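#pragma once

#include "config.h"

#include "ldap_mapper_entry.hpp"

#include <phosphor-logging/elog-errors.hpp>
#include <phosphor-logging/elog.hpp>
#include <phosphor-logging/log.hpp>
#include <sdbusplus/bus.hpp>
#include <sdbusplus/server/object.hpp>
#include <xyz/openbmc_project/Common/error.hpp>
#include <xyz/openbmc_project/Object/Enable/server.hpp>
#include <xyz/openbmc_project/User/Ldap/Config/server.hpp>
#include <xyz/openbmc_project/User/Ldap/Create/server.hpp>
#include <xyz/openbmc_project/User/PrivilegeMapper/server.hpp>

// <cstdint>, <map> and <memory> are used directly below (std::uint32_t,
// std::map, std::unique_ptr); include them explicitly instead of relying on
// whatever the sdbusplus headers happen to pull in transitively.
#include <cstdint>
#include <filesystem>
#include <map>
#include <memory>
#include <set>
#include <string>

// Compatibility shim for sdbusplus generated code that still uses the old
// "lDAP..." property/method spelling.  These are object-like macros at file
// scope, so they rewrite EVERY later occurrence of the lowercase token in any
// translation unit that includes this header, not just the members declared
// here.  Do not introduce identifiers with these names that mean something
// else.
#ifndef SDBUSPP_NEW_CAMELCASE
#define ldapBaseDN lDAPBaseDN
#define ldapBindDN lDAPBindDN
#define ldapBindDNPassword lDAPBindDNPassword
#define ldapSearchScope lDAPSearchScope
#define ldapServerURI lDAPServerURI
#define ldapType lDAPType
#endif

namespace phosphor
{
namespace ldap
{

using namespace phosphor::logging;
using namespace sdbusplus::xyz::openbmc_project::Common::Error;

/** @brief Generated server binding for xyz.openbmc_project.User.Ldap.Config. */
using ConfigIface =
    sdbusplus::xyz::openbmc_project::User::Ldap::server::Config;
/** @brief Generated server binding for xyz.openbmc_project.Object.Enable. */
using EnableIface = sdbusplus::xyz::openbmc_project::Object::server::Enable;
/** @brief Server object type for xyz.openbmc_project.User.Ldap.Create. */
using CreateIface = sdbusplus::server::object::object<
    sdbusplus::xyz::openbmc_project::User::Ldap::server::Create>;
namespace fs = std::filesystem;
/** @brief Generated server binding for
 *         xyz.openbmc_project.User.PrivilegeMapper. */
using MapperIface =
    sdbusplus::xyz::openbmc_project::User::server::PrivilegeMapper;

/** @brief The three interfaces a Config object exposes on D-Bus. */
using Ifaces =
    sdbusplus::server::object::object<ConfigIface, EnableIface, MapperIface>;
using ObjectPath = sdbusplus::message::object_path;

namespace sdbusRule = sdbusplus::bus::match::rules;

class ConfigMgr;
class MockConfigMgr;

/** @class Config
 *  @brief Configuration for LDAP.
 *  @details concrete implementation of xyz.openbmc_project.User.Ldap.Config
 *  API, in order to provide LDAP configuration.
 *
 *  The object is not copyable: it holds references to the bus and to its
 *  owning ConfigMgr.  Because of those reference members the defaulted move
 *  assignment operator is implicitly deleted by the compiler; only move
 *  construction is actually available.
 */
class Config : public Ifaces
{
  public:
    Config() = delete;
    ~Config() = default;
    Config(const Config&) = delete;
    Config& operator=(const Config&) = delete;
    Config(Config&&) = default;
    // Defined as deleted: reference members (bus, parent) cannot be reseated.
    Config& operator=(Config&&) = default;

    /** @brief Constructor to put object onto bus at a D-Bus path.
     *  @param[in] bus - Bus to attach to.
     *  @param[in] path - The D-Bus object path to attach at.
     *  @param[in] filePath - LDAP configuration file.
     *  @param[in] caCertFile - LDAP's CA certificate file.
     *  @param[in] certFile - LDAP's client certificate file.
     *  @param[in] secureLDAP - Specifies whether to use SSL or not.
     *  @param[in] ldapServerURI - LDAP URI of the server.
     *  @param[in] ldapBindDN - distinguished name with which to bind.
     *  @param[in] ldapBaseDN - distinguished name to use as search base.
     *  @param[in] ldapBindDNPassword - credentials with which to bind
     *             (taken by rvalue reference so the caller's copy can be
     *             moved from rather than duplicated).
     *  @param[in] ldapSearchScope - the search scope.
     *  @param[in] ldapType - Specifies the LDAP server type which can be AD
     *             or openLDAP.
     *  @param[in] ldapServiceEnabled - Specifies whether the service would be
     *             enabled or not.
     *  @param[in] groupNameAttribute - Specifies attribute name that contains
     *             the name of the Group in the LDAP server.
     *  @param[in] userNameAttribute - Specifies attribute name that contains
     *             the username in the LDAP server.
     *
     *  @param[in] parent - parent of config object.
     */

    Config(sdbusplus::bus::bus& bus, const char* path, const char* filePath,
           const char* caCertFile, const char* certFile, bool secureLDAP,
           std::string ldapServerURI, std::string ldapBindDN,
           std::string ldapBaseDN, std::string&& ldapBindDNPassword,
           ConfigIface::SearchScope ldapSearchScope, ConfigIface::Type ldapType,
           bool ldapServiceEnabled, std::string groupNameAttribute,
           std::string userNameAttribute, ConfigMgr& parent);

    /** @brief Constructor to put object onto bus at a D-Bus path.
     *  @details Used when the remaining properties are expected to come from
     *           persisted data (see deserialize()) rather than from the
     *           caller.
     *  @param[in] bus - Bus to attach to.
     *  @param[in] path - The D-Bus object path to attach at.
     *  @param[in] filePath - LDAP configuration file.
     *  @param[in] caCertFile - LDAP's CA certificate file.
     *  @param[in] certFile - LDAP's client certificate file.
     *  @param[in] ldapType - Specifies the LDAP server type which can be AD
     *             or openLDAP.
     *  @param[in] parent - parent of config object.
     */
    Config(sdbusplus::bus::bus& bus, const char* path, const char* filePath,
           const char* caCertFile, const char* certFile,
           ConfigIface::Type ldapType, ConfigMgr& parent);

    // Re-expose the generated getters so the overriding setters below do not
    // hide them.
    using ConfigIface::groupNameAttribute;
    using ConfigIface::ldapBaseDN;
    using ConfigIface::ldapBindDN;
    using ConfigIface::ldapBindDNPassword;
    using ConfigIface::ldapSearchScope;
    using ConfigIface::ldapServerURI;
    using ConfigIface::ldapType;
    using ConfigIface::setPropertyByName;
    using ConfigIface::userNameAttribute;
    using EnableIface::enabled;

    /** @brief Update the Server URI property.
     *  @param[in] value - ldapServerURI value to be updated.
     *  @returns value of changed ldapServerURI.
     */
    std::string ldapServerURI(std::string value) override;

    /** @brief Update the BindDN property.
     *  @param[in] value - ldapBindDN value to be updated.
     *  @returns value of changed ldapBindDN.
     */
    std::string ldapBindDN(std::string value) override;

    /** @brief Update the BaseDN property.
     *  @param[in] value - ldapBaseDN value to be updated.
     *  @returns value of changed ldapBaseDN.
     */
    std::string ldapBaseDN(std::string value) override;

    /** @brief Update the Search scope property.
     *  @param[in] value - ldapSearchScope value to be updated.
     *  @returns value of changed ldapSearchScope.
     */
    ConfigIface::SearchScope
        ldapSearchScope(ConfigIface::SearchScope value) override;

    /** @brief Update the LDAP Type property.
     *  @param[in] value - ldapType value to be updated.
     *  @returns value of changed ldapType.
     */
    ConfigIface::Type ldapType(ConfigIface::Type value) override;

    /** @brief Update the ldapServiceEnabled property.
     *  @param[in] value - ldapServiceEnabled value to be updated.
     *  @returns value of changed ldapServiceEnabled.
     */
    bool enabled(bool value) override;

    /** @brief Update the userNameAttribute property.
     *  @param[in] value - userNameAttribute value to be updated.
     *  @returns value of changed userNameAttribute.
     */
    std::string userNameAttribute(std::string value) override;

    /** @brief Update the groupNameAttribute property.
     *  @param[in] value - groupNameAttribute value to be updated.
     *  @returns value of changed groupNameAttribute.
     */
    std::string groupNameAttribute(std::string value) override;

    /** @brief Update the BindDNPassword property.
     *  @param[in] value - ldapBindDNPassword value to be updated.
     *  @returns value of changed ldapBindDNPassword.
     *  @note This is a credential arriving over D-Bus; the definition should
     *        avoid logging the value.
     */
    std::string ldapBindDNPassword(std::string value) override;

    /** @brief Function required by Cereal to perform deserialization.
     *  @tparam Archive - Cereal archive type (binary in our case).
     *  @param[in] archive - reference to Cereal archive.
     *  @param[in] version - Class version that enables handling
     *                       a serialized data across code levels
     */
    template <class Archive>
    void load(Archive& archive, const std::uint32_t version);

    /** @brief Function required by Cereal to perform serialization.
     *  @tparam Archive - Cereal archive type (binary in our case).
     *  @param[in] archive - reference to Cereal archive.
     *  @param[in] version - Class version that enables handling
     *                       a serialized data across code levels
     */
    template <class Archive>
    void save(Archive& archive, const std::uint32_t version) const;

    /** @brief Serialize and persist this object at the persist
     *         location (configPersistPath).
     */
    void serialize();

    /** @brief Deserialize LDAP config data from the persistent location
     *         into this object
     *  @return bool - true if the deserialization was successful, false
     *                 otherwise.
     */
    bool deserialize();

    /** @brief enable or disable the service with the given value
     *  @param[in] value - enable/disable
     *  @returns value of changed status
     */
    bool enableService(bool value);

    /** @brief Creates a mapping for the group to the privilege
     *
     *  @param[in] groupName - Group Name to which the privilege needs to be
     *                         assigned.
     *  @param[in] privilege - The privilege role associated with the group.
     *
     *  @return On success return the D-Bus object path of the created privilege
     *          mapper entry.
     */
    ObjectPath create(std::string groupName, std::string privilege) override;

    /** @brief Delete privilege mapping for LDAP group
     *
     *  This method deletes the privilege mapping
     *
     *  @param[in] id - id of the object which needs to be deleted.
     */
    void deletePrivilegeMapper(Id id);

    /** @brief Check if LDAP group privilege mapping requested is valid
     *
     *  Check if the privilege mapping already exists for the LDAP group name
     *  and whether the group name is empty.
     *
     *  @param[in] groupName - LDAP group name
     *
     *  @throws an exception if the conditions are not met.
     */
    void checkPrivilegeMapper(const std::string& groupName);

    /** @brief Check if the privilege level is a valid one
     *
     *  @param[in] privilege - Privilege level (presumably checked against
     *                         privMgr below; the definition is not in this
     *                         header)
     *
     *  @throws an exception if the conditions are not met.
     */
    void checkPrivilegeLevel(const std::string& privilege);

    /** @brief Construct LDAP mapper entry D-Bus objects from their persisted
     *         representations.
     */
    void restoreRoleMapping();

  private:
    // Brace-initialised so the value is never indeterminate if a constructor
    // path does not assign it before it is read.
    bool secureLDAP{false};
    /** @brief LDAP bind credential, held in plain process memory and written
     *         out by save()/serialize() together with the rest of the object.
     *         NOTE(review): confirm the persist file under configPersistPath
     *         and the LDAP config file written by writeConfig() are created
     *         with owner-only permissions.
     */
    std::string ldapBindPassword{};
    std::string tlsCacertFile{};
    std::string tlsCertFile{};
    std::string configFilePath{};
    std::string objectPath{};
    std::filesystem::path configPersistPath{};

    /** @brief Persistent sdbusplus D-Bus bus connection.
     */
    sdbusplus::bus::bus& bus;

    /** @brief Create a new LDAP config file.
     */
    virtual void writeConfig();

    /** @brief reference to config manager object */
    ConfigMgr& parent;

    /** @brief Id of the last privilege mapper entry */
    Id entryId = 0;

    /** @brief container to hold privilege mapper objects */
    std::map<Id, std::unique_ptr<LDAPMapperEntry>> PrivilegeMapperList;

    /** @brief available privileges container */
    std::set<std::string> privMgr = {
        "priv-admin",
        "priv-operator",
        "priv-user",
        "priv-noaccess",
    };

    /** @brief React to InterfaceAdded signal
     *  @param[in] msg - sdbusplus message
     */
    void certificateInstalled(sdbusplus::message::message& msg);
    sdbusplus::bus::match_t certificateInstalledSignal;

    sdbusplus::bus::match_t cacertificateInstalledSignal;

    /** @brief React to certificate changed signal
     *  @param[in] msg - sdbusplus message
     */
    void certificateChanged(sdbusplus::message::message& msg);
    sdbusplus::bus::match_t certificateChangedSignal;

    friend class MockConfigMgr;
};

} // namespace ldap
} // namespace phosphor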