1 /* 2 // Copyright (c) 2018 Intel Corporation 3 // 4 // Licensed under the Apache License, Version 2.0 (the "License"); 5 // you may not use this file except in compliance with the License. 6 // You may obtain a copy of the License at 7 // 8 // http://www.apache.org/licenses/LICENSE-2.0 9 // 10 // Unless required by applicable law or agreed to in writing, software 11 // distributed under the License is distributed on an "AS IS" BASIS, 12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 // See the License for the specific language governing permissions and 14 // limitations under the License. 15 */ 16 #pragma once 17 18 #include "app.hpp" 19 #include "certificate_service.hpp" 20 #include "dbus_utility.hpp" 21 #include "error_messages.hpp" 22 #include "generated/enums/account_service.hpp" 23 #include "persistent_data.hpp" 24 #include "query.hpp" 25 #include "registries/privilege_registry.hpp" 26 #include "utils/collection.hpp" 27 #include "utils/dbus_utils.hpp" 28 #include "utils/json_utils.hpp" 29 30 #include <boost/url/format.hpp> 31 #include <boost/url/url.hpp> 32 #include <sdbusplus/asio/property.hpp> 33 #include <sdbusplus/unpack_properties.hpp> 34 35 #include <array> 36 #include <memory> 37 #include <optional> 38 #include <ranges> 39 #include <string> 40 #include <string_view> 41 #include <utility> 42 #include <vector> 43 44 namespace redfish 45 { 46 47 constexpr const char* ldapConfigObjectName = 48 "/xyz/openbmc_project/user/ldap/openldap"; 49 constexpr const char* adConfigObject = 50 "/xyz/openbmc_project/user/ldap/active_directory"; 51 52 constexpr const char* rootUserDbusPath = "/xyz/openbmc_project/user/"; 53 constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap"; 54 constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config"; 55 constexpr const char* ldapConfigInterface = 56 "xyz.openbmc_project.User.Ldap.Config"; 57 constexpr const char* ldapCreateInterface = 58 "xyz.openbmc_project.User.Ldap.Create"; 59 constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable"; 60 constexpr const char* ldapPrivMapperInterface = 61 "xyz.openbmc_project.User.PrivilegeMapper"; 62 63 struct LDAPRoleMapData 64 { 65 std::string groupName; 66 std::string privilege; 67 }; 68 69 struct LDAPConfigData 70 { 71 std::string uri; 72 std::string bindDN; 73 std::string baseDN; 74 std::string searchScope; 75 std::string serverType; 76 bool serviceEnabled = false; 77 std::string userNameAttribute; 78 std::string groupAttribute; 79 std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList; 80 }; 81 82 inline std::string getRoleIdFromPrivilege(std::string_view role) 83 { 84 if (role == "priv-admin") 85 { 86 return "Administrator"; 87 } 88 if (role == "priv-user") 89 { 90 return "ReadOnly"; 91 } 92 if (role == "priv-operator") 93 { 94 return "Operator"; 95 } 96 return ""; 97 } 98 inline std::string getPrivilegeFromRoleId(std::string_view role) 99 { 100 if (role == "Administrator") 101 { 102 return "priv-admin"; 103 } 104 if (role == "ReadOnly") 105 { 106 return "priv-user"; 107 } 108 if (role == "Operator") 109 { 110 return "priv-operator"; 111 } 112 return ""; 113 } 114 115 /** 116 * @brief Maps user group names retrieved from D-Bus object to 117 * Account Types. 118 * 119 * @param[in] userGroups List of User groups 120 * @param[out] res AccountTypes populated 121 * 122 * @return true in case of success, false if UserGroups contains 123 * invalid group name(s). 124 */ 125 inline bool translateUserGroup(const std::vector<std::string>& userGroups, 126 crow::Response& res) 127 { 128 std::vector<std::string> accountTypes; 129 for (const auto& userGroup : userGroups) 130 { 131 if (userGroup == "redfish") 132 { 133 accountTypes.emplace_back("Redfish"); 134 accountTypes.emplace_back("WebUI"); 135 } 136 else if (userGroup == "ipmi") 137 { 138 accountTypes.emplace_back("IPMI"); 139 } 140 else if (userGroup == "ssh") 141 { 142 accountTypes.emplace_back("ManagerConsole"); 143 } 144 else if (userGroup == "hostconsole") 145 { 146 // The hostconsole group controls who can access the host console 147 // port via ssh and websocket. 148 accountTypes.emplace_back("HostConsole"); 149 } 150 else if (userGroup == "web") 151 { 152 // 'web' is one of the valid groups in the UserGroups property of 153 // the user account in the D-Bus object. This group is currently not 154 // doing anything, and is considered to be equivalent to 'redfish'. 155 // 'redfish' user group is mapped to 'Redfish'and 'WebUI' 156 // AccountTypes, so do nothing here... 157 } 158 else 159 { 160 // Invalid user group name. Caller throws an exception. 161 return false; 162 } 163 } 164 165 res.jsonValue["AccountTypes"] = std::move(accountTypes); 166 return true; 167 } 168 169 /** 170 * @brief Builds User Groups from the Account Types 171 * 172 * @param[in] asyncResp Async Response 173 * @param[in] accountTypes List of Account Types 174 * @param[out] userGroups List of User Groups mapped from Account Types 175 * 176 * @return true if Account Types mapped to User Groups, false otherwise. 177 */ 178 inline bool 179 getUserGroupFromAccountType(crow::Response& res, 180 const std::vector<std::string>& accountTypes, 181 std::vector<std::string>& userGroups) 182 { 183 // Need both Redfish and WebUI Account Types to map to 'redfish' User Group 184 bool redfishType = false; 185 bool webUIType = false; 186 187 for (const auto& accountType : accountTypes) 188 { 189 if (accountType == "Redfish") 190 { 191 redfishType = true; 192 } 193 else if (accountType == "WebUI") 194 { 195 webUIType = true; 196 } 197 else if (accountType == "IPMI") 198 { 199 userGroups.emplace_back("ipmi"); 200 } 201 else if (accountType == "HostConsole") 202 { 203 userGroups.emplace_back("hostconsole"); 204 } 205 else if (accountType == "ManagerConsole") 206 { 207 userGroups.emplace_back("ssh"); 208 } 209 else 210 { 211 // Invalid Account Type 212 messages::propertyValueNotInList(res, "AccountTypes", accountType); 213 return false; 214 } 215 } 216 217 // Both Redfish and WebUI Account Types are needed to PATCH 218 if (redfishType ^ webUIType) 219 { 220 BMCWEB_LOG_ERROR( 221 "Missing Redfish or WebUI Account Type to set redfish User Group"); 222 messages::strictAccountTypes(res, "AccountTypes"); 223 return false; 224 } 225 226 if (redfishType && webUIType) 227 { 228 userGroups.emplace_back("redfish"); 229 } 230 231 return true; 232 } 233 234 /** 235 * @brief Sets UserGroups property of the user based on the Account Types 236 * 237 * @param[in] accountTypes List of User Account Types 238 * @param[in] asyncResp Async Response 239 * @param[in] dbusObjectPath D-Bus Object Path 240 * @param[in] userSelf true if User is updating OWN Account Types 241 */ 242 inline void 243 patchAccountTypes(const std::vector<std::string>& accountTypes, 244 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 245 const std::string& dbusObjectPath, bool userSelf) 246 { 247 // Check if User is disabling own Redfish Account Type 248 if (userSelf && 249 (accountTypes.cend() == 250 std::find(accountTypes.cbegin(), accountTypes.cend(), "Redfish"))) 251 { 252 BMCWEB_LOG_ERROR( 253 "User disabling OWN Redfish Account Type is not allowed"); 254 messages::strictAccountTypes(asyncResp->res, "AccountTypes"); 255 return; 256 } 257 258 std::vector<std::string> updatedUserGroups; 259 if (!getUserGroupFromAccountType(asyncResp->res, accountTypes, 260 updatedUserGroups)) 261 { 262 // Problem in mapping Account Types to User Groups, Error already 263 // logged. 264 return; 265 } 266 setDbusProperty(asyncResp, "AccountTypes", 267 "xyz.openbmc_project.User.Manager", dbusObjectPath, 268 "xyz.openbmc_project.User.Attributes", "UserGroups", 269 updatedUserGroups); 270 } 271 272 inline void userErrorMessageHandler( 273 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 274 const std::string& newUser, const std::string& username) 275 { 276 if (e == nullptr) 277 { 278 messages::internalError(asyncResp->res); 279 return; 280 } 281 282 const char* errorMessage = e->name; 283 if (strcmp(errorMessage, 284 "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0) 285 { 286 messages::resourceAlreadyExists(asyncResp->res, "ManagerAccount", 287 "UserName", newUser); 288 } 289 else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error." 290 "UserNameDoesNotExist") == 0) 291 { 292 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username); 293 } 294 else if ((strcmp(errorMessage, 295 "xyz.openbmc_project.Common.Error.InvalidArgument") == 296 0) || 297 (strcmp( 298 errorMessage, 299 "xyz.openbmc_project.User.Common.Error.UserNameGroupFail") == 300 0)) 301 { 302 messages::propertyValueFormatError(asyncResp->res, newUser, "UserName"); 303 } 304 else if (strcmp(errorMessage, 305 "xyz.openbmc_project.User.Common.Error.NoResource") == 0) 306 { 307 messages::createLimitReachedForResource(asyncResp->res); 308 } 309 else 310 { 311 BMCWEB_LOG_ERROR("DBUS response error {}", errorMessage); 312 messages::internalError(asyncResp->res); 313 } 314 } 315 316 inline void parseLDAPConfigData(nlohmann::json& jsonResponse, 317 const LDAPConfigData& confData, 318 const std::string& ldapType) 319 { 320 nlohmann::json::object_t ldap; 321 ldap["ServiceEnabled"] = confData.serviceEnabled; 322 nlohmann::json::array_t serviceAddresses; 323 serviceAddresses.emplace_back(confData.uri); 324 ldap["ServiceAddresses"] = std::move(serviceAddresses); 325 326 nlohmann::json::object_t authentication; 327 authentication["AuthenticationType"] = 328 account_service::AuthenticationTypes::UsernameAndPassword; 329 authentication["Username"] = confData.bindDN; 330 authentication["Password"] = nullptr; 331 ldap["Authentication"] = std::move(authentication); 332 333 nlohmann::json::object_t ldapService; 334 nlohmann::json::object_t searchSettings; 335 nlohmann::json::array_t baseDistinguishedNames; 336 baseDistinguishedNames.emplace_back(confData.baseDN); 337 338 searchSettings["BaseDistinguishedNames"] = 339 std::move(baseDistinguishedNames); 340 searchSettings["UsernameAttribute"] = confData.userNameAttribute; 341 searchSettings["GroupsAttribute"] = confData.groupAttribute; 342 ldapService["SearchSettings"] = std::move(searchSettings); 343 ldap["LDAPService"] = std::move(ldapService); 344 345 nlohmann::json::array_t roleMapArray; 346 for (const auto& obj : confData.groupRoleList) 347 { 348 BMCWEB_LOG_DEBUG("Pushing the data groupName={}", obj.second.groupName); 349 350 nlohmann::json::object_t remoteGroup; 351 remoteGroup["RemoteGroup"] = obj.second.groupName; 352 remoteGroup["LocalRole"] = getRoleIdFromPrivilege(obj.second.privilege); 353 roleMapArray.emplace_back(std::move(remoteGroup)); 354 } 355 356 ldap["RemoteRoleMapping"] = std::move(roleMapArray); 357 358 jsonResponse[ldapType].update(ldap); 359 } 360 361 /** 362 * @brief validates given JSON input and then calls appropriate method to 363 * create, to delete or to set Rolemapping object based on the given input. 364 * 365 */ 366 inline void handleRoleMapPatch( 367 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 368 const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData, 369 const std::string& serverType, 370 std::vector<std::variant<nlohmann::json::object_t, std::nullptr_t>>& input) 371 { 372 for (size_t index = 0; index < input.size(); index++) 373 { 374 std::variant<nlohmann::json::object_t, std::nullptr_t>& thisJson = 375 input[index]; 376 nlohmann::json::object_t* obj = 377 std::get_if<nlohmann::json::object_t>(&thisJson); 378 if (obj == nullptr) 379 { 380 // delete the existing object 381 if (index < roleMapObjData.size()) 382 { 383 crow::connections::systemBus->async_method_call( 384 [asyncResp, roleMapObjData, serverType, 385 index](const boost::system::error_code& ec) { 386 if (ec) 387 { 388 BMCWEB_LOG_ERROR("DBUS response error: {}", ec); 389 messages::internalError(asyncResp->res); 390 return; 391 } 392 asyncResp->res.jsonValue[serverType]["RemoteRoleMapping"] 393 [index] = nullptr; 394 }, 395 ldapDbusService, roleMapObjData[index].first, 396 "xyz.openbmc_project.Object.Delete", "Delete"); 397 } 398 else 399 { 400 BMCWEB_LOG_ERROR("Can't delete the object"); 401 messages::propertyValueTypeError(asyncResp->res, "null", 402 "RemoteRoleMapping/" + 403 std::to_string(index)); 404 return; 405 } 406 } 407 else if (obj->empty()) 408 { 409 // Don't do anything for the empty objects,parse next json 410 // eg {"RemoteRoleMapping",[{}]} 411 } 412 else 413 { 414 // update/create the object 415 std::optional<std::string> remoteGroup; 416 std::optional<std::string> localRole; 417 418 if (!json_util::readJsonObject(*obj, asyncResp->res, "RemoteGroup", 419 remoteGroup, "LocalRole", localRole)) 420 { 421 continue; 422 } 423 424 // Update existing RoleMapping Object 425 if (index < roleMapObjData.size()) 426 { 427 BMCWEB_LOG_DEBUG("Update Role Map Object"); 428 // If "RemoteGroup" info is provided 429 if (remoteGroup) 430 { 431 setDbusProperty( 432 asyncResp, 433 std::format("RemoteRoleMapping/{}/RemoteGroup", index), 434 ldapDbusService, roleMapObjData[index].first, 435 "xyz.openbmc_project.User.PrivilegeMapperEntry", 436 "GroupName", *remoteGroup); 437 } 438 439 // If "LocalRole" info is provided 440 if (localRole) 441 { 442 setDbusProperty( 443 asyncResp, 444 std::format("RemoteRoleMapping/{}/LocalRole", index), 445 ldapDbusService, roleMapObjData[index].first, 446 "xyz.openbmc_project.User.PrivilegeMapperEntry", 447 "Privilege", *localRole); 448 } 449 } 450 // Create a new RoleMapping Object. 451 else 452 { 453 BMCWEB_LOG_DEBUG( 454 "setRoleMappingProperties: Creating new Object"); 455 std::string pathString = "RemoteRoleMapping/" + 456 std::to_string(index); 457 458 if (!localRole) 459 { 460 messages::propertyMissing(asyncResp->res, 461 pathString + "/LocalRole"); 462 continue; 463 } 464 if (!remoteGroup) 465 { 466 messages::propertyMissing(asyncResp->res, 467 pathString + "/RemoteGroup"); 468 continue; 469 } 470 471 std::string dbusObjectPath; 472 if (serverType == "ActiveDirectory") 473 { 474 dbusObjectPath = adConfigObject; 475 } 476 else if (serverType == "LDAP") 477 { 478 dbusObjectPath = ldapConfigObjectName; 479 } 480 481 BMCWEB_LOG_DEBUG("Remote Group={},LocalRole={}", *remoteGroup, 482 *localRole); 483 484 crow::connections::systemBus->async_method_call( 485 [asyncResp, serverType, localRole, 486 remoteGroup](const boost::system::error_code& ec) { 487 if (ec) 488 { 489 BMCWEB_LOG_ERROR("DBUS response error: {}", ec); 490 messages::internalError(asyncResp->res); 491 return; 492 } 493 nlohmann::json& remoteRoleJson = 494 asyncResp->res 495 .jsonValue[serverType]["RemoteRoleMapping"]; 496 nlohmann::json::object_t roleMapEntry; 497 roleMapEntry["LocalRole"] = *localRole; 498 roleMapEntry["RemoteGroup"] = *remoteGroup; 499 remoteRoleJson.emplace_back(std::move(roleMapEntry)); 500 }, 501 ldapDbusService, dbusObjectPath, ldapPrivMapperInterface, 502 "Create", *remoteGroup, 503 getPrivilegeFromRoleId(std::move(*localRole))); 504 } 505 } 506 } 507 } 508 509 /** 510 * Function that retrieves all properties for LDAP config object 511 * into JSON 512 */ 513 template <typename CallbackFunc> 514 inline void getLDAPConfigData(const std::string& ldapType, 515 CallbackFunc&& callback) 516 { 517 constexpr std::array<std::string_view, 2> interfaces = { 518 ldapEnableInterface, ldapConfigInterface}; 519 520 dbus::utility::getDbusObject( 521 ldapConfigObjectName, interfaces, 522 [callback = std::forward<CallbackFunc>(callback), 523 ldapType](const boost::system::error_code& ec, 524 const dbus::utility::MapperGetObject& resp) mutable { 525 if (ec || resp.empty()) 526 { 527 BMCWEB_LOG_WARNING( 528 "DBUS response error during getting of service name: {}", ec); 529 LDAPConfigData empty{}; 530 callback(false, empty, ldapType); 531 return; 532 } 533 std::string service = resp.begin()->first; 534 sdbusplus::message::object_path path(ldapRootObject); 535 dbus::utility::getManagedObjects( 536 service, path, 537 [callback, ldapType]( 538 const boost::system::error_code& ec2, 539 const dbus::utility::ManagedObjectType& ldapObjects) mutable { 540 LDAPConfigData confData{}; 541 if (ec2) 542 { 543 callback(false, confData, ldapType); 544 BMCWEB_LOG_WARNING("D-Bus responses error: {}", ec2); 545 return; 546 } 547 548 std::string ldapDbusType; 549 std::string searchString; 550 551 if (ldapType == "LDAP") 552 { 553 ldapDbusType = 554 "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap"; 555 searchString = "openldap"; 556 } 557 else if (ldapType == "ActiveDirectory") 558 { 559 ldapDbusType = 560 "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory"; 561 searchString = "active_directory"; 562 } 563 else 564 { 565 BMCWEB_LOG_ERROR("Can't get the DbusType for the given type={}", 566 ldapType); 567 callback(false, confData, ldapType); 568 return; 569 } 570 571 std::string ldapEnableInterfaceStr = ldapEnableInterface; 572 std::string ldapConfigInterfaceStr = ldapConfigInterface; 573 574 for (const auto& object : ldapObjects) 575 { 576 // let's find the object whose ldap type is equal to the 577 // given type 578 if (object.first.str.find(searchString) == std::string::npos) 579 { 580 continue; 581 } 582 583 for (const auto& interface : object.second) 584 { 585 if (interface.first == ldapEnableInterfaceStr) 586 { 587 // rest of the properties are string. 588 for (const auto& property : interface.second) 589 { 590 if (property.first == "Enabled") 591 { 592 const bool* value = 593 std::get_if<bool>(&property.second); 594 if (value == nullptr) 595 { 596 continue; 597 } 598 confData.serviceEnabled = *value; 599 break; 600 } 601 } 602 } 603 else if (interface.first == ldapConfigInterfaceStr) 604 { 605 for (const auto& property : interface.second) 606 { 607 const std::string* strValue = 608 std::get_if<std::string>(&property.second); 609 if (strValue == nullptr) 610 { 611 continue; 612 } 613 if (property.first == "LDAPServerURI") 614 { 615 confData.uri = *strValue; 616 } 617 else if (property.first == "LDAPBindDN") 618 { 619 confData.bindDN = *strValue; 620 } 621 else if (property.first == "LDAPBaseDN") 622 { 623 confData.baseDN = *strValue; 624 } 625 else if (property.first == "LDAPSearchScope") 626 { 627 confData.searchScope = *strValue; 628 } 629 else if (property.first == "GroupNameAttribute") 630 { 631 confData.groupAttribute = *strValue; 632 } 633 else if (property.first == "UserNameAttribute") 634 { 635 confData.userNameAttribute = *strValue; 636 } 637 else if (property.first == "LDAPType") 638 { 639 confData.serverType = *strValue; 640 } 641 } 642 } 643 else if (interface.first == 644 "xyz.openbmc_project.User.PrivilegeMapperEntry") 645 { 646 LDAPRoleMapData roleMapData{}; 647 for (const auto& property : interface.second) 648 { 649 const std::string* strValue = 650 std::get_if<std::string>(&property.second); 651 652 if (strValue == nullptr) 653 { 654 continue; 655 } 656 657 if (property.first == "GroupName") 658 { 659 roleMapData.groupName = *strValue; 660 } 661 else if (property.first == "Privilege") 662 { 663 roleMapData.privilege = *strValue; 664 } 665 } 666 667 confData.groupRoleList.emplace_back(object.first.str, 668 roleMapData); 669 } 670 } 671 } 672 callback(true, confData, ldapType); 673 }); 674 }); 675 } 676 677 /** 678 * @brief updates the LDAP server address and updates the 679 json response with the new value. 680 * @param serviceAddressList address to be updated. 681 * @param asyncResp pointer to the JSON response 682 * @param ldapServerElementName Type of LDAP 683 server(openLDAP/ActiveDirectory) 684 */ 685 686 inline void handleServiceAddressPatch( 687 const std::vector<std::string>& serviceAddressList, 688 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 689 const std::string& ldapServerElementName, 690 const std::string& ldapConfigObject) 691 { 692 setDbusProperty(asyncResp, ldapServerElementName + "/ServiceAddress", 693 ldapDbusService, ldapConfigObject, ldapConfigInterface, 694 "LDAPServerURI", serviceAddressList.front()); 695 } 696 /** 697 * @brief updates the LDAP Bind DN and updates the 698 json response with the new value. 699 * @param username name of the user which needs to be updated. 700 * @param asyncResp pointer to the JSON response 701 * @param ldapServerElementName Type of LDAP 702 server(openLDAP/ActiveDirectory) 703 */ 704 705 inline void 706 handleUserNamePatch(const std::string& username, 707 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 708 const std::string& ldapServerElementName, 709 const std::string& ldapConfigObject) 710 { 711 setDbusProperty(asyncResp, 712 ldapServerElementName + "/Authentication/Username", 713 ldapDbusService, ldapConfigObject, ldapConfigInterface, 714 "LDAPBindDN", username); 715 } 716 717 /** 718 * @brief updates the LDAP password 719 * @param password : ldap password which needs to be updated. 720 * @param asyncResp pointer to the JSON response 721 * @param ldapServerElementName Type of LDAP 722 * server(openLDAP/ActiveDirectory) 723 */ 724 725 inline void 726 handlePasswordPatch(const std::string& password, 727 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 728 const std::string& ldapServerElementName, 729 const std::string& ldapConfigObject) 730 { 731 setDbusProperty(asyncResp, 732 ldapServerElementName + "/Authentication/Password", 733 ldapDbusService, ldapConfigObject, ldapConfigInterface, 734 "LDAPBindDNPassword", password); 735 } 736 737 /** 738 * @brief updates the LDAP BaseDN and updates the 739 json response with the new value. 740 * @param baseDNList baseDN list which needs to be updated. 741 * @param asyncResp pointer to the JSON response 742 * @param ldapServerElementName Type of LDAP 743 server(openLDAP/ActiveDirectory) 744 */ 745 746 inline void 747 handleBaseDNPatch(const std::vector<std::string>& baseDNList, 748 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 749 const std::string& ldapServerElementName, 750 const std::string& ldapConfigObject) 751 { 752 setDbusProperty(asyncResp, 753 ldapServerElementName + 754 "/LDAPService/SearchSettings/BaseDistinguishedNames", 755 ldapDbusService, ldapConfigObject, ldapConfigInterface, 756 "LDAPBaseDN", baseDNList.front()); 757 } 758 /** 759 * @brief updates the LDAP user name attribute and updates the 760 json response with the new value. 761 * @param userNameAttribute attribute to be updated. 762 * @param asyncResp pointer to the JSON response 763 * @param ldapServerElementName Type of LDAP 764 server(openLDAP/ActiveDirectory) 765 */ 766 767 inline void 768 handleUserNameAttrPatch(const std::string& userNameAttribute, 769 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 770 const std::string& ldapServerElementName, 771 const std::string& ldapConfigObject) 772 { 773 setDbusProperty(asyncResp, 774 ldapServerElementName + 775 "LDAPService/SearchSettings/UsernameAttribute", 776 ldapDbusService, ldapConfigObject, ldapConfigInterface, 777 "UserNameAttribute", userNameAttribute); 778 } 779 /** 780 * @brief updates the LDAP group attribute and updates the 781 json response with the new value. 782 * @param groupsAttribute attribute to be updated. 783 * @param asyncResp pointer to the JSON response 784 * @param ldapServerElementName Type of LDAP 785 server(openLDAP/ActiveDirectory) 786 */ 787 788 inline void handleGroupNameAttrPatch( 789 const std::string& groupsAttribute, 790 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 791 const std::string& ldapServerElementName, 792 const std::string& ldapConfigObject) 793 { 794 setDbusProperty(asyncResp, 795 ldapServerElementName + 796 "/LDAPService/SearchSettings/GroupsAttribute", 797 ldapDbusService, ldapConfigObject, ldapConfigInterface, 798 "GroupNameAttribute", groupsAttribute); 799 } 800 /** 801 * @brief updates the LDAP service enable and updates the 802 json response with the new value. 803 * @param input JSON data. 804 * @param asyncResp pointer to the JSON response 805 * @param ldapServerElementName Type of LDAP 806 server(openLDAP/ActiveDirectory) 807 */ 808 809 inline void handleServiceEnablePatch( 810 bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 811 const std::string& ldapServerElementName, 812 const std::string& ldapConfigObject) 813 { 814 setDbusProperty(asyncResp, ldapServerElementName + "/ServiceEnabled", 815 ldapDbusService, ldapConfigObject, ldapEnableInterface, 816 "Enabled", serviceEnabled); 817 } 818 819 struct AuthMethods 820 { 821 std::optional<bool> basicAuth; 822 std::optional<bool> cookie; 823 std::optional<bool> sessionToken; 824 std::optional<bool> xToken; 825 std::optional<bool> tls; 826 }; 827 828 inline void 829 handleAuthMethodsPatch(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 830 const AuthMethods& auth) 831 { 832 persistent_data::AuthConfigMethods& authMethodsConfig = 833 persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 834 835 if (auth.basicAuth) 836 { 837 if constexpr (!BMCWEB_BASIC_AUTH) 838 { 839 messages::actionNotSupported( 840 asyncResp->res, 841 "Setting BasicAuth when basic-auth feature is disabled"); 842 return; 843 } 844 845 authMethodsConfig.basic = *auth.basicAuth; 846 } 847 848 if (auth.cookie) 849 { 850 if constexpr (!BMCWEB_COOKIE_AUTH) 851 { 852 messages::actionNotSupported( 853 asyncResp->res, 854 "Setting Cookie when cookie-auth feature is disabled"); 855 return; 856 } 857 authMethodsConfig.cookie = *auth.cookie; 858 } 859 860 if (auth.sessionToken) 861 { 862 if constexpr (!BMCWEB_SESSION_AUTH) 863 { 864 messages::actionNotSupported( 865 asyncResp->res, 866 "Setting SessionToken when session-auth feature is disabled"); 867 return; 868 } 869 authMethodsConfig.sessionToken = *auth.sessionToken; 870 } 871 872 if (auth.xToken) 873 { 874 if constexpr (!BMCWEB_XTOKEN_AUTH) 875 { 876 messages::actionNotSupported( 877 asyncResp->res, 878 "Setting XToken when xtoken-auth feature is disabled"); 879 return; 880 } 881 authMethodsConfig.xtoken = *auth.xToken; 882 } 883 884 if (auth.tls) 885 { 886 if constexpr (!BMCWEB_MUTUAL_TLS_AUTH) 887 { 888 messages::actionNotSupported( 889 asyncResp->res, 890 "Setting TLS when mutual-tls-auth feature is disabled"); 891 return; 892 } 893 authMethodsConfig.tls = *auth.tls; 894 } 895 896 if (!authMethodsConfig.basic && !authMethodsConfig.cookie && 897 !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken && 898 !authMethodsConfig.tls) 899 { 900 // Do not allow user to disable everything 901 messages::actionNotSupported(asyncResp->res, 902 "of disabling all available methods"); 903 return; 904 } 905 906 persistent_data::SessionStore::getInstance().updateAuthMethodsConfig( 907 authMethodsConfig); 908 // Save configuration immediately 909 persistent_data::getConfig().writeData(); 910 911 messages::success(asyncResp->res); 912 } 913 914 /** 915 * @brief Get the required values from the given JSON, validates the 916 * value and create the LDAP config object. 917 * @param input JSON data 918 * @param asyncResp pointer to the JSON response 919 * @param serverType Type of LDAP server(openLDAP/ActiveDirectory) 920 */ 921 922 struct LdapPatchParams 923 { 924 std::optional<std::string> authType; 925 std::optional<std::vector<std::string>> serviceAddressList; 926 std::optional<bool> serviceEnabled; 927 std::optional<std::vector<std::string>> baseDNList; 928 std::optional<std::string> userNameAttribute; 929 std::optional<std::string> groupsAttribute; 930 std::optional<std::string> userName; 931 std::optional<std::string> password; 932 std::optional< 933 std::vector<std::variant<nlohmann::json::object_t, std::nullptr_t>>> 934 remoteRoleMapData; 935 }; 936 937 inline void handleLDAPPatch(LdapPatchParams&& input, 938 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 939 const std::string& serverType) 940 { 941 std::string dbusObjectPath; 942 if (serverType == "ActiveDirectory") 943 { 944 dbusObjectPath = adConfigObject; 945 } 946 else if (serverType == "LDAP") 947 { 948 dbusObjectPath = ldapConfigObjectName; 949 } 950 else 951 { 952 BMCWEB_LOG_ERROR("serverType wasn't AD or LDAP but was {}????", 953 serverType); 954 return; 955 } 956 957 if (input.authType && *input.authType != "UsernameAndPassword") 958 { 959 messages::propertyValueNotInList(asyncResp->res, *input.authType, 960 "AuthenticationType"); 961 return; 962 } 963 964 if (input.serviceAddressList) 965 { 966 if (input.serviceAddressList->empty()) 967 { 968 messages::propertyValueNotInList( 969 asyncResp->res, *input.serviceAddressList, "ServiceAddress"); 970 return; 971 } 972 } 973 if (input.baseDNList) 974 { 975 if (input.baseDNList->empty()) 976 { 977 messages::propertyValueNotInList(asyncResp->res, *input.baseDNList, 978 "BaseDistinguishedNames"); 979 return; 980 } 981 } 982 983 // nothing to update, then return 984 if (!input.userName && !input.password && !input.serviceAddressList && 985 !input.baseDNList && !input.userNameAttribute && 986 !input.groupsAttribute && !input.serviceEnabled && 987 !input.remoteRoleMapData) 988 { 989 return; 990 } 991 992 // Get the existing resource first then keep modifying 993 // whenever any property gets updated. 994 getLDAPConfigData(serverType, 995 [asyncResp, input = std::move(input), 996 dbusObjectPath = std::move(dbusObjectPath)]( 997 bool success, const LDAPConfigData& confData, 998 const std::string& serverT) mutable { 999 if (!success) 1000 { 1001 messages::internalError(asyncResp->res); 1002 return; 1003 } 1004 parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT); 1005 if (confData.serviceEnabled) 1006 { 1007 // Disable the service first and update the rest of 1008 // the properties. 1009 handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath); 1010 } 1011 1012 if (input.serviceAddressList) 1013 { 1014 handleServiceAddressPatch(*input.serviceAddressList, asyncResp, 1015 serverT, dbusObjectPath); 1016 } 1017 if (input.userName) 1018 { 1019 handleUserNamePatch(*input.userName, asyncResp, serverT, 1020 dbusObjectPath); 1021 } 1022 if (input.password) 1023 { 1024 handlePasswordPatch(*input.password, asyncResp, serverT, 1025 dbusObjectPath); 1026 } 1027 1028 if (input.baseDNList) 1029 { 1030 handleBaseDNPatch(*input.baseDNList, asyncResp, serverT, 1031 dbusObjectPath); 1032 } 1033 if (input.userNameAttribute) 1034 { 1035 handleUserNameAttrPatch(*input.userNameAttribute, asyncResp, 1036 serverT, dbusObjectPath); 1037 } 1038 if (input.groupsAttribute) 1039 { 1040 handleGroupNameAttrPatch(*input.groupsAttribute, asyncResp, serverT, 1041 dbusObjectPath); 1042 } 1043 if (input.serviceEnabled) 1044 { 1045 // if user has given the value as true then enable 1046 // the service. if user has given false then no-op 1047 // as service is already stopped. 1048 if (*input.serviceEnabled) 1049 { 1050 handleServiceEnablePatch(*input.serviceEnabled, asyncResp, 1051 serverT, dbusObjectPath); 1052 } 1053 } 1054 else 1055 { 1056 // if user has not given the service enabled value 1057 // then revert it to the same state as it was 1058 // before. 1059 handleServiceEnablePatch(confData.serviceEnabled, asyncResp, 1060 serverT, dbusObjectPath); 1061 } 1062 1063 if (input.remoteRoleMapData) 1064 { 1065 handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT, 1066 *input.remoteRoleMapData); 1067 } 1068 }); 1069 } 1070 1071 inline void updateUserProperties( 1072 std::shared_ptr<bmcweb::AsyncResp> asyncResp, const std::string& username, 1073 const std::optional<std::string>& password, 1074 const std::optional<bool>& enabled, 1075 const std::optional<std::string>& roleId, const std::optional<bool>& locked, 1076 std::optional<std::vector<std::string>> accountTypes, bool userSelf, 1077 const std::shared_ptr<persistent_data::UserSession>& session) 1078 { 1079 sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 1080 tempObjPath /= username; 1081 std::string dbusObjectPath(tempObjPath); 1082 1083 dbus::utility::checkDbusPathExists( 1084 dbusObjectPath, 1085 [dbusObjectPath, username, password, roleId, enabled, locked, 1086 accountTypes(std::move(accountTypes)), userSelf, session, 1087 asyncResp{std::move(asyncResp)}](int rc) { 1088 if (rc <= 0) 1089 { 1090 messages::resourceNotFound(asyncResp->res, "ManagerAccount", 1091 username); 1092 return; 1093 } 1094 1095 if (password) 1096 { 1097 int retval = pamUpdatePassword(username, *password); 1098 1099 if (retval == PAM_USER_UNKNOWN) 1100 { 1101 messages::resourceNotFound(asyncResp->res, "ManagerAccount", 1102 username); 1103 } 1104 else if (retval == PAM_AUTHTOK_ERR) 1105 { 1106 // If password is invalid 1107 messages::propertyValueFormatError(asyncResp->res, nullptr, 1108 "Password"); 1109 BMCWEB_LOG_ERROR("pamUpdatePassword Failed"); 1110 } 1111 else if (retval != PAM_SUCCESS) 1112 { 1113 messages::internalError(asyncResp->res); 1114 return; 1115 } 1116 else 1117 { 1118 // Remove existing sessions of the user when password changed 1119 persistent_data::SessionStore::getInstance() 1120 .removeSessionsByUsernameExceptSession(username, session); 1121 messages::success(asyncResp->res); 1122 } 1123 } 1124 1125 if (enabled) 1126 { 1127 setDbusProperty(asyncResp, "Enabled", 1128 "xyz.openbmc_project.User.Manager", dbusObjectPath, 1129 "xyz.openbmc_project.User.Attributes", 1130 "UserEnabled", *enabled); 1131 } 1132 1133 if (roleId) 1134 { 1135 std::string priv = getPrivilegeFromRoleId(*roleId); 1136 if (priv.empty()) 1137 { 1138 messages::propertyValueNotInList(asyncResp->res, true, 1139 "Locked"); 1140 return; 1141 } 1142 setDbusProperty(asyncResp, "RoleId", 1143 "xyz.openbmc_project.User.Manager", dbusObjectPath, 1144 "xyz.openbmc_project.User.Attributes", 1145 "UserPrivilege", priv); 1146 } 1147 1148 if (locked) 1149 { 1150 // admin can unlock the account which is locked by 1151 // successive authentication failures but admin should 1152 // not be allowed to lock an account. 1153 if (*locked) 1154 { 1155 messages::propertyValueNotInList(asyncResp->res, "true", 1156 "Locked"); 1157 return; 1158 } 1159 setDbusProperty(asyncResp, "Locked", 1160 "xyz.openbmc_project.User.Manager", dbusObjectPath, 1161 "xyz.openbmc_project.User.Attributes", 1162 "UserLockedForFailedAttempt", *locked); 1163 } 1164 1165 if (accountTypes) 1166 { 1167 patchAccountTypes(*accountTypes, asyncResp, dbusObjectPath, 1168 userSelf); 1169 } 1170 }); 1171 } 1172 1173 inline void handleAccountServiceHead( 1174 App& app, const crow::Request& req, 1175 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 1176 { 1177 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1178 { 1179 return; 1180 } 1181 asyncResp->res.addHeader( 1182 boost::beast::http::field::link, 1183 "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby"); 1184 } 1185 1186 inline void 1187 getClientCertificates(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 1188 const nlohmann::json::json_pointer& keyLocation) 1189 { 1190 boost::urls::url url( 1191 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates"); 1192 std::array<std::string_view, 1> interfaces = { 1193 "xyz.openbmc_project.Certs.Certificate"}; 1194 std::string path = "/xyz/openbmc_project/certs/authority/truststore"; 1195 1196 collection_util::getCollectionToKey(asyncResp, url, interfaces, path, 1197 keyLocation); 1198 } 1199 1200 inline void handleAccountServiceClientCertificatesInstanceHead( 1201 App& app, const crow::Request& req, 1202 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 1203 const std::string& /*id*/) 1204 { 1205 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1206 { 1207 return; 1208 } 1209 1210 asyncResp->res.addHeader( 1211 boost::beast::http::field::link, 1212 "</redfish/v1/JsonSchemas/Certificate/Certificate.json>; rel=describedby"); 1213 } 1214 1215 inline void handleAccountServiceClientCertificatesInstanceGet( 1216 App& app, const crow::Request& req, 1217 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, const std::string& id) 1218 { 1219 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1220 { 1221 return; 1222 } 1223 BMCWEB_LOG_DEBUG("ClientCertificate Certificate ID={}", id); 1224 const boost::urls::url certURL = boost::urls::format( 1225 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/{}", 1226 id); 1227 std::string objPath = 1228 sdbusplus::message::object_path(certs::authorityObjectPath) / id; 1229 getCertificateProperties( 1230 asyncResp, objPath, 1231 "xyz.openbmc_project.Certs.Manager.Authority.Truststore", id, certURL, 1232 "Client Certificate"); 1233 } 1234 1235 inline void handleAccountServiceClientCertificatesHead( 1236 App& app, const crow::Request& req, 1237 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 1238 { 1239 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1240 { 1241 return; 1242 } 1243 1244 asyncResp->res.addHeader( 1245 boost::beast::http::field::link, 1246 "</redfish/v1/JsonSchemas/CertificateCollection/CertificateCollection.json>; rel=describedby"); 1247 } 1248 1249 inline void handleAccountServiceClientCertificatesGet( 1250 App& app, const crow::Request& req, 1251 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 1252 { 1253 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1254 { 1255 return; 1256 } 1257 getClientCertificates(asyncResp, "/Members"_json_pointer); 1258 } 1259 1260 using account_service::CertificateMappingAttribute; 1261 using persistent_data::MTLSCommonNameParseMode; 1262 inline CertificateMappingAttribute 1263 getCertificateMapping(MTLSCommonNameParseMode parse) 1264 { 1265 switch (parse) 1266 { 1267 case MTLSCommonNameParseMode::CommonName: 1268 { 1269 return CertificateMappingAttribute::CommonName; 1270 } 1271 break; 1272 case MTLSCommonNameParseMode::Whole: 1273 { 1274 return CertificateMappingAttribute::Whole; 1275 } 1276 break; 1277 case MTLSCommonNameParseMode::UserPrincipalName: 1278 { 1279 return CertificateMappingAttribute::UserPrincipalName; 1280 } 1281 break; 1282 1283 case MTLSCommonNameParseMode::Meta: 1284 { 1285 if constexpr (BMCWEB_META_TLS_COMMON_NAME_PARSING) 1286 { 1287 return CertificateMappingAttribute::CommonName; 1288 } 1289 } 1290 break; 1291 default: 1292 { 1293 return CertificateMappingAttribute::Invalid; 1294 } 1295 break; 1296 } 1297 } 1298 1299 inline void 1300 handleAccountServiceGet(App& app, const crow::Request& req, 1301 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 1302 { 1303 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1304 { 1305 return; 1306 } 1307 1308 if (req.session == nullptr) 1309 { 1310 messages::internalError(asyncResp->res); 1311 return; 1312 } 1313 1314 const persistent_data::AuthConfigMethods& authMethodsConfig = 1315 persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 1316 1317 asyncResp->res.addHeader( 1318 boost::beast::http::field::link, 1319 "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby"); 1320 1321 nlohmann::json& json = asyncResp->res.jsonValue; 1322 json["@odata.id"] = "/redfish/v1/AccountService"; 1323 json["@odata.type"] = "#AccountService.v1_15_0.AccountService"; 1324 json["Id"] = "AccountService"; 1325 json["Name"] = "Account Service"; 1326 json["Description"] = "Account Service"; 1327 json["ServiceEnabled"] = true; 1328 json["MaxPasswordLength"] = 20; 1329 json["Accounts"]["@odata.id"] = "/redfish/v1/AccountService/Accounts"; 1330 json["Roles"]["@odata.id"] = "/redfish/v1/AccountService/Roles"; 1331 json["HTTPBasicAuth"] = authMethodsConfig.basic 1332 ? account_service::BasicAuthState::Enabled 1333 : account_service::BasicAuthState::Disabled; 1334 1335 nlohmann::json::array_t allowed; 1336 allowed.emplace_back(account_service::BasicAuthState::Enabled); 1337 allowed.emplace_back(account_service::BasicAuthState::Disabled); 1338 json["HTTPBasicAuth@AllowableValues"] = std::move(allowed); 1339 1340 nlohmann::json::object_t clientCertificate; 1341 clientCertificate["Enabled"] = authMethodsConfig.tls; 1342 clientCertificate["RespondToUnauthenticatedClients"] = true; 1343 1344 using account_service::CertificateMappingAttribute; 1345 1346 CertificateMappingAttribute mapping = 1347 getCertificateMapping(authMethodsConfig.mTLSCommonNameParsingMode); 1348 if (mapping == CertificateMappingAttribute::Invalid) 1349 { 1350 messages::internalError(asyncResp->res); 1351 } 1352 else 1353 { 1354 clientCertificate["CertificateMappingAttribute"] = mapping; 1355 } 1356 nlohmann::json::object_t certificates; 1357 certificates["@odata.id"] = 1358 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates"; 1359 certificates["@odata.type"] = 1360 "#CertificateCollection.CertificateCollection"; 1361 clientCertificate["Certificates"] = std::move(certificates); 1362 json["MultiFactorAuth"]["ClientCertificate"] = std::move(clientCertificate); 1363 1364 getClientCertificates( 1365 asyncResp, 1366 "/MultiFactorAuth/ClientCertificate/Certificates/Members"_json_pointer); 1367 1368 json["Oem"]["OpenBMC"]["@odata.type"] = 1369 "#OpenBMCAccountService.v1_0_0.AccountService"; 1370 json["Oem"]["OpenBMC"]["@odata.id"] = 1371 "/redfish/v1/AccountService#/Oem/OpenBMC"; 1372 json["Oem"]["OpenBMC"]["AuthMethods"]["BasicAuth"] = 1373 authMethodsConfig.basic; 1374 json["Oem"]["OpenBMC"]["AuthMethods"]["SessionToken"] = 1375 authMethodsConfig.sessionToken; 1376 json["Oem"]["OpenBMC"]["AuthMethods"]["XToken"] = authMethodsConfig.xtoken; 1377 json["Oem"]["OpenBMC"]["AuthMethods"]["Cookie"] = authMethodsConfig.cookie; 1378 json["Oem"]["OpenBMC"]["AuthMethods"]["TLS"] = authMethodsConfig.tls; 1379 1380 // /redfish/v1/AccountService/LDAP/Certificates is something only 1381 // ConfigureManager can access then only display when the user has 1382 // permissions ConfigureManager 1383 Privileges effectiveUserPrivileges = 1384 redfish::getUserPrivileges(*req.session); 1385 1386 if (isOperationAllowedWithPrivileges({{"ConfigureManager"}}, 1387 effectiveUserPrivileges)) 1388 { 1389 asyncResp->res.jsonValue["LDAP"]["Certificates"]["@odata.id"] = 1390 "/redfish/v1/AccountService/LDAP/Certificates"; 1391 } 1392 sdbusplus::asio::getAllProperties( 1393 *crow::connections::systemBus, "xyz.openbmc_project.User.Manager", 1394 "/xyz/openbmc_project/user", "xyz.openbmc_project.User.AccountPolicy", 1395 [asyncResp](const boost::system::error_code& ec, 1396 const dbus::utility::DBusPropertiesMap& propertiesList) { 1397 if (ec) 1398 { 1399 messages::internalError(asyncResp->res); 1400 return; 1401 } 1402 1403 BMCWEB_LOG_DEBUG("Got {} properties for AccountService", 1404 propertiesList.size()); 1405 1406 const uint8_t* minPasswordLength = nullptr; 1407 const uint32_t* accountUnlockTimeout = nullptr; 1408 const uint16_t* maxLoginAttemptBeforeLockout = nullptr; 1409 1410 const bool success = sdbusplus::unpackPropertiesNoThrow( 1411 dbus_utils::UnpackErrorPrinter(), propertiesList, 1412 "MinPasswordLength", minPasswordLength, "AccountUnlockTimeout", 1413 accountUnlockTimeout, "MaxLoginAttemptBeforeLockout", 1414 maxLoginAttemptBeforeLockout); 1415 1416 if (!success) 1417 { 1418 messages::internalError(asyncResp->res); 1419 return; 1420 } 1421 1422 if (minPasswordLength != nullptr) 1423 { 1424 asyncResp->res.jsonValue["MinPasswordLength"] = *minPasswordLength; 1425 } 1426 1427 if (accountUnlockTimeout != nullptr) 1428 { 1429 asyncResp->res.jsonValue["AccountLockoutDuration"] = 1430 *accountUnlockTimeout; 1431 } 1432 1433 if (maxLoginAttemptBeforeLockout != nullptr) 1434 { 1435 asyncResp->res.jsonValue["AccountLockoutThreshold"] = 1436 *maxLoginAttemptBeforeLockout; 1437 } 1438 }); 1439 1440 auto callback = [asyncResp](bool success, const LDAPConfigData& confData, 1441 const std::string& ldapType) { 1442 if (!success) 1443 { 1444 return; 1445 } 1446 parseLDAPConfigData(asyncResp->res.jsonValue, confData, ldapType); 1447 }; 1448 1449 getLDAPConfigData("LDAP", callback); 1450 getLDAPConfigData("ActiveDirectory", callback); 1451 } 1452 1453 inline void 1454 handleCertificateMappingAttributePatch(crow::Response& res, 1455 const std::string& certMapAttribute) 1456 { 1457 MTLSCommonNameParseMode parseMode = 1458 persistent_data::getMTLSCommonNameParseMode(certMapAttribute); 1459 if (parseMode == MTLSCommonNameParseMode::Invalid) 1460 { 1461 messages::propertyValueNotInList(res, "CertificateMappingAttribute", 1462 certMapAttribute); 1463 return; 1464 } 1465 1466 persistent_data::AuthConfigMethods& authMethodsConfig = 1467 persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 1468 authMethodsConfig.mTLSCommonNameParsingMode = parseMode; 1469 } 1470 1471 inline void handleAccountServicePatch( 1472 App& app, const crow::Request& req, 1473 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 1474 { 1475 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1476 { 1477 return; 1478 } 1479 std::optional<uint32_t> unlockTimeout; 1480 std::optional<uint16_t> lockoutThreshold; 1481 std::optional<uint8_t> minPasswordLength; 1482 std::optional<uint16_t> maxPasswordLength; 1483 LdapPatchParams ldapObject; 1484 std::optional<std::string> certificateMappingAttribute; 1485 LdapPatchParams activeDirectoryObject; 1486 AuthMethods auth; 1487 std::optional<std::string> httpBasicAuth; 1488 1489 // clang-format off 1490 if (!json_util::readJsonPatch( 1491 req, asyncResp->res, 1492 "AccountLockoutDuration", unlockTimeout, 1493 "AccountLockoutThreshold", lockoutThreshold, 1494 "ActiveDirectory/Authentication/AuthenticationType", activeDirectoryObject.authType, 1495 "ActiveDirectory/Authentication/Password", activeDirectoryObject.password, 1496 "ActiveDirectory/Authentication/Username", activeDirectoryObject.userName, 1497 "ActiveDirectory/LDAPService/SearchSettings/BaseDistinguishedNames", activeDirectoryObject.baseDNList, 1498 "ActiveDirectory/LDAPService/SearchSettings/GroupsAttribute", activeDirectoryObject.groupsAttribute, 1499 "ActiveDirectory/LDAPService/SearchSettings/UsernameAttribute", activeDirectoryObject.userNameAttribute, 1500 "ActiveDirectory/RemoteRoleMapping", activeDirectoryObject.remoteRoleMapData, 1501 "ActiveDirectory/ServiceAddresses", activeDirectoryObject.serviceAddressList, 1502 "ActiveDirectory/ServiceEnabled", activeDirectoryObject.serviceEnabled, 1503 "MultiFactorAuth/ClientCertificate/CertificateMappingAttribute", certificateMappingAttribute, 1504 "LDAP/Authentication/AuthenticationType", ldapObject.authType, 1505 "LDAP/Authentication/Password", ldapObject.password, 1506 "LDAP/Authentication/Username", ldapObject.userName, 1507 "LDAP/LDAPService/SearchSettings/BaseDistinguishedNames", ldapObject.baseDNList, 1508 "LDAP/LDAPService/SearchSettings/GroupsAttribute", ldapObject.groupsAttribute, 1509 "LDAP/LDAPService/SearchSettings/UsernameAttribute", ldapObject.userNameAttribute, 1510 "LDAP/RemoteRoleMapping", ldapObject.remoteRoleMapData, 1511 "LDAP/ServiceAddresses", ldapObject.serviceAddressList, 1512 "LDAP/ServiceEnabled", ldapObject.serviceEnabled, 1513 "MaxPasswordLength", maxPasswordLength, 1514 "MinPasswordLength", minPasswordLength, 1515 "Oem/OpenBMC/AuthMethods/BasicAuth", auth.basicAuth, 1516 "Oem/OpenBMC/AuthMethods/Cookie", auth.cookie, 1517 "Oem/OpenBMC/AuthMethods/SessionToken", auth.sessionToken, 1518 "Oem/OpenBMC/AuthMethods/TLS", auth.tls, 1519 "Oem/OpenBMC/AuthMethods/XToken", auth.xToken, 1520 "HTTPBasicAuth", httpBasicAuth)) 1521 { 1522 return; 1523 } 1524 // clang-format on 1525 1526 if (httpBasicAuth) 1527 { 1528 if (*httpBasicAuth == "Enabled") 1529 { 1530 auth.basicAuth = true; 1531 } 1532 else if (*httpBasicAuth == "Disabled") 1533 { 1534 auth.basicAuth = false; 1535 } 1536 else 1537 { 1538 messages::propertyValueNotInList(asyncResp->res, "HttpBasicAuth", 1539 *httpBasicAuth); 1540 } 1541 } 1542 1543 if (certificateMappingAttribute) 1544 { 1545 handleCertificateMappingAttributePatch(asyncResp->res, 1546 *certificateMappingAttribute); 1547 } 1548 1549 if (minPasswordLength) 1550 { 1551 setDbusProperty( 1552 asyncResp, "MinPasswordLength", "xyz.openbmc_project.User.Manager", 1553 sdbusplus::message::object_path("/xyz/openbmc_project/user"), 1554 "xyz.openbmc_project.User.AccountPolicy", "MinPasswordLength", 1555 *minPasswordLength); 1556 } 1557 1558 if (maxPasswordLength) 1559 { 1560 messages::propertyNotWritable(asyncResp->res, "MaxPasswordLength"); 1561 } 1562 1563 handleLDAPPatch(std::move(activeDirectoryObject), asyncResp, 1564 "ActiveDirectory"); 1565 handleLDAPPatch(std::move(ldapObject), asyncResp, "LDAP"); 1566 1567 handleAuthMethodsPatch(asyncResp, auth); 1568 1569 if (unlockTimeout) 1570 { 1571 setDbusProperty( 1572 asyncResp, "AccountLockoutDuration", 1573 "xyz.openbmc_project.User.Manager", 1574 sdbusplus::message::object_path("/xyz/openbmc_project/user"), 1575 "xyz.openbmc_project.User.AccountPolicy", "AccountUnlockTimeout", 1576 *unlockTimeout); 1577 } 1578 if (lockoutThreshold) 1579 { 1580 setDbusProperty( 1581 asyncResp, "AccountLockoutThreshold", 1582 "xyz.openbmc_project.User.Manager", 1583 sdbusplus::message::object_path("/xyz/openbmc_project/user"), 1584 "xyz.openbmc_project.User.AccountPolicy", 1585 "MaxLoginAttemptBeforeLockout", *lockoutThreshold); 1586 } 1587 } 1588 1589 inline void handleAccountCollectionHead( 1590 App& app, const crow::Request& req, 1591 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 1592 { 1593 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1594 { 1595 return; 1596 } 1597 asyncResp->res.addHeader( 1598 boost::beast::http::field::link, 1599 "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby"); 1600 } 1601 1602 inline void handleAccountCollectionGet( 1603 App& app, const crow::Request& req, 1604 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 1605 { 1606 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1607 { 1608 return; 1609 } 1610 1611 if (req.session == nullptr) 1612 { 1613 messages::internalError(asyncResp->res); 1614 return; 1615 } 1616 1617 asyncResp->res.addHeader( 1618 boost::beast::http::field::link, 1619 "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby"); 1620 1621 asyncResp->res.jsonValue["@odata.id"] = 1622 "/redfish/v1/AccountService/Accounts"; 1623 asyncResp->res.jsonValue["@odata.type"] = "#ManagerAccountCollection." 1624 "ManagerAccountCollection"; 1625 asyncResp->res.jsonValue["Name"] = "Accounts Collection"; 1626 asyncResp->res.jsonValue["Description"] = "BMC User Accounts"; 1627 1628 Privileges effectiveUserPrivileges = 1629 redfish::getUserPrivileges(*req.session); 1630 1631 std::string thisUser; 1632 if (req.session) 1633 { 1634 thisUser = req.session->username; 1635 } 1636 sdbusplus::message::object_path path("/xyz/openbmc_project/user"); 1637 dbus::utility::getManagedObjects( 1638 "xyz.openbmc_project.User.Manager", path, 1639 [asyncResp, thisUser, effectiveUserPrivileges]( 1640 const boost::system::error_code& ec, 1641 const dbus::utility::ManagedObjectType& users) { 1642 if (ec) 1643 { 1644 messages::internalError(asyncResp->res); 1645 return; 1646 } 1647 1648 bool userCanSeeAllAccounts = 1649 effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"}); 1650 1651 bool userCanSeeSelf = 1652 effectiveUserPrivileges.isSupersetOf({"ConfigureSelf"}); 1653 1654 nlohmann::json& memberArray = asyncResp->res.jsonValue["Members"]; 1655 memberArray = nlohmann::json::array(); 1656 1657 for (const auto& userpath : users) 1658 { 1659 std::string user = userpath.first.filename(); 1660 if (user.empty()) 1661 { 1662 messages::internalError(asyncResp->res); 1663 BMCWEB_LOG_ERROR("Invalid firmware ID"); 1664 1665 return; 1666 } 1667 1668 // As clarified by Redfish here: 1669 // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration 1670 // Users without ConfigureUsers, only see their own 1671 // account. Users with ConfigureUsers, see all 1672 // accounts. 1673 if (userCanSeeAllAccounts || (thisUser == user && userCanSeeSelf)) 1674 { 1675 nlohmann::json::object_t member; 1676 member["@odata.id"] = boost::urls::format( 1677 "/redfish/v1/AccountService/Accounts/{}", user); 1678 memberArray.emplace_back(std::move(member)); 1679 } 1680 } 1681 asyncResp->res.jsonValue["Members@odata.count"] = memberArray.size(); 1682 }); 1683 } 1684 1685 inline void processAfterCreateUser( 1686 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 1687 const std::string& username, const std::string& password, 1688 const boost::system::error_code& ec, sdbusplus::message_t& m) 1689 { 1690 if (ec) 1691 { 1692 userErrorMessageHandler(m.get_error(), asyncResp, username, ""); 1693 return; 1694 } 1695 1696 if (pamUpdatePassword(username, password) != PAM_SUCCESS) 1697 { 1698 // At this point we have a user that's been 1699 // created, but the password set 1700 // failed.Something is wrong, so delete the user 1701 // that we've already created 1702 sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 1703 tempObjPath /= username; 1704 const std::string userPath(tempObjPath); 1705 1706 crow::connections::systemBus->async_method_call( 1707 [asyncResp, password](const boost::system::error_code& ec3) { 1708 if (ec3) 1709 { 1710 messages::internalError(asyncResp->res); 1711 return; 1712 } 1713 1714 // If password is invalid 1715 messages::propertyValueFormatError(asyncResp->res, nullptr, 1716 "Password"); 1717 }, 1718 "xyz.openbmc_project.User.Manager", userPath, 1719 "xyz.openbmc_project.Object.Delete", "Delete"); 1720 1721 BMCWEB_LOG_ERROR("pamUpdatePassword Failed"); 1722 return; 1723 } 1724 1725 messages::created(asyncResp->res); 1726 asyncResp->res.addHeader("Location", 1727 "/redfish/v1/AccountService/Accounts/" + username); 1728 } 1729 1730 inline void processAfterGetAllGroups( 1731 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 1732 const std::string& username, const std::string& password, 1733 const std::string& roleId, bool enabled, 1734 std::optional<std::vector<std::string>> accountTypes, 1735 const std::vector<std::string>& allGroupsList) 1736 { 1737 std::vector<std::string> userGroups; 1738 std::vector<std::string> accountTypeUserGroups; 1739 1740 // If user specified account types then convert them to unix user groups 1741 if (accountTypes) 1742 { 1743 if (!getUserGroupFromAccountType(asyncResp->res, *accountTypes, 1744 accountTypeUserGroups)) 1745 { 1746 // Problem in mapping Account Types to User Groups, Error already 1747 // logged. 1748 return; 1749 } 1750 } 1751 1752 for (const auto& grp : allGroupsList) 1753 { 1754 // If user specified the account type then only accept groups which are 1755 // in the account types group list. 1756 if (!accountTypeUserGroups.empty()) 1757 { 1758 bool found = false; 1759 for (const auto& grp1 : accountTypeUserGroups) 1760 { 1761 if (grp == grp1) 1762 { 1763 found = true; 1764 break; 1765 } 1766 } 1767 if (!found) 1768 { 1769 continue; 1770 } 1771 } 1772 1773 // Console access is provided to the user who is a member of 1774 // hostconsole group and has a administrator role. So, set 1775 // hostconsole group only for the administrator. 1776 if ((grp == "hostconsole") && (roleId != "priv-admin")) 1777 { 1778 if (!accountTypeUserGroups.empty()) 1779 { 1780 BMCWEB_LOG_ERROR( 1781 "Only administrator can get HostConsole access"); 1782 asyncResp->res.result(boost::beast::http::status::bad_request); 1783 return; 1784 } 1785 continue; 1786 } 1787 userGroups.emplace_back(grp); 1788 } 1789 1790 // Make sure user specified groups are valid. This is internal error because 1791 // it some inconsistencies between user manager and bmcweb. 1792 if (!accountTypeUserGroups.empty() && 1793 accountTypeUserGroups.size() != userGroups.size()) 1794 { 1795 messages::internalError(asyncResp->res); 1796 return; 1797 } 1798 crow::connections::systemBus->async_method_call( 1799 [asyncResp, username, password](const boost::system::error_code& ec2, 1800 sdbusplus::message_t& m) { 1801 processAfterCreateUser(asyncResp, username, password, ec2, m); 1802 }, 1803 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1804 "xyz.openbmc_project.User.Manager", "CreateUser", username, userGroups, 1805 roleId, enabled); 1806 } 1807 1808 inline void handleAccountCollectionPost( 1809 App& app, const crow::Request& req, 1810 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 1811 { 1812 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1813 { 1814 return; 1815 } 1816 std::string username; 1817 std::string password; 1818 std::optional<std::string> roleIdJson; 1819 std::optional<bool> enabledJson; 1820 std::optional<std::vector<std::string>> accountTypes; 1821 if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", username, 1822 "Password", password, "RoleId", roleIdJson, 1823 "Enabled", enabledJson, "AccountTypes", 1824 accountTypes)) 1825 { 1826 return; 1827 } 1828 1829 std::string roleId = roleIdJson.value_or("User"); 1830 std::string priv = getPrivilegeFromRoleId(roleId); 1831 if (priv.empty()) 1832 { 1833 messages::propertyValueNotInList(asyncResp->res, roleId, "RoleId"); 1834 return; 1835 } 1836 roleId = priv; 1837 1838 bool enabled = enabledJson.value_or(true); 1839 1840 // Reading AllGroups property 1841 sdbusplus::asio::getProperty<std::vector<std::string>>( 1842 *crow::connections::systemBus, "xyz.openbmc_project.User.Manager", 1843 "/xyz/openbmc_project/user", "xyz.openbmc_project.User.Manager", 1844 "AllGroups", 1845 [asyncResp, username, password{std::move(password)}, roleId, enabled, 1846 accountTypes](const boost::system::error_code& ec, 1847 const std::vector<std::string>& allGroupsList) { 1848 if (ec) 1849 { 1850 BMCWEB_LOG_DEBUG("ERROR with async_method_call"); 1851 messages::internalError(asyncResp->res); 1852 return; 1853 } 1854 1855 if (allGroupsList.empty()) 1856 { 1857 messages::internalError(asyncResp->res); 1858 return; 1859 } 1860 1861 processAfterGetAllGroups(asyncResp, username, password, roleId, enabled, 1862 accountTypes, allGroupsList); 1863 }); 1864 } 1865 1866 inline void 1867 handleAccountHead(App& app, const crow::Request& req, 1868 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 1869 const std::string& /*accountName*/) 1870 { 1871 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1872 { 1873 return; 1874 } 1875 asyncResp->res.addHeader( 1876 boost::beast::http::field::link, 1877 "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby"); 1878 } 1879 1880 inline void 1881 handleAccountGet(App& app, const crow::Request& req, 1882 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 1883 const std::string& accountName) 1884 { 1885 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1886 { 1887 return; 1888 } 1889 asyncResp->res.addHeader( 1890 boost::beast::http::field::link, 1891 "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby"); 1892 1893 if constexpr (BMCWEB_INSECURE_DISABLE_AUTH) 1894 { 1895 // If authentication is disabled, there are no user accounts 1896 messages::resourceNotFound(asyncResp->res, "ManagerAccount", 1897 accountName); 1898 return; 1899 } 1900 1901 if (req.session == nullptr) 1902 { 1903 messages::internalError(asyncResp->res); 1904 return; 1905 } 1906 if (req.session->username != accountName) 1907 { 1908 // At this point we've determined that the user is trying to 1909 // modify a user that isn't them. We need to verify that they 1910 // have permissions to modify other users, so re-run the auth 1911 // check with the same permissions, minus ConfigureSelf. 1912 Privileges effectiveUserPrivileges = 1913 redfish::getUserPrivileges(*req.session); 1914 Privileges requiredPermissionsToChangeNonSelf = {"ConfigureUsers", 1915 "ConfigureManager"}; 1916 if (!effectiveUserPrivileges.isSupersetOf( 1917 requiredPermissionsToChangeNonSelf)) 1918 { 1919 BMCWEB_LOG_DEBUG("GET Account denied access"); 1920 messages::insufficientPrivilege(asyncResp->res); 1921 return; 1922 } 1923 } 1924 1925 sdbusplus::message::object_path path("/xyz/openbmc_project/user"); 1926 dbus::utility::getManagedObjects( 1927 "xyz.openbmc_project.User.Manager", path, 1928 [asyncResp, 1929 accountName](const boost::system::error_code& ec, 1930 const dbus::utility::ManagedObjectType& users) { 1931 if (ec) 1932 { 1933 messages::internalError(asyncResp->res); 1934 return; 1935 } 1936 const auto userIt = std::ranges::find_if( 1937 users, 1938 [accountName]( 1939 const std::pair<sdbusplus::message::object_path, 1940 dbus::utility::DBusInterfacesMap>& user) { 1941 return accountName == user.first.filename(); 1942 }); 1943 1944 if (userIt == users.end()) 1945 { 1946 messages::resourceNotFound(asyncResp->res, "ManagerAccount", 1947 accountName); 1948 return; 1949 } 1950 1951 asyncResp->res.jsonValue["@odata.type"] = 1952 "#ManagerAccount.v1_7_0.ManagerAccount"; 1953 asyncResp->res.jsonValue["Name"] = "User Account"; 1954 asyncResp->res.jsonValue["Description"] = "User Account"; 1955 asyncResp->res.jsonValue["Password"] = nullptr; 1956 asyncResp->res.jsonValue["StrictAccountTypes"] = true; 1957 1958 for (const auto& interface : userIt->second) 1959 { 1960 if (interface.first == "xyz.openbmc_project.User.Attributes") 1961 { 1962 for (const auto& property : interface.second) 1963 { 1964 if (property.first == "UserEnabled") 1965 { 1966 const bool* userEnabled = 1967 std::get_if<bool>(&property.second); 1968 if (userEnabled == nullptr) 1969 { 1970 BMCWEB_LOG_ERROR("UserEnabled wasn't a bool"); 1971 messages::internalError(asyncResp->res); 1972 return; 1973 } 1974 asyncResp->res.jsonValue["Enabled"] = *userEnabled; 1975 } 1976 else if (property.first == "UserLockedForFailedAttempt") 1977 { 1978 const bool* userLocked = 1979 std::get_if<bool>(&property.second); 1980 if (userLocked == nullptr) 1981 { 1982 BMCWEB_LOG_ERROR("UserLockedForF" 1983 "ailedAttempt " 1984 "wasn't a bool"); 1985 messages::internalError(asyncResp->res); 1986 return; 1987 } 1988 asyncResp->res.jsonValue["Locked"] = *userLocked; 1989 nlohmann::json::array_t allowed; 1990 // can only unlock accounts 1991 allowed.emplace_back("false"); 1992 asyncResp->res 1993 .jsonValue["Locked@Redfish.AllowableValues"] = 1994 std::move(allowed); 1995 } 1996 else if (property.first == "UserPrivilege") 1997 { 1998 const std::string* userPrivPtr = 1999 std::get_if<std::string>(&property.second); 2000 if (userPrivPtr == nullptr) 2001 { 2002 BMCWEB_LOG_ERROR("UserPrivilege wasn't a " 2003 "string"); 2004 messages::internalError(asyncResp->res); 2005 return; 2006 } 2007 std::string role = getRoleIdFromPrivilege(*userPrivPtr); 2008 if (role.empty()) 2009 { 2010 BMCWEB_LOG_ERROR("Invalid user role"); 2011 messages::internalError(asyncResp->res); 2012 return; 2013 } 2014 asyncResp->res.jsonValue["RoleId"] = role; 2015 2016 nlohmann::json& roleEntry = 2017 asyncResp->res.jsonValue["Links"]["Role"]; 2018 roleEntry["@odata.id"] = boost::urls::format( 2019 "/redfish/v1/AccountService/Roles/{}", role); 2020 } 2021 else if (property.first == "UserPasswordExpired") 2022 { 2023 const bool* userPasswordExpired = 2024 std::get_if<bool>(&property.second); 2025 if (userPasswordExpired == nullptr) 2026 { 2027 BMCWEB_LOG_ERROR( 2028 "UserPasswordExpired wasn't a bool"); 2029 messages::internalError(asyncResp->res); 2030 return; 2031 } 2032 asyncResp->res.jsonValue["PasswordChangeRequired"] = 2033 *userPasswordExpired; 2034 } 2035 else if (property.first == "UserGroups") 2036 { 2037 const std::vector<std::string>* userGroups = 2038 std::get_if<std::vector<std::string>>( 2039 &property.second); 2040 if (userGroups == nullptr) 2041 { 2042 BMCWEB_LOG_ERROR( 2043 "userGroups wasn't a string vector"); 2044 messages::internalError(asyncResp->res); 2045 return; 2046 } 2047 if (!translateUserGroup(*userGroups, asyncResp->res)) 2048 { 2049 BMCWEB_LOG_ERROR("userGroups mapping failed"); 2050 messages::internalError(asyncResp->res); 2051 return; 2052 } 2053 } 2054 } 2055 } 2056 } 2057 2058 asyncResp->res.jsonValue["@odata.id"] = boost::urls::format( 2059 "/redfish/v1/AccountService/Accounts/{}", accountName); 2060 asyncResp->res.jsonValue["Id"] = accountName; 2061 asyncResp->res.jsonValue["UserName"] = accountName; 2062 }); 2063 } 2064 2065 inline void 2066 handleAccountDelete(App& app, const crow::Request& req, 2067 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 2068 const std::string& username) 2069 { 2070 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 2071 { 2072 return; 2073 } 2074 2075 if constexpr (BMCWEB_INSECURE_DISABLE_AUTH) 2076 { 2077 // If authentication is disabled, there are no user accounts 2078 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username); 2079 return; 2080 } 2081 sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 2082 tempObjPath /= username; 2083 const std::string userPath(tempObjPath); 2084 2085 crow::connections::systemBus->async_method_call( 2086 [asyncResp, username](const boost::system::error_code& ec) { 2087 if (ec) 2088 { 2089 messages::resourceNotFound(asyncResp->res, "ManagerAccount", 2090 username); 2091 return; 2092 } 2093 2094 messages::accountRemoved(asyncResp->res); 2095 }, 2096 "xyz.openbmc_project.User.Manager", userPath, 2097 "xyz.openbmc_project.Object.Delete", "Delete"); 2098 } 2099 2100 inline void 2101 handleAccountPatch(App& app, const crow::Request& req, 2102 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 2103 const std::string& username) 2104 { 2105 if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 2106 { 2107 return; 2108 } 2109 if constexpr (BMCWEB_INSECURE_DISABLE_AUTH) 2110 { 2111 // If authentication is disabled, there are no user accounts 2112 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username); 2113 return; 2114 } 2115 std::optional<std::string> newUserName; 2116 std::optional<std::string> password; 2117 std::optional<bool> enabled; 2118 std::optional<std::string> roleId; 2119 std::optional<bool> locked; 2120 std::optional<std::vector<std::string>> accountTypes; 2121 2122 if (req.session == nullptr) 2123 { 2124 messages::internalError(asyncResp->res); 2125 return; 2126 } 2127 2128 bool userSelf = (username == req.session->username); 2129 2130 Privileges effectiveUserPrivileges = 2131 redfish::getUserPrivileges(*req.session); 2132 Privileges configureUsers = {"ConfigureUsers"}; 2133 bool userHasConfigureUsers = 2134 effectiveUserPrivileges.isSupersetOf(configureUsers); 2135 if (userHasConfigureUsers) 2136 { 2137 // Users with ConfigureUsers can modify for all users 2138 if (!json_util::readJsonPatch( 2139 req, asyncResp->res, "UserName", newUserName, "Password", 2140 password, "RoleId", roleId, "Enabled", enabled, "Locked", 2141 locked, "AccountTypes", accountTypes)) 2142 { 2143 return; 2144 } 2145 } 2146 else 2147 { 2148 // ConfigureSelf accounts can only modify their own account 2149 if (!userSelf) 2150 { 2151 messages::insufficientPrivilege(asyncResp->res); 2152 return; 2153 } 2154 2155 // ConfigureSelf accounts can only modify their password 2156 if (!json_util::readJsonPatch(req, asyncResp->res, "Password", 2157 password)) 2158 { 2159 return; 2160 } 2161 } 2162 2163 // if user name is not provided in the patch method or if it 2164 // matches the user name in the URI, then we are treating it as 2165 // updating user properties other then username. If username 2166 // provided doesn't match the URI, then we are treating this as 2167 // user rename request. 2168 if (!newUserName || (newUserName.value() == username)) 2169 { 2170 updateUserProperties(asyncResp, username, password, enabled, roleId, 2171 locked, accountTypes, userSelf, req.session); 2172 return; 2173 } 2174 crow::connections::systemBus->async_method_call( 2175 [asyncResp, username, password(std::move(password)), 2176 roleId(std::move(roleId)), enabled, newUser{std::string(*newUserName)}, 2177 locked, userSelf, req, accountTypes(std::move(accountTypes))]( 2178 const boost::system::error_code& ec, sdbusplus::message_t& m) { 2179 if (ec) 2180 { 2181 userErrorMessageHandler(m.get_error(), asyncResp, newUser, 2182 username); 2183 return; 2184 } 2185 2186 updateUserProperties(asyncResp, newUser, password, enabled, roleId, 2187 locked, accountTypes, userSelf, req.session); 2188 }, 2189 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 2190 "xyz.openbmc_project.User.Manager", "RenameUser", username, 2191 *newUserName); 2192 } 2193 2194 inline void requestAccountServiceRoutes(App& app) 2195 { 2196 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 2197 .privileges(redfish::privileges::headAccountService) 2198 .methods(boost::beast::http::verb::head)( 2199 std::bind_front(handleAccountServiceHead, std::ref(app))); 2200 2201 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 2202 .privileges(redfish::privileges::getAccountService) 2203 .methods(boost::beast::http::verb::get)( 2204 std::bind_front(handleAccountServiceGet, std::ref(app))); 2205 2206 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 2207 .privileges(redfish::privileges::patchAccountService) 2208 .methods(boost::beast::http::verb::patch)( 2209 std::bind_front(handleAccountServicePatch, std::ref(app))); 2210 2211 BMCWEB_ROUTE( 2212 app, 2213 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates") 2214 .privileges(redfish::privileges::headCertificateCollection) 2215 .methods(boost::beast::http::verb::head)(std::bind_front( 2216 handleAccountServiceClientCertificatesHead, std::ref(app))); 2217 2218 BMCWEB_ROUTE( 2219 app, 2220 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates") 2221 .privileges(redfish::privileges::getCertificateCollection) 2222 .methods(boost::beast::http::verb::get)(std::bind_front( 2223 handleAccountServiceClientCertificatesGet, std::ref(app))); 2224 2225 BMCWEB_ROUTE( 2226 app, 2227 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/<str>") 2228 .privileges(redfish::privileges::headCertificate) 2229 .methods(boost::beast::http::verb::head)(std::bind_front( 2230 handleAccountServiceClientCertificatesInstanceHead, std::ref(app))); 2231 2232 BMCWEB_ROUTE( 2233 app, 2234 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/<str>/") 2235 .privileges(redfish::privileges::getCertificate) 2236 .methods(boost::beast::http::verb::get)(std::bind_front( 2237 handleAccountServiceClientCertificatesInstanceGet, std::ref(app))); 2238 2239 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 2240 .privileges(redfish::privileges::headManagerAccountCollection) 2241 .methods(boost::beast::http::verb::head)( 2242 std::bind_front(handleAccountCollectionHead, std::ref(app))); 2243 2244 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 2245 .privileges(redfish::privileges::getManagerAccountCollection) 2246 .methods(boost::beast::http::verb::get)( 2247 std::bind_front(handleAccountCollectionGet, std::ref(app))); 2248 2249 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 2250 .privileges(redfish::privileges::postManagerAccountCollection) 2251 .methods(boost::beast::http::verb::post)( 2252 std::bind_front(handleAccountCollectionPost, std::ref(app))); 2253 2254 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 2255 .privileges(redfish::privileges::headManagerAccount) 2256 .methods(boost::beast::http::verb::head)( 2257 std::bind_front(handleAccountHead, std::ref(app))); 2258 2259 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 2260 .privileges(redfish::privileges::getManagerAccount) 2261 .methods(boost::beast::http::verb::get)( 2262 std::bind_front(handleAccountGet, std::ref(app))); 2263 2264 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 2265 // TODO this privilege should be using the generated endpoints, but 2266 // because of the special handling of ConfigureSelf, it's not able to 2267 // yet 2268 .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}}) 2269 .methods(boost::beast::http::verb::patch)( 2270 std::bind_front(handleAccountPatch, std::ref(app))); 2271 2272 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 2273 .privileges(redfish::privileges::deleteManagerAccount) 2274 .methods(boost::beast::http::verb::delete_)( 2275 std::bind_front(handleAccountDelete, std::ref(app))); 2276 } 2277 2278 } // namespace redfish 2279