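#pragma once

#include "config.h"
#include <xyz/openbmc_project/Object/Enable/server.hpp>
#include <xyz/openbmc_project/User/Ldap/Create/server.hpp>
#include <xyz/openbmc_project/User/Ldap/Config/server.hpp>
#include <xyz/openbmc_project/User/PrivilegeMapper/server.hpp>
#include <xyz/openbmc_project/Common/error.hpp>
#include "ldap_mapper_entry.hpp"
#include <phosphor-logging/log.hpp>
#include <phosphor-logging/elog.hpp>
#include <phosphor-logging/elog-errors.hpp>
#include <sdbusplus/bus.hpp>
#include <sdbusplus/server/object.hpp>

#include <cstdint>    // std::uint32_t (Cereal version argument)
#include <filesystem>
#include <map>        // std::map (PrivilegeMapperList)
#include <memory>     // std::unique_ptr (PrivilegeMapperList)
#include <set>
#include <string>

namespace phosphor
{
namespace ldap
{

// NOTE: these using-directives live in a header and therefore leak into
// every translation unit that includes it. They are kept because existing
// includers may rely on the unqualified names.
using namespace phosphor::logging;
using namespace sdbusplus::xyz::openbmc_project::Common::Error;
using ConfigIface = sdbusplus::xyz::openbmc_project::User::Ldap::server::Config;
using EnableIface = sdbusplus::xyz::openbmc_project::Object::server::Enable;
using CreateIface = sdbusplus::server::object::object<
    sdbusplus::xyz::openbmc_project::User::Ldap::server::Create>;
namespace fs = std::filesystem;
using MapperIface =
    sdbusplus::xyz::openbmc_project::User::server::PrivilegeMapper;

/** @brief The three D-Bus interfaces a Config object implements. */
using Ifaces =
    sdbusplus::server::object::object<ConfigIface, EnableIface, MapperIface>;
using ObjectPath = sdbusplus::message::object_path;

class ConfigMgr;
class MockConfigMgr;

/** @class Config
 *  @brief Configuration for LDAP.
 *  @details Concrete implementation of the xyz.openbmc_project.User.Ldap.Config
 *           API, in order to provide LDAP configuration. The same object also
 *           implements xyz.openbmc_project.Object.Enable (service on/off) and
 *           xyz.openbmc_project.User.PrivilegeMapper (LDAP group -> privilege
 *           role mappings, held as LDAPMapperEntry children).
 *
 *  The property setters and create() are reachable by any D-Bus client
 *  allowed to talk to this service, so their arguments are untrusted input;
 *  validation lives in the implementation file, not here.
 */
class Config : public Ifaces
{
  public:
    Config() = delete;
    ~Config() = default;
    Config(const Config&) = delete;
    Config& operator=(const Config&) = delete;
    Config(Config&&) = default;
    // Written as = delete rather than = default: the reference members
    // `bus` and `parent` make a defaulted move assignment operator deleted
    // anyway, so this only makes the existing state visible at the
    // declaration (and silences "defaulted function deleted" diagnostics).
    Config& operator=(Config&&) = delete;

    /** @brief Constructor to put object onto bus at a D-Bus path.
     *  @param[in] bus - Bus to attach to.
     *  @param[in] path - The D-Bus object path to attach at.
     *  @param[in] filePath - LDAP configuration file.
     *  @param[in] caCertFile - LDAP's CA certificate file.
     *  @param[in] secureLDAP - Specifies whether to use SSL or not.
     *  @param[in] lDAPServerURI - LDAP URI of the server.
     *  @param[in] lDAPBindDN - distinguished name with which to bind.
     *  @param[in] lDAPBaseDN - distinguished name to use as search base.
     *  @param[in] lDAPBindDNPassword - credentials with which to bind
     *             (taken by rvalue reference so the caller's copy can be
     *             moved from rather than duplicated).
     *  @param[in] lDAPSearchScope - the search scope.
     *  @param[in] lDAPType - Specifies the LDAP server type which can be AD
     *             or openLDAP.
     *  @param[in] lDAPServiceEnabled - Specifies whether the service would be
     *             enabled or not.
     *  @param[in] groupNameAttribute - Specifies attribute name that contains
     *             the name of the Group in the LDAP server.
     *  @param[in] userNameAttribute - Specifies attribute name that contains
     *             the username in the LDAP server.
     *  @param[in] parent - parent of config object.
     */
    Config(sdbusplus::bus::bus& bus, const char* path, const char* filePath,
           const char* caCertFile, bool secureLDAP, std::string lDAPServerURI,
           std::string lDAPBindDN, std::string lDAPBaseDN,
           std::string&& lDAPBindDNPassword,
           ConfigIface::SearchScope lDAPSearchScope, ConfigIface::Type lDAPType,
           bool lDAPServiceEnabled, std::string groupNameAttribute,
           std::string userNameAttribute, ConfigMgr& parent);

    /** @brief Constructor to put object onto bus at a D-Bus path.
     *
     *  Minimal form: the remaining properties are expected to come from
     *  deserialize() / restoreRoleMapping() (see those members); this header
     *  does not define that sequence.
     *
     *  @param[in] bus - Bus to attach to.
     *  @param[in] path - The D-Bus object path to attach at.
     *  @param[in] filePath - LDAP configuration file.
     *  @param[in] caCertFile - LDAP's CA certificate file.
     *  @param[in] lDAPType - Specifies the LDAP server type which can be AD
     *             or openLDAP.
     *  @param[in] parent - parent of config object.
     */
    Config(sdbusplus::bus::bus& bus, const char* path, const char* filePath,
           const char* caCertFile, ConfigIface::Type lDAPType,
           ConfigMgr& parent);

    // Re-expose the generated property getters that the overrides below
    // would otherwise hide.
    using ConfigIface::groupNameAttribute;
    using ConfigIface::lDAPBaseDN;
    using ConfigIface::lDAPBindDN;
    using ConfigIface::lDAPBindDNPassword;
    using ConfigIface::lDAPSearchScope;
    using ConfigIface::lDAPServerURI;
    using ConfigIface::lDAPType;
    using ConfigIface::setPropertyByName;
    using ConfigIface::userNameAttribute;
    using EnableIface::enabled;

    /** @brief Update the Server URI property.
     *  @param[in] value - lDAPServerURI value to be updated.
     *  @returns value of changed lDAPServerURI.
     */
    std::string lDAPServerURI(std::string value) override;

    /** @brief Update the BindDN property.
     *  @param[in] value - lDAPBindDN value to be updated.
     *  @returns value of changed lDAPBindDN.
     */
    std::string lDAPBindDN(std::string value) override;

    /** @brief Update the BaseDN property.
     *  @param[in] value - lDAPBaseDN value to be updated.
     *  @returns value of changed lDAPBaseDN.
     */
    std::string lDAPBaseDN(std::string value) override;

    /** @brief Update the Search scope property.
     *  @param[in] value - lDAPSearchScope value to be updated.
     *  @returns value of changed lDAPSearchScope.
     */
    ConfigIface::SearchScope
        lDAPSearchScope(ConfigIface::SearchScope value) override;

    /** @brief Update the LDAP Type property.
     *  @param[in] value - lDAPType value to be updated.
     *  @returns value of changed lDAPType.
     */
    ConfigIface::Type lDAPType(ConfigIface::Type value) override;

    /** @brief Update the ldapServiceEnabled property.
     *  @param[in] value - ldapServiceEnabled value to be updated.
     *  @returns value of changed ldapServiceEnabled.
     */
    bool enabled(bool value) override;

    /** @brief Update the userNameAttribute property.
     *  @param[in] value - userNameAttribute value to be updated.
     *  @returns value of changed userNameAttribute.
     */
    std::string userNameAttribute(std::string value) override;

    /** @brief Update the groupNameAttribute property.
     *  @param[in] value - groupNameAttribute value to be updated.
     *  @returns value of changed groupNameAttribute.
     */
    std::string groupNameAttribute(std::string value) override;

    /** @brief Update the BindDNPassword property.
     *  @param[in] value - lDAPBindDNPassword value to be updated.
     *  @returns value of changed lDAPBindDNPassword.
     */
    std::string lDAPBindDNPassword(std::string value) override;

    /** @brief Function required by Cereal to perform deserialization.
     *  @tparam Archive - Cereal archive type (binary in our case).
     *  @param[in] archive - reference to Cereal archive.
     *  @param[in] version - Class version that enables handling
     *                       a serialized data across code levels
     */
    template <class Archive>
    void load(Archive& archive, const std::uint32_t version);

    /** @brief Function required by Cereal to perform serialization.
     *  @tparam Archive - Cereal archive type (binary in our case).
     *  @param[in] archive - reference to Cereal archive.
     *  @param[in] version - Class version that enables handling
     *                       a serialized data across code levels
     *
     *  Which members are written (in particular whether the bind password
     *  is) is decided by the template definition, not by this header.
     */
    template <class Archive>
    void save(Archive& archive, const std::uint32_t version) const;

    /** @brief Serialize and persist this object at the persist
     *         location (configPersistPath).
     */
    void serialize();

    /** @brief Deserialize LDAP config data from the persistent location
     *         into this object
     *  @return bool - true if the deserialization was successful, false
     *                 otherwise.
     */
    bool deserialize();

    /** @brief enable or disable the service with the given value
     *  @param[in] value - enable/disable
     *  @returns value of changed status
     */
    bool enableService(bool value);

    /** @brief Creates a mapping for the group to the privilege
     *
     *  This is the PrivilegeMapper.Create D-Bus method, so both arguments
     *  arrive from a bus client. checkPrivilegeMapper() and
     *  checkPrivilegeLevel() exist for validating them; whether create()
     *  calls them is defined in the implementation file.
     *
     *  @param[in] groupName - Group Name to which the privilege needs to be
     *                         assigned.
     *  @param[in] privilege - The privilege role associated with the group.
     *
     *  @return On success return the D-Bus object path of the created privilege
     *          mapper entry.
     */
    ObjectPath create(std::string groupName, std::string privilege) override;

    /** @brief Delete privilege mapping for LDAP group
     *
     *  This method deletes the privilege mapping
     *
     *  @param[in] id - id of the object which needs to be deleted.
     */
    void deletePrivilegeMapper(Id id);

    /** @brief Check if LDAP group privilege mapping requested is valid
     *
     *  Rejects the request when the group name is empty or when a privilege
     *  mapping already exists for that LDAP group name.
     *
     *  @param[in] groupName - LDAP group name
     *
     *  @return throw exception if the conditions are not met.
     */
    void checkPrivilegeMapper(const std::string& groupName);

    /** @brief Check if the privilege level is a valid one
     *
     *  @param[in] privilege - Privilege level
     *
     *  @return throw exception if the conditions are not met.
     */
    void checkPrivilegeLevel(const std::string& privilege);

    /** @brief Construct LDAP mapper entry D-Bus objects from their persisted
     *         representations.
     */
    void restoreRoleMapping();

  private:
    /** @brief Whether the connection uses SSL; brace-initialised so the
     *         object never carries an indeterminate value before a
     *         constructor or deserialize() assigns it.
     */
    bool secureLDAP{false};

    /** @brief Bind password as given to the constructor / setter.
     *         Held in a plain std::string: it is not wiped from memory on
     *         destruction or reassignment.
     */
    std::string lDAPBindPassword{};

    /** @brief Path of the TLS CA certificate file. */
    std::string tlsCacertFile{};

    /** @brief Path of the generated LDAP configuration file. */
    std::string configFilePath{};

    /** @brief D-Bus object path this object is attached at. */
    std::string objectPath{};

    /** @brief Location serialize()/deserialize() use for the Cereal archive. */
    std::filesystem::path configPersistPath{};

    /** @brief Persistent sdbusplus D-Bus bus connection. */
    sdbusplus::bus::bus& bus;

    /** @brief Create a new LDAP config file.
     *         Virtual so MockConfigMgr-driven tests can substitute it.
     */
    virtual void writeConfig();

    /** @brief reference to config manager object */
    ConfigMgr& parent;

    /** @brief Id of the last privilege mapper entry */
    Id entryId = 0;

    /** @brief container to hold privilege mapper objects, keyed by entry Id */
    std::map<Id, std::unique_ptr<LDAPMapperEntry>> PrivilegeMapperList;

    /** @brief Allow-list of privilege role names a group may be mapped to.
     *         Presumably what checkPrivilegeLevel() validates against —
     *         confirm in the implementation.
     */
    std::set<std::string> privMgr = {"priv-admin", "priv-operator", "priv-user",
                                     "priv-callback"};

    friend class MockConfigMgr;
};

} // namespace ldap
} // namespace phosphor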