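#pragma once

#include "config.h"

#include "ldap_mapper_entry.hpp"

#include <sdbusplus/bus.hpp>
#include <sdbusplus/server/object.hpp>
#include <xyz/openbmc_project/Object/Enable/server.hpp>
#include <xyz/openbmc_project/User/Ldap/Config/server.hpp>
#include <xyz/openbmc_project/User/Ldap/Create/server.hpp>
#include <xyz/openbmc_project/User/PrivilegeMapper/server.hpp>

// Standard headers for every std:: name this header uses directly
// (std::uint32_t in load()/save(), std::map and std::unique_ptr in
// PrivilegeMapperList), rather than relying on transitive includes.
#include <cstdint>
#include <filesystem>
#include <map>
#include <memory>
#include <set>
#include <string>

namespace phosphor
{
namespace ldap
{

/** @brief Generated sdbusplus server interfaces this daemon implements. */
using ConfigIface = sdbusplus::xyz::openbmc_project::User::Ldap::server::Config;
using EnableIface = sdbusplus::xyz::openbmc_project::Object::server::Enable;
using CreateIface = sdbusplus::server::object_t<
    sdbusplus::xyz::openbmc_project::User::Ldap::server::Create>;
namespace fs = std::filesystem;
using MapperIface =
    sdbusplus::xyz::openbmc_project::User::server::PrivilegeMapper;

/** @brief Combined D-Bus object type that Config derives from:
 *         Ldap.Config + Object.Enable + User.PrivilegeMapper.
 */
using Ifaces =
    sdbusplus::server::object_t<ConfigIface, EnableIface, MapperIface>;
using ObjectPath = sdbusplus::message::object_path;

/** @brief Shorthand for sdbusplus signal-match rule builders. */
namespace sdbusRule = sdbusplus::bus::match::rules;

// Forward declarations: ConfigMgr owns Config objects; MockConfigMgr is the
// test double granted friend access in Config.
class ConfigMgr;
class MockConfigMgr;
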
/** @class Config
 *  @brief Configuration for LDAP.
 *  @details concrete implementation of xyz.openbmc_project.User.Ldap.Config
 *  API, in order to provide LDAP configuration. Through Ifaces it also
 *  implements xyz.openbmc_project.Object.Enable (service on/off) and
 *  xyz.openbmc_project.User.PrivilegeMapper (LDAP group -> privilege
 *  role mappings, each one an LDAPMapperEntry child object).
 *
 *  The object is non-copyable and non-movable: it holds a reference to
 *  its bus connection and to its parent ConfigMgr, and owns signal matches
 *  that are bound to this instance.
 */
class Config : public Ifaces
{
  public:
    Config() = delete;
    ~Config() = default;
    Config(const Config&) = delete;
    Config& operator=(const Config&) = delete;
    Config(Config&&) = delete;
    Config& operator=(Config&&) = delete;

    /** @brief Constructor to put object onto bus at a D-Bus path.
     *  @param[in] bus - Bus to attach to.
     *  @param[in] path - The D-Bus object path to attach at.
     *  @param[in] filePath - LDAP configuration file.
     *  @param[in] caCertFile - LDAP's CA certificate file.
     *  @param[in] certFile - LDAP's client certificate file.
     *  @param[in] secureLDAP - Specifies whether to use SSL or not.
     *  @param[in] ldapServerURI - LDAP URI of the server.
     *  @param[in] ldapBindDN - distinguished name with which to bind.
     *  @param[in] ldapBaseDN - distinguished name to use as search base.
     *  @param[in] ldapBindDNPassword - credentials with which to bind.
     *             Taken by rvalue reference so the secret is moved into
     *             the object rather than copied.
     *  @param[in] ldapSearchScope - the search scope.
     *  @param[in] ldapType - Specifies the LDAP server type which can be AD
     *             or openLDAP.
     *  @param[in] ldapServiceEnabled - Specifies whether the service would be
     *             enabled or not.
     *  @param[in] groupNameAttribute - Specifies attribute name that contains
     *             the name of the Group in the LDAP server.
     *  @param[in] userNameAttribute - Specifies attribute name that contains
     *             the username in the LDAP server.
     *
     *  @param[in] parent - parent of config object.
     */

    Config(sdbusplus::bus_t& bus, const char* path, const char* filePath,
           const char* caCertFile, const char* certFile, bool secureLDAP,
           std::string ldapServerURI, std::string ldapBindDN,
           std::string ldapBaseDN, std::string&& ldapBindDNPassword,
           ConfigIface::SearchScope ldapSearchScope, ConfigIface::Type ldapType,
           bool ldapServiceEnabled, std::string groupNameAttribute,
           std::string userNameAttribute, ConfigMgr& parent);

    /** @brief Constructor to put object onto bus at a D-Bus path.
     *  @details Minimal form that takes only the file locations and the
     *           server type; the remaining properties are presumably
     *           populated afterwards (e.g. via deserialize()) - confirm in
     *           ldap_config.cpp.
     *  @param[in] bus - Bus to attach to.
     *  @param[in] path - The D-Bus object path to attach at.
     *  @param[in] filePath - LDAP configuration file.
     *  @param[in] caCertFile - LDAP's CA certificate file.
     *  @param[in] certFile - LDAP's client certificate file.
     *  @param[in] ldapType - Specifies the LDAP server type which can be AD
     *             or openLDAP.
     *  @param[in] parent - parent of config object.
     */
    Config(sdbusplus::bus_t& bus, const char* path, const char* filePath,
           const char* caCertFile, const char* certFile,
           ConfigIface::Type ldapType, ConfigMgr& parent);

    // Re-expose the generated property getters so the setter overrides
    // below do not hide them.
    using ConfigIface::groupNameAttribute;
    using ConfigIface::ldapBaseDN;
    using ConfigIface::ldapBindDN;
    using ConfigIface::ldapBindDNPassword;
    using ConfigIface::ldapSearchScope;
    using ConfigIface::ldapServerURI;
    using ConfigIface::ldapType;
    using ConfigIface::setPropertyByName;
    using ConfigIface::userNameAttribute;
    using EnableIface::enabled;

    /** @brief Update the Server URI property.
     *  @param[in] value - ldapServerURI value to be updated.
     *  @returns value of changed ldapServerURI.
     */
    std::string ldapServerURI(std::string value) override;

    /** @brief Update the BindDN property.
     *  @param[in] value - ldapBindDN value to be updated.
     *  @returns value of changed ldapBindDN.
     */
    std::string ldapBindDN(std::string value) override;

    /** @brief Update the BaseDN property.
     *  @param[in] value - ldapBaseDN value to be updated.
     *  @returns value of changed ldapBaseDN.
     */
    std::string ldapBaseDN(std::string value) override;

    /** @brief Update the Search scope property.
     *  @param[in] value - ldapSearchScope value to be updated.
     *  @returns value of changed ldapSearchScope.
     */
    ConfigIface::SearchScope
        ldapSearchScope(ConfigIface::SearchScope value) override;

    /** @brief Update the LDAP Type property.
     *  @param[in] value - ldapType value to be updated.
     *  @returns value of changed ldapType.
     */
    ConfigIface::Type ldapType(ConfigIface::Type value) override;

    /** @brief Update the ldapServiceEnabled property.
     *  @param[in] value - ldapServiceEnabled value to be updated.
     *  @returns value of changed ldapServiceEnabled.
     */
    bool enabled(bool value) override;

    /** @brief Update the userNameAttribute property.
     *  @param[in] value - userNameAttribute value to be updated.
     *  @returns value of changed userNameAttribute.
     */
    std::string userNameAttribute(std::string value) override;

    /** @brief Update the groupNameAttribute property.
     *  @param[in] value - groupNameAttribute value to be updated.
     *  @returns value of changed groupNameAttribute.
     */
    std::string groupNameAttribute(std::string value) override;

    /** @brief Update the BindDNPassword property.
     *  @param[in] value - ldapBindDNPassword value to be updated.
     *  @returns value of changed ldapBindDNPassword.
     *  @note This is the bind credential; the returned value is whatever
     *        the implementation in ldap_config.cpp reports back over D-Bus.
     */
    std::string ldapBindDNPassword(std::string value) override;

    /** @brief Function required by Cereal to perform deserialization.
     *  @tparam Archive - Cereal archive type (binary in our case).
     *  @param[in] archive - reference to Cereal archive.
     *  @param[in] version - Class version that enables handling
     *                       a serialized data across code levels
     */
    template <class Archive>
    void load(Archive& archive, const std::uint32_t version);

    /** @brief Function required by Cereal to perform serialization.
     *  @tparam Archive - Cereal archive type (binary in our case).
     *  @param[in] archive - reference to Cereal archive.
     *  @param[in] version - Class version that enables handling
     *                       a serialized data across code levels
     */
    template <class Archive>
    void save(Archive& archive, const std::uint32_t version) const;

    /** @brief Serialize and persist this object at the persist
     *         location (configPersistPath).
     */
    void serialize();

    /** @brief Deserialize LDAP config data from the persistent location
     *         into this object
     *  @return bool - true if the deserialization was successful, false
     *                 otherwise.
     */
    bool deserialize();

    /** @brief enable or disable the service with the given value
     *  @param[in] value - enable/disable
     *  @returns value of changed status
     */
    bool enableService(bool value);

    /** @brief Creates a mapping for the group to the privilege
     *
     *  Implements the Create method of xyz.openbmc_project.User.PrivilegeMapper.
     *
     *  @param[in] groupName - Group Name to which the privilege needs to be
     *                         assigned.
     *  @param[in] privilege - The privilege role associated with the group.
     *
     *  @return On success return the D-Bus object path of the created privilege
     *          mapper entry.
     */
    ObjectPath create(std::string groupName, std::string privilege) override;

    /** @brief Delete privilege mapping for LDAP group
     *
     *  This method deletes the privilege mapping
     *
     *  @param[in] id - id of the object which needs to be deleted.
     */
    void deletePrivilegeMapper(Id id);

    /** @brief Check if LDAP group privilege mapping requested is valid
     *
     *  Check if the privilege mapping already exists for the LDAP group name
     *  and group name is empty.
     *
     *  @param[in] groupName - LDAP group name
     *
     *  @return throw exception if the conditions are not met.
     */
    void checkPrivilegeMapper(const std::string& groupName);

    /** @brief Check if the privilege level is a valid one
     *
     *  @param[in] privilege - Privilege level
     *
     *  @return throw exception if the conditions are not met.
     */
    void checkPrivilegeLevel(const std::string& privilege);

    /** @brief Construct LDAP mapper entry D-Bus objects from their persisted
     *         representations.
     */
    void restoreRoleMapping();

  private:
    /** @brief Whether to use SSL for the LDAP connection.
     *  NOTE(review): no in-class initializer, so every constructor must
     *  assign it - confirm in ldap_config.cpp.
     */
    bool secureLDAP;

    /** @brief Bind credential held in memory in clear.
     *  NOTE(review): confirm whether save()/serialize() persist this value
     *  and, if so, that configPersistPath is created with restrictive
     *  permissions.
     */
    std::string ldapBindPassword{};

    /** @brief CA certificate file path (from caCertFile). */
    std::string tlsCacertFile{};

    /** @brief Client certificate file path (from certFile). */
    std::string tlsCertFile{};

    /** @brief LDAP configuration file written by writeConfig() (from
     *         filePath).
     */
    std::string configFilePath{};

    /** @brief D-Bus object path this object is attached at. */
    std::string objectPath{};

    /** @brief Location used by serialize()/deserialize(). */
    std::filesystem::path configPersistPath{};

    /** @brief Persistent sdbusplus D-Bus bus connection. */
    sdbusplus::bus_t& bus;

    /** @brief Create a new LDAP config file.
     *  Virtual so a test double (see the MockConfigMgr friendship below)
     *  can presumably intercept the file write.
     */
    virtual void writeConfig();

    /** @brief reference to config manager object */
    ConfigMgr& parent;

    /** @brief Id of the last privilege mapper entry */
    Id entryId = 0;

    /** @brief container to hold privilege mapper objects, keyed by entry Id */
    std::map<Id, std::unique_ptr<LDAPMapperEntry>> PrivilegeMapperList;

    /** @brief available privileges container
     *  Presumably the set checkPrivilegeLevel() validates against - confirm
     *  in ldap_config.cpp.
     */
    std::set<std::string> privMgr = {
        "priv-admin",
        "priv-operator",
        "priv-user",
    };

    /** @brief React to InterfaceAdded signal
     *  @param[in] msg - sdbusplus message
     */
    void certificateInstalled(sdbusplus::message_t& msg);
    sdbusplus::bus::match_t certificateInstalledSignal;

    /** @brief Match for the CA certificate counterpart of
     *         certificateInstalledSignal; its handler is set up in
     *         ldap_config.cpp.
     */
    sdbusplus::bus::match_t cacertificateInstalledSignal;

    /** @brief React to certificate changed signal
     *  @param[in] msg - sdbusplus message
     */
    void certificateChanged(sdbusplus::message_t& msg);
    sdbusplus::bus::match_t certificateChangedSignal;

    friend class MockConfigMgr;
};

} // namespace ldap
} // namespace phosphor