_MUTUAL_TLS_AUTH)
906 {
907 messages::actionNotSupported(
908 asyncResp->res,
909 "Setting TLS when mutual-tls-auth feature is disabled");
910 return;
911 }
912 authMethodsConfig.tls = *auth.tls;
913 }
914
915 if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
916 !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
917 !authMethodsConfig.tls)
918 {
919 // Do not allow user to disable everything
920 messages::actionNotSupported(asyncResp->res,
921 "of disabling all available methods");
922 return;
923 }
924
925 persistent_data::SessionStore::getInstance().updateAuthMethodsConfig(
926 authMethodsConfig);
927 // Save configuration immediately
928 persistent_data::getConfig().writeData();
929
930 messages::success(asyncResp->res);
931 }
932
933 /**
934 * @brief Get the required values from the given JSON, validates the
935 * value and create the LDAP config object.
936 * @param input JSON data
937 * @param asyncResp pointer to the JSON response
938 * @param serverType Type of LDAP server(openLDAP/ActiveDirectory)
939 */
940
941 struct LdapPatchParams
942 {
943 std::optional<std::string> authType;
944 std::optional<std::vector<std::string>> serviceAddressList;
945 std::optional<bool> serviceEnabled;
946 std::optional<std::vector<std::string>> baseDNList;
947 std::optional<std::string> userNameAttribute;
948 std::optional<std::string> groupsAttribute;
949 std::optional<std::string> userName;
950 std::optional<std::string> password;
951 std::optional<
952 std::vector<std::variant<nlohmann::json::object_t, std::nullptr_t>>>
953 remoteRoleMapData;
954 };
955
handleLDAPPatch(LdapPatchParams && input,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & serverType)956 inline void handleLDAPPatch(LdapPatchParams&& input,
957 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
958 const std::string& serverType)
959 {
960 std::string dbusObjectPath;
961 if (serverType == "ActiveDirectory")
962 {
963 dbusObjectPath = adConfigObject;
964 }
965 else if (serverType == "LDAP")
966 {
967 dbusObjectPath = ldapConfigObjectName;
968 }
969 else
970 {
971 BMCWEB_LOG_ERROR("serverType wasn't AD or LDAP but was {}????",
972 serverType);
973 return;
974 }
975
976 if (input.authType && *input.authType != "UsernameAndPassword")
977 {
978 messages::propertyValueNotInList(asyncResp->res, *input.authType,
979 "AuthenticationType");
980 return;
981 }
982
983 if (input.serviceAddressList)
984 {
985 if (input.serviceAddressList->empty())
986 {
987 messages::propertyValueNotInList(
988 asyncResp->res, *input.serviceAddressList, "ServiceAddress");
989 return;
990 }
991 }
992 if (input.baseDNList)
993 {
994 if (input.baseDNList->empty())
995 {
996 messages::propertyValueNotInList(asyncResp->res, *input.baseDNList,
997 "BaseDistinguishedNames");
998 return;
999 }
1000 }
1001
1002 // nothing to update, then return
1003 if (!input.userName && !input.password && !input.serviceAddressList &&
1004 !input.baseDNList && !input.userNameAttribute &&
1005 !input.groupsAttribute && !input.serviceEnabled &&
1006 !input.remoteRoleMapData)
1007 {
1008 return;
1009 }
1010
1011 // Get the existing resource first then keep modifying
1012 // whenever any property gets updated.
1013 getLDAPConfigData(serverType, [asyncResp, input = std::move(input),
1014 dbusObjectPath = std::move(dbusObjectPath)](
1015 bool success,
1016 const LDAPConfigData& confData,
1017 const std::string& serverT) mutable {
1018 if (!success)
1019 {
1020 messages::internalError(asyncResp->res);
1021 return;
1022 }
1023 parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT);
1024 if (confData.serviceEnabled)
1025 {
1026 // Disable the service first and update the rest of
1027 // the properties.
1028 handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath);
1029 }
1030
1031 if (input.serviceAddressList)
1032 {
1033 handleServiceAddressPatch(*input.serviceAddressList, asyncResp,
1034 serverT, dbusObjectPath);
1035 }
1036 if (input.userName)
1037 {
1038 handleUserNamePatch(*input.userName, asyncResp, serverT,
1039 dbusObjectPath);
1040 }
1041 if (input.password)
1042 {
1043 handlePasswordPatch(*input.password, asyncResp, serverT,
1044 dbusObjectPath);
1045 }
1046
1047 if (input.baseDNList)
1048 {
1049 handleBaseDNPatch(*input.baseDNList, asyncResp, serverT,
1050 dbusObjectPath);
1051 }
1052 if (input.userNameAttribute)
1053 {
1054 handleUserNameAttrPatch(*input.userNameAttribute, asyncResp,
1055 serverT, dbusObjectPath);
1056 }
1057 if (input.groupsAttribute)
1058 {
1059 handleGroupNameAttrPatch(*input.groupsAttribute, asyncResp, serverT,
1060 dbusObjectPath);
1061 }
1062 if (input.serviceEnabled)
1063 {
1064 // if user has given the value as true then enable
1065 // the service. if user has given false then no-op
1066 // as service is already stopped.
1067 if (*input.serviceEnabled)
1068 {
1069 handleServiceEnablePatch(*input.serviceEnabled, asyncResp,
1070 serverT, dbusObjectPath);
1071 }
1072 }
1073 else
1074 {
1075 // if user has not given the service enabled value
1076 // then revert it to the same state as it was
1077 // before.
1078 handleServiceEnablePatch(confData.serviceEnabled, asyncResp,
1079 serverT, dbusObjectPath);
1080 }
1081
1082 if (input.remoteRoleMapData)
1083 {
1084 handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT,
1085 *input.remoteRoleMapData);
1086 }
1087 });
1088 }
1089
updateUserProperties(std::shared_ptr<bmcweb::AsyncResp> asyncResp,const std::string & username,const std::optional<std::string> & password,const std::optional<bool> & enabled,const std::optional<std::string> & roleId,const std::optional<bool> & locked,std::optional<std::vector<std::string>> accountTypes,bool userSelf,const std::shared_ptr<persistent_data::UserSession> & session)1090 inline void updateUserProperties(
1091 std::shared_ptr<bmcweb::AsyncResp> asyncResp, const std::string& username,
1092 const std::optional<std::string>& password,
1093 const std::optional<bool>& enabled,
1094 const std::optional<std::string>& roleId, const std::optional<bool>& locked,
1095 std::optional<std::vector<std::string>> accountTypes, bool userSelf,
1096 const std::shared_ptr<persistent_data::UserSession>& session)
1097 {
1098 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1099 tempObjPath /= username;
1100 std::string dbusObjectPath(tempObjPath);
1101
1102 dbus::utility::checkDbusPathExists(
1103 dbusObjectPath,
1104 [dbusObjectPath, username, password, roleId, enabled, locked,
1105 accountTypes(std::move(accountTypes)), userSelf, session,
1106 asyncResp{std::move(asyncResp)}](int rc) {
1107 if (rc <= 0)
1108 {
1109 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1110 username);
1111 return;
1112 }
1113
1114 if (password)
1115 {
1116 int retval = pamUpdatePassword(username, *password);
1117
1118 if (retval == PAM_USER_UNKNOWN)
1119 {
1120 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1121 username);
1122 }
1123 else if (retval == PAM_AUTHTOK_ERR)
1124 {
1125 // If password is invalid
1126 messages::propertyValueFormatError(asyncResp->res, nullptr,
1127 "Password");
1128 BMCWEB_LOG_ERROR("pamUpdatePassword Failed");
1129 }
1130 else if (retval != PAM_SUCCESS)
1131 {
1132 messages::internalError(asyncResp->res);
1133 return;
1134 }
1135 else
1136 {
1137 // Remove existing sessions of the user when password
1138 // changed
1139 persistent_data::SessionStore::getInstance()
1140 .removeSessionsByUsernameExceptSession(username,
1141 session);
1142 messages::success(asyncResp->res);
1143 }
1144 }
1145
1146 if (enabled)
1147 {
1148 setDbusProperty(
1149 asyncResp, "Enabled", "xyz.openbmc_project.User.Manager",
1150 dbusObjectPath, "xyz.openbmc_project.User.Attributes",
1151 "UserEnabled", *enabled);
1152 }
1153
1154 if (roleId)
1155 {
1156 std::string priv = getPrivilegeFromRoleId(*roleId);
1157 if (priv.empty())
1158 {
1159 messages::propertyValueNotInList(asyncResp->res, true,
1160 "Locked");
1161 return;
1162 }
1163 setDbusProperty(
1164 asyncResp, "RoleId", "xyz.openbmc_project.User.Manager",
1165 dbusObjectPath, "xyz.openbmc_project.User.Attributes",
1166 "UserPrivilege", priv);
1167 }
1168
1169 if (locked)
1170 {
1171 // admin can unlock the account which is locked by
1172 // successive authentication failures but admin should
1173 // not be allowed to lock an account.
1174 if (*locked)
1175 {
1176 messages::propertyValueNotInList(asyncResp->res, "true",
1177 "Locked");
1178 return;
1179 }
1180 setDbusProperty(
1181 asyncResp, "Locked", "xyz.openbmc_project.User.Manager",
1182 dbusObjectPath, "xyz.openbmc_project.User.Attributes",
1183 "UserLockedForFailedAttempt", *locked);
1184 }
1185
1186 if (accountTypes)
1187 {
1188 patchAccountTypes(*accountTypes, asyncResp, dbusObjectPath,
1189 userSelf);
1190 }
1191 });
1192 }
1193
handleAccountServiceHead(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp)1194 inline void handleAccountServiceHead(
1195 App& app, const crow::Request& req,
1196 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1197 {
1198 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1199 {
1200 return;
1201 }
1202 asyncResp->res.addHeader(
1203 boost::beast::http::field::link,
1204 "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby");
1205 }
1206
1207 inline void
getClientCertificates(const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const nlohmann::json::json_pointer & keyLocation)1208 getClientCertificates(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1209 const nlohmann::json::json_pointer& keyLocation)
1210 {
1211 boost::urls::url url(
1212 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates");
1213 std::array<std::string_view, 1> interfaces = {
1214 "xyz.openbmc_project.Certs.Certificate"};
1215 std::string path = "/xyz/openbmc_project/certs/authority/truststore";
1216
1217 collection_util::getCollectionToKey(asyncResp, url, interfaces, path,
1218 keyLocation);
1219 }
1220
handleAccountServiceClientCertificatesInstanceHead(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string &)1221 inline void handleAccountServiceClientCertificatesInstanceHead(
1222 App& app, const crow::Request& req,
1223 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1224 const std::string& /*id*/)
1225 {
1226 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1227 {
1228 return;
1229 }
1230
1231 asyncResp->res.addHeader(
1232 boost::beast::http::field::link,
1233 "</redfish/v1/JsonSchemas/Certificate/Certificate.json>; rel=describedby");
1234 }
1235
handleAccountServiceClientCertificatesInstanceGet(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & id)1236 inline void handleAccountServiceClientCertificatesInstanceGet(
1237 App& app, const crow::Request& req,
1238 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, const std::string& id)
1239 {
1240 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1241 {
1242 return;
1243 }
1244 BMCWEB_LOG_DEBUG("ClientCertificate Certificate ID={}", id);
1245 const boost::urls::url certURL = boost::urls::format(
1246 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/{}",
1247 id);
1248 std::string objPath =
1249 sdbusplus::message::object_path(certs::authorityObjectPath) / id;
1250 getCertificateProperties(
1251 asyncResp, objPath,
1252 "xyz.openbmc_project.Certs.Manager.Authority.Truststore", id, certURL,
1253 "Client Certificate");
1254 }
1255
handleAccountServiceClientCertificatesHead(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp)1256 inline void handleAccountServiceClientCertificatesHead(
1257 App& app, const crow::Request& req,
1258 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1259 {
1260 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1261 {
1262 return;
1263 }
1264
1265 asyncResp->res.addHeader(
1266 boost::beast::http::field::link,
1267 "</redfish/v1/JsonSchemas/CertificateCollection/CertificateCollection.json>; rel=describedby");
1268 }
1269
handleAccountServiceClientCertificatesGet(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp)1270 inline void handleAccountServiceClientCertificatesGet(
1271 App& app, const crow::Request& req,
1272 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1273 {
1274 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1275 {
1276 return;
1277 }
1278 getClientCertificates(asyncResp, "/Members"_json_pointer);
1279 }
1280
1281 using account_service::CertificateMappingAttribute;
1282 using persistent_data::MTLSCommonNameParseMode;
1283 inline CertificateMappingAttribute
getCertificateMapping(MTLSCommonNameParseMode parse)1284 getCertificateMapping(MTLSCommonNameParseMode parse)
1285 {
1286 switch (parse)
1287 {
1288 case MTLSCommonNameParseMode::CommonName:
1289 {
1290 return CertificateMappingAttribute::CommonName;
1291 }
1292 break;
1293 case MTLSCommonNameParseMode::Whole:
1294 {
1295 return CertificateMappingAttribute::Whole;
1296 }
1297 break;
1298 case MTLSCommonNameParseMode::UserPrincipalName:
1299 {
1300 return CertificateMappingAttribute::UserPrincipalName;
1301 }
1302 break;
1303
1304 case MTLSCommonNameParseMode::Meta:
1305 {
1306 if constexpr (BMCWEB_META_TLS_COMMON_NAME_PARSING)
1307 {
1308 return CertificateMappingAttribute::CommonName;
1309 }
1310 }
1311 break;
1312 default:
1313 {
1314 return CertificateMappingAttribute::Invalid;
1315 }
1316 break;
1317 }
1318 }
1319
1320 inline void
handleAccountServiceGet(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp)1321 handleAccountServiceGet(App& app, const crow::Request& req,
1322 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1323 {
1324 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1325 {
1326 return;
1327 }
1328
1329 if (req.session == nullptr)
1330 {
1331 messages::internalError(asyncResp->res);
1332 return;
1333 }
1334
1335 const persistent_data::AuthConfigMethods& authMethodsConfig =
1336 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
1337
1338 asyncResp->res.addHeader(
1339 boost::beast::http::field::link,
1340 "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby");
1341
1342 nlohmann::json& json = asyncResp->res.jsonValue;
1343 json["@odata.id"] = "/redfish/v1/AccountService";
1344 json["@odata.type"] = "#AccountService.v1_15_0.AccountService";
1345 json["Id"] = "AccountService";
1346 json["Name"] = "Account Service";
1347 json["Description"] = "Account Service";
1348 json["ServiceEnabled"] = true;
1349 json["MaxPasswordLength"] = 20;
1350 json["Accounts"]["@odata.id"] = "/redfish/v1/AccountService/Accounts";
1351 json["Roles"]["@odata.id"] = "/redfish/v1/AccountService/Roles";
1352 json["HTTPBasicAuth"] = authMethodsConfig.basic
1353 ? account_service::BasicAuthState::Enabled
1354 : account_service::BasicAuthState::Disabled;
1355
1356 nlohmann::json::array_t allowed;
1357 allowed.emplace_back(account_service::BasicAuthState::Enabled);
1358 allowed.emplace_back(account_service::BasicAuthState::Disabled);
1359 json["HTTPBasicAuth@AllowableValues"] = std::move(allowed);
1360
1361 nlohmann::json::object_t clientCertificate;
1362 clientCertificate["Enabled"] = authMethodsConfig.tls;
1363 clientCertificate["RespondToUnauthenticatedClients"] =
1364 !authMethodsConfig.tlsStrict;
1365
1366 using account_service::CertificateMappingAttribute;
1367
1368 CertificateMappingAttribute mapping =
1369 getCertificateMapping(authMethodsConfig.mTLSCommonNameParsingMode);
1370 if (mapping == CertificateMappingAttribute::Invalid)
1371 {
1372 messages::internalError(asyncResp->res);
1373 }
1374 else
1375 {
1376 clientCertificate["CertificateMappingAttribute"] = mapping;
1377 }
1378 nlohmann::json::object_t certificates;
1379 certificates["@odata.id"] =
1380 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates";
1381 certificates["@odata.type"] =
1382 "#CertificateCollection.CertificateCollection";
1383 clientCertificate["Certificates"] = std::move(certificates);
1384 json["MultiFactorAuth"]["ClientCertificate"] = std::move(clientCertificate);
1385
1386 getClientCertificates(
1387 asyncResp,
1388 "/MultiFactorAuth/ClientCertificate/Certificates/Members"_json_pointer);
1389
1390 json["Oem"]["OpenBMC"]["@odata.type"] =
1391 "#OpenBMCAccountService.v1_0_0.AccountService";
1392 json["Oem"]["OpenBMC"]["@odata.id"] =
1393 "/redfish/v1/AccountService#/Oem/OpenBMC";
1394 json["Oem"]["OpenBMC"]["AuthMethods"]["BasicAuth"] =
1395 authMethodsConfig.basic;
1396 json["Oem"]["OpenBMC"]["AuthMethods"]["SessionToken"] =
1397 authMethodsConfig.sessionToken;
1398 json["Oem"]["OpenBMC"]["AuthMethods"]["XToken"] = authMethodsConfig.xtoken;
1399 json["Oem"]["OpenBMC"]["AuthMethods"]["Cookie"] = authMethodsConfig.cookie;
1400 json["Oem"]["OpenBMC"]["AuthMethods"]["TLS"] = authMethodsConfig.tls;
1401
1402 // /redfish/v1/AccountService/LDAP/Certificates is something only
1403 // ConfigureManager can access then only display when the user has
1404 // permissions ConfigureManager
1405 Privileges effectiveUserPrivileges =
1406 redfish::getUserPrivileges(*req.session);
1407
1408 if (isOperationAllowedWithPrivileges({{"ConfigureManager"}},
1409 effectiveUserPrivileges))
1410 {
1411 asyncResp->res.jsonValue["LDAP"]["Certificates"]["@odata.id"] =
1412 "/redfish/v1/AccountService/LDAP/Certificates";
1413 }
1414 sdbusplus::asio::getAllProperties(
1415 *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1416 "/xyz/openbmc_project/user", "xyz.openbmc_project.User.AccountPolicy",
1417 [asyncResp](const boost::system::error_code& ec,
1418 const dbus::utility::DBusPropertiesMap& propertiesList) {
1419 if (ec)
1420 {
1421 messages::internalError(asyncResp->res);
1422 return;
1423 }
1424
1425 BMCWEB_LOG_DEBUG("Got {} properties for AccountService",
1426 propertiesList.size());
1427
1428 const uint8_t* minPasswordLength = nullptr;
1429 const uint32_t* accountUnlockTimeout = nullptr;
1430 const uint16_t* maxLoginAttemptBeforeLockout = nullptr;
1431
1432 const bool success = sdbusplus::unpackPropertiesNoThrow(
1433 dbus_utils::UnpackErrorPrinter(), propertiesList,
1434 "MinPasswordLength", minPasswordLength, "AccountUnlockTimeout",
1435 accountUnlockTimeout, "MaxLoginAttemptBeforeLockout",
1436 maxLoginAttemptBeforeLockout);
1437
1438 if (!success)
1439 {
1440 messages::internalError(asyncResp->res);
1441 return;
1442 }
1443
1444 if (minPasswordLength != nullptr)
1445 {
1446 asyncResp->res.jsonValue["MinPasswordLength"] =
1447 *minPasswordLength;
1448 }
1449
1450 if (accountUnlockTimeout != nullptr)
1451 {
1452 asyncResp->res.jsonValue["AccountLockoutDuration"] =
1453 *accountUnlockTimeout;
1454 }
1455
1456 if (maxLoginAttemptBeforeLockout != nullptr)
1457 {
1458 asyncResp->res.jsonValue["AccountLockoutThreshold"] =
1459 *maxLoginAttemptBeforeLockout;
1460 }
1461 });
1462
1463 auto callback = [asyncResp](bool success, const LDAPConfigData& confData,
1464 const std::string& ldapType) {
1465 if (!success)
1466 {
1467 return;
1468 }
1469 parseLDAPConfigData(asyncResp->res.jsonValue, confData, ldapType);
1470 };
1471
1472 getLDAPConfigData("LDAP", callback);
1473 getLDAPConfigData("ActiveDirectory", callback);
1474 }
1475
handleCertificateMappingAttributePatch(crow::Response & res,const std::string & certMapAttribute)1476 inline void handleCertificateMappingAttributePatch(
1477 crow::Response& res, const std::string& certMapAttribute)
1478 {
1479 MTLSCommonNameParseMode parseMode =
1480 persistent_data::getMTLSCommonNameParseMode(certMapAttribute);
1481 if (parseMode == MTLSCommonNameParseMode::Invalid)
1482 {
1483 messages::propertyValueNotInList(res, "CertificateMappingAttribute",
1484 certMapAttribute);
1485 return;
1486 }
1487
1488 persistent_data::AuthConfigMethods& authMethodsConfig =
1489 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
1490 authMethodsConfig.mTLSCommonNameParsingMode = parseMode;
1491 }
1492
handleRespondToUnauthenticatedClientsPatch(App & app,const crow::Request & req,crow::Response & res,bool respondToUnauthenticatedClients)1493 inline void handleRespondToUnauthenticatedClientsPatch(
1494 App& app, const crow::Request& req, crow::Response& res,
1495 bool respondToUnauthenticatedClients)
1496 {
1497 if (req.session != nullptr)
1498 {
1499 // Sanity check. If the user isn't currently authenticated with mutual
1500 // TLS, they very likely are about to permanently lock themselves out.
1501 // Make sure they're using mutual TLS before allowing locking.
1502 if (req.session->sessionType != persistent_data::SessionType::MutualTLS)
1503 {
1504 messages::propertyValueExternalConflict(
1505 res,
1506 "MultiFactorAuth/ClientCertificate/RespondToUnauthenticatedClients",
1507 respondToUnauthenticatedClients);
1508 return;
1509 }
1510 }
1511
1512 persistent_data::AuthConfigMethods& authMethodsConfig =
1513 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
1514
1515 // Change the settings
1516 authMethodsConfig.tlsStrict = !respondToUnauthenticatedClients;
1517
1518 // Write settings to disk
1519 persistent_data::getConfig().writeData();
1520
1521 // Trigger a reload, to apply the new settings to new connections
1522 app.loadCertificate();
1523 }
1524
handleAccountServicePatch(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp)1525 inline void handleAccountServicePatch(
1526 App& app, const crow::Request& req,
1527 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1528 {
1529 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1530 {
1531 return;
1532 }
1533 std::optional<uint32_t> unlockTimeout;
1534 std::optional<uint16_t> lockoutThreshold;
1535 std::optional<uint8_t> minPasswordLength;
1536 std::optional<uint16_t> maxPasswordLength;
1537 LdapPatchParams ldapObject;
1538 std::optional<std::string> certificateMappingAttribute;
1539 std::optional<bool> respondToUnauthenticatedClients;
1540 LdapPatchParams activeDirectoryObject;
1541 AuthMethods auth;
1542 std::optional<std::string> httpBasicAuth;
1543
1544 // clang-format off
1545 if (!json_util::readJsonPatch(
1546 req, asyncResp->res,
1547 "AccountLockoutDuration", unlockTimeout,
1548 "AccountLockoutThreshold", lockoutThreshold,
1549 "ActiveDirectory/Authentication/AuthenticationType", activeDirectoryObject.authType,
1550 "ActiveDirectory/Authentication/Password", activeDirectoryObject.password,
1551 "ActiveDirectory/Authentication/Username", activeDirectoryObject.userName,
1552 "ActiveDirectory/LDAPService/SearchSettings/BaseDistinguishedNames", activeDirectoryObject.baseDNList,
1553 "ActiveDirectory/LDAPService/SearchSettings/GroupsAttribute", activeDirectoryObject.groupsAttribute,
1554 "ActiveDirectory/LDAPService/SearchSettings/UsernameAttribute", activeDirectoryObject.userNameAttribute,
1555 "ActiveDirectory/RemoteRoleMapping", activeDirectoryObject.remoteRoleMapData,
1556 "ActiveDirectory/ServiceAddresses", activeDirectoryObject.serviceAddressList,
1557 "ActiveDirectory/ServiceEnabled", activeDirectoryObject.serviceEnabled,
1558 "MultiFactorAuth/ClientCertificate/CertificateMappingAttribute", certificateMappingAttribute,
1559 "MultiFactorAuth/ClientCertificate/RespondToUnauthenticatedClients", respondToUnauthenticatedClients,
1560 "LDAP/Authentication/AuthenticationType", ldapObject.authType,
1561 "LDAP/Authentication/Password", ldapObject.password,
1562 "LDAP/Authentication/Username", ldapObject.userName,
1563 "LDAP/LDAPService/SearchSettings/BaseDistinguishedNames", ldapObject.baseDNList,
1564 "LDAP/LDAPService/SearchSettings/GroupsAttribute", ldapObject.groupsAttribute,
1565 "LDAP/LDAPService/SearchSettings/UsernameAttribute", ldapObject.userNameAttribute,
1566 "LDAP/RemoteRoleMapping", ldapObject.remoteRoleMapData,
1567 "LDAP/ServiceAddresses", ldapObject.serviceAddressList,
1568 "LDAP/ServiceEnabled", ldapObject.serviceEnabled,
1569 "MaxPasswordLength", maxPasswordLength,
1570 "MinPasswordLength", minPasswordLength,
1571 "Oem/OpenBMC/AuthMethods/BasicAuth", auth.basicAuth,
1572 "Oem/OpenBMC/AuthMethods/Cookie", auth.cookie,
1573 "Oem/OpenBMC/AuthMethods/SessionToken", auth.sessionToken,
1574 "Oem/OpenBMC/AuthMethods/TLS", auth.tls,
1575 "Oem/OpenBMC/AuthMethods/XToken", auth.xToken,
1576 "HTTPBasicAuth", httpBasicAuth))
1577 {
1578 return;
1579 }
1580 // clang-format on
1581
1582 if (httpBasicAuth)
1583 {
1584 if (*httpBasicAuth == "Enabled")
1585 {
1586 auth.basicAuth = true;
1587 }
1588 else if (*httpBasicAuth == "Disabled")
1589 {
1590 auth.basicAuth = false;
1591 }
1592 else
1593 {
1594 messages::propertyValueNotInList(asyncResp->res, "HttpBasicAuth",
1595 *httpBasicAuth);
1596 }
1597 }
1598
1599 if (respondToUnauthenticatedClients)
1600 {
1601 handleRespondToUnauthenticatedClientsPatch(
1602 app, req, asyncResp->res, *respondToUnauthenticatedClients);
1603 }
1604
1605 if (certificateMappingAttribute)
1606 {
1607 handleCertificateMappingAttributePatch(asyncResp->res,
1608 *certificateMappingAttribute);
1609 }
1610
1611 if (minPasswordLength)
1612 {
1613 setDbusProperty(
1614 asyncResp, "MinPasswordLength", "xyz.openbmc_project.User.Manager",
1615 sdbusplus::message::object_path("/xyz/openbmc_project/user"),
1616 "xyz.openbmc_project.User.AccountPolicy", "MinPasswordLength",
1617 *minPasswordLength);
1618 }
1619
1620 if (maxPasswordLength)
1621 {
1622 messages::propertyNotWritable(asyncResp->res, "MaxPasswordLength");
1623 }
1624
1625 handleLDAPPatch(std::move(activeDirectoryObject), asyncResp,
1626 "ActiveDirectory");
1627 handleLDAPPatch(std::move(ldapObject), asyncResp, "LDAP");
1628
1629 handleAuthMethodsPatch(asyncResp, auth);
1630
1631 if (unlockTimeout)
1632 {
1633 setDbusProperty(
1634 asyncResp, "AccountLockoutDuration",
1635 "xyz.openbmc_project.User.Manager",
1636 sdbusplus::message::object_path("/xyz/openbmc_project/user"),
1637 "xyz.openbmc_project.User.AccountPolicy", "AccountUnlockTimeout",
1638 *unlockTimeout);
1639 }
1640 if (lockoutThreshold)
1641 {
1642 setDbusProperty(
1643 asyncResp, "AccountLockoutThreshold",
1644 "xyz.openbmc_project.User.Manager",
1645 sdbusplus::message::object_path("/xyz/openbmc_project/user"),
1646 "xyz.openbmc_project.User.AccountPolicy",
1647 "MaxLoginAttemptBeforeLockout", *lockoutThreshold);
1648 }
1649 }
1650
handleAccountCollectionHead(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp)1651 inline void handleAccountCollectionHead(
1652 App& app, const crow::Request& req,
1653 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1654 {
1655 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1656 {
1657 return;
1658 }
1659 asyncResp->res.addHeader(
1660 boost::beast::http::field::link,
1661 "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby");
1662 }
1663
handleAccountCollectionGet(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp)1664 inline void handleAccountCollectionGet(
1665 App& app, const crow::Request& req,
1666 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1667 {
1668 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1669 {
1670 return;
1671 }
1672
1673 if (req.session == nullptr)
1674 {
1675 messages::internalError(asyncResp->res);
1676 return;
1677 }
1678
1679 asyncResp->res.addHeader(
1680 boost::beast::http::field::link,
1681 "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby");
1682
1683 asyncResp->res.jsonValue["@odata.id"] =
1684 "/redfish/v1/AccountService/Accounts";
1685 asyncResp->res.jsonValue["@odata.type"] = "#ManagerAccountCollection."
1686 "ManagerAccountCollection";
1687 asyncResp->res.jsonValue["Name"] = "Accounts Collection";
1688 asyncResp->res.jsonValue["Description"] = "BMC User Accounts";
1689
1690 Privileges effectiveUserPrivileges =
1691 redfish::getUserPrivileges(*req.session);
1692
1693 std::string thisUser;
1694 if (req.session)
1695 {
1696 thisUser = req.session->username;
1697 }
1698 sdbusplus::message::object_path path("/xyz/openbmc_project/user");
1699 dbus::utility::getManagedObjects(
1700 "xyz.openbmc_project.User.Manager", path,
1701 [asyncResp, thisUser, effectiveUserPrivileges](
1702 const boost::system::error_code& ec,
1703 const dbus::utility::ManagedObjectType& users) {
1704 if (ec)
1705 {
1706 messages::internalError(asyncResp->res);
1707 return;
1708 }
1709
1710 bool userCanSeeAllAccounts =
1711 effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"});
1712
1713 bool userCanSeeSelf =
1714 effectiveUserPrivileges.isSupersetOf({"ConfigureSelf"});
1715
1716 nlohmann::json& memberArray = asyncResp->res.jsonValue["Members"];
1717 memberArray = nlohmann::json::array();
1718
1719 for (const auto& userpath : users)
1720 {
1721 std::string user = userpath.first.filename();
1722 if (user.empty())
1723 {
1724 messages::internalError(asyncResp->res);
1725 BMCWEB_LOG_ERROR("Invalid firmware ID");
1726
1727 return;
1728 }
1729
1730 // As clarified by Redfish here:
1731 // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration
1732 // Users without ConfigureUsers, only see their own
1733 // account. Users with ConfigureUsers, see all
1734 // accounts.
1735 if (userCanSeeAllAccounts ||
1736 (thisUser == user && userCanSeeSelf))
1737 {
1738 nlohmann::json::object_t member;
1739 member["@odata.id"] = boost::urls::format(
1740 "/redfish/v1/AccountService/Accounts/{}", user);
1741 memberArray.emplace_back(std::move(member));
1742 }
1743 }
1744 asyncResp->res.jsonValue["Members@odata.count"] =
1745 memberArray.size();
1746 });
1747 }
1748
processAfterCreateUser(const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & username,const std::string & password,const boost::system::error_code & ec,sdbusplus::message_t & m)1749 inline void processAfterCreateUser(
1750 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1751 const std::string& username, const std::string& password,
1752 const boost::system::error_code& ec, sdbusplus::message_t& m)
1753 {
1754 if (ec)
1755 {
1756 userErrorMessageHandler(m.get_error(), asyncResp, username, "");
1757 return;
1758 }
1759
1760 if (pamUpdatePassword(username, password) != PAM_SUCCESS)
1761 {
1762 // At this point we have a user that's been
1763 // created, but the password set
1764 // failed.Something is wrong, so delete the user
1765 // that we've already created
1766 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1767 tempObjPath /= username;
1768 const std::string userPath(tempObjPath);
1769
1770 crow::connections::systemBus->async_method_call(
1771 [asyncResp, password](const boost::system::error_code& ec3) {
1772 if (ec3)
1773 {
1774 messages::internalError(asyncResp->res);
1775 return;
1776 }
1777
1778 // If password is invalid
1779 messages::propertyValueFormatError(asyncResp->res, nullptr,
1780 "Password");
1781 },
1782 "xyz.openbmc_project.User.Manager", userPath,
1783 "xyz.openbmc_project.Object.Delete", "Delete");
1784
1785 BMCWEB_LOG_ERROR("pamUpdatePassword Failed");
1786 return;
1787 }
1788
1789 messages::created(asyncResp->res);
1790 asyncResp->res.addHeader("Location",
1791 "/redfish/v1/AccountService/Accounts/" + username);
1792 }
1793
processAfterGetAllGroups(const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & username,const std::string & password,const std::string & roleId,bool enabled,std::optional<std::vector<std::string>> accountTypes,const std::vector<std::string> & allGroupsList)1794 inline void processAfterGetAllGroups(
1795 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1796 const std::string& username, const std::string& password,
1797 const std::string& roleId, bool enabled,
1798 std::optional<std::vector<std::string>> accountTypes,
1799 const std::vector<std::string>& allGroupsList)
1800 {
1801 std::vector<std::string> userGroups;
1802 std::vector<std::string> accountTypeUserGroups;
1803
1804 // If user specified account types then convert them to unix user groups
1805 if (accountTypes)
1806 {
1807 if (!getUserGroupFromAccountType(asyncResp->res, *accountTypes,
1808 accountTypeUserGroups))
1809 {
1810 // Problem in mapping Account Types to User Groups, Error already
1811 // logged.
1812 return;
1813 }
1814 }
1815
1816 for (const auto& grp : allGroupsList)
1817 {
1818 // If user specified the account type then only accept groups which are
1819 // in the account types group list.
1820 if (!accountTypeUserGroups.empty())
1821 {
1822 bool found = false;
1823 for (const auto& grp1 : accountTypeUserGroups)
1824 {
1825 if (grp == grp1)
1826 {
1827 found = true;
1828 break;
1829 }
1830 }
1831 if (!found)
1832 {
1833 continue;
1834 }
1835 }
1836
1837 // Console access is provided to the user who is a member of
1838 // hostconsole group and has a administrator role. So, set
1839 // hostconsole group only for the administrator.
1840 if ((grp == "hostconsole") && (roleId != "priv-admin"))
1841 {
1842 if (!accountTypeUserGroups.empty())
1843 {
1844 BMCWEB_LOG_ERROR(
1845 "Only administrator can get HostConsole access");
1846 asyncResp->res.result(boost::beast::http::status::bad_request);
1847 return;
1848 }
1849 continue;
1850 }
1851 userGroups.emplace_back(grp);
1852 }
1853
1854 // Make sure user specified groups are valid. This is internal error because
1855 // it some inconsistencies between user manager and bmcweb.
1856 if (!accountTypeUserGroups.empty() &&
1857 accountTypeUserGroups.size() != userGroups.size())
1858 {
1859 messages::internalError(asyncResp->res);
1860 return;
1861 }
1862 crow::connections::systemBus->async_method_call(
1863 [asyncResp, username, password](const boost::system::error_code& ec2,
1864 sdbusplus::message_t& m) {
1865 processAfterCreateUser(asyncResp, username, password, ec2, m);
1866 },
1867 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1868 "xyz.openbmc_project.User.Manager", "CreateUser", username, userGroups,
1869 roleId, enabled);
1870 }
1871
handleAccountCollectionPost(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp)1872 inline void handleAccountCollectionPost(
1873 App& app, const crow::Request& req,
1874 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1875 {
1876 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1877 {
1878 return;
1879 }
1880 std::string username;
1881 std::string password;
1882 std::optional<std::string> roleIdJson;
1883 std::optional<bool> enabledJson;
1884 std::optional<std::vector<std::string>> accountTypes;
1885 if (!json_util::readJsonPatch(
1886 req, asyncResp->res, "UserName", username, "Password", password,
1887 "RoleId", roleIdJson, "Enabled", enabledJson, "AccountTypes",
1888 accountTypes))
1889 {
1890 return;
1891 }
1892
1893 std::string roleId = roleIdJson.value_or("User");
1894 std::string priv = getPrivilegeFromRoleId(roleId);
1895 if (priv.empty())
1896 {
1897 messages::propertyValueNotInList(asyncResp->res, roleId, "RoleId");
1898 return;
1899 }
1900 roleId = priv;
1901
1902 bool enabled = enabledJson.value_or(true);
1903
1904 // Reading AllGroups property
1905 sdbusplus::asio::getProperty<std::vector<std::string>>(
1906 *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1907 "/xyz/openbmc_project/user", "xyz.openbmc_project.User.Manager",
1908 "AllGroups",
1909 [asyncResp, username, password{std::move(password)}, roleId, enabled,
1910 accountTypes](const boost::system::error_code& ec,
1911 const std::vector<std::string>& allGroupsList) {
1912 if (ec)
1913 {
1914 BMCWEB_LOG_DEBUG("ERROR with async_method_call");
1915 messages::internalError(asyncResp->res);
1916 return;
1917 }
1918
1919 if (allGroupsList.empty())
1920 {
1921 messages::internalError(asyncResp->res);
1922 return;
1923 }
1924
1925 processAfterGetAllGroups(asyncResp, username, password, roleId,
1926 enabled, accountTypes, allGroupsList);
1927 });
1928 }
1929
1930 inline void
handleAccountHead(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string &)1931 handleAccountHead(App& app, const crow::Request& req,
1932 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1933 const std::string& /*accountName*/)
1934 {
1935 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1936 {
1937 return;
1938 }
1939 asyncResp->res.addHeader(
1940 boost::beast::http::field::link,
1941 "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby");
1942 }
1943
1944 inline void
handleAccountGet(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & accountName)1945 handleAccountGet(App& app, const crow::Request& req,
1946 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1947 const std::string& accountName)
1948 {
1949 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1950 {
1951 return;
1952 }
1953 asyncResp->res.addHeader(
1954 boost::beast::http::field::link,
1955 "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby");
1956
1957 if constexpr (BMCWEB_INSECURE_DISABLE_AUTH)
1958 {
1959 // If authentication is disabled, there are no user accounts
1960 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1961 accountName);
1962 return;
1963 }
1964
1965 if (req.session == nullptr)
1966 {
1967 messages::internalError(asyncResp->res);
1968 return;
1969 }
1970 if (req.session->username != accountName)
1971 {
1972 // At this point we've determined that the user is trying to
1973 // modify a user that isn't them. We need to verify that they
1974 // have permissions to modify other users, so re-run the auth
1975 // check with the same permissions, minus ConfigureSelf.
1976 Privileges effectiveUserPrivileges =
1977 redfish::getUserPrivileges(*req.session);
1978 Privileges requiredPermissionsToChangeNonSelf = {"ConfigureUsers",
1979 "ConfigureManager"};
1980 if (!effectiveUserPrivileges.isSupersetOf(
1981 requiredPermissionsToChangeNonSelf))
1982 {
1983 BMCWEB_LOG_DEBUG("GET Account denied access");
1984 messages::insufficientPrivilege(asyncResp->res);
1985 return;
1986 }
1987 }
1988
1989 sdbusplus::message::object_path path("/xyz/openbmc_project/user");
1990 dbus::utility::getManagedObjects(
1991 "xyz.openbmc_project.User.Manager", path,
1992 [asyncResp,
1993 accountName](const boost::system::error_code& ec,
1994 const dbus::utility::ManagedObjectType& users) {
1995 if (ec)
1996 {
1997 messages::internalError(asyncResp->res);
1998 return;
1999 }
2000 const auto userIt = std::ranges::find_if(
2001 users,
2002 [accountName](
2003 const std::pair<sdbusplus::message::object_path,
2004 dbus::utility::DBusInterfacesMap>& user) {
2005 return accountName == user.first.filename();
2006 });
2007
2008 if (userIt == users.end())
2009 {
2010 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
2011 accountName);
2012 return;
2013 }
2014
2015 asyncResp->res.jsonValue["@odata.type"] =
2016 "#ManagerAccount.v1_7_0.ManagerAccount";
2017 asyncResp->res.jsonValue["Name"] = "User Account";
2018 asyncResp->res.jsonValue["Description"] = "User Account";
2019 asyncResp->res.jsonValue["Password"] = nullptr;
2020 asyncResp->res.jsonValue["StrictAccountTypes"] = true;
2021
2022 for (const auto& interface : userIt->second)
2023 {
2024 if (interface.first == "xyz.openbmc_project.User.Attributes")
2025 {
2026 for (const auto& property : interface.second)
2027 {
2028 if (property.first == "UserEnabled")
2029 {
2030 const bool* userEnabled =
2031 std::get_if<bool>(&property.second);
2032 if (userEnabled == nullptr)
2033 {
2034 BMCWEB_LOG_ERROR("UserEnabled wasn't a bool");
2035 messages::internalError(asyncResp->res);
2036 return;
2037 }
2038 asyncResp->res.jsonValue["Enabled"] = *userEnabled;
2039 }
2040 else if (property.first == "UserLockedForFailedAttempt")
2041 {
2042 const bool* userLocked =
2043 std::get_if<bool>(&property.second);
2044 if (userLocked == nullptr)
2045 {
2046 BMCWEB_LOG_ERROR("UserLockedForF"
2047 "ailedAttempt "
2048 "wasn't a bool");
2049 messages::internalError(asyncResp->res);
2050 return;
2051 }
2052 asyncResp->res.jsonValue["Locked"] = *userLocked;
2053 nlohmann::json::array_t allowed;
2054 // can only unlock accounts
2055 allowed.emplace_back("false");
2056 asyncResp->res
2057 .jsonValue["Locked@Redfish.AllowableValues"] =
2058 std::move(allowed);
2059 }
2060 else if (property.first == "UserPrivilege")
2061 {
2062 const std::string* userPrivPtr =
2063 std::get_if<std::string>(&property.second);
2064 if (userPrivPtr == nullptr)
2065 {
2066 BMCWEB_LOG_ERROR("UserPrivilege wasn't a "
2067 "string");
2068 messages::internalError(asyncResp->res);
2069 return;
2070 }
2071 std::string role =
2072 getRoleIdFromPrivilege(*userPrivPtr);
2073 if (role.empty())
2074 {
2075 BMCWEB_LOG_ERROR("Invalid user role");
2076 messages::internalError(asyncResp->res);
2077 return;
2078 }
2079 asyncResp->res.jsonValue["RoleId"] = role;
2080
2081 nlohmann::json& roleEntry =
2082 asyncResp->res.jsonValue["Links"]["Role"];
2083 roleEntry["@odata.id"] = boost::urls::format(
2084 "/redfish/v1/AccountService/Roles/{}", role);
2085 }
2086 else if (property.first == "UserPasswordExpired")
2087 {
2088 const bool* userPasswordExpired =
2089 std::get_if<bool>(&property.second);
2090 if (userPasswordExpired == nullptr)
2091 {
2092 BMCWEB_LOG_ERROR(
2093 "UserPasswordExpired wasn't a bool");
2094 messages::internalError(asyncResp->res);
2095 return;
2096 }
2097 asyncResp->res.jsonValue["PasswordChangeRequired"] =
2098 *userPasswordExpired;
2099 }
2100 else if (property.first == "UserGroups")
2101 {
2102 const std::vector<std::string>* userGroups =
2103 std::get_if<std::vector<std::string>>(
2104 &property.second);
2105 if (userGroups == nullptr)
2106 {
2107 BMCWEB_LOG_ERROR(
2108 "userGroups wasn't a string vector");
2109 messages::internalError(asyncResp->res);
2110 return;
2111 }
2112 if (!translateUserGroup(*userGroups,
2113 asyncResp->res))
2114 {
2115 BMCWEB_LOG_ERROR("userGroups mapping failed");
2116 messages::internalError(asyncResp->res);
2117 return;
2118 }
2119 }
2120 }
2121 }
2122 }
2123
2124 asyncResp->res.jsonValue["@odata.id"] = boost::urls::format(
2125 "/redfish/v1/AccountService/Accounts/{}", accountName);
2126 asyncResp->res.jsonValue["Id"] = accountName;
2127 asyncResp->res.jsonValue["UserName"] = accountName;
2128 });
2129 }
2130
2131 inline void
handleAccountDelete(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & username)2132 handleAccountDelete(App& app, const crow::Request& req,
2133 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
2134 const std::string& username)
2135 {
2136 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
2137 {
2138 return;
2139 }
2140
2141 if constexpr (BMCWEB_INSECURE_DISABLE_AUTH)
2142 {
2143 // If authentication is disabled, there are no user accounts
2144 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
2145 return;
2146 }
2147 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
2148 tempObjPath /= username;
2149 const std::string userPath(tempObjPath);
2150
2151 crow::connections::systemBus->async_method_call(
2152 [asyncResp, username](const boost::system::error_code& ec) {
2153 if (ec)
2154 {
2155 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
2156 username);
2157 return;
2158 }
2159
2160 messages::accountRemoved(asyncResp->res);
2161 },
2162 "xyz.openbmc_project.User.Manager", userPath,
2163 "xyz.openbmc_project.Object.Delete", "Delete");
2164 }
2165
2166 inline void
handleAccountPatch(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & username)2167 handleAccountPatch(App& app, const crow::Request& req,
2168 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
2169 const std::string& username)
2170 {
2171 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
2172 {
2173 return;
2174 }
2175 if constexpr (BMCWEB_INSECURE_DISABLE_AUTH)
2176 {
2177 // If authentication is disabled, there are no user accounts
2178 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
2179 return;
2180 }
2181 std::optional<std::string> newUserName;
2182 std::optional<std::string> password;
2183 std::optional<bool> enabled;
2184 std::optional<std::string> roleId;
2185 std::optional<bool> locked;
2186 std::optional<std::vector<std::string>> accountTypes;
2187
2188 if (req.session == nullptr)
2189 {
2190 messages::internalError(asyncResp->res);
2191 return;
2192 }
2193
2194 bool userSelf = (username == req.session->username);
2195
2196 Privileges effectiveUserPrivileges =
2197 redfish::getUserPrivileges(*req.session);
2198 Privileges configureUsers = {"ConfigureUsers"};
2199 bool userHasConfigureUsers =
2200 effectiveUserPrivileges.isSupersetOf(configureUsers);
2201 if (userHasConfigureUsers)
2202 {
2203 // Users with ConfigureUsers can modify for all users
2204 if (!json_util::readJsonPatch(
2205 req, asyncResp->res, "UserName", newUserName, "Password",
2206 password, "RoleId", roleId, "Enabled", enabled, "Locked",
2207 locked, "AccountTypes", accountTypes))
2208 {
2209 return;
2210 }
2211 }
2212 else
2213 {
2214 // ConfigureSelf accounts can only modify their own account
2215 if (!userSelf)
2216 {
2217 messages::insufficientPrivilege(asyncResp->res);
2218 return;
2219 }
2220
2221 // ConfigureSelf accounts can only modify their password
2222 if (!json_util::readJsonPatch(req, asyncResp->res, "Password",
2223 password))
2224 {
2225 return;
2226 }
2227 }
2228
2229 // if user name is not provided in the patch method or if it
2230 // matches the user name in the URI, then we are treating it as
2231 // updating user properties other then username. If username
2232 // provided doesn't match the URI, then we are treating this as
2233 // user rename request.
2234 if (!newUserName || (newUserName.value() == username))
2235 {
2236 updateUserProperties(asyncResp, username, password, enabled, roleId,
2237 locked, accountTypes, userSelf, req.session);
2238 return;
2239 }
2240 crow::connections::systemBus->async_method_call(
2241 [asyncResp, username, password(std::move(password)),
2242 roleId(std::move(roleId)), enabled, newUser{std::string(*newUserName)},
2243 locked, userSelf, req, accountTypes(std::move(accountTypes))](
2244 const boost::system::error_code& ec, sdbusplus::message_t& m) {
2245 if (ec)
2246 {
2247 userErrorMessageHandler(m.get_error(), asyncResp, newUser,
2248 username);
2249 return;
2250 }
2251
2252 updateUserProperties(asyncResp, newUser, password, enabled, roleId,
2253 locked, accountTypes, userSelf, req.session);
2254 },
2255 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
2256 "xyz.openbmc_project.User.Manager", "RenameUser", username,
2257 *newUserName);
2258 }
2259
requestAccountServiceRoutes(App & app)2260 inline void requestAccountServiceRoutes(App& app)
2261 {
2262 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
2263 .privileges(redfish::privileges::headAccountService)
2264 .methods(boost::beast::http::verb::head)(
2265 std::bind_front(handleAccountServiceHead, std::ref(app)));
2266
2267 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
2268 .privileges(redfish::privileges::getAccountService)
2269 .methods(boost::beast::http::verb::get)(
2270 std::bind_front(handleAccountServiceGet, std::ref(app)));
2271
2272 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
2273 .privileges(redfish::privileges::patchAccountService)
2274 .methods(boost::beast::http::verb::patch)(
2275 std::bind_front(handleAccountServicePatch, std::ref(app)));
2276
2277 BMCWEB_ROUTE(
2278 app,
2279 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates")
2280 .privileges(redfish::privileges::headCertificateCollection)
2281 .methods(boost::beast::http::verb::head)(std::bind_front(
2282 handleAccountServiceClientCertificatesHead, std::ref(app)));
2283
2284 BMCWEB_ROUTE(
2285 app,
2286 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates")
2287 .privileges(redfish::privileges::getCertificateCollection)
2288 .methods(boost::beast::http::verb::get)(std::bind_front(
2289 handleAccountServiceClientCertificatesGet, std::ref(app)));
2290
2291 BMCWEB_ROUTE(
2292 app,
2293 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/<str>")
2294 .privileges(redfish::privileges::headCertificate)
2295 .methods(boost::beast::http::verb::head)(std::bind_front(
2296 handleAccountServiceClientCertificatesInstanceHead, std::ref(app)));
2297
2298 BMCWEB_ROUTE(
2299 app,
2300 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/<str>/")
2301 .privileges(redfish::privileges::getCertificate)
2302 .methods(boost::beast::http::verb::get)(std::bind_front(
2303 handleAccountServiceClientCertificatesInstanceGet, std::ref(app)));
2304
2305 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
2306 .privileges(redfish::privileges::headManagerAccountCollection)
2307 .methods(boost::beast::http::verb::head)(
2308 std::bind_front(handleAccountCollectionHead, std::ref(app)));
2309
2310 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
2311 .privileges(redfish::privileges::getManagerAccountCollection)
2312 .methods(boost::beast::http::verb::get)(
2313 std::bind_front(handleAccountCollectionGet, std::ref(app)));
2314
2315 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
2316 .privileges(redfish::privileges::postManagerAccountCollection)
2317 .methods(boost::beast::http::verb::post)(
2318 std::bind_front(handleAccountCollectionPost, std::ref(app)));
2319
2320 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
2321 .privileges(redfish::privileges::headManagerAccount)
2322 .methods(boost::beast::http::verb::head)(
2323 std::bind_front(handleAccountHead, std::ref(app)));
2324
2325 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
2326 .privileges(redfish::privileges::getManagerAccount)
2327 .methods(boost::beast::http::verb::get)(
2328 std::bind_front(handleAccountGet, std::ref(app)));
2329
2330 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
2331 // TODO this privilege should be using the generated endpoints, but
2332 // because of the special handling of ConfigureSelf, it's not able to
2333 // yet
2334 .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}})
2335 .methods(boost::beast::http::verb::patch)(
2336 std::bind_front(handleAccountPatch, std::ref(app)));
2337
2338 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
2339 .privileges(redfish::privileges::deleteManagerAccount)
2340 .methods(boost::beast::http::verb::delete_)(
2341 std::bind_front(handleAccountDelete, std::ref(app)));
2342 }
2343
2344 } // namespace redfish
2345