188d16c9aSLewanczyk, Dawid /* 288d16c9aSLewanczyk, Dawid // Copyright (c) 2018 Intel Corporation 388d16c9aSLewanczyk, Dawid // 488d16c9aSLewanczyk, Dawid // Licensed under the Apache License, Version 2.0 (the "License"); 588d16c9aSLewanczyk, Dawid // you may not use this file except in compliance with the License. 688d16c9aSLewanczyk, Dawid // You may obtain a copy of the License at 788d16c9aSLewanczyk, Dawid // 888d16c9aSLewanczyk, Dawid // http://www.apache.org/licenses/LICENSE-2.0 988d16c9aSLewanczyk, Dawid // 1088d16c9aSLewanczyk, Dawid // Unless required by applicable law or agreed to in writing, software 1188d16c9aSLewanczyk, Dawid // distributed under the License is distributed on an "AS IS" BASIS, 1288d16c9aSLewanczyk, Dawid // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 1388d16c9aSLewanczyk, Dawid // See the License for the specific language governing permissions and 1488d16c9aSLewanczyk, Dawid // limitations under the License. 1588d16c9aSLewanczyk, Dawid */ 1688d16c9aSLewanczyk, Dawid #pragma once 1788d16c9aSLewanczyk, Dawid 187e860f15SJohn Edward Broadbent #include <app.hpp> 1924c8542dSRatan Gupta #include <dbus_utility.hpp> 2065b0dc32SEd Tanous #include <error_messages.hpp> 21b9b2e0b2SEd Tanous #include <openbmc_dbus_rest.hpp> 2252cc112dSEd Tanous #include <persistent_data.hpp> 2345ca1b86SEd Tanous #include <query.hpp> 24ed398213SEd Tanous #include <registries/privilege_registry.hpp> 251e1e598dSJonathan Doman #include <sdbusplus/asio/property.hpp> 26a840879dSEd Tanous #include <utils/json_utils.hpp> 271214b7e7SGunnar Mills 281abe55efSEd Tanous namespace redfish 291abe55efSEd Tanous { 3088d16c9aSLewanczyk, Dawid 3123a21a1cSEd Tanous constexpr const char* ldapConfigObjectName = 326973a582SRatan Gupta "/xyz/openbmc_project/user/ldap/openldap"; 332c70f800SEd Tanous constexpr const char* adConfigObject = 34ab828d7cSRatan Gupta "/xyz/openbmc_project/user/ldap/active_directory"; 35ab828d7cSRatan Gupta 36b477fd44SP Dheeraj Srujan Kumar constexpr const char* rootUserDbusPath = "/xyz/openbmc_project/user/"; 376973a582SRatan Gupta constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap"; 386973a582SRatan Gupta constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config"; 396973a582SRatan Gupta constexpr const char* ldapConfigInterface = 406973a582SRatan Gupta "xyz.openbmc_project.User.Ldap.Config"; 416973a582SRatan Gupta constexpr const char* ldapCreateInterface = 426973a582SRatan Gupta "xyz.openbmc_project.User.Ldap.Create"; 436973a582SRatan Gupta constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable"; 4406785244SRatan Gupta constexpr const char* ldapPrivMapperInterface = 4506785244SRatan Gupta "xyz.openbmc_project.User.PrivilegeMapper"; 466973a582SRatan Gupta constexpr const char* dbusObjManagerIntf = "org.freedesktop.DBus.ObjectManager"; 476973a582SRatan Gupta constexpr const char* propertyInterface = "org.freedesktop.DBus.Properties"; 486973a582SRatan Gupta constexpr const char* mapperBusName = "xyz.openbmc_project.ObjectMapper"; 496973a582SRatan Gupta constexpr const char* mapperObjectPath = "/xyz/openbmc_project/object_mapper"; 506973a582SRatan Gupta constexpr const char* mapperIntf = "xyz.openbmc_project.ObjectMapper"; 516973a582SRatan Gupta 5254fc587aSNagaraju Goruganti struct LDAPRoleMapData 5354fc587aSNagaraju Goruganti { 5454fc587aSNagaraju Goruganti std::string groupName; 5554fc587aSNagaraju Goruganti std::string privilege; 5654fc587aSNagaraju Goruganti }; 5754fc587aSNagaraju Goruganti 586973a582SRatan Gupta struct LDAPConfigData 596973a582SRatan Gupta { 606973a582SRatan Gupta std::string uri{}; 616973a582SRatan Gupta std::string bindDN{}; 626973a582SRatan Gupta std::string baseDN{}; 636973a582SRatan Gupta std::string searchScope{}; 646973a582SRatan Gupta std::string serverType{}; 656973a582SRatan Gupta bool serviceEnabled = false; 666973a582SRatan Gupta std::string userNameAttribute{}; 676973a582SRatan Gupta std::string groupAttribute{}; 6854fc587aSNagaraju Goruganti std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList; 696973a582SRatan Gupta }; 706973a582SRatan Gupta 7154fc587aSNagaraju Goruganti inline std::string getRoleIdFromPrivilege(std::string_view role) 7284e12cb7SAppaRao Puli { 7384e12cb7SAppaRao Puli if (role == "priv-admin") 7484e12cb7SAppaRao Puli { 7584e12cb7SAppaRao Puli return "Administrator"; 7684e12cb7SAppaRao Puli } 773174e4dfSEd Tanous if (role == "priv-user") 7884e12cb7SAppaRao Puli { 79c80fee55SAppaRao Puli return "ReadOnly"; 8084e12cb7SAppaRao Puli } 813174e4dfSEd Tanous if (role == "priv-operator") 8284e12cb7SAppaRao Puli { 8384e12cb7SAppaRao Puli return "Operator"; 8484e12cb7SAppaRao Puli } 8526f6976fSEd Tanous if (role.empty() || (role == "priv-noaccess")) 86e9e6d240Sjayaprakash Mutyala { 87e9e6d240Sjayaprakash Mutyala return "NoAccess"; 88e9e6d240Sjayaprakash Mutyala } 8984e12cb7SAppaRao Puli return ""; 9084e12cb7SAppaRao Puli } 9154fc587aSNagaraju Goruganti inline std::string getPrivilegeFromRoleId(std::string_view role) 9284e12cb7SAppaRao Puli { 9384e12cb7SAppaRao Puli if (role == "Administrator") 9484e12cb7SAppaRao Puli { 9584e12cb7SAppaRao Puli return "priv-admin"; 9684e12cb7SAppaRao Puli } 973174e4dfSEd Tanous if (role == "ReadOnly") 9884e12cb7SAppaRao Puli { 9984e12cb7SAppaRao Puli return "priv-user"; 10084e12cb7SAppaRao Puli } 1013174e4dfSEd Tanous if (role == "Operator") 10284e12cb7SAppaRao Puli { 10384e12cb7SAppaRao Puli return "priv-operator"; 10484e12cb7SAppaRao Puli } 10526f6976fSEd Tanous if ((role == "NoAccess") || (role.empty())) 106e9e6d240Sjayaprakash Mutyala { 107e9e6d240Sjayaprakash Mutyala return "priv-noaccess"; 108e9e6d240Sjayaprakash Mutyala } 10984e12cb7SAppaRao Puli return ""; 11084e12cb7SAppaRao Puli } 111b9b2e0b2SEd Tanous 1128d1b46d7Szhanghch05 inline void userErrorMessageHandler( 1138d1b46d7Szhanghch05 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 1148d1b46d7Szhanghch05 const std::string& newUser, const std::string& username) 11566b5ca76Sjayaprakash Mutyala { 11666b5ca76Sjayaprakash Mutyala if (e == nullptr) 11766b5ca76Sjayaprakash Mutyala { 11866b5ca76Sjayaprakash Mutyala messages::internalError(asyncResp->res); 11966b5ca76Sjayaprakash Mutyala return; 12066b5ca76Sjayaprakash Mutyala } 12166b5ca76Sjayaprakash Mutyala 122055806b3SManojkiran Eda const char* errorMessage = e->name; 12366b5ca76Sjayaprakash Mutyala if (strcmp(errorMessage, 12466b5ca76Sjayaprakash Mutyala "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0) 12566b5ca76Sjayaprakash Mutyala { 12666b5ca76Sjayaprakash Mutyala messages::resourceAlreadyExists(asyncResp->res, 1278114bd4dSGunnar Mills "#ManagerAccount.v1_4_0.ManagerAccount", 12866b5ca76Sjayaprakash Mutyala "UserName", newUser); 12966b5ca76Sjayaprakash Mutyala } 13066b5ca76Sjayaprakash Mutyala else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error." 13166b5ca76Sjayaprakash Mutyala "UserNameDoesNotExist") == 0) 13266b5ca76Sjayaprakash Mutyala { 13366b5ca76Sjayaprakash Mutyala messages::resourceNotFound( 1348114bd4dSGunnar Mills asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", username); 13566b5ca76Sjayaprakash Mutyala } 136d4d25793SEd Tanous else if ((strcmp(errorMessage, 137d4d25793SEd Tanous "xyz.openbmc_project.Common.Error.InvalidArgument") == 138d4d25793SEd Tanous 0) || 1390fda0f12SGeorge Liu (strcmp( 1400fda0f12SGeorge Liu errorMessage, 1410fda0f12SGeorge Liu "xyz.openbmc_project.User.Common.Error.UserNameGroupFail") == 1420fda0f12SGeorge Liu 0)) 14366b5ca76Sjayaprakash Mutyala { 14466b5ca76Sjayaprakash Mutyala messages::propertyValueFormatError(asyncResp->res, newUser, "UserName"); 14566b5ca76Sjayaprakash Mutyala } 14666b5ca76Sjayaprakash Mutyala else if (strcmp(errorMessage, 14766b5ca76Sjayaprakash Mutyala "xyz.openbmc_project.User.Common.Error.NoResource") == 0) 14866b5ca76Sjayaprakash Mutyala { 14966b5ca76Sjayaprakash Mutyala messages::createLimitReachedForResource(asyncResp->res); 15066b5ca76Sjayaprakash Mutyala } 15166b5ca76Sjayaprakash Mutyala else 15266b5ca76Sjayaprakash Mutyala { 15366b5ca76Sjayaprakash Mutyala messages::internalError(asyncResp->res); 15466b5ca76Sjayaprakash Mutyala } 15566b5ca76Sjayaprakash Mutyala } 15666b5ca76Sjayaprakash Mutyala 15781ce609eSEd Tanous inline void parseLDAPConfigData(nlohmann::json& jsonResponse, 158ab828d7cSRatan Gupta const LDAPConfigData& confData, 159ab828d7cSRatan Gupta const std::string& ldapType) 1606973a582SRatan Gupta { 161ab828d7cSRatan Gupta std::string service = 162ab828d7cSRatan Gupta (ldapType == "LDAP") ? "LDAPService" : "ActiveDirectoryService"; 16354fc587aSNagaraju Goruganti 164*1476687dSEd Tanous nlohmann::json& ldap = jsonResponse[ldapType]; 16554fc587aSNagaraju Goruganti 166*1476687dSEd Tanous ldap["ServiceEnabled"] = confData.serviceEnabled; 167*1476687dSEd Tanous ldap["ServiceAddresses"] = nlohmann::json::array({confData.uri}); 168*1476687dSEd Tanous ldap["Authentication"]["AuthenticationType"] = "UsernameAndPassword"; 169*1476687dSEd Tanous ldap["Authentication"]["Username"] = confData.bindDN; 170*1476687dSEd Tanous ldap["Authentication"]["Password"] = nullptr; 171*1476687dSEd Tanous 172*1476687dSEd Tanous ldap["LDAPService"]["SearchSettings"]["BaseDistinguishedNames"] = 173*1476687dSEd Tanous nlohmann::json::array({confData.baseDN}); 174*1476687dSEd Tanous ldap["LDAPService"]["SearchSettings"]["UsernameAttribute"] = 175*1476687dSEd Tanous confData.userNameAttribute; 176*1476687dSEd Tanous ldap["LDAPService"]["SearchSettings"]["GroupsAttribute"] = 177*1476687dSEd Tanous confData.groupAttribute; 178*1476687dSEd Tanous 179*1476687dSEd Tanous nlohmann::json& roleMapArray = ldap["RemoteRoleMapping"]; 18054fc587aSNagaraju Goruganti roleMapArray = nlohmann::json::array(); 1819eb808c1SEd Tanous for (const auto& obj : confData.groupRoleList) 18254fc587aSNagaraju Goruganti { 18354fc587aSNagaraju Goruganti BMCWEB_LOG_DEBUG << "Pushing the data groupName=" 18454fc587aSNagaraju Goruganti << obj.second.groupName << "\n"; 18554fc587aSNagaraju Goruganti roleMapArray.push_back( 18654fc587aSNagaraju Goruganti {nlohmann::json::array({"RemoteGroup", obj.second.groupName}), 18754fc587aSNagaraju Goruganti nlohmann::json::array( 18854fc587aSNagaraju Goruganti {"LocalRole", getRoleIdFromPrivilege(obj.second.privilege)})}); 18954fc587aSNagaraju Goruganti } 1906973a582SRatan Gupta } 1916973a582SRatan Gupta 1926973a582SRatan Gupta /** 19306785244SRatan Gupta * @brief validates given JSON input and then calls appropriate method to 19406785244SRatan Gupta * create, to delete or to set Rolemapping object based on the given input. 19506785244SRatan Gupta * 19606785244SRatan Gupta */ 19723a21a1cSEd Tanous inline void handleRoleMapPatch( 1988d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 19906785244SRatan Gupta const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData, 200f23b7296SEd Tanous const std::string& serverType, const std::vector<nlohmann::json>& input) 20106785244SRatan Gupta { 20206785244SRatan Gupta for (size_t index = 0; index < input.size(); index++) 20306785244SRatan Gupta { 204f23b7296SEd Tanous const nlohmann::json& thisJson = input[index]; 20506785244SRatan Gupta 20606785244SRatan Gupta if (thisJson.is_null()) 20706785244SRatan Gupta { 20806785244SRatan Gupta // delete the existing object 20906785244SRatan Gupta if (index < roleMapObjData.size()) 21006785244SRatan Gupta { 21106785244SRatan Gupta crow::connections::systemBus->async_method_call( 21206785244SRatan Gupta [asyncResp, roleMapObjData, serverType, 21306785244SRatan Gupta index](const boost::system::error_code ec) { 21406785244SRatan Gupta if (ec) 21506785244SRatan Gupta { 21606785244SRatan Gupta BMCWEB_LOG_ERROR << "DBUS response error: " << ec; 21706785244SRatan Gupta messages::internalError(asyncResp->res); 21806785244SRatan Gupta return; 21906785244SRatan Gupta } 22006785244SRatan Gupta asyncResp->res 22106785244SRatan Gupta .jsonValue[serverType]["RemoteRoleMapping"][index] = 22206785244SRatan Gupta nullptr; 22306785244SRatan Gupta }, 22406785244SRatan Gupta ldapDbusService, roleMapObjData[index].first, 22506785244SRatan Gupta "xyz.openbmc_project.Object.Delete", "Delete"); 22606785244SRatan Gupta } 22706785244SRatan Gupta else 22806785244SRatan Gupta { 22906785244SRatan Gupta BMCWEB_LOG_ERROR << "Can't delete the object"; 23006785244SRatan Gupta messages::propertyValueTypeError( 23171f52d96SEd Tanous asyncResp->res, 23271f52d96SEd Tanous thisJson.dump(2, ' ', true, 23371f52d96SEd Tanous nlohmann::json::error_handler_t::replace), 23406785244SRatan Gupta "RemoteRoleMapping/" + std::to_string(index)); 23506785244SRatan Gupta return; 23606785244SRatan Gupta } 23706785244SRatan Gupta } 23806785244SRatan Gupta else if (thisJson.empty()) 23906785244SRatan Gupta { 24006785244SRatan Gupta // Don't do anything for the empty objects,parse next json 24106785244SRatan Gupta // eg {"RemoteRoleMapping",[{}]} 24206785244SRatan Gupta } 24306785244SRatan Gupta else 24406785244SRatan Gupta { 24506785244SRatan Gupta // update/create the object 24606785244SRatan Gupta std::optional<std::string> remoteGroup; 24706785244SRatan Gupta std::optional<std::string> localRole; 24806785244SRatan Gupta 249f23b7296SEd Tanous // This is a copy, but it's required in this case because of how 250f23b7296SEd Tanous // readJson is structured 251f23b7296SEd Tanous nlohmann::json thisJsonCopy = thisJson; 252f23b7296SEd Tanous if (!json_util::readJson(thisJsonCopy, asyncResp->res, 253f23b7296SEd Tanous "RemoteGroup", remoteGroup, "LocalRole", 254f23b7296SEd Tanous localRole)) 25506785244SRatan Gupta { 25606785244SRatan Gupta continue; 25706785244SRatan Gupta } 25806785244SRatan Gupta 25906785244SRatan Gupta // Update existing RoleMapping Object 26006785244SRatan Gupta if (index < roleMapObjData.size()) 26106785244SRatan Gupta { 26206785244SRatan Gupta BMCWEB_LOG_DEBUG << "Update Role Map Object"; 26306785244SRatan Gupta // If "RemoteGroup" info is provided 26406785244SRatan Gupta if (remoteGroup) 26506785244SRatan Gupta { 26606785244SRatan Gupta crow::connections::systemBus->async_method_call( 26706785244SRatan Gupta [asyncResp, roleMapObjData, serverType, index, 26806785244SRatan Gupta remoteGroup](const boost::system::error_code ec) { 26906785244SRatan Gupta if (ec) 27006785244SRatan Gupta { 27106785244SRatan Gupta BMCWEB_LOG_ERROR << "DBUS response error: " 27206785244SRatan Gupta << ec; 27306785244SRatan Gupta messages::internalError(asyncResp->res); 27406785244SRatan Gupta return; 27506785244SRatan Gupta } 27606785244SRatan Gupta asyncResp->res 27706785244SRatan Gupta .jsonValue[serverType]["RemoteRoleMapping"] 27806785244SRatan Gupta [index]["RemoteGroup"] = *remoteGroup; 27906785244SRatan Gupta }, 28006785244SRatan Gupta ldapDbusService, roleMapObjData[index].first, 28106785244SRatan Gupta propertyInterface, "Set", 28206785244SRatan Gupta "xyz.openbmc_project.User.PrivilegeMapperEntry", 28306785244SRatan Gupta "GroupName", 284168e20c1SEd Tanous dbus::utility::DbusVariantType( 285168e20c1SEd Tanous std::move(*remoteGroup))); 28606785244SRatan Gupta } 28706785244SRatan Gupta 28806785244SRatan Gupta // If "LocalRole" info is provided 28906785244SRatan Gupta if (localRole) 29006785244SRatan Gupta { 29106785244SRatan Gupta crow::connections::systemBus->async_method_call( 29206785244SRatan Gupta [asyncResp, roleMapObjData, serverType, index, 29306785244SRatan Gupta localRole](const boost::system::error_code ec) { 29406785244SRatan Gupta if (ec) 29506785244SRatan Gupta { 29606785244SRatan Gupta BMCWEB_LOG_ERROR << "DBUS response error: " 29706785244SRatan Gupta << ec; 29806785244SRatan Gupta messages::internalError(asyncResp->res); 29906785244SRatan Gupta return; 30006785244SRatan Gupta } 30106785244SRatan Gupta asyncResp->res 30206785244SRatan Gupta .jsonValue[serverType]["RemoteRoleMapping"] 30306785244SRatan Gupta [index]["LocalRole"] = *localRole; 30406785244SRatan Gupta }, 30506785244SRatan Gupta ldapDbusService, roleMapObjData[index].first, 30606785244SRatan Gupta propertyInterface, "Set", 30706785244SRatan Gupta "xyz.openbmc_project.User.PrivilegeMapperEntry", 30806785244SRatan Gupta "Privilege", 309168e20c1SEd Tanous dbus::utility::DbusVariantType( 31006785244SRatan Gupta getPrivilegeFromRoleId(std::move(*localRole)))); 31106785244SRatan Gupta } 31206785244SRatan Gupta } 31306785244SRatan Gupta // Create a new RoleMapping Object. 31406785244SRatan Gupta else 31506785244SRatan Gupta { 31606785244SRatan Gupta BMCWEB_LOG_DEBUG 31706785244SRatan Gupta << "setRoleMappingProperties: Creating new Object"; 31806785244SRatan Gupta std::string pathString = 31906785244SRatan Gupta "RemoteRoleMapping/" + std::to_string(index); 32006785244SRatan Gupta 32106785244SRatan Gupta if (!localRole) 32206785244SRatan Gupta { 32306785244SRatan Gupta messages::propertyMissing(asyncResp->res, 32406785244SRatan Gupta pathString + "/LocalRole"); 32506785244SRatan Gupta continue; 32606785244SRatan Gupta } 32706785244SRatan Gupta if (!remoteGroup) 32806785244SRatan Gupta { 32906785244SRatan Gupta messages::propertyMissing(asyncResp->res, 33006785244SRatan Gupta pathString + "/RemoteGroup"); 33106785244SRatan Gupta continue; 33206785244SRatan Gupta } 33306785244SRatan Gupta 33406785244SRatan Gupta std::string dbusObjectPath; 33506785244SRatan Gupta if (serverType == "ActiveDirectory") 33606785244SRatan Gupta { 3372c70f800SEd Tanous dbusObjectPath = adConfigObject; 33806785244SRatan Gupta } 33906785244SRatan Gupta else if (serverType == "LDAP") 34006785244SRatan Gupta { 34123a21a1cSEd Tanous dbusObjectPath = ldapConfigObjectName; 34206785244SRatan Gupta } 34306785244SRatan Gupta 34406785244SRatan Gupta BMCWEB_LOG_DEBUG << "Remote Group=" << *remoteGroup 34506785244SRatan Gupta << ",LocalRole=" << *localRole; 34606785244SRatan Gupta 34706785244SRatan Gupta crow::connections::systemBus->async_method_call( 348271584abSEd Tanous [asyncResp, serverType, localRole, 34906785244SRatan Gupta remoteGroup](const boost::system::error_code ec) { 35006785244SRatan Gupta if (ec) 35106785244SRatan Gupta { 35206785244SRatan Gupta BMCWEB_LOG_ERROR << "DBUS response error: " << ec; 35306785244SRatan Gupta messages::internalError(asyncResp->res); 35406785244SRatan Gupta return; 35506785244SRatan Gupta } 35606785244SRatan Gupta nlohmann::json& remoteRoleJson = 35706785244SRatan Gupta asyncResp->res 35806785244SRatan Gupta .jsonValue[serverType]["RemoteRoleMapping"]; 359*1476687dSEd Tanous nlohmann::json::object_t roleMapEntry; 360*1476687dSEd Tanous roleMapEntry["LocalRole"] = *localRole; 361*1476687dSEd Tanous roleMapEntry["RemoteGroup"] = *remoteGroup; 362*1476687dSEd Tanous remoteRoleJson.push_back(std::move(roleMapEntry)); 36306785244SRatan Gupta }, 36406785244SRatan Gupta ldapDbusService, dbusObjectPath, ldapPrivMapperInterface, 3653174e4dfSEd Tanous "Create", *remoteGroup, 36606785244SRatan Gupta getPrivilegeFromRoleId(std::move(*localRole))); 36706785244SRatan Gupta } 36806785244SRatan Gupta } 36906785244SRatan Gupta } 37006785244SRatan Gupta } 37106785244SRatan Gupta 37206785244SRatan Gupta /** 3736973a582SRatan Gupta * Function that retrieves all properties for LDAP config object 3746973a582SRatan Gupta * into JSON 3756973a582SRatan Gupta */ 3766973a582SRatan Gupta template <typename CallbackFunc> 3776973a582SRatan Gupta inline void getLDAPConfigData(const std::string& ldapType, 3786973a582SRatan Gupta CallbackFunc&& callback) 3796973a582SRatan Gupta { 38054fc587aSNagaraju Goruganti 38154fc587aSNagaraju Goruganti const std::array<const char*, 2> interfaces = {ldapEnableInterface, 38254fc587aSNagaraju Goruganti ldapConfigInterface}; 38354fc587aSNagaraju Goruganti 38454fc587aSNagaraju Goruganti crow::connections::systemBus->async_method_call( 38554fc587aSNagaraju Goruganti [callback, ldapType](const boost::system::error_code ec, 386b9d36b47SEd Tanous const dbus::utility::MapperGetObject& resp) { 38754fc587aSNagaraju Goruganti if (ec || resp.empty()) 38854fc587aSNagaraju Goruganti { 3890fda0f12SGeorge Liu BMCWEB_LOG_ERROR 3900fda0f12SGeorge Liu << "DBUS response error during getting of service name: " 39154fc587aSNagaraju Goruganti << ec; 39223a21a1cSEd Tanous LDAPConfigData empty{}; 39323a21a1cSEd Tanous callback(false, empty, ldapType); 39454fc587aSNagaraju Goruganti return; 39554fc587aSNagaraju Goruganti } 39654fc587aSNagaraju Goruganti std::string service = resp.begin()->first; 39754fc587aSNagaraju Goruganti crow::connections::systemBus->async_method_call( 398711ac7a9SEd Tanous [callback, ldapType]( 399711ac7a9SEd Tanous const boost::system::error_code errorCode, 400711ac7a9SEd Tanous const dbus::utility::ManagedObjectType& ldapObjects) { 4016973a582SRatan Gupta LDAPConfigData confData{}; 40281ce609eSEd Tanous if (errorCode) 4036973a582SRatan Gupta { 404ab828d7cSRatan Gupta callback(false, confData, ldapType); 40554fc587aSNagaraju Goruganti BMCWEB_LOG_ERROR << "D-Bus responses error: " 40681ce609eSEd Tanous << errorCode; 4076973a582SRatan Gupta return; 4086973a582SRatan Gupta } 409ab828d7cSRatan Gupta 410ab828d7cSRatan Gupta std::string ldapDbusType; 41154fc587aSNagaraju Goruganti std::string searchString; 41254fc587aSNagaraju Goruganti 413ab828d7cSRatan Gupta if (ldapType == "LDAP") 414ab828d7cSRatan Gupta { 4150fda0f12SGeorge Liu ldapDbusType = 4160fda0f12SGeorge Liu "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap"; 41754fc587aSNagaraju Goruganti searchString = "openldap"; 418ab828d7cSRatan Gupta } 419ab828d7cSRatan Gupta else if (ldapType == "ActiveDirectory") 420ab828d7cSRatan Gupta { 42154fc587aSNagaraju Goruganti ldapDbusType = 4220fda0f12SGeorge Liu "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory"; 42354fc587aSNagaraju Goruganti searchString = "active_directory"; 424ab828d7cSRatan Gupta } 425ab828d7cSRatan Gupta else 426ab828d7cSRatan Gupta { 42754fc587aSNagaraju Goruganti BMCWEB_LOG_ERROR 42854fc587aSNagaraju Goruganti << "Can't get the DbusType for the given type=" 429ab828d7cSRatan Gupta << ldapType; 430ab828d7cSRatan Gupta callback(false, confData, ldapType); 431ab828d7cSRatan Gupta return; 432ab828d7cSRatan Gupta } 433ab828d7cSRatan Gupta 434ab828d7cSRatan Gupta std::string ldapEnableInterfaceStr = ldapEnableInterface; 435ab828d7cSRatan Gupta std::string ldapConfigInterfaceStr = ldapConfigInterface; 436ab828d7cSRatan Gupta 4376973a582SRatan Gupta for (const auto& object : ldapObjects) 4386973a582SRatan Gupta { 43954fc587aSNagaraju Goruganti // let's find the object whose ldap type is equal to the 44054fc587aSNagaraju Goruganti // given type 44154fc587aSNagaraju Goruganti if (object.first.str.find(searchString) == 44254fc587aSNagaraju Goruganti std::string::npos) 4436973a582SRatan Gupta { 444ab828d7cSRatan Gupta continue; 445ab828d7cSRatan Gupta } 446ab828d7cSRatan Gupta 4476973a582SRatan Gupta for (const auto& interface : object.second) 4486973a582SRatan Gupta { 4496973a582SRatan Gupta if (interface.first == ldapEnableInterfaceStr) 4506973a582SRatan Gupta { 4516973a582SRatan Gupta // rest of the properties are string. 4526973a582SRatan Gupta for (const auto& property : interface.second) 4536973a582SRatan Gupta { 4546973a582SRatan Gupta if (property.first == "Enabled") 4556973a582SRatan Gupta { 4566973a582SRatan Gupta const bool* value = 4576973a582SRatan Gupta std::get_if<bool>(&property.second); 4586973a582SRatan Gupta if (value == nullptr) 4596973a582SRatan Gupta { 4606973a582SRatan Gupta continue; 4616973a582SRatan Gupta } 4626973a582SRatan Gupta confData.serviceEnabled = *value; 4636973a582SRatan Gupta break; 4646973a582SRatan Gupta } 4656973a582SRatan Gupta } 4666973a582SRatan Gupta } 4676973a582SRatan Gupta else if (interface.first == ldapConfigInterfaceStr) 4686973a582SRatan Gupta { 4696973a582SRatan Gupta 4706973a582SRatan Gupta for (const auto& property : interface.second) 4716973a582SRatan Gupta { 472271584abSEd Tanous const std::string* strValue = 47354fc587aSNagaraju Goruganti std::get_if<std::string>( 47454fc587aSNagaraju Goruganti &property.second); 475271584abSEd Tanous if (strValue == nullptr) 4766973a582SRatan Gupta { 4776973a582SRatan Gupta continue; 4786973a582SRatan Gupta } 4796973a582SRatan Gupta if (property.first == "LDAPServerURI") 4806973a582SRatan Gupta { 481271584abSEd Tanous confData.uri = *strValue; 4826973a582SRatan Gupta } 4836973a582SRatan Gupta else if (property.first == "LDAPBindDN") 4846973a582SRatan Gupta { 485271584abSEd Tanous confData.bindDN = *strValue; 4866973a582SRatan Gupta } 4876973a582SRatan Gupta else if (property.first == "LDAPBaseDN") 4886973a582SRatan Gupta { 489271584abSEd Tanous confData.baseDN = *strValue; 4906973a582SRatan Gupta } 49154fc587aSNagaraju Goruganti else if (property.first == 49254fc587aSNagaraju Goruganti "LDAPSearchScope") 4936973a582SRatan Gupta { 494271584abSEd Tanous confData.searchScope = *strValue; 4956973a582SRatan Gupta } 49654fc587aSNagaraju Goruganti else if (property.first == 49754fc587aSNagaraju Goruganti "GroupNameAttribute") 4986973a582SRatan Gupta { 499271584abSEd Tanous confData.groupAttribute = *strValue; 5006973a582SRatan Gupta } 50154fc587aSNagaraju Goruganti else if (property.first == 50254fc587aSNagaraju Goruganti "UserNameAttribute") 5036973a582SRatan Gupta { 504271584abSEd Tanous confData.userNameAttribute = *strValue; 5056973a582SRatan Gupta } 50654fc587aSNagaraju Goruganti else if (property.first == "LDAPType") 507ab828d7cSRatan Gupta { 508271584abSEd Tanous confData.serverType = *strValue; 50954fc587aSNagaraju Goruganti } 51054fc587aSNagaraju Goruganti } 51154fc587aSNagaraju Goruganti } 5120fda0f12SGeorge Liu else if ( 5130fda0f12SGeorge Liu interface.first == 5140fda0f12SGeorge Liu "xyz.openbmc_project.User.PrivilegeMapperEntry") 51554fc587aSNagaraju Goruganti { 51654fc587aSNagaraju Goruganti LDAPRoleMapData roleMapData{}; 51754fc587aSNagaraju Goruganti for (const auto& property : interface.second) 51854fc587aSNagaraju Goruganti { 519271584abSEd Tanous const std::string* strValue = 52054fc587aSNagaraju Goruganti std::get_if<std::string>( 52154fc587aSNagaraju Goruganti &property.second); 52254fc587aSNagaraju Goruganti 523271584abSEd Tanous if (strValue == nullptr) 52454fc587aSNagaraju Goruganti { 52554fc587aSNagaraju Goruganti continue; 52654fc587aSNagaraju Goruganti } 52754fc587aSNagaraju Goruganti 52854fc587aSNagaraju Goruganti if (property.first == "GroupName") 52954fc587aSNagaraju Goruganti { 530271584abSEd Tanous roleMapData.groupName = *strValue; 53154fc587aSNagaraju Goruganti } 53254fc587aSNagaraju Goruganti else if (property.first == "Privilege") 53354fc587aSNagaraju Goruganti { 534271584abSEd Tanous roleMapData.privilege = *strValue; 53554fc587aSNagaraju Goruganti } 53654fc587aSNagaraju Goruganti } 53754fc587aSNagaraju Goruganti 5380f0353b6SEd Tanous confData.groupRoleList.emplace_back( 5390f0353b6SEd Tanous object.first.str, roleMapData); 54054fc587aSNagaraju Goruganti } 54154fc587aSNagaraju Goruganti } 54254fc587aSNagaraju Goruganti } 543ab828d7cSRatan Gupta callback(true, confData, ldapType); 54454fc587aSNagaraju Goruganti }, 54554fc587aSNagaraju Goruganti service, ldapRootObject, dbusObjManagerIntf, 5466973a582SRatan Gupta "GetManagedObjects"); 54754fc587aSNagaraju Goruganti }, 54854fc587aSNagaraju Goruganti mapperBusName, mapperObjectPath, mapperIntf, "GetObject", 54923a21a1cSEd Tanous ldapConfigObjectName, interfaces); 5506973a582SRatan Gupta } 5516973a582SRatan Gupta 5528a07d286SRatan Gupta /** 5538a07d286SRatan Gupta * @brief parses the authentication section under the LDAP 5548a07d286SRatan Gupta * @param input JSON data 5558a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 5568a07d286SRatan Gupta * @param userName userName to be filled from the given JSON. 5578a07d286SRatan Gupta * @param password password to be filled from the given JSON. 5588a07d286SRatan Gupta */ 5594f48d5f6SEd Tanous inline void parseLDAPAuthenticationJson( 5606c51eab1SEd Tanous nlohmann::json input, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 5616c51eab1SEd Tanous std::optional<std::string>& username, std::optional<std::string>& password) 5628a07d286SRatan Gupta { 5638a07d286SRatan Gupta std::optional<std::string> authType; 5648a07d286SRatan Gupta 5658a07d286SRatan Gupta if (!json_util::readJson(input, asyncResp->res, "AuthenticationType", 5668a07d286SRatan Gupta authType, "Username", username, "Password", 5678a07d286SRatan Gupta password)) 5688a07d286SRatan Gupta { 5698a07d286SRatan Gupta return; 5708a07d286SRatan Gupta } 5718a07d286SRatan Gupta if (!authType) 5728a07d286SRatan Gupta { 5738a07d286SRatan Gupta return; 5748a07d286SRatan Gupta } 5758a07d286SRatan Gupta if (*authType != "UsernameAndPassword") 5768a07d286SRatan Gupta { 5778a07d286SRatan Gupta messages::propertyValueNotInList(asyncResp->res, *authType, 5788a07d286SRatan Gupta "AuthenticationType"); 5798a07d286SRatan Gupta return; 5808a07d286SRatan Gupta } 5818a07d286SRatan Gupta } 5828a07d286SRatan Gupta /** 5838a07d286SRatan Gupta * @brief parses the LDAPService section under the LDAP 5848a07d286SRatan Gupta * @param input JSON data 5858a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 5868a07d286SRatan Gupta * @param baseDNList baseDN to be filled from the given JSON. 5878a07d286SRatan Gupta * @param userNameAttribute userName to be filled from the given JSON. 5888a07d286SRatan Gupta * @param groupaAttribute password to be filled from the given JSON. 5898a07d286SRatan Gupta */ 5908a07d286SRatan Gupta 5914f48d5f6SEd Tanous inline void 5924f48d5f6SEd Tanous parseLDAPServiceJson(nlohmann::json input, 5938d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 5948a07d286SRatan Gupta std::optional<std::vector<std::string>>& baseDNList, 5958a07d286SRatan Gupta std::optional<std::string>& userNameAttribute, 5968a07d286SRatan Gupta std::optional<std::string>& groupsAttribute) 5978a07d286SRatan Gupta { 5988a07d286SRatan Gupta std::optional<nlohmann::json> searchSettings; 5998a07d286SRatan Gupta 6008a07d286SRatan Gupta if (!json_util::readJson(input, asyncResp->res, "SearchSettings", 6018a07d286SRatan Gupta searchSettings)) 6028a07d286SRatan Gupta { 6038a07d286SRatan Gupta return; 6048a07d286SRatan Gupta } 6058a07d286SRatan Gupta if (!searchSettings) 6068a07d286SRatan Gupta { 6078a07d286SRatan Gupta return; 6088a07d286SRatan Gupta } 6098a07d286SRatan Gupta if (!json_util::readJson(*searchSettings, asyncResp->res, 6108a07d286SRatan Gupta "BaseDistinguishedNames", baseDNList, 6118a07d286SRatan Gupta "UsernameAttribute", userNameAttribute, 6128a07d286SRatan Gupta "GroupsAttribute", groupsAttribute)) 6138a07d286SRatan Gupta { 6148a07d286SRatan Gupta return; 6158a07d286SRatan Gupta } 6168a07d286SRatan Gupta } 6178a07d286SRatan Gupta /** 6188a07d286SRatan Gupta * @brief updates the LDAP server address and updates the 6198a07d286SRatan Gupta json response with the new value. 6208a07d286SRatan Gupta * @param serviceAddressList address to be updated. 6218a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 6228a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 6238a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 6248a07d286SRatan Gupta */ 6258a07d286SRatan Gupta 6264f48d5f6SEd Tanous inline void handleServiceAddressPatch( 6278a07d286SRatan Gupta const std::vector<std::string>& serviceAddressList, 6288d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 6298a07d286SRatan Gupta const std::string& ldapServerElementName, 6308a07d286SRatan Gupta const std::string& ldapConfigObject) 6318a07d286SRatan Gupta { 6328a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 6338a07d286SRatan Gupta [asyncResp, ldapServerElementName, 6348a07d286SRatan Gupta serviceAddressList](const boost::system::error_code ec) { 6358a07d286SRatan Gupta if (ec) 6368a07d286SRatan Gupta { 6378a07d286SRatan Gupta BMCWEB_LOG_DEBUG 638c61704abSGunnar Mills << "Error Occurred in updating the service address"; 6398a07d286SRatan Gupta messages::internalError(asyncResp->res); 6408a07d286SRatan Gupta return; 6418a07d286SRatan Gupta } 6428a07d286SRatan Gupta std::vector<std::string> modifiedserviceAddressList = { 6438a07d286SRatan Gupta serviceAddressList.front()}; 6448a07d286SRatan Gupta asyncResp->res 6458a07d286SRatan Gupta .jsonValue[ldapServerElementName]["ServiceAddresses"] = 6468a07d286SRatan Gupta modifiedserviceAddressList; 6478a07d286SRatan Gupta if ((serviceAddressList).size() > 1) 6488a07d286SRatan Gupta { 6498a07d286SRatan Gupta messages::propertyValueModified(asyncResp->res, 6508a07d286SRatan Gupta "ServiceAddresses", 6518a07d286SRatan Gupta serviceAddressList.front()); 6528a07d286SRatan Gupta } 6538a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the service address"; 6548a07d286SRatan Gupta }, 6558a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 6568a07d286SRatan Gupta ldapConfigInterface, "LDAPServerURI", 657168e20c1SEd Tanous dbus::utility::DbusVariantType(serviceAddressList.front())); 6588a07d286SRatan Gupta } 6598a07d286SRatan Gupta /** 6608a07d286SRatan Gupta * @brief updates the LDAP Bind DN and updates the 6618a07d286SRatan Gupta json response with the new value. 6628a07d286SRatan Gupta * @param username name of the user which needs to be updated. 6638a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 6648a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 6658a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 6668a07d286SRatan Gupta */ 6678a07d286SRatan Gupta 6684f48d5f6SEd Tanous inline void 6694f48d5f6SEd Tanous handleUserNamePatch(const std::string& username, 6708d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 6718a07d286SRatan Gupta const std::string& ldapServerElementName, 6728a07d286SRatan Gupta const std::string& ldapConfigObject) 6738a07d286SRatan Gupta { 6748a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 6758a07d286SRatan Gupta [asyncResp, username, 6768a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 6778a07d286SRatan Gupta if (ec) 6788a07d286SRatan Gupta { 6796c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Error occurred in updating the username"; 6808a07d286SRatan Gupta messages::internalError(asyncResp->res); 6818a07d286SRatan Gupta return; 6828a07d286SRatan Gupta } 6836c51eab1SEd Tanous asyncResp->res.jsonValue[ldapServerElementName]["Authentication"] 6846c51eab1SEd Tanous ["Username"] = username; 6858a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the username"; 6868a07d286SRatan Gupta }, 6878a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 688168e20c1SEd Tanous ldapConfigInterface, "LDAPBindDN", 689168e20c1SEd Tanous dbus::utility::DbusVariantType(username)); 6908a07d286SRatan Gupta } 6918a07d286SRatan Gupta 6928a07d286SRatan Gupta /** 6938a07d286SRatan Gupta * @brief updates the LDAP password 6948a07d286SRatan Gupta * @param password : ldap password which needs to be updated. 6958a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 6968a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 6978a07d286SRatan Gupta * server(openLDAP/ActiveDirectory) 6988a07d286SRatan Gupta */ 6998a07d286SRatan Gupta 7004f48d5f6SEd Tanous inline void 7014f48d5f6SEd Tanous handlePasswordPatch(const std::string& password, 7028d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7038a07d286SRatan Gupta const std::string& ldapServerElementName, 7048a07d286SRatan Gupta const std::string& ldapConfigObject) 7058a07d286SRatan Gupta { 7068a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 7078a07d286SRatan Gupta [asyncResp, password, 7088a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 7098a07d286SRatan Gupta if (ec) 7108a07d286SRatan Gupta { 7116c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Error occurred in updating the password"; 7128a07d286SRatan Gupta messages::internalError(asyncResp->res); 7138a07d286SRatan Gupta return; 7148a07d286SRatan Gupta } 7156c51eab1SEd Tanous asyncResp->res.jsonValue[ldapServerElementName]["Authentication"] 7166c51eab1SEd Tanous ["Password"] = ""; 7178a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the password"; 7188a07d286SRatan Gupta }, 7198a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 7208a07d286SRatan Gupta ldapConfigInterface, "LDAPBindDNPassword", 721168e20c1SEd Tanous dbus::utility::DbusVariantType(password)); 7228a07d286SRatan Gupta } 7238a07d286SRatan Gupta 7248a07d286SRatan Gupta /** 7258a07d286SRatan Gupta * @brief updates the LDAP BaseDN and updates the 7268a07d286SRatan Gupta json response with the new value. 7278a07d286SRatan Gupta * @param baseDNList baseDN list which needs to be updated. 7288a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7298a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7308a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7318a07d286SRatan Gupta */ 7328a07d286SRatan Gupta 7334f48d5f6SEd Tanous inline void 7344f48d5f6SEd Tanous handleBaseDNPatch(const std::vector<std::string>& baseDNList, 7358d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7368a07d286SRatan Gupta const std::string& ldapServerElementName, 7378a07d286SRatan Gupta const std::string& ldapConfigObject) 7388a07d286SRatan Gupta { 7398a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 7408a07d286SRatan Gupta [asyncResp, baseDNList, 7418a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 7428a07d286SRatan Gupta if (ec) 7438a07d286SRatan Gupta { 7446c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Error Occurred in Updating the base DN"; 7458a07d286SRatan Gupta messages::internalError(asyncResp->res); 7468a07d286SRatan Gupta return; 7478a07d286SRatan Gupta } 7488a07d286SRatan Gupta auto& serverTypeJson = 7498a07d286SRatan Gupta asyncResp->res.jsonValue[ldapServerElementName]; 7508a07d286SRatan Gupta auto& searchSettingsJson = 7518a07d286SRatan Gupta serverTypeJson["LDAPService"]["SearchSettings"]; 7526c51eab1SEd Tanous std::vector<std::string> modifiedBaseDNList = {baseDNList.front()}; 7536c51eab1SEd Tanous searchSettingsJson["BaseDistinguishedNames"] = modifiedBaseDNList; 7548a07d286SRatan Gupta if (baseDNList.size() > 1) 7558a07d286SRatan Gupta { 7568a07d286SRatan Gupta messages::propertyValueModified(asyncResp->res, 7578a07d286SRatan Gupta "BaseDistinguishedNames", 7588a07d286SRatan Gupta baseDNList.front()); 7598a07d286SRatan Gupta } 7608a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the base DN"; 7618a07d286SRatan Gupta }, 7628a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 7638a07d286SRatan Gupta ldapConfigInterface, "LDAPBaseDN", 764168e20c1SEd Tanous dbus::utility::DbusVariantType(baseDNList.front())); 7658a07d286SRatan Gupta } 7668a07d286SRatan Gupta /** 7678a07d286SRatan Gupta * @brief updates the LDAP user name attribute and updates the 7688a07d286SRatan Gupta json response with the new value. 7698a07d286SRatan Gupta * @param userNameAttribute attribute to be updated. 7708a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7718a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7728a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7738a07d286SRatan Gupta */ 7748a07d286SRatan Gupta 7754f48d5f6SEd Tanous inline void 7764f48d5f6SEd Tanous handleUserNameAttrPatch(const std::string& userNameAttribute, 7778d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7788a07d286SRatan Gupta const std::string& ldapServerElementName, 7798a07d286SRatan Gupta const std::string& ldapConfigObject) 7808a07d286SRatan Gupta { 7818a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 7828a07d286SRatan Gupta [asyncResp, userNameAttribute, 7838a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 7848a07d286SRatan Gupta if (ec) 7858a07d286SRatan Gupta { 786c61704abSGunnar Mills BMCWEB_LOG_DEBUG << "Error Occurred in Updating the " 7878a07d286SRatan Gupta "username attribute"; 7888a07d286SRatan Gupta messages::internalError(asyncResp->res); 7898a07d286SRatan Gupta return; 7908a07d286SRatan Gupta } 7918a07d286SRatan Gupta auto& serverTypeJson = 7928a07d286SRatan Gupta asyncResp->res.jsonValue[ldapServerElementName]; 7938a07d286SRatan Gupta auto& searchSettingsJson = 7948a07d286SRatan Gupta serverTypeJson["LDAPService"]["SearchSettings"]; 7958a07d286SRatan Gupta searchSettingsJson["UsernameAttribute"] = userNameAttribute; 7968a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the user name attr."; 7978a07d286SRatan Gupta }, 7988a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 7998a07d286SRatan Gupta ldapConfigInterface, "UserNameAttribute", 800168e20c1SEd Tanous dbus::utility::DbusVariantType(userNameAttribute)); 8018a07d286SRatan Gupta } 8028a07d286SRatan Gupta /** 8038a07d286SRatan Gupta * @brief updates the LDAP group attribute and updates the 8048a07d286SRatan Gupta json response with the new value. 8058a07d286SRatan Gupta * @param groupsAttribute attribute to be updated. 8068a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 8078a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 8088a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 8098a07d286SRatan Gupta */ 8108a07d286SRatan Gupta 8114f48d5f6SEd Tanous inline void handleGroupNameAttrPatch( 8128d1b46d7Szhanghch05 const std::string& groupsAttribute, 8138d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 8148a07d286SRatan Gupta const std::string& ldapServerElementName, 8158a07d286SRatan Gupta const std::string& ldapConfigObject) 8168a07d286SRatan Gupta { 8178a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 8188a07d286SRatan Gupta [asyncResp, groupsAttribute, 8198a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 8208a07d286SRatan Gupta if (ec) 8218a07d286SRatan Gupta { 822c61704abSGunnar Mills BMCWEB_LOG_DEBUG << "Error Occurred in Updating the " 8238a07d286SRatan Gupta "groupname attribute"; 8248a07d286SRatan Gupta messages::internalError(asyncResp->res); 8258a07d286SRatan Gupta return; 8268a07d286SRatan Gupta } 8278a07d286SRatan Gupta auto& serverTypeJson = 8288a07d286SRatan Gupta asyncResp->res.jsonValue[ldapServerElementName]; 8298a07d286SRatan Gupta auto& searchSettingsJson = 8308a07d286SRatan Gupta serverTypeJson["LDAPService"]["SearchSettings"]; 8318a07d286SRatan Gupta searchSettingsJson["GroupsAttribute"] = groupsAttribute; 8328a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the groupname attr"; 8338a07d286SRatan Gupta }, 8348a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 8358a07d286SRatan Gupta ldapConfigInterface, "GroupNameAttribute", 836168e20c1SEd Tanous dbus::utility::DbusVariantType(groupsAttribute)); 8378a07d286SRatan Gupta } 8388a07d286SRatan Gupta /** 8398a07d286SRatan Gupta * @brief updates the LDAP service enable and updates the 8408a07d286SRatan Gupta json response with the new value. 8418a07d286SRatan Gupta * @param input JSON data. 8428a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 8438a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 8448a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 8458a07d286SRatan Gupta */ 8468a07d286SRatan Gupta 8474f48d5f6SEd Tanous inline void handleServiceEnablePatch( 8486c51eab1SEd Tanous bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 8498a07d286SRatan Gupta const std::string& ldapServerElementName, 8508a07d286SRatan Gupta const std::string& ldapConfigObject) 8518a07d286SRatan Gupta { 8528a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 8538a07d286SRatan Gupta [asyncResp, serviceEnabled, 8548a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 8558a07d286SRatan Gupta if (ec) 8568a07d286SRatan Gupta { 8578a07d286SRatan Gupta BMCWEB_LOG_DEBUG 858c61704abSGunnar Mills << "Error Occurred in Updating the service enable"; 8598a07d286SRatan Gupta messages::internalError(asyncResp->res); 8608a07d286SRatan Gupta return; 8618a07d286SRatan Gupta } 8626c51eab1SEd Tanous asyncResp->res.jsonValue[ldapServerElementName]["ServiceEnabled"] = 8638a07d286SRatan Gupta serviceEnabled; 8646c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Updated Service enable = " << serviceEnabled; 8658a07d286SRatan Gupta }, 8668a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 867168e20c1SEd Tanous ldapEnableInterface, "Enabled", 868168e20c1SEd Tanous dbus::utility::DbusVariantType(serviceEnabled)); 8698a07d286SRatan Gupta } 8708a07d286SRatan Gupta 8714f48d5f6SEd Tanous inline void 8724f48d5f6SEd Tanous handleAuthMethodsPatch(nlohmann::json& input, 8738d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 87478158631SZbigniew Kurzynski { 87578158631SZbigniew Kurzynski std::optional<bool> basicAuth; 87678158631SZbigniew Kurzynski std::optional<bool> cookie; 87778158631SZbigniew Kurzynski std::optional<bool> sessionToken; 87878158631SZbigniew Kurzynski std::optional<bool> xToken; 879501f1e58SZbigniew Kurzynski std::optional<bool> tls; 88078158631SZbigniew Kurzynski 88178158631SZbigniew Kurzynski if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth, 88278158631SZbigniew Kurzynski "Cookie", cookie, "SessionToken", sessionToken, 883501f1e58SZbigniew Kurzynski "XToken", xToken, "TLS", tls)) 88478158631SZbigniew Kurzynski { 88578158631SZbigniew Kurzynski BMCWEB_LOG_ERROR << "Cannot read values from AuthMethod tag"; 88678158631SZbigniew Kurzynski return; 88778158631SZbigniew Kurzynski } 88878158631SZbigniew Kurzynski 88978158631SZbigniew Kurzynski // Make a copy of methods configuration 89052cc112dSEd Tanous persistent_data::AuthConfigMethods authMethodsConfig = 89152cc112dSEd Tanous persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 89278158631SZbigniew Kurzynski 89378158631SZbigniew Kurzynski if (basicAuth) 89478158631SZbigniew Kurzynski { 895f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_BASIC_AUTHENTICATION 896f16f6263SAlan Kuo messages::actionNotSupported( 8970fda0f12SGeorge Liu asyncResp->res, 8980fda0f12SGeorge Liu "Setting BasicAuth when basic-auth feature is disabled"); 899f16f6263SAlan Kuo return; 900f16f6263SAlan Kuo #endif 90178158631SZbigniew Kurzynski authMethodsConfig.basic = *basicAuth; 90278158631SZbigniew Kurzynski } 90378158631SZbigniew Kurzynski 90478158631SZbigniew Kurzynski if (cookie) 90578158631SZbigniew Kurzynski { 906f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_COOKIE_AUTHENTICATION 9070fda0f12SGeorge Liu messages::actionNotSupported( 9080fda0f12SGeorge Liu asyncResp->res, 9090fda0f12SGeorge Liu "Setting Cookie when cookie-auth feature is disabled"); 910f16f6263SAlan Kuo return; 911f16f6263SAlan Kuo #endif 91278158631SZbigniew Kurzynski authMethodsConfig.cookie = *cookie; 91378158631SZbigniew Kurzynski } 91478158631SZbigniew Kurzynski 91578158631SZbigniew Kurzynski if (sessionToken) 91678158631SZbigniew Kurzynski { 917f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_SESSION_AUTHENTICATION 918f16f6263SAlan Kuo messages::actionNotSupported( 9190fda0f12SGeorge Liu asyncResp->res, 9200fda0f12SGeorge Liu "Setting SessionToken when session-auth feature is disabled"); 921f16f6263SAlan Kuo return; 922f16f6263SAlan Kuo #endif 92378158631SZbigniew Kurzynski authMethodsConfig.sessionToken = *sessionToken; 92478158631SZbigniew Kurzynski } 92578158631SZbigniew Kurzynski 92678158631SZbigniew Kurzynski if (xToken) 92778158631SZbigniew Kurzynski { 928f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION 9290fda0f12SGeorge Liu messages::actionNotSupported( 9300fda0f12SGeorge Liu asyncResp->res, 9310fda0f12SGeorge Liu "Setting XToken when xtoken-auth feature is disabled"); 932f16f6263SAlan Kuo return; 933f16f6263SAlan Kuo #endif 93478158631SZbigniew Kurzynski authMethodsConfig.xtoken = *xToken; 93578158631SZbigniew Kurzynski } 93678158631SZbigniew Kurzynski 937501f1e58SZbigniew Kurzynski if (tls) 938501f1e58SZbigniew Kurzynski { 939f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION 9400fda0f12SGeorge Liu messages::actionNotSupported( 9410fda0f12SGeorge Liu asyncResp->res, 9420fda0f12SGeorge Liu "Setting TLS when mutual-tls-auth feature is disabled"); 943f16f6263SAlan Kuo return; 944f16f6263SAlan Kuo #endif 945501f1e58SZbigniew Kurzynski authMethodsConfig.tls = *tls; 946501f1e58SZbigniew Kurzynski } 947501f1e58SZbigniew Kurzynski 94878158631SZbigniew Kurzynski if (!authMethodsConfig.basic && !authMethodsConfig.cookie && 949501f1e58SZbigniew Kurzynski !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken && 950501f1e58SZbigniew Kurzynski !authMethodsConfig.tls) 95178158631SZbigniew Kurzynski { 95278158631SZbigniew Kurzynski // Do not allow user to disable everything 95378158631SZbigniew Kurzynski messages::actionNotSupported(asyncResp->res, 95478158631SZbigniew Kurzynski "of disabling all available methods"); 95578158631SZbigniew Kurzynski return; 95678158631SZbigniew Kurzynski } 95778158631SZbigniew Kurzynski 95852cc112dSEd Tanous persistent_data::SessionStore::getInstance().updateAuthMethodsConfig( 95952cc112dSEd Tanous authMethodsConfig); 96078158631SZbigniew Kurzynski // Save configuration immediately 96152cc112dSEd Tanous persistent_data::getConfig().writeData(); 96278158631SZbigniew Kurzynski 96378158631SZbigniew Kurzynski messages::success(asyncResp->res); 96478158631SZbigniew Kurzynski } 96578158631SZbigniew Kurzynski 9668a07d286SRatan Gupta /** 9678a07d286SRatan Gupta * @brief Get the required values from the given JSON, validates the 9688a07d286SRatan Gupta * value and create the LDAP config object. 9698a07d286SRatan Gupta * @param input JSON data 9708a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 9718a07d286SRatan Gupta * @param serverType Type of LDAP server(openLDAP/ActiveDirectory) 9728a07d286SRatan Gupta */ 9738a07d286SRatan Gupta 9746c51eab1SEd Tanous inline void handleLDAPPatch(nlohmann::json& input, 9758d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 9768a07d286SRatan Gupta const std::string& serverType) 9778a07d286SRatan Gupta { 978eb2bbe56SRatan Gupta std::string dbusObjectPath; 979eb2bbe56SRatan Gupta if (serverType == "ActiveDirectory") 980eb2bbe56SRatan Gupta { 9812c70f800SEd Tanous dbusObjectPath = adConfigObject; 982eb2bbe56SRatan Gupta } 983eb2bbe56SRatan Gupta else if (serverType == "LDAP") 984eb2bbe56SRatan Gupta { 98523a21a1cSEd Tanous dbusObjectPath = ldapConfigObjectName; 986eb2bbe56SRatan Gupta } 987cb13a392SEd Tanous else 988cb13a392SEd Tanous { 989cb13a392SEd Tanous return; 990cb13a392SEd Tanous } 991eb2bbe56SRatan Gupta 9928a07d286SRatan Gupta std::optional<nlohmann::json> authentication; 9938a07d286SRatan Gupta std::optional<nlohmann::json> ldapService; 9948a07d286SRatan Gupta std::optional<std::vector<std::string>> serviceAddressList; 9958a07d286SRatan Gupta std::optional<bool> serviceEnabled; 9968a07d286SRatan Gupta std::optional<std::vector<std::string>> baseDNList; 9978a07d286SRatan Gupta std::optional<std::string> userNameAttribute; 9988a07d286SRatan Gupta std::optional<std::string> groupsAttribute; 9998a07d286SRatan Gupta std::optional<std::string> userName; 10008a07d286SRatan Gupta std::optional<std::string> password; 100106785244SRatan Gupta std::optional<std::vector<nlohmann::json>> remoteRoleMapData; 10028a07d286SRatan Gupta 10038a07d286SRatan Gupta if (!json_util::readJson(input, asyncResp->res, "Authentication", 10048a07d286SRatan Gupta authentication, "LDAPService", ldapService, 10058a07d286SRatan Gupta "ServiceAddresses", serviceAddressList, 100606785244SRatan Gupta "ServiceEnabled", serviceEnabled, 100706785244SRatan Gupta "RemoteRoleMapping", remoteRoleMapData)) 10088a07d286SRatan Gupta { 10098a07d286SRatan Gupta return; 10108a07d286SRatan Gupta } 10118a07d286SRatan Gupta 10128a07d286SRatan Gupta if (authentication) 10138a07d286SRatan Gupta { 10148a07d286SRatan Gupta parseLDAPAuthenticationJson(*authentication, asyncResp, userName, 10158a07d286SRatan Gupta password); 10168a07d286SRatan Gupta } 10178a07d286SRatan Gupta if (ldapService) 10188a07d286SRatan Gupta { 10198a07d286SRatan Gupta parseLDAPServiceJson(*ldapService, asyncResp, baseDNList, 10208a07d286SRatan Gupta userNameAttribute, groupsAttribute); 10218a07d286SRatan Gupta } 10228a07d286SRatan Gupta if (serviceAddressList) 10238a07d286SRatan Gupta { 102426f6976fSEd Tanous if (serviceAddressList->empty()) 10258a07d286SRatan Gupta { 10268a07d286SRatan Gupta messages::propertyValueNotInList(asyncResp->res, "[]", 10278a07d286SRatan Gupta "ServiceAddress"); 10288a07d286SRatan Gupta return; 10298a07d286SRatan Gupta } 10308a07d286SRatan Gupta } 10318a07d286SRatan Gupta if (baseDNList) 10328a07d286SRatan Gupta { 103326f6976fSEd Tanous if (baseDNList->empty()) 10348a07d286SRatan Gupta { 10358a07d286SRatan Gupta messages::propertyValueNotInList(asyncResp->res, "[]", 10368a07d286SRatan Gupta "BaseDistinguishedNames"); 10378a07d286SRatan Gupta return; 10388a07d286SRatan Gupta } 10398a07d286SRatan Gupta } 10408a07d286SRatan Gupta 10418a07d286SRatan Gupta // nothing to update, then return 10428a07d286SRatan Gupta if (!userName && !password && !serviceAddressList && !baseDNList && 104306785244SRatan Gupta !userNameAttribute && !groupsAttribute && !serviceEnabled && 104406785244SRatan Gupta !remoteRoleMapData) 10458a07d286SRatan Gupta { 10468a07d286SRatan Gupta return; 10478a07d286SRatan Gupta } 10488a07d286SRatan Gupta 10498a07d286SRatan Gupta // Get the existing resource first then keep modifying 10508a07d286SRatan Gupta // whenever any property gets updated. 10516c51eab1SEd Tanous getLDAPConfigData(serverType, [asyncResp, userName, password, baseDNList, 10526c51eab1SEd Tanous userNameAttribute, groupsAttribute, 10536c51eab1SEd Tanous serviceAddressList, serviceEnabled, 10546c51eab1SEd Tanous dbusObjectPath, remoteRoleMapData]( 10556c51eab1SEd Tanous bool success, 10566c51eab1SEd Tanous const LDAPConfigData& confData, 105723a21a1cSEd Tanous const std::string& serverT) { 10588a07d286SRatan Gupta if (!success) 10598a07d286SRatan Gupta { 10608a07d286SRatan Gupta messages::internalError(asyncResp->res); 10618a07d286SRatan Gupta return; 10628a07d286SRatan Gupta } 10636c51eab1SEd Tanous parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT); 10648a07d286SRatan Gupta if (confData.serviceEnabled) 10658a07d286SRatan Gupta { 10668a07d286SRatan Gupta // Disable the service first and update the rest of 10678a07d286SRatan Gupta // the properties. 10686c51eab1SEd Tanous handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath); 10698a07d286SRatan Gupta } 10708a07d286SRatan Gupta 10718a07d286SRatan Gupta if (serviceAddressList) 10728a07d286SRatan Gupta { 10736c51eab1SEd Tanous handleServiceAddressPatch(*serviceAddressList, asyncResp, serverT, 10746c51eab1SEd Tanous dbusObjectPath); 10758a07d286SRatan Gupta } 10768a07d286SRatan Gupta if (userName) 10778a07d286SRatan Gupta { 10786c51eab1SEd Tanous handleUserNamePatch(*userName, asyncResp, serverT, dbusObjectPath); 10798a07d286SRatan Gupta } 10808a07d286SRatan Gupta if (password) 10818a07d286SRatan Gupta { 10826c51eab1SEd Tanous handlePasswordPatch(*password, asyncResp, serverT, dbusObjectPath); 10838a07d286SRatan Gupta } 10848a07d286SRatan Gupta 10858a07d286SRatan Gupta if (baseDNList) 10868a07d286SRatan Gupta { 10876c51eab1SEd Tanous handleBaseDNPatch(*baseDNList, asyncResp, serverT, dbusObjectPath); 10888a07d286SRatan Gupta } 10898a07d286SRatan Gupta if (userNameAttribute) 10908a07d286SRatan Gupta { 10916c51eab1SEd Tanous handleUserNameAttrPatch(*userNameAttribute, asyncResp, serverT, 10926c51eab1SEd Tanous dbusObjectPath); 10938a07d286SRatan Gupta } 10948a07d286SRatan Gupta if (groupsAttribute) 10958a07d286SRatan Gupta { 10966c51eab1SEd Tanous handleGroupNameAttrPatch(*groupsAttribute, asyncResp, serverT, 10976c51eab1SEd Tanous dbusObjectPath); 10988a07d286SRatan Gupta } 10998a07d286SRatan Gupta if (serviceEnabled) 11008a07d286SRatan Gupta { 11018a07d286SRatan Gupta // if user has given the value as true then enable 11028a07d286SRatan Gupta // the service. if user has given false then no-op 11038a07d286SRatan Gupta // as service is already stopped. 11048a07d286SRatan Gupta if (*serviceEnabled) 11058a07d286SRatan Gupta { 11066c51eab1SEd Tanous handleServiceEnablePatch(*serviceEnabled, asyncResp, serverT, 11076c51eab1SEd Tanous dbusObjectPath); 11088a07d286SRatan Gupta } 11098a07d286SRatan Gupta } 11108a07d286SRatan Gupta else 11118a07d286SRatan Gupta { 11128a07d286SRatan Gupta // if user has not given the service enabled value 11138a07d286SRatan Gupta // then revert it to the same state as it was 11148a07d286SRatan Gupta // before. 11158a07d286SRatan Gupta handleServiceEnablePatch(confData.serviceEnabled, asyncResp, 111623a21a1cSEd Tanous serverT, dbusObjectPath); 11178a07d286SRatan Gupta } 111806785244SRatan Gupta 111906785244SRatan Gupta if (remoteRoleMapData) 112006785244SRatan Gupta { 11216c51eab1SEd Tanous handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT, 11226c51eab1SEd Tanous *remoteRoleMapData); 112306785244SRatan Gupta } 11248a07d286SRatan Gupta }); 11258a07d286SRatan Gupta } 1126d4b5443fSEd Tanous 11276c51eab1SEd Tanous inline void updateUserProperties(std::shared_ptr<bmcweb::AsyncResp> asyncResp, 11286c51eab1SEd Tanous const std::string& username, 11296c51eab1SEd Tanous std::optional<std::string> password, 11306c51eab1SEd Tanous std::optional<bool> enabled, 11316c51eab1SEd Tanous std::optional<std::string> roleId, 11326c51eab1SEd Tanous std::optional<bool> locked) 11331abe55efSEd Tanous { 1134b477fd44SP Dheeraj Srujan Kumar sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 1135b477fd44SP Dheeraj Srujan Kumar tempObjPath /= username; 1136b477fd44SP Dheeraj Srujan Kumar std::string dbusObjectPath(tempObjPath); 11376c51eab1SEd Tanous 11386c51eab1SEd Tanous dbus::utility::checkDbusPathExists( 11396c51eab1SEd Tanous dbusObjectPath, 11401106333aSEd Tanous [dbusObjectPath, username, password(std::move(password)), 11411106333aSEd Tanous roleId(std::move(roleId)), enabled, locked, 11421106333aSEd Tanous asyncResp{std::move(asyncResp)}](int rc) { 1143e662eae8SEd Tanous if (rc <= 0) 11446c51eab1SEd Tanous { 11456c51eab1SEd Tanous messages::resourceNotFound( 11466c51eab1SEd Tanous asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", 11476c51eab1SEd Tanous username); 11486c51eab1SEd Tanous return; 11496c51eab1SEd Tanous } 11506c51eab1SEd Tanous 11516c51eab1SEd Tanous if (password) 11526c51eab1SEd Tanous { 11536c51eab1SEd Tanous int retval = pamUpdatePassword(username, *password); 11546c51eab1SEd Tanous 11556c51eab1SEd Tanous if (retval == PAM_USER_UNKNOWN) 11566c51eab1SEd Tanous { 11576c51eab1SEd Tanous messages::resourceNotFound( 11586c51eab1SEd Tanous asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", 11596c51eab1SEd Tanous username); 11606c51eab1SEd Tanous } 11616c51eab1SEd Tanous else if (retval == PAM_AUTHTOK_ERR) 11626c51eab1SEd Tanous { 11636c51eab1SEd Tanous // If password is invalid 11646c51eab1SEd Tanous messages::propertyValueFormatError(asyncResp->res, 11656c51eab1SEd Tanous *password, "Password"); 11666c51eab1SEd Tanous BMCWEB_LOG_ERROR << "pamUpdatePassword Failed"; 11676c51eab1SEd Tanous } 11686c51eab1SEd Tanous else if (retval != PAM_SUCCESS) 11696c51eab1SEd Tanous { 11706c51eab1SEd Tanous messages::internalError(asyncResp->res); 11716c51eab1SEd Tanous return; 11726c51eab1SEd Tanous } 1173e7b1b62bSEd Tanous else 1174e7b1b62bSEd Tanous { 1175e7b1b62bSEd Tanous messages::success(asyncResp->res); 1176e7b1b62bSEd Tanous } 11776c51eab1SEd Tanous } 11786c51eab1SEd Tanous 11796c51eab1SEd Tanous if (enabled) 11806c51eab1SEd Tanous { 11816c51eab1SEd Tanous crow::connections::systemBus->async_method_call( 11826c51eab1SEd Tanous [asyncResp](const boost::system::error_code ec) { 11836c51eab1SEd Tanous if (ec) 11846c51eab1SEd Tanous { 11856c51eab1SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec; 11866c51eab1SEd Tanous messages::internalError(asyncResp->res); 11876c51eab1SEd Tanous return; 11886c51eab1SEd Tanous } 11896c51eab1SEd Tanous messages::success(asyncResp->res); 11906c51eab1SEd Tanous return; 11916c51eab1SEd Tanous }, 1192e05aec50SEd Tanous "xyz.openbmc_project.User.Manager", dbusObjectPath, 11936c51eab1SEd Tanous "org.freedesktop.DBus.Properties", "Set", 11946c51eab1SEd Tanous "xyz.openbmc_project.User.Attributes", "UserEnabled", 1195168e20c1SEd Tanous dbus::utility::DbusVariantType{*enabled}); 11966c51eab1SEd Tanous } 11976c51eab1SEd Tanous 11986c51eab1SEd Tanous if (roleId) 11996c51eab1SEd Tanous { 12006c51eab1SEd Tanous std::string priv = getPrivilegeFromRoleId(*roleId); 12016c51eab1SEd Tanous if (priv.empty()) 12026c51eab1SEd Tanous { 12036c51eab1SEd Tanous messages::propertyValueNotInList(asyncResp->res, *roleId, 12046c51eab1SEd Tanous "RoleId"); 12056c51eab1SEd Tanous return; 12066c51eab1SEd Tanous } 12076c51eab1SEd Tanous if (priv == "priv-noaccess") 12086c51eab1SEd Tanous { 12096c51eab1SEd Tanous priv = ""; 12106c51eab1SEd Tanous } 12116c51eab1SEd Tanous 12126c51eab1SEd Tanous crow::connections::systemBus->async_method_call( 12136c51eab1SEd Tanous [asyncResp](const boost::system::error_code ec) { 12146c51eab1SEd Tanous if (ec) 12156c51eab1SEd Tanous { 12166c51eab1SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec; 12176c51eab1SEd Tanous messages::internalError(asyncResp->res); 12186c51eab1SEd Tanous return; 12196c51eab1SEd Tanous } 12206c51eab1SEd Tanous messages::success(asyncResp->res); 12216c51eab1SEd Tanous }, 1222e05aec50SEd Tanous "xyz.openbmc_project.User.Manager", dbusObjectPath, 12236c51eab1SEd Tanous "org.freedesktop.DBus.Properties", "Set", 12246c51eab1SEd Tanous "xyz.openbmc_project.User.Attributes", "UserPrivilege", 1225168e20c1SEd Tanous dbus::utility::DbusVariantType{priv}); 12266c51eab1SEd Tanous } 12276c51eab1SEd Tanous 12286c51eab1SEd Tanous if (locked) 12296c51eab1SEd Tanous { 12306c51eab1SEd Tanous // admin can unlock the account which is locked by 12316c51eab1SEd Tanous // successive authentication failures but admin should 12326c51eab1SEd Tanous // not be allowed to lock an account. 12336c51eab1SEd Tanous if (*locked) 12346c51eab1SEd Tanous { 12356c51eab1SEd Tanous messages::propertyValueNotInList(asyncResp->res, "true", 12366c51eab1SEd Tanous "Locked"); 12376c51eab1SEd Tanous return; 12386c51eab1SEd Tanous } 12396c51eab1SEd Tanous 12406c51eab1SEd Tanous crow::connections::systemBus->async_method_call( 12416c51eab1SEd Tanous [asyncResp](const boost::system::error_code ec) { 12426c51eab1SEd Tanous if (ec) 12436c51eab1SEd Tanous { 12446c51eab1SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec; 12456c51eab1SEd Tanous messages::internalError(asyncResp->res); 12466c51eab1SEd Tanous return; 12476c51eab1SEd Tanous } 12486c51eab1SEd Tanous messages::success(asyncResp->res); 12496c51eab1SEd Tanous return; 12506c51eab1SEd Tanous }, 1251e05aec50SEd Tanous "xyz.openbmc_project.User.Manager", dbusObjectPath, 12526c51eab1SEd Tanous "org.freedesktop.DBus.Properties", "Set", 12536c51eab1SEd Tanous "xyz.openbmc_project.User.Attributes", 1254168e20c1SEd Tanous "UserLockedForFailedAttempt", 1255168e20c1SEd Tanous dbus::utility::DbusVariantType{*locked}); 12566c51eab1SEd Tanous } 12576c51eab1SEd Tanous }); 12586c51eab1SEd Tanous } 12596c51eab1SEd Tanous 12606c51eab1SEd Tanous inline void requestAccountServiceRoutes(App& app) 12616c51eab1SEd Tanous { 12626c51eab1SEd Tanous 12636c51eab1SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 1264ed398213SEd Tanous .privileges(redfish::privileges::getAccountService) 126545ca1b86SEd Tanous .methods(boost::beast::http::verb::get)([&app](const crow::Request& req, 12666c51eab1SEd Tanous const std::shared_ptr< 126745ca1b86SEd Tanous bmcweb::AsyncResp>& 126845ca1b86SEd Tanous asyncResp) -> void { 126945ca1b86SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp->res)) 127045ca1b86SEd Tanous { 127145ca1b86SEd Tanous return; 127245ca1b86SEd Tanous } 127352cc112dSEd Tanous const persistent_data::AuthConfigMethods& authMethodsConfig = 12746c51eab1SEd Tanous persistent_data::SessionStore::getInstance() 12756c51eab1SEd Tanous .getAuthMethodsConfig(); 127678158631SZbigniew Kurzynski 1277*1476687dSEd Tanous nlohmann::json& json = asyncResp->res.jsonValue; 1278*1476687dSEd Tanous json["@odata.id"] = "/redfish/v1/AccountService"; 1279*1476687dSEd Tanous json["@odata.type"] = "#AccountService." 1280*1476687dSEd Tanous "v1_10_0.AccountService"; 1281*1476687dSEd Tanous json["Id"] = "AccountService"; 1282*1476687dSEd Tanous json["Name"] = "Account Service"; 1283*1476687dSEd Tanous json["Description"] = "Account Service"; 1284*1476687dSEd Tanous json["ServiceEnabled"] = true; 1285*1476687dSEd Tanous json["MaxPasswordLength"] = 20; 1286*1476687dSEd Tanous json["Accounts"]["@odata.id"] = 1287*1476687dSEd Tanous "/redfish/v1/AccountService/Accounts"; 1288*1476687dSEd Tanous json["Roles"]["@odata.id"] = "/redfish/v1/AccountService/Roles"; 1289*1476687dSEd Tanous json["Oem"]["OpenBMC"]["@odata.type"] = 1290*1476687dSEd Tanous "#OemAccountService.v1_0_0.AccountService"; 1291*1476687dSEd Tanous json["Oem"]["OpenBMC"]["@odata.id"] = 1292*1476687dSEd Tanous "/redfish/v1/AccountService#/Oem/OpenBMC"; 1293*1476687dSEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["BasicAuth"] = 1294*1476687dSEd Tanous authMethodsConfig.basic; 1295*1476687dSEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["SessionToken"] = 1296*1476687dSEd Tanous authMethodsConfig.sessionToken; 1297*1476687dSEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["XToken"] = 1298*1476687dSEd Tanous authMethodsConfig.xtoken; 1299*1476687dSEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["Cookie"] = 1300*1476687dSEd Tanous authMethodsConfig.cookie; 1301*1476687dSEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["TLS"] = 1302*1476687dSEd Tanous authMethodsConfig.tls; 1303*1476687dSEd Tanous 130472048780SAbhishek Patel // /redfish/v1/AccountService/LDAP/Certificates is something only 130572048780SAbhishek Patel // ConfigureManager can access then only display when the user has 130672048780SAbhishek Patel // permissions ConfigureManager 130772048780SAbhishek Patel Privileges effectiveUserPrivileges = 130872048780SAbhishek Patel redfish::getUserPrivileges(req.userRole); 130972048780SAbhishek Patel 131072048780SAbhishek Patel if (isOperationAllowedWithPrivileges({{"ConfigureManager"}}, 131172048780SAbhishek Patel effectiveUserPrivileges)) 131272048780SAbhishek Patel { 1313*1476687dSEd Tanous asyncResp->res.jsonValue["LDAP"]["Certificates"]["@odata.id"] = 1314*1476687dSEd Tanous "/redfish/v1/AccountService/LDAP/Certificates"; 131572048780SAbhishek Patel } 13163d958bbcSAppaRao Puli crow::connections::systemBus->async_method_call( 13173d958bbcSAppaRao Puli [asyncResp]( 13183d958bbcSAppaRao Puli const boost::system::error_code ec, 1319b9d36b47SEd Tanous const dbus::utility::DBusPropertiesMap& propertiesList) { 13203d958bbcSAppaRao Puli if (ec) 13213d958bbcSAppaRao Puli { 13223d958bbcSAppaRao Puli messages::internalError(asyncResp->res); 13233d958bbcSAppaRao Puli return; 13243d958bbcSAppaRao Puli } 13253d958bbcSAppaRao Puli BMCWEB_LOG_DEBUG << "Got " << propertiesList.size() 13263d958bbcSAppaRao Puli << "properties for AccountService"; 13273d958bbcSAppaRao Puli for (const std::pair<std::string, 1328168e20c1SEd Tanous dbus::utility::DbusVariantType>& 1329168e20c1SEd Tanous property : propertiesList) 13303d958bbcSAppaRao Puli { 13313d958bbcSAppaRao Puli if (property.first == "MinPasswordLength") 13323d958bbcSAppaRao Puli { 13333d958bbcSAppaRao Puli const uint8_t* value = 1334abf2add6SEd Tanous std::get_if<uint8_t>(&property.second); 13353d958bbcSAppaRao Puli if (value != nullptr) 13363d958bbcSAppaRao Puli { 13373d958bbcSAppaRao Puli asyncResp->res.jsonValue["MinPasswordLength"] = 13383d958bbcSAppaRao Puli *value; 13393d958bbcSAppaRao Puli } 13403d958bbcSAppaRao Puli } 13413d958bbcSAppaRao Puli if (property.first == "AccountUnlockTimeout") 13423d958bbcSAppaRao Puli { 13433d958bbcSAppaRao Puli const uint32_t* value = 1344abf2add6SEd Tanous std::get_if<uint32_t>(&property.second); 13453d958bbcSAppaRao Puli if (value != nullptr) 13463d958bbcSAppaRao Puli { 13476c51eab1SEd Tanous asyncResp->res 13486c51eab1SEd Tanous .jsonValue["AccountLockoutDuration"] = 13493d958bbcSAppaRao Puli *value; 13503d958bbcSAppaRao Puli } 13513d958bbcSAppaRao Puli } 13523d958bbcSAppaRao Puli if (property.first == "MaxLoginAttemptBeforeLockout") 13533d958bbcSAppaRao Puli { 13543d958bbcSAppaRao Puli const uint16_t* value = 1355abf2add6SEd Tanous std::get_if<uint16_t>(&property.second); 13563d958bbcSAppaRao Puli if (value != nullptr) 13573d958bbcSAppaRao Puli { 13583d958bbcSAppaRao Puli asyncResp->res 13596c51eab1SEd Tanous .jsonValue["AccountLockoutThreshold"] = 13606c51eab1SEd Tanous *value; 13613d958bbcSAppaRao Puli } 13623d958bbcSAppaRao Puli } 13633d958bbcSAppaRao Puli } 13643d958bbcSAppaRao Puli }, 13653d958bbcSAppaRao Puli "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 13663d958bbcSAppaRao Puli "org.freedesktop.DBus.Properties", "GetAll", 13673d958bbcSAppaRao Puli "xyz.openbmc_project.User.AccountPolicy"); 13686973a582SRatan Gupta 1369ab828d7cSRatan Gupta auto callback = [asyncResp](bool success, LDAPConfigData& confData, 1370ab828d7cSRatan Gupta const std::string& ldapType) { 1371cb13a392SEd Tanous if (!success) 1372cb13a392SEd Tanous { 1373cb13a392SEd Tanous return; 1374cb13a392SEd Tanous } 13756c51eab1SEd Tanous parseLDAPConfigData(asyncResp->res.jsonValue, confData, 13766c51eab1SEd Tanous ldapType); 1377ab828d7cSRatan Gupta }; 1378ab828d7cSRatan Gupta 1379ab828d7cSRatan Gupta getLDAPConfigData("LDAP", callback); 1380ab828d7cSRatan Gupta getLDAPConfigData("ActiveDirectory", callback); 13816c51eab1SEd Tanous }); 13826973a582SRatan Gupta 1383f5ffd806SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 13841ec43ee3SGunnar Mills .privileges(redfish::privileges::patchAccountService) 1385f5ffd806SEd Tanous .methods(boost::beast::http::verb::patch)( 138645ca1b86SEd Tanous [&app]( 138745ca1b86SEd Tanous const crow::Request& req, 1388f5ffd806SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) -> void { 138945ca1b86SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp->res)) 139045ca1b86SEd Tanous { 139145ca1b86SEd Tanous return; 139245ca1b86SEd Tanous } 1393f5ffd806SEd Tanous std::optional<uint32_t> unlockTimeout; 1394f5ffd806SEd Tanous std::optional<uint16_t> lockoutThreshold; 1395ef73ad0dSPaul Fertser std::optional<uint8_t> minPasswordLength; 1396f5ffd806SEd Tanous std::optional<uint16_t> maxPasswordLength; 1397f5ffd806SEd Tanous std::optional<nlohmann::json> ldapObject; 1398f5ffd806SEd Tanous std::optional<nlohmann::json> activeDirectoryObject; 1399f5ffd806SEd Tanous std::optional<nlohmann::json> oemObject; 1400f5ffd806SEd Tanous 140115ed6780SWilly Tu if (!json_util::readJsonPatch( 1402f5ffd806SEd Tanous req, asyncResp->res, "AccountLockoutDuration", 1403f5ffd806SEd Tanous unlockTimeout, "AccountLockoutThreshold", 1404f5ffd806SEd Tanous lockoutThreshold, "MaxPasswordLength", 1405f5ffd806SEd Tanous maxPasswordLength, "MinPasswordLength", 1406f5ffd806SEd Tanous minPasswordLength, "LDAP", ldapObject, 1407f5ffd806SEd Tanous "ActiveDirectory", activeDirectoryObject, "Oem", 1408f5ffd806SEd Tanous oemObject)) 1409f5ffd806SEd Tanous { 1410f5ffd806SEd Tanous return; 1411f5ffd806SEd Tanous } 1412f5ffd806SEd Tanous 1413f5ffd806SEd Tanous if (minPasswordLength) 1414f5ffd806SEd Tanous { 1415ef73ad0dSPaul Fertser crow::connections::systemBus->async_method_call( 1416ef73ad0dSPaul Fertser [asyncResp](const boost::system::error_code ec) { 1417ef73ad0dSPaul Fertser if (ec) 1418ef73ad0dSPaul Fertser { 1419ef73ad0dSPaul Fertser messages::internalError(asyncResp->res); 1420ef73ad0dSPaul Fertser return; 1421ef73ad0dSPaul Fertser } 1422ef73ad0dSPaul Fertser messages::success(asyncResp->res); 1423ef73ad0dSPaul Fertser }, 1424ef73ad0dSPaul Fertser "xyz.openbmc_project.User.Manager", 1425ef73ad0dSPaul Fertser "/xyz/openbmc_project/user", 1426ef73ad0dSPaul Fertser "org.freedesktop.DBus.Properties", "Set", 1427ef73ad0dSPaul Fertser "xyz.openbmc_project.User.AccountPolicy", 1428ef73ad0dSPaul Fertser "MinPasswordLength", 1429ef73ad0dSPaul Fertser dbus::utility::DbusVariantType(*minPasswordLength)); 1430f5ffd806SEd Tanous } 1431f5ffd806SEd Tanous 1432f5ffd806SEd Tanous if (maxPasswordLength) 1433f5ffd806SEd Tanous { 1434f5ffd806SEd Tanous messages::propertyNotWritable(asyncResp->res, 1435f5ffd806SEd Tanous "MaxPasswordLength"); 1436f5ffd806SEd Tanous } 1437f5ffd806SEd Tanous 1438f5ffd806SEd Tanous if (ldapObject) 1439f5ffd806SEd Tanous { 1440f5ffd806SEd Tanous handleLDAPPatch(*ldapObject, asyncResp, "LDAP"); 1441f5ffd806SEd Tanous } 1442f5ffd806SEd Tanous 1443f5ffd806SEd Tanous if (std::optional<nlohmann::json> oemOpenBMCObject; 1444f5ffd806SEd Tanous oemObject && 1445f5ffd806SEd Tanous json_util::readJson(*oemObject, asyncResp->res, "OpenBMC", 1446f5ffd806SEd Tanous oemOpenBMCObject)) 1447f5ffd806SEd Tanous { 1448f5ffd806SEd Tanous if (std::optional<nlohmann::json> authMethodsObject; 1449f5ffd806SEd Tanous oemOpenBMCObject && 1450f5ffd806SEd Tanous json_util::readJson(*oemOpenBMCObject, asyncResp->res, 1451f5ffd806SEd Tanous "AuthMethods", authMethodsObject)) 1452f5ffd806SEd Tanous { 1453f5ffd806SEd Tanous if (authMethodsObject) 1454f5ffd806SEd Tanous { 1455f5ffd806SEd Tanous handleAuthMethodsPatch(*authMethodsObject, 1456f5ffd806SEd Tanous asyncResp); 1457f5ffd806SEd Tanous } 1458f5ffd806SEd Tanous } 1459f5ffd806SEd Tanous } 1460f5ffd806SEd Tanous 1461f5ffd806SEd Tanous if (activeDirectoryObject) 1462f5ffd806SEd Tanous { 1463f5ffd806SEd Tanous handleLDAPPatch(*activeDirectoryObject, asyncResp, 1464f5ffd806SEd Tanous "ActiveDirectory"); 1465f5ffd806SEd Tanous } 1466f5ffd806SEd Tanous 1467f5ffd806SEd Tanous if (unlockTimeout) 1468f5ffd806SEd Tanous { 1469f5ffd806SEd Tanous crow::connections::systemBus->async_method_call( 1470f5ffd806SEd Tanous [asyncResp](const boost::system::error_code ec) { 1471f5ffd806SEd Tanous if (ec) 1472f5ffd806SEd Tanous { 1473f5ffd806SEd Tanous messages::internalError(asyncResp->res); 1474f5ffd806SEd Tanous return; 1475f5ffd806SEd Tanous } 1476f5ffd806SEd Tanous messages::success(asyncResp->res); 1477f5ffd806SEd Tanous }, 1478f5ffd806SEd Tanous "xyz.openbmc_project.User.Manager", 1479f5ffd806SEd Tanous "/xyz/openbmc_project/user", 1480f5ffd806SEd Tanous "org.freedesktop.DBus.Properties", "Set", 1481f5ffd806SEd Tanous "xyz.openbmc_project.User.AccountPolicy", 1482f5ffd806SEd Tanous "AccountUnlockTimeout", 1483168e20c1SEd Tanous dbus::utility::DbusVariantType(*unlockTimeout)); 1484f5ffd806SEd Tanous } 1485f5ffd806SEd Tanous if (lockoutThreshold) 1486f5ffd806SEd Tanous { 1487f5ffd806SEd Tanous crow::connections::systemBus->async_method_call( 1488f5ffd806SEd Tanous [asyncResp](const boost::system::error_code ec) { 1489f5ffd806SEd Tanous if (ec) 1490f5ffd806SEd Tanous { 1491f5ffd806SEd Tanous messages::internalError(asyncResp->res); 1492f5ffd806SEd Tanous return; 1493f5ffd806SEd Tanous } 1494f5ffd806SEd Tanous messages::success(asyncResp->res); 1495f5ffd806SEd Tanous }, 1496f5ffd806SEd Tanous "xyz.openbmc_project.User.Manager", 1497f5ffd806SEd Tanous "/xyz/openbmc_project/user", 1498f5ffd806SEd Tanous "org.freedesktop.DBus.Properties", "Set", 1499f5ffd806SEd Tanous "xyz.openbmc_project.User.AccountPolicy", 1500f5ffd806SEd Tanous "MaxLoginAttemptBeforeLockout", 1501168e20c1SEd Tanous dbus::utility::DbusVariantType(*lockoutThreshold)); 1502f5ffd806SEd Tanous } 1503f5ffd806SEd Tanous }); 1504f5ffd806SEd Tanous 15056c51eab1SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 1506ed398213SEd Tanous .privileges(redfish::privileges::getManagerAccountCollection) 15076c51eab1SEd Tanous .methods(boost::beast::http::verb::get)( 150845ca1b86SEd Tanous [&app]( 150945ca1b86SEd Tanous const crow::Request& req, 15106c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) -> void { 151145ca1b86SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp->res)) 151245ca1b86SEd Tanous { 151345ca1b86SEd Tanous return; 151445ca1b86SEd Tanous } 1515*1476687dSEd Tanous 1516*1476687dSEd Tanous asyncResp->res.jsonValue["@odata.id"] = 1517*1476687dSEd Tanous "/redfish/v1/AccountService/Accounts"; 1518*1476687dSEd Tanous asyncResp->res.jsonValue["@odata.type"] = 1519*1476687dSEd Tanous "#ManagerAccountCollection." 1520*1476687dSEd Tanous "ManagerAccountCollection"; 1521*1476687dSEd Tanous asyncResp->res.jsonValue["Name"] = "Accounts Collection"; 1522*1476687dSEd Tanous asyncResp->res.jsonValue["Description"] = "BMC User Accounts"; 15230f74e643SEd Tanous 15246c51eab1SEd Tanous Privileges effectiveUserPrivileges = 15256c51eab1SEd Tanous redfish::getUserPrivileges(req.userRole); 15266c51eab1SEd Tanous 1527f5e29f33SJunLin Chen std::string thisUser; 1528f5e29f33SJunLin Chen if (req.session) 1529f5e29f33SJunLin Chen { 1530f5e29f33SJunLin Chen thisUser = req.session->username; 1531f5e29f33SJunLin Chen } 1532b9b2e0b2SEd Tanous crow::connections::systemBus->async_method_call( 1533cef1ddfbSEd Tanous [asyncResp, thisUser, effectiveUserPrivileges]( 1534cef1ddfbSEd Tanous const boost::system::error_code ec, 1535711ac7a9SEd Tanous const dbus::utility::ManagedObjectType& users) { 1536b9b2e0b2SEd Tanous if (ec) 1537b9b2e0b2SEd Tanous { 1538f12894f8SJason M. Bills messages::internalError(asyncResp->res); 1539b9b2e0b2SEd Tanous return; 1540b9b2e0b2SEd Tanous } 1541b9b2e0b2SEd Tanous 1542cef1ddfbSEd Tanous bool userCanSeeAllAccounts = 1543cef1ddfbSEd Tanous effectiveUserPrivileges.isSupersetOf( 15444f48d5f6SEd Tanous {"ConfigureUsers"}); 1545cef1ddfbSEd Tanous 1546cef1ddfbSEd Tanous bool userCanSeeSelf = 1547cef1ddfbSEd Tanous effectiveUserPrivileges.isSupersetOf( 15484f48d5f6SEd Tanous {"ConfigureSelf"}); 1549cef1ddfbSEd Tanous 1550b9b2e0b2SEd Tanous nlohmann::json& memberArray = 1551b9b2e0b2SEd Tanous asyncResp->res.jsonValue["Members"]; 1552b9b2e0b2SEd Tanous memberArray = nlohmann::json::array(); 1553b9b2e0b2SEd Tanous 15549eb808c1SEd Tanous for (const auto& userpath : users) 1555b9b2e0b2SEd Tanous { 15562dfd18efSEd Tanous std::string user = userpath.first.filename(); 15572dfd18efSEd Tanous if (user.empty()) 1558b9b2e0b2SEd Tanous { 15592dfd18efSEd Tanous messages::internalError(asyncResp->res); 15602dfd18efSEd Tanous BMCWEB_LOG_ERROR << "Invalid firmware ID"; 15612dfd18efSEd Tanous 15622dfd18efSEd Tanous return; 1563b9b2e0b2SEd Tanous } 1564f365910cSGunnar Mills 1565f365910cSGunnar Mills // As clarified by Redfish here: 1566f365910cSGunnar Mills // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration 15676c51eab1SEd Tanous // Users without ConfigureUsers, only see their own 15686c51eab1SEd Tanous // account. Users with ConfigureUsers, see all 15696c51eab1SEd Tanous // accounts. 1570cef1ddfbSEd Tanous if (userCanSeeAllAccounts || 1571cef1ddfbSEd Tanous (thisUser == user && userCanSeeSelf)) 1572f365910cSGunnar Mills { 1573*1476687dSEd Tanous nlohmann::json::object_t member; 1574*1476687dSEd Tanous member["@odata.id"] = 15756c51eab1SEd Tanous "/redfish/v1/AccountService/Accounts/" + 1576*1476687dSEd Tanous user; 1577*1476687dSEd Tanous memberArray.push_back(std::move(member)); 1578b9b2e0b2SEd Tanous } 1579f365910cSGunnar Mills } 1580f365910cSGunnar Mills asyncResp->res.jsonValue["Members@odata.count"] = 1581f365910cSGunnar Mills memberArray.size(); 1582b9b2e0b2SEd Tanous }, 15836c51eab1SEd Tanous "xyz.openbmc_project.User.Manager", 15846c51eab1SEd Tanous "/xyz/openbmc_project/user", 1585b9b2e0b2SEd Tanous "org.freedesktop.DBus.ObjectManager", "GetManagedObjects"); 15866c51eab1SEd Tanous }); 15876c51eab1SEd Tanous 15886c51eab1SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 1589ed398213SEd Tanous .privileges(redfish::privileges::postManagerAccountCollection) 159045ca1b86SEd Tanous .methods( 159145ca1b86SEd Tanous boost::beast::http::verb::post)([&app](const crow::Request& req, 15926c51eab1SEd Tanous const std::shared_ptr< 15936c51eab1SEd Tanous bmcweb::AsyncResp>& 15946c51eab1SEd Tanous asyncResp) -> void { 159545ca1b86SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp->res)) 159645ca1b86SEd Tanous { 159745ca1b86SEd Tanous return; 159845ca1b86SEd Tanous } 15999712f8acSEd Tanous std::string username; 16009712f8acSEd Tanous std::string password; 1601a24526dcSEd Tanous std::optional<std::string> roleId("User"); 1602a24526dcSEd Tanous std::optional<bool> enabled = true; 160315ed6780SWilly Tu if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", 160415ed6780SWilly Tu username, "Password", password, 160515ed6780SWilly Tu "RoleId", roleId, "Enabled", enabled)) 160604ae99ecSEd Tanous { 160704ae99ecSEd Tanous return; 160804ae99ecSEd Tanous } 160904ae99ecSEd Tanous 161054fc587aSNagaraju Goruganti std::string priv = getPrivilegeFromRoleId(*roleId); 161184e12cb7SAppaRao Puli if (priv.empty()) 161204ae99ecSEd Tanous { 16136c51eab1SEd Tanous messages::propertyValueNotInList(asyncResp->res, *roleId, 16146c51eab1SEd Tanous "RoleId"); 161504ae99ecSEd Tanous return; 161604ae99ecSEd Tanous } 161796200606Sjayaprakash Mutyala // TODO: Following override will be reverted once support in 16186c51eab1SEd Tanous // phosphor-user-manager is added. In order to avoid dependency 16196c51eab1SEd Tanous // issues, this is added in bmcweb, which will removed, once 162096200606Sjayaprakash Mutyala // phosphor-user-manager supports priv-noaccess. 162196200606Sjayaprakash Mutyala if (priv == "priv-noaccess") 162296200606Sjayaprakash Mutyala { 162396200606Sjayaprakash Mutyala roleId = ""; 162496200606Sjayaprakash Mutyala } 162596200606Sjayaprakash Mutyala else 162696200606Sjayaprakash Mutyala { 16279712f8acSEd Tanous roleId = priv; 162896200606Sjayaprakash Mutyala } 162904ae99ecSEd Tanous 1630599c71d8SAyushi Smriti // Reading AllGroups property 16311e1e598dSJonathan Doman sdbusplus::asio::getProperty<std::vector<std::string>>( 16321e1e598dSJonathan Doman *crow::connections::systemBus, 16331e1e598dSJonathan Doman "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 16341e1e598dSJonathan Doman "xyz.openbmc_project.User.Manager", "AllGroups", 1635599c71d8SAyushi Smriti [asyncResp, username, password{std::move(password)}, roleId, 1636168e20c1SEd Tanous enabled](const boost::system::error_code ec, 16371e1e598dSJonathan Doman const std::vector<std::string>& allGroupsList) { 1638599c71d8SAyushi Smriti if (ec) 1639599c71d8SAyushi Smriti { 1640599c71d8SAyushi Smriti BMCWEB_LOG_DEBUG << "ERROR with async_method_call"; 1641599c71d8SAyushi Smriti messages::internalError(asyncResp->res); 1642599c71d8SAyushi Smriti return; 1643599c71d8SAyushi Smriti } 1644599c71d8SAyushi Smriti 16451e1e598dSJonathan Doman if (allGroupsList.empty()) 1646599c71d8SAyushi Smriti { 1647599c71d8SAyushi Smriti messages::internalError(asyncResp->res); 1648599c71d8SAyushi Smriti return; 1649599c71d8SAyushi Smriti } 1650599c71d8SAyushi Smriti 165104ae99ecSEd Tanous crow::connections::systemBus->async_method_call( 1652f23b7296SEd Tanous [asyncResp, username, 1653f23b7296SEd Tanous password](const boost::system::error_code ec2, 16540d4197e0Sanil kumar appana sdbusplus::message::message& m) { 165523a21a1cSEd Tanous if (ec2) 165604ae99ecSEd Tanous { 16576c51eab1SEd Tanous userErrorMessageHandler( 16586c51eab1SEd Tanous m.get_error(), asyncResp, username, ""); 165904ae99ecSEd Tanous return; 166004ae99ecSEd Tanous } 166104ae99ecSEd Tanous 166266b5ca76Sjayaprakash Mutyala if (pamUpdatePassword(username, password) != 166366b5ca76Sjayaprakash Mutyala PAM_SUCCESS) 166404ae99ecSEd Tanous { 16656c51eab1SEd Tanous // At this point we have a user that's been 16666c51eab1SEd Tanous // created, but the password set 16676c51eab1SEd Tanous // failed.Something is wrong, so delete the user 16686c51eab1SEd Tanous // that we've already created 1669b477fd44SP Dheeraj Srujan Kumar sdbusplus::message::object_path tempObjPath( 1670b477fd44SP Dheeraj Srujan Kumar rootUserDbusPath); 1671b477fd44SP Dheeraj Srujan Kumar tempObjPath /= username; 1672b477fd44SP Dheeraj Srujan Kumar const std::string userPath(tempObjPath); 1673b477fd44SP Dheeraj Srujan Kumar 167404ae99ecSEd Tanous crow::connections::systemBus->async_method_call( 167523a21a1cSEd Tanous [asyncResp, password]( 167623a21a1cSEd Tanous const boost::system::error_code ec3) { 167723a21a1cSEd Tanous if (ec3) 167804ae99ecSEd Tanous { 16796c51eab1SEd Tanous messages::internalError( 16806c51eab1SEd Tanous asyncResp->res); 168104ae99ecSEd Tanous return; 168204ae99ecSEd Tanous } 168304ae99ecSEd Tanous 16840d4197e0Sanil kumar appana // If password is invalid 16850d4197e0Sanil kumar appana messages::propertyValueFormatError( 16866c51eab1SEd Tanous asyncResp->res, password, 16876c51eab1SEd Tanous "Password"); 168804ae99ecSEd Tanous }, 168904ae99ecSEd Tanous "xyz.openbmc_project.User.Manager", 1690b477fd44SP Dheeraj Srujan Kumar userPath, 16916c51eab1SEd Tanous "xyz.openbmc_project.Object.Delete", 16926c51eab1SEd Tanous "Delete"); 169304ae99ecSEd Tanous 169404ae99ecSEd Tanous BMCWEB_LOG_ERROR << "pamUpdatePassword Failed"; 169504ae99ecSEd Tanous return; 169604ae99ecSEd Tanous } 169704ae99ecSEd Tanous 1698f12894f8SJason M. Bills messages::created(asyncResp->res); 169904ae99ecSEd Tanous asyncResp->res.addHeader( 170004ae99ecSEd Tanous "Location", 17016c51eab1SEd Tanous "/redfish/v1/AccountService/Accounts/" + 17026c51eab1SEd Tanous username); 170304ae99ecSEd Tanous }, 1704599c71d8SAyushi Smriti "xyz.openbmc_project.User.Manager", 1705599c71d8SAyushi Smriti "/xyz/openbmc_project/user", 17066c51eab1SEd Tanous "xyz.openbmc_project.User.Manager", "CreateUser", 17071e1e598dSJonathan Doman username, allGroupsList, *roleId, *enabled); 17081e1e598dSJonathan Doman }); 17096c51eab1SEd Tanous }); 1710b9b2e0b2SEd Tanous 17116c51eab1SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 1712ed398213SEd Tanous .privileges(redfish::privileges::getManagerAccount) 17136c51eab1SEd Tanous .methods( 17146c51eab1SEd Tanous boost::beast::http::verb:: 1715031514fbSJunLin Chen get)([&app]([[maybe_unused]] const crow::Request& req, 17166c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 17176c51eab1SEd Tanous const std::string& accountName) -> void { 171845ca1b86SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp->res)) 171945ca1b86SEd Tanous { 172045ca1b86SEd Tanous return; 172145ca1b86SEd Tanous } 1722031514fbSJunLin Chen #ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION 1723031514fbSJunLin Chen // If authentication is disabled, there are no user accounts 1724031514fbSJunLin Chen messages::resourceNotFound(asyncResp->res, 1725031514fbSJunLin Chen "#ManagerAccount.v1_4_0.ManagerAccount", 1726031514fbSJunLin Chen accountName); 1727031514fbSJunLin Chen return; 1728031514fbSJunLin Chen 1729031514fbSJunLin Chen #endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION 1730031514fbSJunLin Chen if (req.session == nullptr) 1731031514fbSJunLin Chen { 1732031514fbSJunLin Chen messages::internalError(asyncResp->res); 1733031514fbSJunLin Chen return; 1734031514fbSJunLin Chen } 17356c51eab1SEd Tanous if (req.session->username != accountName) 1736b9b2e0b2SEd Tanous { 17376c51eab1SEd Tanous // At this point we've determined that the user is trying to 17386c51eab1SEd Tanous // modify a user that isn't them. We need to verify that they 17396c51eab1SEd Tanous // have permissions to modify other users, so re-run the auth 17406c51eab1SEd Tanous // check with the same permissions, minus ConfigureSelf. 17416c51eab1SEd Tanous Privileges effectiveUserPrivileges = 17426c51eab1SEd Tanous redfish::getUserPrivileges(req.userRole); 17436c51eab1SEd Tanous Privileges requiredPermissionsToChangeNonSelf = { 17444f48d5f6SEd Tanous "ConfigureUsers", "ConfigureManager"}; 17456c51eab1SEd Tanous if (!effectiveUserPrivileges.isSupersetOf( 17466c51eab1SEd Tanous requiredPermissionsToChangeNonSelf)) 1747900f9497SJoseph Reynolds { 1748900f9497SJoseph Reynolds BMCWEB_LOG_DEBUG << "GET Account denied access"; 1749900f9497SJoseph Reynolds messages::insufficientPrivilege(asyncResp->res); 1750900f9497SJoseph Reynolds return; 1751900f9497SJoseph Reynolds } 1752900f9497SJoseph Reynolds } 1753900f9497SJoseph Reynolds 1754b9b2e0b2SEd Tanous crow::connections::systemBus->async_method_call( 1755711ac7a9SEd Tanous [asyncResp, 1756711ac7a9SEd Tanous accountName](const boost::system::error_code ec, 1757711ac7a9SEd Tanous const dbus::utility::ManagedObjectType& users) { 1758b9b2e0b2SEd Tanous if (ec) 1759b9b2e0b2SEd Tanous { 1760f12894f8SJason M. Bills messages::internalError(asyncResp->res); 1761b9b2e0b2SEd Tanous return; 1762b9b2e0b2SEd Tanous } 1763711ac7a9SEd Tanous const auto userIt = std::find_if( 1764b477fd44SP Dheeraj Srujan Kumar users.begin(), users.end(), 1765b477fd44SP Dheeraj Srujan Kumar [accountName]( 1766b477fd44SP Dheeraj Srujan Kumar const std::pair<sdbusplus::message::object_path, 1767711ac7a9SEd Tanous dbus::utility::DBusInteracesMap>& 1768711ac7a9SEd Tanous user) { 176955f79e6fSEd Tanous return accountName == user.first.filename(); 1770b477fd44SP Dheeraj Srujan Kumar }); 1771b9b2e0b2SEd Tanous 177284e12cb7SAppaRao Puli if (userIt == users.end()) 1773b9b2e0b2SEd Tanous { 17746c51eab1SEd Tanous messages::resourceNotFound( 17756c51eab1SEd Tanous asyncResp->res, "ManagerAccount", accountName); 177684e12cb7SAppaRao Puli return; 177784e12cb7SAppaRao Puli } 17784e68c45bSAyushi Smriti 1779*1476687dSEd Tanous asyncResp->res.jsonValue["@odata.type"] = 1780*1476687dSEd Tanous "#ManagerAccount.v1_4_0.ManagerAccount"; 1781*1476687dSEd Tanous asyncResp->res.jsonValue["Name"] = "User Account"; 1782*1476687dSEd Tanous asyncResp->res.jsonValue["Description"] = "User Account"; 1783*1476687dSEd Tanous asyncResp->res.jsonValue["Password"] = nullptr; 1784*1476687dSEd Tanous asyncResp->res.jsonValue["AccountTypes"] = {"Redfish"}; 17854e68c45bSAyushi Smriti 178684e12cb7SAppaRao Puli for (const auto& interface : userIt->second) 178765b0dc32SEd Tanous { 178865b0dc32SEd Tanous if (interface.first == 178965b0dc32SEd Tanous "xyz.openbmc_project.User.Attributes") 179065b0dc32SEd Tanous { 179165b0dc32SEd Tanous for (const auto& property : interface.second) 179265b0dc32SEd Tanous { 179365b0dc32SEd Tanous if (property.first == "UserEnabled") 179465b0dc32SEd Tanous { 179565b0dc32SEd Tanous const bool* userEnabled = 1796abf2add6SEd Tanous std::get_if<bool>(&property.second); 179765b0dc32SEd Tanous if (userEnabled == nullptr) 179865b0dc32SEd Tanous { 179965b0dc32SEd Tanous BMCWEB_LOG_ERROR 180065b0dc32SEd Tanous << "UserEnabled wasn't a bool"; 180184e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 180284e12cb7SAppaRao Puli return; 180365b0dc32SEd Tanous } 180465b0dc32SEd Tanous asyncResp->res.jsonValue["Enabled"] = 180565b0dc32SEd Tanous *userEnabled; 180665b0dc32SEd Tanous } 180765b0dc32SEd Tanous else if (property.first == 180865b0dc32SEd Tanous "UserLockedForFailedAttempt") 180965b0dc32SEd Tanous { 181065b0dc32SEd Tanous const bool* userLocked = 1811abf2add6SEd Tanous std::get_if<bool>(&property.second); 181265b0dc32SEd Tanous if (userLocked == nullptr) 181365b0dc32SEd Tanous { 181484e12cb7SAppaRao Puli BMCWEB_LOG_ERROR << "UserLockedForF" 181584e12cb7SAppaRao Puli "ailedAttempt " 181684e12cb7SAppaRao Puli "wasn't a bool"; 181784e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 181884e12cb7SAppaRao Puli return; 181965b0dc32SEd Tanous } 182065b0dc32SEd Tanous asyncResp->res.jsonValue["Locked"] = 182165b0dc32SEd Tanous *userLocked; 182224c8542dSRatan Gupta asyncResp->res.jsonValue 182324c8542dSRatan Gupta ["Locked@Redfish.AllowableValues"] = { 18243bf4e632SJoseph Reynolds "false"}; // can only unlock accounts 182565b0dc32SEd Tanous } 182684e12cb7SAppaRao Puli else if (property.first == "UserPrivilege") 182784e12cb7SAppaRao Puli { 182854fc587aSNagaraju Goruganti const std::string* userPrivPtr = 18296c51eab1SEd Tanous std::get_if<std::string>( 18306c51eab1SEd Tanous &property.second); 183154fc587aSNagaraju Goruganti if (userPrivPtr == nullptr) 183284e12cb7SAppaRao Puli { 183384e12cb7SAppaRao Puli BMCWEB_LOG_ERROR 183484e12cb7SAppaRao Puli << "UserPrivilege wasn't a " 183584e12cb7SAppaRao Puli "string"; 183684e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 183784e12cb7SAppaRao Puli return; 183884e12cb7SAppaRao Puli } 183954fc587aSNagaraju Goruganti std::string role = 184054fc587aSNagaraju Goruganti getRoleIdFromPrivilege(*userPrivPtr); 184154fc587aSNagaraju Goruganti if (role.empty()) 184284e12cb7SAppaRao Puli { 184384e12cb7SAppaRao Puli BMCWEB_LOG_ERROR << "Invalid user role"; 184484e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 184584e12cb7SAppaRao Puli return; 184684e12cb7SAppaRao Puli } 184754fc587aSNagaraju Goruganti asyncResp->res.jsonValue["RoleId"] = role; 184884e12cb7SAppaRao Puli 1849*1476687dSEd Tanous nlohmann::json& roleEntry = 1850*1476687dSEd Tanous asyncResp->res 1851*1476687dSEd Tanous .jsonValue["Links"]["Role"]; 1852*1476687dSEd Tanous roleEntry["@odata.id"] = 18530fda0f12SGeorge Liu "/redfish/v1/AccountService/Roles/" + 1854*1476687dSEd Tanous role; 185584e12cb7SAppaRao Puli } 18566c51eab1SEd Tanous else if (property.first == 18576c51eab1SEd Tanous "UserPasswordExpired") 18583bf4e632SJoseph Reynolds { 18593bf4e632SJoseph Reynolds const bool* userPasswordExpired = 18603bf4e632SJoseph Reynolds std::get_if<bool>(&property.second); 18613bf4e632SJoseph Reynolds if (userPasswordExpired == nullptr) 18623bf4e632SJoseph Reynolds { 18630fda0f12SGeorge Liu BMCWEB_LOG_ERROR 18640fda0f12SGeorge Liu << "UserPasswordExpired wasn't a bool"; 18653bf4e632SJoseph Reynolds messages::internalError(asyncResp->res); 18663bf4e632SJoseph Reynolds return; 18673bf4e632SJoseph Reynolds } 18683bf4e632SJoseph Reynolds asyncResp->res 18693bf4e632SJoseph Reynolds .jsonValue["PasswordChangeRequired"] = 18703bf4e632SJoseph Reynolds *userPasswordExpired; 18713bf4e632SJoseph Reynolds } 187265b0dc32SEd Tanous } 187365b0dc32SEd Tanous } 187465b0dc32SEd Tanous } 187565b0dc32SEd Tanous 1876b9b2e0b2SEd Tanous asyncResp->res.jsonValue["@odata.id"] = 187784e12cb7SAppaRao Puli "/redfish/v1/AccountService/Accounts/" + accountName; 1878b9b2e0b2SEd Tanous asyncResp->res.jsonValue["Id"] = accountName; 1879b9b2e0b2SEd Tanous asyncResp->res.jsonValue["UserName"] = accountName; 1880b9b2e0b2SEd Tanous }, 1881b9b2e0b2SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1882b9b2e0b2SEd Tanous "org.freedesktop.DBus.ObjectManager", "GetManagedObjects"); 18836c51eab1SEd Tanous }); 1884a840879dSEd Tanous 18856c51eab1SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 1886ed398213SEd Tanous // TODO this privilege should be using the generated endpoints, but 1887ed398213SEd Tanous // because of the special handling of ConfigureSelf, it's not able to 1888ed398213SEd Tanous // yet 18896c51eab1SEd Tanous .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}}) 18906c51eab1SEd Tanous .methods(boost::beast::http::verb::patch)( 189145ca1b86SEd Tanous [&app](const crow::Request& req, 18926c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 18936c51eab1SEd Tanous const std::string& username) -> void { 189445ca1b86SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp->res)) 189545ca1b86SEd Tanous { 189645ca1b86SEd Tanous return; 189745ca1b86SEd Tanous } 1898031514fbSJunLin Chen #ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION 1899031514fbSJunLin Chen // If authentication is disabled, there are no user accounts 1900031514fbSJunLin Chen messages::resourceNotFound( 1901031514fbSJunLin Chen asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", 1902031514fbSJunLin Chen username); 1903031514fbSJunLin Chen return; 1904031514fbSJunLin Chen 1905031514fbSJunLin Chen #endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION 1906a24526dcSEd Tanous std::optional<std::string> newUserName; 1907a24526dcSEd Tanous std::optional<std::string> password; 1908a24526dcSEd Tanous std::optional<bool> enabled; 1909a24526dcSEd Tanous std::optional<std::string> roleId; 191024c8542dSRatan Gupta std::optional<bool> locked; 1911e9cc5172SEd Tanous 1912031514fbSJunLin Chen if (req.session == nullptr) 1913031514fbSJunLin Chen { 1914031514fbSJunLin Chen messages::internalError(asyncResp->res); 1915031514fbSJunLin Chen return; 1916031514fbSJunLin Chen } 1917031514fbSJunLin Chen 1918e9cc5172SEd Tanous Privileges effectiveUserPrivileges = 1919e9cc5172SEd Tanous redfish::getUserPrivileges(req.userRole); 1920e9cc5172SEd Tanous Privileges configureUsers = {"ConfigureUsers"}; 1921e9cc5172SEd Tanous bool userHasConfigureUsers = 1922e9cc5172SEd Tanous effectiveUserPrivileges.isSupersetOf(configureUsers); 1923e9cc5172SEd Tanous if (userHasConfigureUsers) 1924e9cc5172SEd Tanous { 1925e9cc5172SEd Tanous // Users with ConfigureUsers can modify for all users 192615ed6780SWilly Tu if (!json_util::readJsonPatch( 192715ed6780SWilly Tu req, asyncResp->res, "UserName", newUserName, 192815ed6780SWilly Tu "Password", password, "RoleId", roleId, "Enabled", 1929e9cc5172SEd Tanous enabled, "Locked", locked)) 1930a840879dSEd Tanous { 1931a840879dSEd Tanous return; 1932a840879dSEd Tanous } 1933e9cc5172SEd Tanous } 1934e9cc5172SEd Tanous else 1935900f9497SJoseph Reynolds { 1936e9cc5172SEd Tanous // ConfigureSelf accounts can only modify their own account 1937e9cc5172SEd Tanous if (username != req.session->username) 1938900f9497SJoseph Reynolds { 1939900f9497SJoseph Reynolds messages::insufficientPrivilege(asyncResp->res); 1940900f9497SJoseph Reynolds return; 1941900f9497SJoseph Reynolds } 1942031514fbSJunLin Chen 1943e9cc5172SEd Tanous // ConfigureSelf accounts can only modify their password 194415ed6780SWilly Tu if (!json_util::readJsonPatch(req, asyncResp->res, 194515ed6780SWilly Tu "Password", password)) 1946e9cc5172SEd Tanous { 1947e9cc5172SEd Tanous return; 1948e9cc5172SEd Tanous } 1949900f9497SJoseph Reynolds } 1950900f9497SJoseph Reynolds 195166b5ca76Sjayaprakash Mutyala // if user name is not provided in the patch method or if it 19526c51eab1SEd Tanous // matches the user name in the URI, then we are treating it as 19536c51eab1SEd Tanous // updating user properties other then username. If username 19546c51eab1SEd Tanous // provided doesn't match the URI, then we are treating this as 19556c51eab1SEd Tanous // user rename request. 195666b5ca76Sjayaprakash Mutyala if (!newUserName || (newUserName.value() == username)) 1957a840879dSEd Tanous { 19586c51eab1SEd Tanous updateUserProperties(asyncResp, username, password, enabled, 19596c51eab1SEd Tanous roleId, locked); 196084e12cb7SAppaRao Puli return; 196184e12cb7SAppaRao Puli } 196284e12cb7SAppaRao Puli crow::connections::systemBus->async_method_call( 19636c51eab1SEd Tanous [asyncResp, username, password(std::move(password)), 1964f23b7296SEd Tanous roleId(std::move(roleId)), enabled, 196566b5ca76Sjayaprakash Mutyala newUser{std::string(*newUserName)}, 1966f23b7296SEd Tanous locked](const boost::system::error_code ec, 196766b5ca76Sjayaprakash Mutyala sdbusplus::message::message& m) { 196884e12cb7SAppaRao Puli if (ec) 196984e12cb7SAppaRao Puli { 19706c51eab1SEd Tanous userErrorMessageHandler(m.get_error(), asyncResp, 19716c51eab1SEd Tanous newUser, username); 1972a840879dSEd Tanous return; 1973a840879dSEd Tanous } 1974a840879dSEd Tanous 19756c51eab1SEd Tanous updateUserProperties(asyncResp, newUser, password, 19766c51eab1SEd Tanous enabled, roleId, locked); 197784e12cb7SAppaRao Puli }, 19786c51eab1SEd Tanous "xyz.openbmc_project.User.Manager", 19796c51eab1SEd Tanous "/xyz/openbmc_project/user", 198084e12cb7SAppaRao Puli "xyz.openbmc_project.User.Manager", "RenameUser", username, 198184e12cb7SAppaRao Puli *newUserName); 19826c51eab1SEd Tanous }); 198384e12cb7SAppaRao Puli 19846c51eab1SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 1985ed398213SEd Tanous .privileges(redfish::privileges::deleteManagerAccount) 19866c51eab1SEd Tanous .methods(boost::beast::http::verb::delete_)( 198745ca1b86SEd Tanous [&app](const crow::Request& req, 19886c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 19896c51eab1SEd Tanous const std::string& username) -> void { 199045ca1b86SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp->res)) 199145ca1b86SEd Tanous { 199245ca1b86SEd Tanous return; 199345ca1b86SEd Tanous } 1994031514fbSJunLin Chen 1995031514fbSJunLin Chen #ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION 1996031514fbSJunLin Chen // If authentication is disabled, there are no user accounts 1997031514fbSJunLin Chen messages::resourceNotFound( 1998031514fbSJunLin Chen asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", 1999031514fbSJunLin Chen username); 2000031514fbSJunLin Chen return; 2001031514fbSJunLin Chen 2002031514fbSJunLin Chen #endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION 2003b477fd44SP Dheeraj Srujan Kumar sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 2004b477fd44SP Dheeraj Srujan Kumar tempObjPath /= username; 2005b477fd44SP Dheeraj Srujan Kumar const std::string userPath(tempObjPath); 200624c8542dSRatan Gupta 20076c51eab1SEd Tanous crow::connections::systemBus->async_method_call( 20086c51eab1SEd Tanous [asyncResp, username](const boost::system::error_code ec) { 20096c51eab1SEd Tanous if (ec) 201066b5ca76Sjayaprakash Mutyala { 201166b5ca76Sjayaprakash Mutyala messages::resourceNotFound( 201266b5ca76Sjayaprakash Mutyala asyncResp->res, 20136c51eab1SEd Tanous "#ManagerAccount.v1_4_0.ManagerAccount", 2014f12894f8SJason M. Bills username); 201506e086d9SEd Tanous return; 201606e086d9SEd Tanous } 201706e086d9SEd Tanous 2018f12894f8SJason M. Bills messages::accountRemoved(asyncResp->res); 201906e086d9SEd Tanous }, 202006e086d9SEd Tanous "xyz.openbmc_project.User.Manager", userPath, 202106e086d9SEd Tanous "xyz.openbmc_project.Object.Delete", "Delete"); 20226c51eab1SEd Tanous }); 202306e086d9SEd Tanous } 202488d16c9aSLewanczyk, Dawid 202588d16c9aSLewanczyk, Dawid } // namespace redfish 2026