140e9b92eSEd Tanous // SPDX-License-Identifier: Apache-2.0 240e9b92eSEd Tanous // SPDX-FileCopyrightText: Copyright OpenBMC Authors 340e9b92eSEd Tanous // SPDX-FileCopyrightText: Copyright 2018 Intel Corporation 488d16c9aSLewanczyk, Dawid #pragma once 588d16c9aSLewanczyk, Dawid 6d7857201SEd Tanous #include "bmcweb_config.h" 7d7857201SEd Tanous 83ccb3adbSEd Tanous #include "app.hpp" 9d7857201SEd Tanous #include "async_resp.hpp" 10a0735a4eSGunnar Mills #include "boost_formatters.hpp" 111aa375b8SEd Tanous #include "certificate_service.hpp" 123ccb3adbSEd Tanous #include "dbus_utility.hpp" 133ccb3adbSEd Tanous #include "error_messages.hpp" 140ec8b83dSEd Tanous #include "generated/enums/account_service.hpp" 15d7857201SEd Tanous #include "http_request.hpp" 16d7857201SEd Tanous #include "http_response.hpp" 17d7857201SEd Tanous #include "logging.hpp" 18d7857201SEd Tanous #include "pam_authenticate.hpp" 193ccb3adbSEd Tanous #include "persistent_data.hpp" 20d7857201SEd Tanous #include "privileges.hpp" 213ccb3adbSEd Tanous #include "query.hpp" 220ec8b83dSEd Tanous #include "registries/privilege_registry.hpp" 233281bcf1SEd Tanous #include "sessions.hpp" 241aa375b8SEd Tanous #include "utils/collection.hpp" 253ccb3adbSEd Tanous #include "utils/dbus_utils.hpp" 263ccb3adbSEd Tanous #include "utils/json_utils.hpp" 270ec8b83dSEd Tanous 28d7857201SEd Tanous #include <security/_pam_types.h> 29d7857201SEd Tanous #include <systemd/sd-bus.h> 30d7857201SEd Tanous 31d7857201SEd Tanous #include <boost/beast/http/field.hpp> 32d7857201SEd Tanous #include <boost/beast/http/status.hpp> 33d7857201SEd Tanous #include <boost/beast/http/verb.hpp> 341aa375b8SEd Tanous #include <boost/url/format.hpp> 351aa375b8SEd Tanous #include <boost/url/url.hpp> 36d7857201SEd Tanous #include <nlohmann/json.hpp> 37d7857201SEd Tanous #include <sdbusplus/message.hpp> 38d1bde9e5SKrzysztof Grobelny #include <sdbusplus/unpack_properties.hpp> 391214b7e7SGunnar Mills 40d7857201SEd Tanous #include <algorithm> 412b73119cSGeorge Liu #include <array> 42d7857201SEd Tanous #include <cstddef> 43d7857201SEd Tanous #include <cstdint> 44d7857201SEd Tanous #include <cstring> 45d7857201SEd Tanous #include <format> 46d7857201SEd Tanous #include <functional> 471aa375b8SEd Tanous #include <memory> 48c7229815SAbhishek Patel #include <optional> 493544d2a7SEd Tanous #include <ranges> 50c7229815SAbhishek Patel #include <string> 512b73119cSGeorge Liu #include <string_view> 5220fa6a2cSEd Tanous #include <utility> 53d7857201SEd Tanous #include <variant> 54c7229815SAbhishek Patel #include <vector> 55c7229815SAbhishek Patel 561abe55efSEd Tanous namespace redfish 571abe55efSEd Tanous { 5888d16c9aSLewanczyk, Dawid 5923a21a1cSEd Tanous constexpr const char* ldapConfigObjectName = 606973a582SRatan Gupta "/xyz/openbmc_project/user/ldap/openldap"; 612c70f800SEd Tanous constexpr const char* adConfigObject = 62ab828d7cSRatan Gupta "/xyz/openbmc_project/user/ldap/active_directory"; 63ab828d7cSRatan Gupta 64b477fd44SP Dheeraj Srujan Kumar constexpr const char* rootUserDbusPath = "/xyz/openbmc_project/user/"; 656973a582SRatan Gupta constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap"; 666973a582SRatan Gupta constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config"; 676973a582SRatan Gupta constexpr const char* ldapConfigInterface = 686973a582SRatan Gupta "xyz.openbmc_project.User.Ldap.Config"; 696973a582SRatan Gupta constexpr const char* ldapCreateInterface = 706973a582SRatan Gupta "xyz.openbmc_project.User.Ldap.Create"; 716973a582SRatan Gupta constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable"; 7206785244SRatan Gupta constexpr const char* ldapPrivMapperInterface = 7306785244SRatan Gupta "xyz.openbmc_project.User.PrivilegeMapper"; 746973a582SRatan Gupta 7554fc587aSNagaraju Goruganti struct LDAPRoleMapData 7654fc587aSNagaraju Goruganti { 7754fc587aSNagaraju Goruganti std::string groupName; 7854fc587aSNagaraju Goruganti std::string privilege; 7954fc587aSNagaraju Goruganti }; 8054fc587aSNagaraju Goruganti 816973a582SRatan Gupta struct LDAPConfigData 826973a582SRatan Gupta { 8347f2934cSEd Tanous std::string uri; 8447f2934cSEd Tanous std::string bindDN; 8547f2934cSEd Tanous std::string baseDN; 8647f2934cSEd Tanous std::string searchScope; 8747f2934cSEd Tanous std::string serverType; 886973a582SRatan Gupta bool serviceEnabled = false; 8947f2934cSEd Tanous std::string userNameAttribute; 9047f2934cSEd Tanous std::string groupAttribute; 9154fc587aSNagaraju Goruganti std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList; 926973a582SRatan Gupta }; 936973a582SRatan Gupta 9454fc587aSNagaraju Goruganti inline std::string getRoleIdFromPrivilege(std::string_view role) 9584e12cb7SAppaRao Puli { 9684e12cb7SAppaRao Puli if (role == "priv-admin") 9784e12cb7SAppaRao Puli { 9884e12cb7SAppaRao Puli return "Administrator"; 9984e12cb7SAppaRao Puli } 1003174e4dfSEd Tanous if (role == "priv-user") 10184e12cb7SAppaRao Puli { 102c80fee55SAppaRao Puli return "ReadOnly"; 10384e12cb7SAppaRao Puli } 1043174e4dfSEd Tanous if (role == "priv-operator") 10584e12cb7SAppaRao Puli { 10684e12cb7SAppaRao Puli return "Operator"; 10784e12cb7SAppaRao Puli } 10884e12cb7SAppaRao Puli return ""; 10984e12cb7SAppaRao Puli } 11054fc587aSNagaraju Goruganti inline std::string getPrivilegeFromRoleId(std::string_view role) 11184e12cb7SAppaRao Puli { 11284e12cb7SAppaRao Puli if (role == "Administrator") 11384e12cb7SAppaRao Puli { 11484e12cb7SAppaRao Puli return "priv-admin"; 11584e12cb7SAppaRao Puli } 1163174e4dfSEd Tanous if (role == "ReadOnly") 11784e12cb7SAppaRao Puli { 11884e12cb7SAppaRao Puli return "priv-user"; 11984e12cb7SAppaRao Puli } 1203174e4dfSEd Tanous if (role == "Operator") 12184e12cb7SAppaRao Puli { 12284e12cb7SAppaRao Puli return "priv-operator"; 12384e12cb7SAppaRao Puli } 12484e12cb7SAppaRao Puli return ""; 12584e12cb7SAppaRao Puli } 126b9b2e0b2SEd Tanous 127c7229815SAbhishek Patel /** 128c7229815SAbhishek Patel * @brief Maps user group names retrieved from D-Bus object to 129c7229815SAbhishek Patel * Account Types. 130c7229815SAbhishek Patel * 131c7229815SAbhishek Patel * @param[in] userGroups List of User groups 132c7229815SAbhishek Patel * @param[out] res AccountTypes populated 133c7229815SAbhishek Patel * 134c7229815SAbhishek Patel * @return true in case of success, false if UserGroups contains 135c7229815SAbhishek Patel * invalid group name(s). 136c7229815SAbhishek Patel */ 137c7229815SAbhishek Patel inline bool translateUserGroup(const std::vector<std::string>& userGroups, 138c7229815SAbhishek Patel crow::Response& res) 139c7229815SAbhishek Patel { 140c7229815SAbhishek Patel std::vector<std::string> accountTypes; 141c7229815SAbhishek Patel for (const auto& userGroup : userGroups) 142c7229815SAbhishek Patel { 143c7229815SAbhishek Patel if (userGroup == "redfish") 144c7229815SAbhishek Patel { 145c7229815SAbhishek Patel accountTypes.emplace_back("Redfish"); 146c7229815SAbhishek Patel accountTypes.emplace_back("WebUI"); 147c7229815SAbhishek Patel } 148c7229815SAbhishek Patel else if (userGroup == "ipmi") 149c7229815SAbhishek Patel { 150c7229815SAbhishek Patel accountTypes.emplace_back("IPMI"); 151c7229815SAbhishek Patel } 152c7229815SAbhishek Patel else if (userGroup == "ssh") 153c7229815SAbhishek Patel { 154c7229815SAbhishek Patel accountTypes.emplace_back("ManagerConsole"); 155c7229815SAbhishek Patel } 1563e72c202SNinad Palsule else if (userGroup == "hostconsole") 1573e72c202SNinad Palsule { 1583e72c202SNinad Palsule // The hostconsole group controls who can access the host console 1593e72c202SNinad Palsule // port via ssh and websocket. 1603e72c202SNinad Palsule accountTypes.emplace_back("HostConsole"); 1613e72c202SNinad Palsule } 162c7229815SAbhishek Patel else if (userGroup == "web") 163c7229815SAbhishek Patel { 164c7229815SAbhishek Patel // 'web' is one of the valid groups in the UserGroups property of 165c7229815SAbhishek Patel // the user account in the D-Bus object. This group is currently not 166c7229815SAbhishek Patel // doing anything, and is considered to be equivalent to 'redfish'. 167c7229815SAbhishek Patel // 'redfish' user group is mapped to 'Redfish'and 'WebUI' 168c7229815SAbhishek Patel // AccountTypes, so do nothing here... 169c7229815SAbhishek Patel } 170c7229815SAbhishek Patel else 171c7229815SAbhishek Patel { 1728ece0e45SEd Tanous // Invalid user group name. Caller throws an exception. 173c7229815SAbhishek Patel return false; 174c7229815SAbhishek Patel } 175c7229815SAbhishek Patel } 176c7229815SAbhishek Patel 177c7229815SAbhishek Patel res.jsonValue["AccountTypes"] = std::move(accountTypes); 178c7229815SAbhishek Patel return true; 179c7229815SAbhishek Patel } 180c7229815SAbhishek Patel 18158345856SAbhishek Patel /** 18258345856SAbhishek Patel * @brief Builds User Groups from the Account Types 18358345856SAbhishek Patel * 18458345856SAbhishek Patel * @param[in] asyncResp Async Response 18558345856SAbhishek Patel * @param[in] accountTypes List of Account Types 18658345856SAbhishek Patel * @param[out] userGroups List of User Groups mapped from Account Types 18758345856SAbhishek Patel * 18858345856SAbhishek Patel * @return true if Account Types mapped to User Groups, false otherwise. 18958345856SAbhishek Patel */ 190bd79bce8SPatrick Williams inline bool getUserGroupFromAccountType( 191bd79bce8SPatrick Williams crow::Response& res, const std::vector<std::string>& accountTypes, 19258345856SAbhishek Patel std::vector<std::string>& userGroups) 19358345856SAbhishek Patel { 19458345856SAbhishek Patel // Need both Redfish and WebUI Account Types to map to 'redfish' User Group 19558345856SAbhishek Patel bool redfishType = false; 19658345856SAbhishek Patel bool webUIType = false; 19758345856SAbhishek Patel 19858345856SAbhishek Patel for (const auto& accountType : accountTypes) 19958345856SAbhishek Patel { 20058345856SAbhishek Patel if (accountType == "Redfish") 20158345856SAbhishek Patel { 20258345856SAbhishek Patel redfishType = true; 20358345856SAbhishek Patel } 20458345856SAbhishek Patel else if (accountType == "WebUI") 20558345856SAbhishek Patel { 20658345856SAbhishek Patel webUIType = true; 20758345856SAbhishek Patel } 20858345856SAbhishek Patel else if (accountType == "IPMI") 20958345856SAbhishek Patel { 21058345856SAbhishek Patel userGroups.emplace_back("ipmi"); 21158345856SAbhishek Patel } 21258345856SAbhishek Patel else if (accountType == "HostConsole") 21358345856SAbhishek Patel { 21458345856SAbhishek Patel userGroups.emplace_back("hostconsole"); 21558345856SAbhishek Patel } 21658345856SAbhishek Patel else if (accountType == "ManagerConsole") 21758345856SAbhishek Patel { 21858345856SAbhishek Patel userGroups.emplace_back("ssh"); 21958345856SAbhishek Patel } 22058345856SAbhishek Patel else 22158345856SAbhishek Patel { 22258345856SAbhishek Patel // Invalid Account Type 22358345856SAbhishek Patel messages::propertyValueNotInList(res, "AccountTypes", accountType); 22458345856SAbhishek Patel return false; 22558345856SAbhishek Patel } 22658345856SAbhishek Patel } 22758345856SAbhishek Patel 22858345856SAbhishek Patel // Both Redfish and WebUI Account Types are needed to PATCH 22958345856SAbhishek Patel if (redfishType ^ webUIType) 23058345856SAbhishek Patel { 23162598e31SEd Tanous BMCWEB_LOG_ERROR( 23262598e31SEd Tanous "Missing Redfish or WebUI Account Type to set redfish User Group"); 23358345856SAbhishek Patel messages::strictAccountTypes(res, "AccountTypes"); 23458345856SAbhishek Patel return false; 23558345856SAbhishek Patel } 23658345856SAbhishek Patel 23758345856SAbhishek Patel if (redfishType && webUIType) 23858345856SAbhishek Patel { 23958345856SAbhishek Patel userGroups.emplace_back("redfish"); 24058345856SAbhishek Patel } 24158345856SAbhishek Patel 24258345856SAbhishek Patel return true; 24358345856SAbhishek Patel } 24458345856SAbhishek Patel 24558345856SAbhishek Patel /** 24658345856SAbhishek Patel * @brief Sets UserGroups property of the user based on the Account Types 24758345856SAbhishek Patel * 24858345856SAbhishek Patel * @param[in] accountTypes List of User Account Types 24958345856SAbhishek Patel * @param[in] asyncResp Async Response 25058345856SAbhishek Patel * @param[in] dbusObjectPath D-Bus Object Path 25158345856SAbhishek Patel * @param[in] userSelf true if User is updating OWN Account Types 25258345856SAbhishek Patel */ 253504af5a0SPatrick Williams inline void patchAccountTypes( 254504af5a0SPatrick Williams const std::vector<std::string>& accountTypes, 25558345856SAbhishek Patel const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 25658345856SAbhishek Patel const std::string& dbusObjectPath, bool userSelf) 25758345856SAbhishek Patel { 25858345856SAbhishek Patel // Check if User is disabling own Redfish Account Type 25958345856SAbhishek Patel if (userSelf && 26058345856SAbhishek Patel (accountTypes.cend() == 26158345856SAbhishek Patel std::find(accountTypes.cbegin(), accountTypes.cend(), "Redfish"))) 26258345856SAbhishek Patel { 26362598e31SEd Tanous BMCWEB_LOG_ERROR( 26462598e31SEd Tanous "User disabling OWN Redfish Account Type is not allowed"); 26558345856SAbhishek Patel messages::strictAccountTypes(asyncResp->res, "AccountTypes"); 26658345856SAbhishek Patel return; 26758345856SAbhishek Patel } 26858345856SAbhishek Patel 26958345856SAbhishek Patel std::vector<std::string> updatedUserGroups; 27058345856SAbhishek Patel if (!getUserGroupFromAccountType(asyncResp->res, accountTypes, 27158345856SAbhishek Patel updatedUserGroups)) 27258345856SAbhishek Patel { 27358345856SAbhishek Patel // Problem in mapping Account Types to User Groups, Error already 27458345856SAbhishek Patel // logged. 27558345856SAbhishek Patel return; 27658345856SAbhishek Patel } 277e93abac6SGinu George setDbusProperty(asyncResp, "AccountTypes", 278e93abac6SGinu George "xyz.openbmc_project.User.Manager", dbusObjectPath, 279e93abac6SGinu George "xyz.openbmc_project.User.Attributes", "UserGroups", 280e93abac6SGinu George updatedUserGroups); 28158345856SAbhishek Patel } 28258345856SAbhishek Patel 2838d1b46d7Szhanghch05 inline void userErrorMessageHandler( 2848d1b46d7Szhanghch05 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 2858d1b46d7Szhanghch05 const std::string& newUser, const std::string& username) 28666b5ca76Sjayaprakash Mutyala { 28766b5ca76Sjayaprakash Mutyala if (e == nullptr) 28866b5ca76Sjayaprakash Mutyala { 28966b5ca76Sjayaprakash Mutyala messages::internalError(asyncResp->res); 29066b5ca76Sjayaprakash Mutyala return; 29166b5ca76Sjayaprakash Mutyala } 29266b5ca76Sjayaprakash Mutyala 293055806b3SManojkiran Eda const char* errorMessage = e->name; 29466b5ca76Sjayaprakash Mutyala if (strcmp(errorMessage, 29566b5ca76Sjayaprakash Mutyala "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0) 29666b5ca76Sjayaprakash Mutyala { 297d8a5d5d8SJiaqing Zhao messages::resourceAlreadyExists(asyncResp->res, "ManagerAccount", 29866b5ca76Sjayaprakash Mutyala "UserName", newUser); 29966b5ca76Sjayaprakash Mutyala } 30066b5ca76Sjayaprakash Mutyala else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error." 30166b5ca76Sjayaprakash Mutyala "UserNameDoesNotExist") == 0) 30266b5ca76Sjayaprakash Mutyala { 303d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", username); 30466b5ca76Sjayaprakash Mutyala } 305d4d25793SEd Tanous else if ((strcmp(errorMessage, 306d4d25793SEd Tanous "xyz.openbmc_project.Common.Error.InvalidArgument") == 307d4d25793SEd Tanous 0) || 3080fda0f12SGeorge Liu (strcmp( 3090fda0f12SGeorge Liu errorMessage, 3100fda0f12SGeorge Liu "xyz.openbmc_project.User.Common.Error.UserNameGroupFail") == 3110fda0f12SGeorge Liu 0)) 31266b5ca76Sjayaprakash Mutyala { 31366b5ca76Sjayaprakash Mutyala messages::propertyValueFormatError(asyncResp->res, newUser, "UserName"); 31466b5ca76Sjayaprakash Mutyala } 31566b5ca76Sjayaprakash Mutyala else if (strcmp(errorMessage, 31666b5ca76Sjayaprakash Mutyala "xyz.openbmc_project.User.Common.Error.NoResource") == 0) 31766b5ca76Sjayaprakash Mutyala { 31866b5ca76Sjayaprakash Mutyala messages::createLimitReachedForResource(asyncResp->res); 31966b5ca76Sjayaprakash Mutyala } 32066b5ca76Sjayaprakash Mutyala else 32166b5ca76Sjayaprakash Mutyala { 322b8ad583fSGunnar Mills BMCWEB_LOG_ERROR("DBUS response error {}", errorMessage); 32366b5ca76Sjayaprakash Mutyala messages::internalError(asyncResp->res); 32466b5ca76Sjayaprakash Mutyala } 32566b5ca76Sjayaprakash Mutyala } 32666b5ca76Sjayaprakash Mutyala 32781ce609eSEd Tanous inline void parseLDAPConfigData(nlohmann::json& jsonResponse, 328ab828d7cSRatan Gupta const LDAPConfigData& confData, 329ab828d7cSRatan Gupta const std::string& ldapType) 3306973a582SRatan Gupta { 33149cc263fSEd Tanous nlohmann::json::object_t ldap; 3321476687dSEd Tanous ldap["ServiceEnabled"] = confData.serviceEnabled; 33349cc263fSEd Tanous nlohmann::json::array_t serviceAddresses; 33449cc263fSEd Tanous serviceAddresses.emplace_back(confData.uri); 33549cc263fSEd Tanous ldap["ServiceAddresses"] = std::move(serviceAddresses); 33649cc263fSEd Tanous 33749cc263fSEd Tanous nlohmann::json::object_t authentication; 33849cc263fSEd Tanous authentication["AuthenticationType"] = 3390ec8b83dSEd Tanous account_service::AuthenticationTypes::UsernameAndPassword; 34049cc263fSEd Tanous authentication["Username"] = confData.bindDN; 34149cc263fSEd Tanous authentication["Password"] = nullptr; 34249cc263fSEd Tanous ldap["Authentication"] = std::move(authentication); 3431476687dSEd Tanous 34449cc263fSEd Tanous nlohmann::json::object_t ldapService; 34549cc263fSEd Tanous nlohmann::json::object_t searchSettings; 34649cc263fSEd Tanous nlohmann::json::array_t baseDistinguishedNames; 34749cc263fSEd Tanous baseDistinguishedNames.emplace_back(confData.baseDN); 3481476687dSEd Tanous 34949cc263fSEd Tanous searchSettings["BaseDistinguishedNames"] = 35049cc263fSEd Tanous std::move(baseDistinguishedNames); 35149cc263fSEd Tanous searchSettings["UsernameAttribute"] = confData.userNameAttribute; 35249cc263fSEd Tanous searchSettings["GroupsAttribute"] = confData.groupAttribute; 35349cc263fSEd Tanous ldapService["SearchSettings"] = std::move(searchSettings); 35449cc263fSEd Tanous ldap["LDAPService"] = std::move(ldapService); 35549cc263fSEd Tanous 35649cc263fSEd Tanous nlohmann::json::array_t roleMapArray; 3579eb808c1SEd Tanous for (const auto& obj : confData.groupRoleList) 35854fc587aSNagaraju Goruganti { 35962598e31SEd Tanous BMCWEB_LOG_DEBUG("Pushing the data groupName={}", obj.second.groupName); 360613dabeaSEd Tanous 361613dabeaSEd Tanous nlohmann::json::object_t remoteGroup; 362613dabeaSEd Tanous remoteGroup["RemoteGroup"] = obj.second.groupName; 363329f0348SJorge Cisneros remoteGroup["LocalRole"] = getRoleIdFromPrivilege(obj.second.privilege); 364329f0348SJorge Cisneros roleMapArray.emplace_back(std::move(remoteGroup)); 36554fc587aSNagaraju Goruganti } 36649cc263fSEd Tanous 36749cc263fSEd Tanous ldap["RemoteRoleMapping"] = std::move(roleMapArray); 36849cc263fSEd Tanous 36949cc263fSEd Tanous jsonResponse[ldapType].update(ldap); 3706973a582SRatan Gupta } 3716973a582SRatan Gupta 3726973a582SRatan Gupta /** 37306785244SRatan Gupta * @brief validates given JSON input and then calls appropriate method to 37406785244SRatan Gupta * create, to delete or to set Rolemapping object based on the given input. 37506785244SRatan Gupta * 37606785244SRatan Gupta */ 37723a21a1cSEd Tanous inline void handleRoleMapPatch( 3788d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 37906785244SRatan Gupta const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData, 380c1019828SEd Tanous const std::string& serverType, 381c1019828SEd Tanous std::vector<std::variant<nlohmann::json::object_t, std::nullptr_t>>& input) 38206785244SRatan Gupta { 38306785244SRatan Gupta for (size_t index = 0; index < input.size(); index++) 38406785244SRatan Gupta { 385c1019828SEd Tanous std::variant<nlohmann::json::object_t, std::nullptr_t>& thisJson = 386c1019828SEd Tanous input[index]; 387c1019828SEd Tanous nlohmann::json::object_t* obj = 388c1019828SEd Tanous std::get_if<nlohmann::json::object_t>(&thisJson); 389c1019828SEd Tanous if (obj == nullptr) 39006785244SRatan Gupta { 39106785244SRatan Gupta // delete the existing object 39206785244SRatan Gupta if (index < roleMapObjData.size()) 39306785244SRatan Gupta { 394*177612aaSEd Tanous dbus::utility::async_method_call( 395*177612aaSEd Tanous asyncResp, 39606785244SRatan Gupta [asyncResp, roleMapObjData, serverType, 3975e7e2dc5SEd Tanous index](const boost::system::error_code& ec) { 39806785244SRatan Gupta if (ec) 39906785244SRatan Gupta { 40062598e31SEd Tanous BMCWEB_LOG_ERROR("DBUS response error: {}", ec); 40106785244SRatan Gupta messages::internalError(asyncResp->res); 40206785244SRatan Gupta return; 40306785244SRatan Gupta } 404bd79bce8SPatrick Williams asyncResp->res 405bd79bce8SPatrick Williams .jsonValue[serverType]["RemoteRoleMapping"][index] = 406bd79bce8SPatrick Williams nullptr; 40706785244SRatan Gupta }, 40806785244SRatan Gupta ldapDbusService, roleMapObjData[index].first, 40906785244SRatan Gupta "xyz.openbmc_project.Object.Delete", "Delete"); 41006785244SRatan Gupta } 41106785244SRatan Gupta else 41206785244SRatan Gupta { 41362598e31SEd Tanous BMCWEB_LOG_ERROR("Can't delete the object"); 414bd79bce8SPatrick Williams messages::propertyValueTypeError( 415bd79bce8SPatrick Williams asyncResp->res, "null", 416bd79bce8SPatrick Williams "RemoteRoleMapping/" + std::to_string(index)); 41706785244SRatan Gupta return; 41806785244SRatan Gupta } 41906785244SRatan Gupta } 420c1019828SEd Tanous else if (obj->empty()) 42106785244SRatan Gupta { 42206785244SRatan Gupta // Don't do anything for the empty objects,parse next json 42306785244SRatan Gupta // eg {"RemoteRoleMapping",[{}]} 42406785244SRatan Gupta } 42506785244SRatan Gupta else 42606785244SRatan Gupta { 42706785244SRatan Gupta // update/create the object 42806785244SRatan Gupta std::optional<std::string> remoteGroup; 42906785244SRatan Gupta std::optional<std::string> localRole; 43006785244SRatan Gupta 431afc474aeSMyung Bae if (!json_util::readJsonObject( // 432afc474aeSMyung Bae *obj, asyncResp->res, // 433afc474aeSMyung Bae "LocalRole", localRole, // 434afc474aeSMyung Bae "RemoteGroup", remoteGroup // 435afc474aeSMyung Bae )) 43606785244SRatan Gupta { 43706785244SRatan Gupta continue; 43806785244SRatan Gupta } 43906785244SRatan Gupta 44006785244SRatan Gupta // Update existing RoleMapping Object 44106785244SRatan Gupta if (index < roleMapObjData.size()) 44206785244SRatan Gupta { 44362598e31SEd Tanous BMCWEB_LOG_DEBUG("Update Role Map Object"); 44406785244SRatan Gupta // If "RemoteGroup" info is provided 44506785244SRatan Gupta if (remoteGroup) 44606785244SRatan Gupta { 447d02aad39SEd Tanous setDbusProperty( 448e93abac6SGinu George asyncResp, 449d02aad39SEd Tanous std::format("RemoteRoleMapping/{}/RemoteGroup", index), 450e93abac6SGinu George ldapDbusService, roleMapObjData[index].first, 451e93abac6SGinu George "xyz.openbmc_project.User.PrivilegeMapperEntry", 452e93abac6SGinu George "GroupName", *remoteGroup); 45306785244SRatan Gupta } 45406785244SRatan Gupta 45506785244SRatan Gupta // If "LocalRole" info is provided 45606785244SRatan Gupta if (localRole) 45706785244SRatan Gupta { 4586d0b80beSRavi Teja std::string priv = getPrivilegeFromRoleId(*localRole); 4596d0b80beSRavi Teja if (priv.empty()) 4606d0b80beSRavi Teja { 4616d0b80beSRavi Teja messages::propertyValueNotInList( 4626d0b80beSRavi Teja asyncResp->res, *localRole, 4636d0b80beSRavi Teja std::format("RemoteRoleMapping/{}/LocalRole", 4646d0b80beSRavi Teja index)); 4656d0b80beSRavi Teja return; 4666d0b80beSRavi Teja } 467d02aad39SEd Tanous setDbusProperty( 468e93abac6SGinu George asyncResp, 469d02aad39SEd Tanous std::format("RemoteRoleMapping/{}/LocalRole", index), 470e93abac6SGinu George ldapDbusService, roleMapObjData[index].first, 471e93abac6SGinu George "xyz.openbmc_project.User.PrivilegeMapperEntry", 4726d0b80beSRavi Teja "Privilege", priv); 47306785244SRatan Gupta } 47406785244SRatan Gupta } 47506785244SRatan Gupta // Create a new RoleMapping Object. 47606785244SRatan Gupta else 47706785244SRatan Gupta { 47862598e31SEd Tanous BMCWEB_LOG_DEBUG( 47962598e31SEd Tanous "setRoleMappingProperties: Creating new Object"); 480bd79bce8SPatrick Williams std::string pathString = 481bd79bce8SPatrick Williams "RemoteRoleMapping/" + std::to_string(index); 48206785244SRatan Gupta 48306785244SRatan Gupta if (!localRole) 48406785244SRatan Gupta { 48506785244SRatan Gupta messages::propertyMissing(asyncResp->res, 48606785244SRatan Gupta pathString + "/LocalRole"); 48706785244SRatan Gupta continue; 48806785244SRatan Gupta } 48906785244SRatan Gupta if (!remoteGroup) 49006785244SRatan Gupta { 49106785244SRatan Gupta messages::propertyMissing(asyncResp->res, 49206785244SRatan Gupta pathString + "/RemoteGroup"); 49306785244SRatan Gupta continue; 49406785244SRatan Gupta } 49506785244SRatan Gupta 49606785244SRatan Gupta std::string dbusObjectPath; 49706785244SRatan Gupta if (serverType == "ActiveDirectory") 49806785244SRatan Gupta { 4992c70f800SEd Tanous dbusObjectPath = adConfigObject; 50006785244SRatan Gupta } 50106785244SRatan Gupta else if (serverType == "LDAP") 50206785244SRatan Gupta { 50323a21a1cSEd Tanous dbusObjectPath = ldapConfigObjectName; 50406785244SRatan Gupta } 50506785244SRatan Gupta 50662598e31SEd Tanous BMCWEB_LOG_DEBUG("Remote Group={},LocalRole={}", *remoteGroup, 50762598e31SEd Tanous *localRole); 50806785244SRatan Gupta 509*177612aaSEd Tanous dbus::utility::async_method_call( 510*177612aaSEd Tanous asyncResp, 511271584abSEd Tanous [asyncResp, serverType, localRole, 5125e7e2dc5SEd Tanous remoteGroup](const boost::system::error_code& ec) { 51306785244SRatan Gupta if (ec) 51406785244SRatan Gupta { 51562598e31SEd Tanous BMCWEB_LOG_ERROR("DBUS response error: {}", ec); 51606785244SRatan Gupta messages::internalError(asyncResp->res); 51706785244SRatan Gupta return; 51806785244SRatan Gupta } 51906785244SRatan Gupta nlohmann::json& remoteRoleJson = 52006785244SRatan Gupta asyncResp->res 52106785244SRatan Gupta .jsonValue[serverType]["RemoteRoleMapping"]; 5221476687dSEd Tanous nlohmann::json::object_t roleMapEntry; 5231476687dSEd Tanous roleMapEntry["LocalRole"] = *localRole; 5241476687dSEd Tanous roleMapEntry["RemoteGroup"] = *remoteGroup; 525b2ba3072SPatrick Williams remoteRoleJson.emplace_back(std::move(roleMapEntry)); 52606785244SRatan Gupta }, 52706785244SRatan Gupta ldapDbusService, dbusObjectPath, ldapPrivMapperInterface, 5283174e4dfSEd Tanous "Create", *remoteGroup, 52906785244SRatan Gupta getPrivilegeFromRoleId(std::move(*localRole))); 53006785244SRatan Gupta } 53106785244SRatan Gupta } 53206785244SRatan Gupta } 53306785244SRatan Gupta } 53406785244SRatan Gupta 53506785244SRatan Gupta /** 5366973a582SRatan Gupta * Function that retrieves all properties for LDAP config object 5376973a582SRatan Gupta * into JSON 5386973a582SRatan Gupta */ 5396973a582SRatan Gupta template <typename CallbackFunc> 540504af5a0SPatrick Williams inline void getLDAPConfigData(const std::string& ldapType, 541504af5a0SPatrick Williams CallbackFunc&& callback) 5426973a582SRatan Gupta { 5432b73119cSGeorge Liu constexpr std::array<std::string_view, 2> interfaces = { 5442b73119cSGeorge Liu ldapEnableInterface, ldapConfigInterface}; 54554fc587aSNagaraju Goruganti 5462b73119cSGeorge Liu dbus::utility::getDbusObject( 5472b73119cSGeorge Liu ldapConfigObjectName, interfaces, 5488cb2c024SEd Tanous [callback = std::forward<CallbackFunc>(callback), 549c1019828SEd Tanous ldapType](const boost::system::error_code& ec, 550c1019828SEd Tanous const dbus::utility::MapperGetObject& resp) mutable { 55154fc587aSNagaraju Goruganti if (ec || resp.empty()) 55254fc587aSNagaraju Goruganti { 553bf2ddedeSCarson Labrado BMCWEB_LOG_WARNING( 554bd79bce8SPatrick Williams "DBUS response error during getting of service name: {}", 555bd79bce8SPatrick Williams ec); 55623a21a1cSEd Tanous LDAPConfigData empty{}; 55723a21a1cSEd Tanous callback(false, empty, ldapType); 55854fc587aSNagaraju Goruganti return; 55954fc587aSNagaraju Goruganti } 56054fc587aSNagaraju Goruganti std::string service = resp.begin()->first; 5615eb468daSGeorge Liu sdbusplus::message::object_path path(ldapRootObject); 5625eb468daSGeorge Liu dbus::utility::getManagedObjects( 5635eb468daSGeorge Liu service, path, 564bd79bce8SPatrick Williams [callback, ldapType](const boost::system::error_code& ec2, 565bd79bce8SPatrick Williams const dbus::utility::ManagedObjectType& 566bd79bce8SPatrick Williams ldapObjects) mutable { 5676973a582SRatan Gupta LDAPConfigData confData{}; 5688b24275dSEd Tanous if (ec2) 5696973a582SRatan Gupta { 570ab828d7cSRatan Gupta callback(false, confData, ldapType); 571bf2ddedeSCarson Labrado BMCWEB_LOG_WARNING("D-Bus responses error: {}", ec2); 5726973a582SRatan Gupta return; 5736973a582SRatan Gupta } 574ab828d7cSRatan Gupta 575ab828d7cSRatan Gupta std::string ldapDbusType; 57654fc587aSNagaraju Goruganti std::string searchString; 57754fc587aSNagaraju Goruganti 578ab828d7cSRatan Gupta if (ldapType == "LDAP") 579ab828d7cSRatan Gupta { 5800fda0f12SGeorge Liu ldapDbusType = 5810fda0f12SGeorge Liu "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap"; 58254fc587aSNagaraju Goruganti searchString = "openldap"; 583ab828d7cSRatan Gupta } 584ab828d7cSRatan Gupta else if (ldapType == "ActiveDirectory") 585ab828d7cSRatan Gupta { 58654fc587aSNagaraju Goruganti ldapDbusType = 5870fda0f12SGeorge Liu "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory"; 58854fc587aSNagaraju Goruganti searchString = "active_directory"; 589ab828d7cSRatan Gupta } 590ab828d7cSRatan Gupta else 591ab828d7cSRatan Gupta { 592bd79bce8SPatrick Williams BMCWEB_LOG_ERROR( 593bd79bce8SPatrick Williams "Can't get the DbusType for the given type={}", 59462598e31SEd Tanous ldapType); 595ab828d7cSRatan Gupta callback(false, confData, ldapType); 596ab828d7cSRatan Gupta return; 597ab828d7cSRatan Gupta } 598ab828d7cSRatan Gupta 599ab828d7cSRatan Gupta std::string ldapEnableInterfaceStr = ldapEnableInterface; 600ab828d7cSRatan Gupta std::string ldapConfigInterfaceStr = ldapConfigInterface; 601ab828d7cSRatan Gupta 6026973a582SRatan Gupta for (const auto& object : ldapObjects) 6036973a582SRatan Gupta { 60454fc587aSNagaraju Goruganti // let's find the object whose ldap type is equal to the 60554fc587aSNagaraju Goruganti // given type 606bd79bce8SPatrick Williams if (object.first.str.find(searchString) == 607bd79bce8SPatrick Williams std::string::npos) 6086973a582SRatan Gupta { 609ab828d7cSRatan Gupta continue; 610ab828d7cSRatan Gupta } 611ab828d7cSRatan Gupta 6126973a582SRatan Gupta for (const auto& interface : object.second) 6136973a582SRatan Gupta { 6146973a582SRatan Gupta if (interface.first == ldapEnableInterfaceStr) 6156973a582SRatan Gupta { 6166973a582SRatan Gupta // rest of the properties are string. 6176973a582SRatan Gupta for (const auto& property : interface.second) 6186973a582SRatan Gupta { 6196973a582SRatan Gupta if (property.first == "Enabled") 6206973a582SRatan Gupta { 6216973a582SRatan Gupta const bool* value = 6226973a582SRatan Gupta std::get_if<bool>(&property.second); 6236973a582SRatan Gupta if (value == nullptr) 6246973a582SRatan Gupta { 6256973a582SRatan Gupta continue; 6266973a582SRatan Gupta } 6276973a582SRatan Gupta confData.serviceEnabled = *value; 6286973a582SRatan Gupta break; 6296973a582SRatan Gupta } 6306973a582SRatan Gupta } 6316973a582SRatan Gupta } 6326973a582SRatan Gupta else if (interface.first == ldapConfigInterfaceStr) 6336973a582SRatan Gupta { 6346973a582SRatan Gupta for (const auto& property : interface.second) 6356973a582SRatan Gupta { 636271584abSEd Tanous const std::string* strValue = 637bd79bce8SPatrick Williams std::get_if<std::string>( 638bd79bce8SPatrick Williams &property.second); 639271584abSEd Tanous if (strValue == nullptr) 6406973a582SRatan Gupta { 6416973a582SRatan Gupta continue; 6426973a582SRatan Gupta } 6436973a582SRatan Gupta if (property.first == "LDAPServerURI") 6446973a582SRatan Gupta { 645271584abSEd Tanous confData.uri = *strValue; 6466973a582SRatan Gupta } 6476973a582SRatan Gupta else if (property.first == "LDAPBindDN") 6486973a582SRatan Gupta { 649271584abSEd Tanous confData.bindDN = *strValue; 6506973a582SRatan Gupta } 6516973a582SRatan Gupta else if (property.first == "LDAPBaseDN") 6526973a582SRatan Gupta { 653271584abSEd Tanous confData.baseDN = *strValue; 6546973a582SRatan Gupta } 655bd79bce8SPatrick Williams else if (property.first == 656bd79bce8SPatrick Williams "LDAPSearchScope") 6576973a582SRatan Gupta { 658271584abSEd Tanous confData.searchScope = *strValue; 6596973a582SRatan Gupta } 660bd79bce8SPatrick Williams else if (property.first == 661bd79bce8SPatrick Williams "GroupNameAttribute") 6626973a582SRatan Gupta { 663271584abSEd Tanous confData.groupAttribute = *strValue; 6646973a582SRatan Gupta } 665bd79bce8SPatrick Williams else if (property.first == 666bd79bce8SPatrick Williams "UserNameAttribute") 6676973a582SRatan Gupta { 668271584abSEd Tanous confData.userNameAttribute = *strValue; 6696973a582SRatan Gupta } 67054fc587aSNagaraju Goruganti else if (property.first == "LDAPType") 671ab828d7cSRatan Gupta { 672271584abSEd Tanous confData.serverType = *strValue; 67354fc587aSNagaraju Goruganti } 67454fc587aSNagaraju Goruganti } 67554fc587aSNagaraju Goruganti } 676bd79bce8SPatrick Williams else if ( 677bd79bce8SPatrick Williams interface.first == 6780fda0f12SGeorge Liu "xyz.openbmc_project.User.PrivilegeMapperEntry") 67954fc587aSNagaraju Goruganti { 68054fc587aSNagaraju Goruganti LDAPRoleMapData roleMapData{}; 68154fc587aSNagaraju Goruganti for (const auto& property : interface.second) 68254fc587aSNagaraju Goruganti { 683271584abSEd Tanous const std::string* strValue = 684bd79bce8SPatrick Williams std::get_if<std::string>( 685bd79bce8SPatrick Williams &property.second); 68654fc587aSNagaraju Goruganti 687271584abSEd Tanous if (strValue == nullptr) 68854fc587aSNagaraju Goruganti { 68954fc587aSNagaraju Goruganti continue; 69054fc587aSNagaraju Goruganti } 69154fc587aSNagaraju Goruganti 69254fc587aSNagaraju Goruganti if (property.first == "GroupName") 69354fc587aSNagaraju Goruganti { 694271584abSEd Tanous roleMapData.groupName = *strValue; 69554fc587aSNagaraju Goruganti } 69654fc587aSNagaraju Goruganti else if (property.first == "Privilege") 69754fc587aSNagaraju Goruganti { 698271584abSEd Tanous roleMapData.privilege = *strValue; 69954fc587aSNagaraju Goruganti } 70054fc587aSNagaraju Goruganti } 70154fc587aSNagaraju Goruganti 702bd79bce8SPatrick Williams confData.groupRoleList.emplace_back( 703bd79bce8SPatrick Williams object.first.str, roleMapData); 70454fc587aSNagaraju Goruganti } 70554fc587aSNagaraju Goruganti } 70654fc587aSNagaraju Goruganti } 707ab828d7cSRatan Gupta callback(true, confData, ldapType); 7085eb468daSGeorge Liu }); 7092b73119cSGeorge Liu }); 7106973a582SRatan Gupta } 7116973a582SRatan Gupta 7128a07d286SRatan Gupta /** 7138a07d286SRatan Gupta * @brief updates the LDAP server address and updates the 7148a07d286SRatan Gupta json response with the new value. 7158a07d286SRatan Gupta * @param serviceAddressList address to be updated. 7168a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7178a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7188a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7198a07d286SRatan Gupta */ 7208a07d286SRatan Gupta 7214f48d5f6SEd Tanous inline void handleServiceAddressPatch( 7228a07d286SRatan Gupta const std::vector<std::string>& serviceAddressList, 7238d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7248a07d286SRatan Gupta const std::string& ldapServerElementName, 7258a07d286SRatan Gupta const std::string& ldapConfigObject) 7268a07d286SRatan Gupta { 727e93abac6SGinu George setDbusProperty(asyncResp, ldapServerElementName + "/ServiceAddress", 728e93abac6SGinu George ldapDbusService, ldapConfigObject, ldapConfigInterface, 729e93abac6SGinu George "LDAPServerURI", serviceAddressList.front()); 7308a07d286SRatan Gupta } 7318a07d286SRatan Gupta /** 7328a07d286SRatan Gupta * @brief updates the LDAP Bind DN and updates the 7338a07d286SRatan Gupta json response with the new value. 7348a07d286SRatan Gupta * @param username name of the user which needs to be updated. 7358a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7368a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7378a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7388a07d286SRatan Gupta */ 7398a07d286SRatan Gupta 740504af5a0SPatrick Williams inline void handleUserNamePatch( 741504af5a0SPatrick Williams const std::string& username, 7428d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7438a07d286SRatan Gupta const std::string& ldapServerElementName, 7448a07d286SRatan Gupta const std::string& ldapConfigObject) 7458a07d286SRatan Gupta { 746e93abac6SGinu George setDbusProperty(asyncResp, 747d02aad39SEd Tanous ldapServerElementName + "/Authentication/Username", 748e93abac6SGinu George ldapDbusService, ldapConfigObject, ldapConfigInterface, 749e93abac6SGinu George "LDAPBindDN", username); 7508a07d286SRatan Gupta } 7518a07d286SRatan Gupta 7528a07d286SRatan Gupta /** 7538a07d286SRatan Gupta * @brief updates the LDAP password 7548a07d286SRatan Gupta * @param password : ldap password which needs to be updated. 7558a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7568a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7578a07d286SRatan Gupta * server(openLDAP/ActiveDirectory) 7588a07d286SRatan Gupta */ 7598a07d286SRatan Gupta 760504af5a0SPatrick Williams inline void handlePasswordPatch( 761504af5a0SPatrick Williams const std::string& password, 7628d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7638a07d286SRatan Gupta const std::string& ldapServerElementName, 7648a07d286SRatan Gupta const std::string& ldapConfigObject) 7658a07d286SRatan Gupta { 766e93abac6SGinu George setDbusProperty(asyncResp, 767d02aad39SEd Tanous ldapServerElementName + "/Authentication/Password", 768e93abac6SGinu George ldapDbusService, ldapConfigObject, ldapConfigInterface, 769e93abac6SGinu George "LDAPBindDNPassword", password); 7708a07d286SRatan Gupta } 7718a07d286SRatan Gupta 7728a07d286SRatan Gupta /** 7738a07d286SRatan Gupta * @brief updates the LDAP BaseDN and updates the 7748a07d286SRatan Gupta json response with the new value. 7758a07d286SRatan Gupta * @param baseDNList baseDN list which needs to be updated. 7768a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7778a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7788a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7798a07d286SRatan Gupta */ 7808a07d286SRatan Gupta 781504af5a0SPatrick Williams inline void handleBaseDNPatch( 782504af5a0SPatrick Williams const std::vector<std::string>& baseDNList, 7838d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7848a07d286SRatan Gupta const std::string& ldapServerElementName, 7858a07d286SRatan Gupta const std::string& ldapConfigObject) 7868a07d286SRatan Gupta { 787e93abac6SGinu George setDbusProperty(asyncResp, 788d02aad39SEd Tanous ldapServerElementName + 789d02aad39SEd Tanous "/LDAPService/SearchSettings/BaseDistinguishedNames", 790e93abac6SGinu George ldapDbusService, ldapConfigObject, ldapConfigInterface, 791e93abac6SGinu George "LDAPBaseDN", baseDNList.front()); 7928a07d286SRatan Gupta } 7938a07d286SRatan Gupta /** 7948a07d286SRatan Gupta * @brief updates the LDAP user name attribute and updates the 7958a07d286SRatan Gupta json response with the new value. 7968a07d286SRatan Gupta * @param userNameAttribute attribute to be updated. 7978a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7988a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7998a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 8008a07d286SRatan Gupta */ 8018a07d286SRatan Gupta 802bd79bce8SPatrick Williams inline void handleUserNameAttrPatch( 803bd79bce8SPatrick Williams const std::string& userNameAttribute, 8048d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 8058a07d286SRatan Gupta const std::string& ldapServerElementName, 8068a07d286SRatan Gupta const std::string& ldapConfigObject) 8078a07d286SRatan Gupta { 808bd79bce8SPatrick Williams setDbusProperty( 809bd79bce8SPatrick Williams asyncResp, 810bd79bce8SPatrick Williams ldapServerElementName + "LDAPService/SearchSettings/UsernameAttribute", 811e93abac6SGinu George ldapDbusService, ldapConfigObject, ldapConfigInterface, 812e93abac6SGinu George "UserNameAttribute", userNameAttribute); 8138a07d286SRatan Gupta } 8148a07d286SRatan Gupta /** 8158a07d286SRatan Gupta * @brief updates the LDAP group attribute and updates the 8168a07d286SRatan Gupta json response with the new value. 8178a07d286SRatan Gupta * @param groupsAttribute attribute to be updated. 8188a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 8198a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 8208a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 8218a07d286SRatan Gupta */ 8228a07d286SRatan Gupta 8234f48d5f6SEd Tanous inline void handleGroupNameAttrPatch( 8248d1b46d7Szhanghch05 const std::string& groupsAttribute, 8258d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 8268a07d286SRatan Gupta const std::string& ldapServerElementName, 8278a07d286SRatan Gupta const std::string& ldapConfigObject) 8288a07d286SRatan Gupta { 829bd79bce8SPatrick Williams setDbusProperty( 830bd79bce8SPatrick Williams asyncResp, 831bd79bce8SPatrick Williams ldapServerElementName + "/LDAPService/SearchSettings/GroupsAttribute", 832e93abac6SGinu George ldapDbusService, ldapConfigObject, ldapConfigInterface, 833e93abac6SGinu George "GroupNameAttribute", groupsAttribute); 8348a07d286SRatan Gupta } 8358a07d286SRatan Gupta /** 8368a07d286SRatan Gupta * @brief updates the LDAP service enable and updates the 8378a07d286SRatan Gupta json response with the new value. 8388a07d286SRatan Gupta * @param input JSON data. 8398a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 8408a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 8418a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 8428a07d286SRatan Gupta */ 8438a07d286SRatan Gupta 8444f48d5f6SEd Tanous inline void handleServiceEnablePatch( 8456c51eab1SEd Tanous bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 8468a07d286SRatan Gupta const std::string& ldapServerElementName, 8478a07d286SRatan Gupta const std::string& ldapConfigObject) 8488a07d286SRatan Gupta { 849e93abac6SGinu George setDbusProperty(asyncResp, ldapServerElementName + "/ServiceEnabled", 850e93abac6SGinu George ldapDbusService, ldapConfigObject, ldapEnableInterface, 851e93abac6SGinu George "Enabled", serviceEnabled); 8528a07d286SRatan Gupta } 8538a07d286SRatan Gupta 854c1019828SEd Tanous struct AuthMethods 85578158631SZbigniew Kurzynski { 85678158631SZbigniew Kurzynski std::optional<bool> basicAuth; 85778158631SZbigniew Kurzynski std::optional<bool> cookie; 85878158631SZbigniew Kurzynski std::optional<bool> sessionToken; 85978158631SZbigniew Kurzynski std::optional<bool> xToken; 860501f1e58SZbigniew Kurzynski std::optional<bool> tls; 861c1019828SEd Tanous }; 86278158631SZbigniew Kurzynski 863504af5a0SPatrick Williams inline void handleAuthMethodsPatch( 864504af5a0SPatrick Williams const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 865c1019828SEd Tanous const AuthMethods& auth) 86678158631SZbigniew Kurzynski { 867c1019828SEd Tanous persistent_data::AuthConfigMethods& authMethodsConfig = 86852cc112dSEd Tanous persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 86978158631SZbigniew Kurzynski 870c1019828SEd Tanous if (auth.basicAuth) 87178158631SZbigniew Kurzynski { 87225b54dbaSEd Tanous if constexpr (!BMCWEB_BASIC_AUTH) 87325b54dbaSEd Tanous { 874f16f6263SAlan Kuo messages::actionNotSupported( 8750fda0f12SGeorge Liu asyncResp->res, 8760fda0f12SGeorge Liu "Setting BasicAuth when basic-auth feature is disabled"); 877f16f6263SAlan Kuo return; 87825b54dbaSEd Tanous } 87925b54dbaSEd Tanous 880c1019828SEd Tanous authMethodsConfig.basic = *auth.basicAuth; 88178158631SZbigniew Kurzynski } 88278158631SZbigniew Kurzynski 883c1019828SEd Tanous if (auth.cookie) 88478158631SZbigniew Kurzynski { 88525b54dbaSEd Tanous if constexpr (!BMCWEB_COOKIE_AUTH) 88625b54dbaSEd Tanous { 8870fda0f12SGeorge Liu messages::actionNotSupported( 8880fda0f12SGeorge Liu asyncResp->res, 8890fda0f12SGeorge Liu "Setting Cookie when cookie-auth feature is disabled"); 890f16f6263SAlan Kuo return; 89125b54dbaSEd Tanous } 892c1019828SEd Tanous authMethodsConfig.cookie = *auth.cookie; 89378158631SZbigniew Kurzynski } 89478158631SZbigniew Kurzynski 895c1019828SEd Tanous if (auth.sessionToken) 89678158631SZbigniew Kurzynski { 89725b54dbaSEd Tanous if constexpr (!BMCWEB_SESSION_AUTH) 89825b54dbaSEd Tanous { 899f16f6263SAlan Kuo messages::actionNotSupported( 9000fda0f12SGeorge Liu asyncResp->res, 9010fda0f12SGeorge Liu "Setting SessionToken when session-auth feature is disabled"); 902f16f6263SAlan Kuo return; 90325b54dbaSEd Tanous } 904c1019828SEd Tanous authMethodsConfig.sessionToken = *auth.sessionToken; 90578158631SZbigniew Kurzynski } 90678158631SZbigniew Kurzynski 907c1019828SEd Tanous if (auth.xToken) 90878158631SZbigniew Kurzynski { 90925b54dbaSEd Tanous if constexpr (!BMCWEB_XTOKEN_AUTH) 91025b54dbaSEd Tanous { 9110fda0f12SGeorge Liu messages::actionNotSupported( 9120fda0f12SGeorge Liu asyncResp->res, 9130fda0f12SGeorge Liu "Setting XToken when xtoken-auth feature is disabled"); 914f16f6263SAlan Kuo return; 91525b54dbaSEd Tanous } 916c1019828SEd Tanous authMethodsConfig.xtoken = *auth.xToken; 91778158631SZbigniew Kurzynski } 91878158631SZbigniew Kurzynski 919c1019828SEd Tanous if (auth.tls) 920501f1e58SZbigniew Kurzynski { 92125b54dbaSEd Tanous if constexpr (!BMCWEB_MUTUAL_TLS_AUTH) 92225b54dbaSEd Tanous { 9230fda0f12SGeorge Liu messages::actionNotSupported( 9240fda0f12SGeorge Liu asyncResp->res, 9250fda0f12SGeorge Liu "Setting TLS when mutual-tls-auth feature is disabled"); 926f16f6263SAlan Kuo return; 92725b54dbaSEd Tanous } 928c1019828SEd Tanous authMethodsConfig.tls = *auth.tls; 929501f1e58SZbigniew Kurzynski } 930501f1e58SZbigniew Kurzynski 93178158631SZbigniew Kurzynski if (!authMethodsConfig.basic && !authMethodsConfig.cookie && 932501f1e58SZbigniew Kurzynski !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken && 933501f1e58SZbigniew Kurzynski !authMethodsConfig.tls) 93478158631SZbigniew Kurzynski { 93578158631SZbigniew Kurzynski // Do not allow user to disable everything 93678158631SZbigniew Kurzynski messages::actionNotSupported(asyncResp->res, 93778158631SZbigniew Kurzynski "of disabling all available methods"); 93878158631SZbigniew Kurzynski return; 93978158631SZbigniew Kurzynski } 94078158631SZbigniew Kurzynski 94152cc112dSEd Tanous persistent_data::SessionStore::getInstance().updateAuthMethodsConfig( 94252cc112dSEd Tanous authMethodsConfig); 94378158631SZbigniew Kurzynski // Save configuration immediately 94452cc112dSEd Tanous persistent_data::getConfig().writeData(); 94578158631SZbigniew Kurzynski 94678158631SZbigniew Kurzynski messages::success(asyncResp->res); 94778158631SZbigniew Kurzynski } 94878158631SZbigniew Kurzynski 9498a07d286SRatan Gupta /** 9508a07d286SRatan Gupta * @brief Get the required values from the given JSON, validates the 9518a07d286SRatan Gupta * value and create the LDAP config object. 9528a07d286SRatan Gupta * @param input JSON data 9538a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 9548a07d286SRatan Gupta * @param serverType Type of LDAP server(openLDAP/ActiveDirectory) 9558a07d286SRatan Gupta */ 9568a07d286SRatan Gupta 95710cb44f3SEd Tanous struct LdapPatchParams 95810cb44f3SEd Tanous { 95910cb44f3SEd Tanous std::optional<std::string> authType; 96010cb44f3SEd Tanous std::optional<std::vector<std::string>> serviceAddressList; 96110cb44f3SEd Tanous std::optional<bool> serviceEnabled; 96210cb44f3SEd Tanous std::optional<std::vector<std::string>> baseDNList; 96310cb44f3SEd Tanous std::optional<std::string> userNameAttribute; 96410cb44f3SEd Tanous std::optional<std::string> groupsAttribute; 96510cb44f3SEd Tanous std::optional<std::string> userName; 96610cb44f3SEd Tanous std::optional<std::string> password; 96710cb44f3SEd Tanous std::optional< 96810cb44f3SEd Tanous std::vector<std::variant<nlohmann::json::object_t, std::nullptr_t>>> 96910cb44f3SEd Tanous remoteRoleMapData; 97010cb44f3SEd Tanous }; 97110cb44f3SEd Tanous 97210cb44f3SEd Tanous inline void handleLDAPPatch(LdapPatchParams&& input, 9738d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 9748a07d286SRatan Gupta const std::string& serverType) 9758a07d286SRatan Gupta { 976eb2bbe56SRatan Gupta std::string dbusObjectPath; 977eb2bbe56SRatan Gupta if (serverType == "ActiveDirectory") 978eb2bbe56SRatan Gupta { 9792c70f800SEd Tanous dbusObjectPath = adConfigObject; 980eb2bbe56SRatan Gupta } 981eb2bbe56SRatan Gupta else if (serverType == "LDAP") 982eb2bbe56SRatan Gupta { 98323a21a1cSEd Tanous dbusObjectPath = ldapConfigObjectName; 984eb2bbe56SRatan Gupta } 985cb13a392SEd Tanous else 986cb13a392SEd Tanous { 98710cb44f3SEd Tanous BMCWEB_LOG_ERROR("serverType wasn't AD or LDAP but was {}????", 98810cb44f3SEd Tanous serverType); 989cb13a392SEd Tanous return; 990cb13a392SEd Tanous } 991eb2bbe56SRatan Gupta 99210cb44f3SEd Tanous if (input.authType && *input.authType != "UsernameAndPassword") 9938a07d286SRatan Gupta { 99410cb44f3SEd Tanous messages::propertyValueNotInList(asyncResp->res, *input.authType, 995c1019828SEd Tanous "AuthenticationType"); 996c1019828SEd Tanous return; 9978a07d286SRatan Gupta } 998c1019828SEd Tanous 99910cb44f3SEd Tanous if (input.serviceAddressList) 10008a07d286SRatan Gupta { 100110cb44f3SEd Tanous if (input.serviceAddressList->empty()) 10028a07d286SRatan Gupta { 1003e2616cc5SEd Tanous messages::propertyValueNotInList( 100410cb44f3SEd Tanous asyncResp->res, *input.serviceAddressList, "ServiceAddress"); 10058a07d286SRatan Gupta return; 10068a07d286SRatan Gupta } 10078a07d286SRatan Gupta } 100810cb44f3SEd Tanous if (input.baseDNList) 10098a07d286SRatan Gupta { 101010cb44f3SEd Tanous if (input.baseDNList->empty()) 10118a07d286SRatan Gupta { 101210cb44f3SEd Tanous messages::propertyValueNotInList(asyncResp->res, *input.baseDNList, 10138a07d286SRatan Gupta "BaseDistinguishedNames"); 10148a07d286SRatan Gupta return; 10158a07d286SRatan Gupta } 10168a07d286SRatan Gupta } 10178a07d286SRatan Gupta 10188a07d286SRatan Gupta // nothing to update, then return 101910cb44f3SEd Tanous if (!input.userName && !input.password && !input.serviceAddressList && 102010cb44f3SEd Tanous !input.baseDNList && !input.userNameAttribute && 102110cb44f3SEd Tanous !input.groupsAttribute && !input.serviceEnabled && 102210cb44f3SEd Tanous !input.remoteRoleMapData) 10238a07d286SRatan Gupta { 10248a07d286SRatan Gupta return; 10258a07d286SRatan Gupta } 10268a07d286SRatan Gupta 10278a07d286SRatan Gupta // Get the existing resource first then keep modifying 10288a07d286SRatan Gupta // whenever any property gets updated. 1029bd79bce8SPatrick Williams getLDAPConfigData(serverType, [asyncResp, input = std::move(input), 103010cb44f3SEd Tanous dbusObjectPath = std::move(dbusObjectPath)]( 1031bd79bce8SPatrick Williams bool success, 1032bd79bce8SPatrick Williams const LDAPConfigData& confData, 1033c1019828SEd Tanous const std::string& serverT) mutable { 10348a07d286SRatan Gupta if (!success) 10358a07d286SRatan Gupta { 10368a07d286SRatan Gupta messages::internalError(asyncResp->res); 10378a07d286SRatan Gupta return; 10388a07d286SRatan Gupta } 10396c51eab1SEd Tanous parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT); 10408a07d286SRatan Gupta if (confData.serviceEnabled) 10418a07d286SRatan Gupta { 10428a07d286SRatan Gupta // Disable the service first and update the rest of 10438a07d286SRatan Gupta // the properties. 10446c51eab1SEd Tanous handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath); 10458a07d286SRatan Gupta } 10468a07d286SRatan Gupta 104710cb44f3SEd Tanous if (input.serviceAddressList) 10488a07d286SRatan Gupta { 104910cb44f3SEd Tanous handleServiceAddressPatch(*input.serviceAddressList, asyncResp, 105010cb44f3SEd Tanous serverT, dbusObjectPath); 105110cb44f3SEd Tanous } 105210cb44f3SEd Tanous if (input.userName) 105310cb44f3SEd Tanous { 105410cb44f3SEd Tanous handleUserNamePatch(*input.userName, asyncResp, serverT, 10556c51eab1SEd Tanous dbusObjectPath); 10568a07d286SRatan Gupta } 105710cb44f3SEd Tanous if (input.password) 10588a07d286SRatan Gupta { 105910cb44f3SEd Tanous handlePasswordPatch(*input.password, asyncResp, serverT, 106010cb44f3SEd Tanous dbusObjectPath); 10618a07d286SRatan Gupta } 10628a07d286SRatan Gupta 106310cb44f3SEd Tanous if (input.baseDNList) 10648a07d286SRatan Gupta { 106510cb44f3SEd Tanous handleBaseDNPatch(*input.baseDNList, asyncResp, serverT, 10666c51eab1SEd Tanous dbusObjectPath); 10678a07d286SRatan Gupta } 106810cb44f3SEd Tanous if (input.userNameAttribute) 10698a07d286SRatan Gupta { 107010cb44f3SEd Tanous handleUserNameAttrPatch(*input.userNameAttribute, asyncResp, 107110cb44f3SEd Tanous serverT, dbusObjectPath); 107210cb44f3SEd Tanous } 107310cb44f3SEd Tanous if (input.groupsAttribute) 107410cb44f3SEd Tanous { 107510cb44f3SEd Tanous handleGroupNameAttrPatch(*input.groupsAttribute, asyncResp, serverT, 10766c51eab1SEd Tanous dbusObjectPath); 10778a07d286SRatan Gupta } 107810cb44f3SEd Tanous if (input.serviceEnabled) 10798a07d286SRatan Gupta { 10808a07d286SRatan Gupta // if user has given the value as true then enable 10818a07d286SRatan Gupta // the service. if user has given false then no-op 10828a07d286SRatan Gupta // as service is already stopped. 108310cb44f3SEd Tanous if (*input.serviceEnabled) 10848a07d286SRatan Gupta { 108510cb44f3SEd Tanous handleServiceEnablePatch(*input.serviceEnabled, asyncResp, 108610cb44f3SEd Tanous serverT, dbusObjectPath); 10878a07d286SRatan Gupta } 10888a07d286SRatan Gupta } 10898a07d286SRatan Gupta else 10908a07d286SRatan Gupta { 10918a07d286SRatan Gupta // if user has not given the service enabled value 10928a07d286SRatan Gupta // then revert it to the same state as it was 10938a07d286SRatan Gupta // before. 10948a07d286SRatan Gupta handleServiceEnablePatch(confData.serviceEnabled, asyncResp, 109523a21a1cSEd Tanous serverT, dbusObjectPath); 10968a07d286SRatan Gupta } 109706785244SRatan Gupta 109810cb44f3SEd Tanous if (input.remoteRoleMapData) 109906785244SRatan Gupta { 11006c51eab1SEd Tanous handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT, 110110cb44f3SEd Tanous *input.remoteRoleMapData); 110206785244SRatan Gupta } 11038a07d286SRatan Gupta }); 11048a07d286SRatan Gupta } 1105d4b5443fSEd Tanous 1106492ec93aSEd Tanous struct UserUpdateParams 11071abe55efSEd Tanous { 1108492ec93aSEd Tanous std::string username; 1109492ec93aSEd Tanous std::optional<std::string> password; 1110492ec93aSEd Tanous std::optional<bool> enabled; 1111492ec93aSEd Tanous std::optional<std::string> roleId; 1112492ec93aSEd Tanous std::optional<bool> locked; 1113492ec93aSEd Tanous std::optional<std::vector<std::string>> accountTypes; 1114492ec93aSEd Tanous bool userSelf; 1115492ec93aSEd Tanous std::shared_ptr<persistent_data::UserSession> session; 1116492ec93aSEd Tanous std::string dbusObjectPath; 1117492ec93aSEd Tanous }; 11186c51eab1SEd Tanous 1119504af5a0SPatrick Williams inline void afterVerifyUserExists( 1120504af5a0SPatrick Williams const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 1121492ec93aSEd Tanous const UserUpdateParams& params, int rc) 1122492ec93aSEd Tanous { 1123e662eae8SEd Tanous if (rc <= 0) 11246c51eab1SEd Tanous { 1125d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", 1126492ec93aSEd Tanous params.username); 11276c51eab1SEd Tanous return; 11286c51eab1SEd Tanous } 11296c51eab1SEd Tanous 1130492ec93aSEd Tanous if (params.password) 11316c51eab1SEd Tanous { 1132492ec93aSEd Tanous int retval = pamUpdatePassword(params.username, *params.password); 11336c51eab1SEd Tanous 11346c51eab1SEd Tanous if (retval == PAM_USER_UNKNOWN) 11356c51eab1SEd Tanous { 1136d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", 1137492ec93aSEd Tanous params.username); 11386c51eab1SEd Tanous } 11396c51eab1SEd Tanous else if (retval == PAM_AUTHTOK_ERR) 11406c51eab1SEd Tanous { 11416c51eab1SEd Tanous // If password is invalid 11429bd80831SJason M. Bills messages::propertyValueFormatError(asyncResp->res, nullptr, 11439bd80831SJason M. Bills "Password"); 114462598e31SEd Tanous BMCWEB_LOG_ERROR("pamUpdatePassword Failed"); 11456c51eab1SEd Tanous } 11466c51eab1SEd Tanous else if (retval != PAM_SUCCESS) 11476c51eab1SEd Tanous { 11486c51eab1SEd Tanous messages::internalError(asyncResp->res); 11496c51eab1SEd Tanous return; 11506c51eab1SEd Tanous } 1151e7b1b62bSEd Tanous else 1152e7b1b62bSEd Tanous { 1153bd79bce8SPatrick Williams // Remove existing sessions of the user when password 1154bd79bce8SPatrick Williams // changed 1155e518ef32SRavi Teja persistent_data::SessionStore::getInstance() 1156492ec93aSEd Tanous .removeSessionsByUsernameExceptSession(params.username, 1157492ec93aSEd Tanous params.session); 1158e7b1b62bSEd Tanous messages::success(asyncResp->res); 1159e7b1b62bSEd Tanous } 11606c51eab1SEd Tanous } 11616c51eab1SEd Tanous 1162492ec93aSEd Tanous if (params.enabled) 11636c51eab1SEd Tanous { 1164bd79bce8SPatrick Williams setDbusProperty( 1165bd79bce8SPatrick Williams asyncResp, "Enabled", "xyz.openbmc_project.User.Manager", 1166492ec93aSEd Tanous params.dbusObjectPath, "xyz.openbmc_project.User.Attributes", 1167492ec93aSEd Tanous "UserEnabled", *params.enabled); 11686c51eab1SEd Tanous } 11696c51eab1SEd Tanous 1170492ec93aSEd Tanous if (params.roleId) 11716c51eab1SEd Tanous { 1172492ec93aSEd Tanous std::string priv = getPrivilegeFromRoleId(*params.roleId); 11736c51eab1SEd Tanous if (priv.empty()) 11746c51eab1SEd Tanous { 1175492ec93aSEd Tanous messages::propertyValueNotInList(asyncResp->res, true, "Locked"); 11766c51eab1SEd Tanous return; 11776c51eab1SEd Tanous } 1178492ec93aSEd Tanous setDbusProperty(asyncResp, "RoleId", "xyz.openbmc_project.User.Manager", 1179492ec93aSEd Tanous params.dbusObjectPath, 1180492ec93aSEd Tanous "xyz.openbmc_project.User.Attributes", "UserPrivilege", 1181492ec93aSEd Tanous priv); 11826c51eab1SEd Tanous } 11836c51eab1SEd Tanous 1184492ec93aSEd Tanous if (params.locked) 11856c51eab1SEd Tanous { 11866c51eab1SEd Tanous // admin can unlock the account which is locked by 11876c51eab1SEd Tanous // successive authentication failures but admin should 11886c51eab1SEd Tanous // not be allowed to lock an account. 1189492ec93aSEd Tanous if (*params.locked) 11906c51eab1SEd Tanous { 1191492ec93aSEd Tanous messages::propertyValueNotInList(asyncResp->res, "true", "Locked"); 11926c51eab1SEd Tanous return; 11936c51eab1SEd Tanous } 1194492ec93aSEd Tanous setDbusProperty(asyncResp, "Locked", "xyz.openbmc_project.User.Manager", 1195492ec93aSEd Tanous params.dbusObjectPath, 1196492ec93aSEd Tanous "xyz.openbmc_project.User.Attributes", 1197492ec93aSEd Tanous "UserLockedForFailedAttempt", *params.locked); 11986c51eab1SEd Tanous } 119958345856SAbhishek Patel 1200492ec93aSEd Tanous if (params.accountTypes) 120158345856SAbhishek Patel { 1202492ec93aSEd Tanous patchAccountTypes(*params.accountTypes, asyncResp, 1203492ec93aSEd Tanous params.dbusObjectPath, params.userSelf); 120458345856SAbhishek Patel } 1205492ec93aSEd Tanous } 1206492ec93aSEd Tanous 1207492ec93aSEd Tanous inline void updateUserProperties( 1208492ec93aSEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 1209492ec93aSEd Tanous const std::string& username, const std::optional<std::string>& password, 1210492ec93aSEd Tanous const std::optional<bool>& enabled, 1211492ec93aSEd Tanous const std::optional<std::string>& roleId, const std::optional<bool>& locked, 1212492ec93aSEd Tanous const std::optional<std::vector<std::string>>& accountTypes, bool userSelf, 1213492ec93aSEd Tanous const std::shared_ptr<persistent_data::UserSession>& session) 1214492ec93aSEd Tanous { 1215492ec93aSEd Tanous sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 1216492ec93aSEd Tanous tempObjPath /= username; 1217492ec93aSEd Tanous std::string dbusObjectPath(tempObjPath); 1218492ec93aSEd Tanous 1219492ec93aSEd Tanous UserUpdateParams params{username, password, enabled, 1220492ec93aSEd Tanous roleId, locked, accountTypes, 1221492ec93aSEd Tanous userSelf, session, dbusObjectPath}; 1222492ec93aSEd Tanous 1223492ec93aSEd Tanous dbus::utility::checkDbusPathExists( 1224492ec93aSEd Tanous dbusObjectPath, 1225492ec93aSEd Tanous std::bind_front(afterVerifyUserExists, asyncResp, std::move(params))); 12266c51eab1SEd Tanous } 12276c51eab1SEd Tanous 12284c7d4d33SEd Tanous inline void handleAccountServiceHead( 12294c7d4d33SEd Tanous App& app, const crow::Request& req, 12301ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 12316c51eab1SEd Tanous { 12323ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 123345ca1b86SEd Tanous { 123445ca1b86SEd Tanous return; 123545ca1b86SEd Tanous } 12364c7d4d33SEd Tanous asyncResp->res.addHeader( 12374c7d4d33SEd Tanous boost::beast::http::field::link, 12384c7d4d33SEd Tanous "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby"); 12394c7d4d33SEd Tanous } 12404c7d4d33SEd Tanous 1241504af5a0SPatrick Williams inline void getClientCertificates( 1242504af5a0SPatrick Williams const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 12431aa375b8SEd Tanous const nlohmann::json::json_pointer& keyLocation) 12441aa375b8SEd Tanous { 12451aa375b8SEd Tanous boost::urls::url url( 12461aa375b8SEd Tanous "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates"); 12471aa375b8SEd Tanous std::array<std::string_view, 1> interfaces = { 12481aa375b8SEd Tanous "xyz.openbmc_project.Certs.Certificate"}; 12491aa375b8SEd Tanous std::string path = "/xyz/openbmc_project/certs/authority/truststore"; 12501aa375b8SEd Tanous 12511aa375b8SEd Tanous collection_util::getCollectionToKey(asyncResp, url, interfaces, path, 12521aa375b8SEd Tanous keyLocation); 12531aa375b8SEd Tanous } 12541aa375b8SEd Tanous 12551aa375b8SEd Tanous inline void handleAccountServiceClientCertificatesInstanceHead( 12561aa375b8SEd Tanous App& app, const crow::Request& req, 12571aa375b8SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 12581aa375b8SEd Tanous const std::string& /*id*/) 12591aa375b8SEd Tanous { 12601aa375b8SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 12611aa375b8SEd Tanous { 12621aa375b8SEd Tanous return; 12631aa375b8SEd Tanous } 12641aa375b8SEd Tanous 12651aa375b8SEd Tanous asyncResp->res.addHeader( 12661aa375b8SEd Tanous boost::beast::http::field::link, 12671aa375b8SEd Tanous "</redfish/v1/JsonSchemas/Certificate/Certificate.json>; rel=describedby"); 12681aa375b8SEd Tanous } 12691aa375b8SEd Tanous 12701aa375b8SEd Tanous inline void handleAccountServiceClientCertificatesInstanceGet( 12711aa375b8SEd Tanous App& app, const crow::Request& req, 12721aa375b8SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, const std::string& id) 12731aa375b8SEd Tanous { 12741aa375b8SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 12751aa375b8SEd Tanous { 12761aa375b8SEd Tanous return; 12771aa375b8SEd Tanous } 12781aa375b8SEd Tanous BMCWEB_LOG_DEBUG("ClientCertificate Certificate ID={}", id); 12791aa375b8SEd Tanous const boost::urls::url certURL = boost::urls::format( 12801aa375b8SEd Tanous "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/{}", 12811aa375b8SEd Tanous id); 12821aa375b8SEd Tanous std::string objPath = 12831aa375b8SEd Tanous sdbusplus::message::object_path(certs::authorityObjectPath) / id; 12841aa375b8SEd Tanous getCertificateProperties( 12851aa375b8SEd Tanous asyncResp, objPath, 12861aa375b8SEd Tanous "xyz.openbmc_project.Certs.Manager.Authority.Truststore", id, certURL, 12871aa375b8SEd Tanous "Client Certificate"); 12881aa375b8SEd Tanous } 12891aa375b8SEd Tanous 12901aa375b8SEd Tanous inline void handleAccountServiceClientCertificatesHead( 12911aa375b8SEd Tanous App& app, const crow::Request& req, 12921aa375b8SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 12931aa375b8SEd Tanous { 12941aa375b8SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 12951aa375b8SEd Tanous { 12961aa375b8SEd Tanous return; 12971aa375b8SEd Tanous } 12981aa375b8SEd Tanous 12991aa375b8SEd Tanous asyncResp->res.addHeader( 13001aa375b8SEd Tanous boost::beast::http::field::link, 13011aa375b8SEd Tanous "</redfish/v1/JsonSchemas/CertificateCollection/CertificateCollection.json>; rel=describedby"); 13021aa375b8SEd Tanous } 13031aa375b8SEd Tanous 13041aa375b8SEd Tanous inline void handleAccountServiceClientCertificatesGet( 13051aa375b8SEd Tanous App& app, const crow::Request& req, 13061aa375b8SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 13071aa375b8SEd Tanous { 13081aa375b8SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 13091aa375b8SEd Tanous { 13101aa375b8SEd Tanous return; 13111aa375b8SEd Tanous } 13120f09ed32SMyung Bae 13130f09ed32SMyung Bae nlohmann::json& json = asyncResp->res.jsonValue; 13140f09ed32SMyung Bae json["@odata.id"] = 13150f09ed32SMyung Bae "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates"; 13160f09ed32SMyung Bae json["@odata.type"] = "#CertificateCollection.CertificateCollection"; 13170f09ed32SMyung Bae json["Name"] = "Certificates Collection"; 13180f09ed32SMyung Bae json["Description"] = "Multi-factor Authentication Client Certificates"; 13191aa375b8SEd Tanous getClientCertificates(asyncResp, "/Members"_json_pointer); 13201aa375b8SEd Tanous } 13211aa375b8SEd Tanous 13223ce3688aSEd Tanous using account_service::CertificateMappingAttribute; 13233ce3688aSEd Tanous using persistent_data::MTLSCommonNameParseMode; 1324504af5a0SPatrick Williams inline CertificateMappingAttribute getCertificateMapping( 1325504af5a0SPatrick Williams MTLSCommonNameParseMode parse) 13263ce3688aSEd Tanous { 13273ce3688aSEd Tanous switch (parse) 13283ce3688aSEd Tanous { 13293ce3688aSEd Tanous case MTLSCommonNameParseMode::CommonName: 13303ce3688aSEd Tanous { 13313ce3688aSEd Tanous return CertificateMappingAttribute::CommonName; 13323ce3688aSEd Tanous } 13333ce3688aSEd Tanous break; 13343ce3688aSEd Tanous case MTLSCommonNameParseMode::Whole: 13353ce3688aSEd Tanous { 13363ce3688aSEd Tanous return CertificateMappingAttribute::Whole; 13373ce3688aSEd Tanous } 13383ce3688aSEd Tanous break; 13393ce3688aSEd Tanous case MTLSCommonNameParseMode::UserPrincipalName: 13403ce3688aSEd Tanous { 13413ce3688aSEd Tanous return CertificateMappingAttribute::UserPrincipalName; 13423ce3688aSEd Tanous } 13433ce3688aSEd Tanous break; 13443ce3688aSEd Tanous 13453ce3688aSEd Tanous case MTLSCommonNameParseMode::Meta: 13463ce3688aSEd Tanous { 13473ce3688aSEd Tanous if constexpr (BMCWEB_META_TLS_COMMON_NAME_PARSING) 13483ce3688aSEd Tanous { 13493ce3688aSEd Tanous return CertificateMappingAttribute::CommonName; 13503ce3688aSEd Tanous } 13513ce3688aSEd Tanous } 13523ce3688aSEd Tanous break; 13533ce3688aSEd Tanous default: 13543ce3688aSEd Tanous { 13553ce3688aSEd Tanous return CertificateMappingAttribute::Invalid; 13563ce3688aSEd Tanous } 13573ce3688aSEd Tanous break; 13583ce3688aSEd Tanous } 13593ce3688aSEd Tanous } 13603ce3688aSEd Tanous 1361504af5a0SPatrick Williams inline void handleAccountServiceGet( 1362504af5a0SPatrick Williams App& app, const crow::Request& req, 13634c7d4d33SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 13644c7d4d33SEd Tanous { 1365afd369c6SJiaqing Zhao if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1366afd369c6SJiaqing Zhao { 1367afd369c6SJiaqing Zhao return; 1368afd369c6SJiaqing Zhao } 13693e72c202SNinad Palsule 13703e72c202SNinad Palsule if (req.session == nullptr) 13713e72c202SNinad Palsule { 13723e72c202SNinad Palsule messages::internalError(asyncResp->res); 13733e72c202SNinad Palsule return; 13743e72c202SNinad Palsule } 13753e72c202SNinad Palsule 1376c1019828SEd Tanous const persistent_data::AuthConfigMethods& authMethodsConfig = 1377c1019828SEd Tanous persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 1378c1019828SEd Tanous 1379afd369c6SJiaqing Zhao asyncResp->res.addHeader( 1380afd369c6SJiaqing Zhao boost::beast::http::field::link, 1381afd369c6SJiaqing Zhao "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby"); 1382afd369c6SJiaqing Zhao 13831476687dSEd Tanous nlohmann::json& json = asyncResp->res.jsonValue; 13841476687dSEd Tanous json["@odata.id"] = "/redfish/v1/AccountService"; 1385482a69e7SRavi Teja json["@odata.type"] = "#AccountService.v1_15_0.AccountService"; 13861476687dSEd Tanous json["Id"] = "AccountService"; 13871476687dSEd Tanous json["Name"] = "Account Service"; 13881476687dSEd Tanous json["Description"] = "Account Service"; 13891476687dSEd Tanous json["ServiceEnabled"] = true; 13901476687dSEd Tanous json["MaxPasswordLength"] = 20; 13911ef4c342SEd Tanous json["Accounts"]["@odata.id"] = "/redfish/v1/AccountService/Accounts"; 13921476687dSEd Tanous json["Roles"]["@odata.id"] = "/redfish/v1/AccountService/Roles"; 1393482a69e7SRavi Teja json["HTTPBasicAuth"] = authMethodsConfig.basic 1394482a69e7SRavi Teja ? account_service::BasicAuthState::Enabled 1395482a69e7SRavi Teja : account_service::BasicAuthState::Disabled; 1396482a69e7SRavi Teja 1397482a69e7SRavi Teja nlohmann::json::array_t allowed; 1398482a69e7SRavi Teja allowed.emplace_back(account_service::BasicAuthState::Enabled); 1399482a69e7SRavi Teja allowed.emplace_back(account_service::BasicAuthState::Disabled); 1400482a69e7SRavi Teja json["HTTPBasicAuth@AllowableValues"] = std::move(allowed); 1401482a69e7SRavi Teja 14021aa375b8SEd Tanous nlohmann::json::object_t clientCertificate; 14031aa375b8SEd Tanous clientCertificate["Enabled"] = authMethodsConfig.tls; 14043281bcf1SEd Tanous clientCertificate["RespondToUnauthenticatedClients"] = 14053281bcf1SEd Tanous !authMethodsConfig.tlsStrict; 14063ce3688aSEd Tanous 14073ce3688aSEd Tanous using account_service::CertificateMappingAttribute; 14083ce3688aSEd Tanous 14093ce3688aSEd Tanous CertificateMappingAttribute mapping = 14103ce3688aSEd Tanous getCertificateMapping(authMethodsConfig.mTLSCommonNameParsingMode); 14113ce3688aSEd Tanous if (mapping == CertificateMappingAttribute::Invalid) 14123ce3688aSEd Tanous { 14133ce3688aSEd Tanous messages::internalError(asyncResp->res); 14143ce3688aSEd Tanous } 14153ce3688aSEd Tanous else 14163ce3688aSEd Tanous { 14173ce3688aSEd Tanous clientCertificate["CertificateMappingAttribute"] = mapping; 14183ce3688aSEd Tanous } 14191aa375b8SEd Tanous nlohmann::json::object_t certificates; 14201aa375b8SEd Tanous certificates["@odata.id"] = 14211aa375b8SEd Tanous "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates"; 14221aa375b8SEd Tanous certificates["@odata.type"] = 14231aa375b8SEd Tanous "#CertificateCollection.CertificateCollection"; 14241aa375b8SEd Tanous clientCertificate["Certificates"] = std::move(certificates); 14251aa375b8SEd Tanous json["MultiFactorAuth"]["ClientCertificate"] = std::move(clientCertificate); 14261aa375b8SEd Tanous 14271aa375b8SEd Tanous getClientCertificates( 14281aa375b8SEd Tanous asyncResp, 14291aa375b8SEd Tanous "/MultiFactorAuth/ClientCertificate/Certificates/Members"_json_pointer); 14301aa375b8SEd Tanous 14311476687dSEd Tanous json["Oem"]["OpenBMC"]["@odata.type"] = 14325b5574acSEd Tanous "#OpenBMCAccountService.v1_0_0.AccountService"; 14331476687dSEd Tanous json["Oem"]["OpenBMC"]["@odata.id"] = 14341476687dSEd Tanous "/redfish/v1/AccountService#/Oem/OpenBMC"; 14351476687dSEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["BasicAuth"] = 14361476687dSEd Tanous authMethodsConfig.basic; 14371476687dSEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["SessionToken"] = 14381476687dSEd Tanous authMethodsConfig.sessionToken; 14391ef4c342SEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["XToken"] = authMethodsConfig.xtoken; 14401ef4c342SEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["Cookie"] = authMethodsConfig.cookie; 14411ef4c342SEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["TLS"] = authMethodsConfig.tls; 14421476687dSEd Tanous 14431ef4c342SEd Tanous // /redfish/v1/AccountService/LDAP/Certificates is something only 14441ef4c342SEd Tanous // ConfigureManager can access then only display when the user has 14451ef4c342SEd Tanous // permissions ConfigureManager 144672048780SAbhishek Patel Privileges effectiveUserPrivileges = 14473e72c202SNinad Palsule redfish::getUserPrivileges(*req.session); 144872048780SAbhishek Patel 144972048780SAbhishek Patel if (isOperationAllowedWithPrivileges({{"ConfigureManager"}}, 145072048780SAbhishek Patel effectiveUserPrivileges)) 145172048780SAbhishek Patel { 14521ef4c342SEd Tanous asyncResp->res.jsonValue["LDAP"]["Certificates"]["@odata.id"] = 14531476687dSEd Tanous "/redfish/v1/AccountService/LDAP/Certificates"; 145472048780SAbhishek Patel } 1455deae6a78SEd Tanous dbus::utility::getAllProperties( 1456deae6a78SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1457deae6a78SEd Tanous "xyz.openbmc_project.User.AccountPolicy", 14585e7e2dc5SEd Tanous [asyncResp](const boost::system::error_code& ec, 14591ef4c342SEd Tanous const dbus::utility::DBusPropertiesMap& propertiesList) { 14603d958bbcSAppaRao Puli if (ec) 14613d958bbcSAppaRao Puli { 14623d958bbcSAppaRao Puli messages::internalError(asyncResp->res); 14633d958bbcSAppaRao Puli return; 14643d958bbcSAppaRao Puli } 1465d1bde9e5SKrzysztof Grobelny 146662598e31SEd Tanous BMCWEB_LOG_DEBUG("Got {} properties for AccountService", 146762598e31SEd Tanous propertiesList.size()); 1468d1bde9e5SKrzysztof Grobelny 1469d1bde9e5SKrzysztof Grobelny const uint8_t* minPasswordLength = nullptr; 1470d1bde9e5SKrzysztof Grobelny const uint32_t* accountUnlockTimeout = nullptr; 1471d1bde9e5SKrzysztof Grobelny const uint16_t* maxLoginAttemptBeforeLockout = nullptr; 1472d1bde9e5SKrzysztof Grobelny 1473d1bde9e5SKrzysztof Grobelny const bool success = sdbusplus::unpackPropertiesNoThrow( 1474d1bde9e5SKrzysztof Grobelny dbus_utils::UnpackErrorPrinter(), propertiesList, 1475d1bde9e5SKrzysztof Grobelny "MinPasswordLength", minPasswordLength, "AccountUnlockTimeout", 1476d1bde9e5SKrzysztof Grobelny accountUnlockTimeout, "MaxLoginAttemptBeforeLockout", 1477d1bde9e5SKrzysztof Grobelny maxLoginAttemptBeforeLockout); 1478d1bde9e5SKrzysztof Grobelny 1479d1bde9e5SKrzysztof Grobelny if (!success) 14803d958bbcSAppaRao Puli { 1481d1bde9e5SKrzysztof Grobelny messages::internalError(asyncResp->res); 1482d1bde9e5SKrzysztof Grobelny return; 14833d958bbcSAppaRao Puli } 1484d1bde9e5SKrzysztof Grobelny 1485d1bde9e5SKrzysztof Grobelny if (minPasswordLength != nullptr) 14863d958bbcSAppaRao Puli { 1487bd79bce8SPatrick Williams asyncResp->res.jsonValue["MinPasswordLength"] = 1488bd79bce8SPatrick Williams *minPasswordLength; 14893d958bbcSAppaRao Puli } 1490d1bde9e5SKrzysztof Grobelny 1491d1bde9e5SKrzysztof Grobelny if (accountUnlockTimeout != nullptr) 14923d958bbcSAppaRao Puli { 1493d1bde9e5SKrzysztof Grobelny asyncResp->res.jsonValue["AccountLockoutDuration"] = 1494d1bde9e5SKrzysztof Grobelny *accountUnlockTimeout; 1495d1bde9e5SKrzysztof Grobelny } 1496d1bde9e5SKrzysztof Grobelny 1497d1bde9e5SKrzysztof Grobelny if (maxLoginAttemptBeforeLockout != nullptr) 14983d958bbcSAppaRao Puli { 1499002d39b4SEd Tanous asyncResp->res.jsonValue["AccountLockoutThreshold"] = 1500d1bde9e5SKrzysztof Grobelny *maxLoginAttemptBeforeLockout; 15013d958bbcSAppaRao Puli } 1502d1bde9e5SKrzysztof Grobelny }); 15036973a582SRatan Gupta 150402cad96eSEd Tanous auto callback = [asyncResp](bool success, const LDAPConfigData& confData, 1505ab828d7cSRatan Gupta const std::string& ldapType) { 1506cb13a392SEd Tanous if (!success) 1507cb13a392SEd Tanous { 1508cb13a392SEd Tanous return; 1509cb13a392SEd Tanous } 1510002d39b4SEd Tanous parseLDAPConfigData(asyncResp->res.jsonValue, confData, ldapType); 1511ab828d7cSRatan Gupta }; 1512ab828d7cSRatan Gupta 1513ab828d7cSRatan Gupta getLDAPConfigData("LDAP", callback); 1514ab828d7cSRatan Gupta getLDAPConfigData("ActiveDirectory", callback); 15151ef4c342SEd Tanous } 15166973a582SRatan Gupta 1517bd79bce8SPatrick Williams inline void handleCertificateMappingAttributePatch( 1518bd79bce8SPatrick Williams crow::Response& res, const std::string& certMapAttribute) 15193ce3688aSEd Tanous { 15203ce3688aSEd Tanous MTLSCommonNameParseMode parseMode = 15213ce3688aSEd Tanous persistent_data::getMTLSCommonNameParseMode(certMapAttribute); 15223ce3688aSEd Tanous if (parseMode == MTLSCommonNameParseMode::Invalid) 15233ce3688aSEd Tanous { 15243ce3688aSEd Tanous messages::propertyValueNotInList(res, "CertificateMappingAttribute", 15253ce3688aSEd Tanous certMapAttribute); 15263ce3688aSEd Tanous return; 15273ce3688aSEd Tanous } 15283ce3688aSEd Tanous 15293ce3688aSEd Tanous persistent_data::AuthConfigMethods& authMethodsConfig = 15303ce3688aSEd Tanous persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 15313ce3688aSEd Tanous authMethodsConfig.mTLSCommonNameParsingMode = parseMode; 15323ce3688aSEd Tanous } 15333ce3688aSEd Tanous 15343281bcf1SEd Tanous inline void handleRespondToUnauthenticatedClientsPatch( 15353281bcf1SEd Tanous App& app, const crow::Request& req, crow::Response& res, 15363281bcf1SEd Tanous bool respondToUnauthenticatedClients) 15373281bcf1SEd Tanous { 15383281bcf1SEd Tanous if (req.session != nullptr) 15393281bcf1SEd Tanous { 15403281bcf1SEd Tanous // Sanity check. If the user isn't currently authenticated with mutual 15413281bcf1SEd Tanous // TLS, they very likely are about to permanently lock themselves out. 15423281bcf1SEd Tanous // Make sure they're using mutual TLS before allowing locking. 15433281bcf1SEd Tanous if (req.session->sessionType != persistent_data::SessionType::MutualTLS) 15443281bcf1SEd Tanous { 15453281bcf1SEd Tanous messages::propertyValueExternalConflict( 15463281bcf1SEd Tanous res, 15473281bcf1SEd Tanous "MultiFactorAuth/ClientCertificate/RespondToUnauthenticatedClients", 15483281bcf1SEd Tanous respondToUnauthenticatedClients); 15493281bcf1SEd Tanous return; 15503281bcf1SEd Tanous } 15513281bcf1SEd Tanous } 15523281bcf1SEd Tanous 15533281bcf1SEd Tanous persistent_data::AuthConfigMethods& authMethodsConfig = 15543281bcf1SEd Tanous persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 15553281bcf1SEd Tanous 15563281bcf1SEd Tanous // Change the settings 15573281bcf1SEd Tanous authMethodsConfig.tlsStrict = !respondToUnauthenticatedClients; 15583281bcf1SEd Tanous 15593281bcf1SEd Tanous // Write settings to disk 15603281bcf1SEd Tanous persistent_data::getConfig().writeData(); 15613281bcf1SEd Tanous 15623281bcf1SEd Tanous // Trigger a reload, to apply the new settings to new connections 15633281bcf1SEd Tanous app.loadCertificate(); 15643281bcf1SEd Tanous } 15653281bcf1SEd Tanous 15661ef4c342SEd Tanous inline void handleAccountServicePatch( 15671ef4c342SEd Tanous App& app, const crow::Request& req, 15681ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 15691ef4c342SEd Tanous { 15703ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 157145ca1b86SEd Tanous { 157245ca1b86SEd Tanous return; 157345ca1b86SEd Tanous } 1574f5ffd806SEd Tanous std::optional<uint32_t> unlockTimeout; 1575f5ffd806SEd Tanous std::optional<uint16_t> lockoutThreshold; 1576ef73ad0dSPaul Fertser std::optional<uint8_t> minPasswordLength; 1577f5ffd806SEd Tanous std::optional<uint16_t> maxPasswordLength; 157810cb44f3SEd Tanous LdapPatchParams ldapObject; 15793ce3688aSEd Tanous std::optional<std::string> certificateMappingAttribute; 15803281bcf1SEd Tanous std::optional<bool> respondToUnauthenticatedClients; 158110cb44f3SEd Tanous LdapPatchParams activeDirectoryObject; 1582c1019828SEd Tanous AuthMethods auth; 1583482a69e7SRavi Teja std::optional<std::string> httpBasicAuth; 15843ce3688aSEd Tanous 1585afc474aeSMyung Bae if (!json_util::readJsonPatch( // 1586afc474aeSMyung Bae req, asyncResp->res, // 1587afc474aeSMyung Bae "AccountLockoutDuration", unlockTimeout, // 1588afc474aeSMyung Bae "AccountLockoutThreshold", lockoutThreshold, // 1589afc474aeSMyung Bae "ActiveDirectory/Authentication/AuthenticationType", 1590afc474aeSMyung Bae activeDirectoryObject.authType, // 1591afc474aeSMyung Bae "ActiveDirectory/Authentication/Password", 1592afc474aeSMyung Bae activeDirectoryObject.password, // 1593afc474aeSMyung Bae "ActiveDirectory/Authentication/Username", 1594afc474aeSMyung Bae activeDirectoryObject.userName, // 1595afc474aeSMyung Bae "ActiveDirectory/LDAPService/SearchSettings/BaseDistinguishedNames", 1596afc474aeSMyung Bae activeDirectoryObject.baseDNList, // 1597afc474aeSMyung Bae "ActiveDirectory/LDAPService/SearchSettings/GroupsAttribute", 1598afc474aeSMyung Bae activeDirectoryObject.groupsAttribute, // 1599afc474aeSMyung Bae "ActiveDirectory/LDAPService/SearchSettings/UsernameAttribute", 1600afc474aeSMyung Bae activeDirectoryObject.userNameAttribute, // 1601afc474aeSMyung Bae "ActiveDirectory/RemoteRoleMapping", 1602afc474aeSMyung Bae activeDirectoryObject.remoteRoleMapData, // 1603afc474aeSMyung Bae "ActiveDirectory/ServiceAddresses", 1604afc474aeSMyung Bae activeDirectoryObject.serviceAddressList, // 1605afc474aeSMyung Bae "ActiveDirectory/ServiceEnabled", 1606afc474aeSMyung Bae activeDirectoryObject.serviceEnabled, // 1607afc474aeSMyung Bae "HTTPBasicAuth", httpBasicAuth, // 1608afc474aeSMyung Bae "LDAP/Authentication/AuthenticationType", ldapObject.authType, // 1609afc474aeSMyung Bae "LDAP/Authentication/Password", ldapObject.password, // 1610afc474aeSMyung Bae "LDAP/Authentication/Username", ldapObject.userName, // 1611afc474aeSMyung Bae "LDAP/LDAPService/SearchSettings/BaseDistinguishedNames", 1612afc474aeSMyung Bae ldapObject.baseDNList, // 1613afc474aeSMyung Bae "LDAP/LDAPService/SearchSettings/GroupsAttribute", 1614afc474aeSMyung Bae ldapObject.groupsAttribute, // 1615afc474aeSMyung Bae "LDAP/LDAPService/SearchSettings/UsernameAttribute", 1616afc474aeSMyung Bae ldapObject.userNameAttribute, // 1617afc474aeSMyung Bae "LDAP/RemoteRoleMapping", ldapObject.remoteRoleMapData, // 1618afc474aeSMyung Bae "LDAP/ServiceAddresses", ldapObject.serviceAddressList, // 1619afc474aeSMyung Bae "LDAP/ServiceEnabled", ldapObject.serviceEnabled, // 1620afc474aeSMyung Bae "MaxPasswordLength", maxPasswordLength, // 1621afc474aeSMyung Bae "MinPasswordLength", minPasswordLength, // 1622afc474aeSMyung Bae "MultiFactorAuth/ClientCertificate/CertificateMappingAttribute", 1623afc474aeSMyung Bae certificateMappingAttribute, // 1624afc474aeSMyung Bae "MultiFactorAuth/ClientCertificate/RespondToUnauthenticatedClients", 1625afc474aeSMyung Bae respondToUnauthenticatedClients, // 1626afc474aeSMyung Bae "Oem/OpenBMC/AuthMethods/BasicAuth", auth.basicAuth, // 1627afc474aeSMyung Bae "Oem/OpenBMC/AuthMethods/Cookie", auth.cookie, // 1628afc474aeSMyung Bae "Oem/OpenBMC/AuthMethods/SessionToken", auth.sessionToken, // 1629afc474aeSMyung Bae "Oem/OpenBMC/AuthMethods/TLS", auth.tls, // 1630afc474aeSMyung Bae "Oem/OpenBMC/AuthMethods/XToken", auth.xToken // 1631afc474aeSMyung Bae )) 1632f5ffd806SEd Tanous { 1633f5ffd806SEd Tanous return; 1634f5ffd806SEd Tanous } 1635f5ffd806SEd Tanous 1636482a69e7SRavi Teja if (httpBasicAuth) 1637482a69e7SRavi Teja { 1638482a69e7SRavi Teja if (*httpBasicAuth == "Enabled") 1639482a69e7SRavi Teja { 1640482a69e7SRavi Teja auth.basicAuth = true; 1641482a69e7SRavi Teja } 1642482a69e7SRavi Teja else if (*httpBasicAuth == "Disabled") 1643482a69e7SRavi Teja { 1644482a69e7SRavi Teja auth.basicAuth = false; 1645482a69e7SRavi Teja } 1646482a69e7SRavi Teja else 1647482a69e7SRavi Teja { 1648482a69e7SRavi Teja messages::propertyValueNotInList(asyncResp->res, "HttpBasicAuth", 1649482a69e7SRavi Teja *httpBasicAuth); 1650482a69e7SRavi Teja } 1651482a69e7SRavi Teja } 1652482a69e7SRavi Teja 16533281bcf1SEd Tanous if (respondToUnauthenticatedClients) 16543281bcf1SEd Tanous { 16553281bcf1SEd Tanous handleRespondToUnauthenticatedClientsPatch( 16563281bcf1SEd Tanous app, req, asyncResp->res, *respondToUnauthenticatedClients); 16573281bcf1SEd Tanous } 16583281bcf1SEd Tanous 16593ce3688aSEd Tanous if (certificateMappingAttribute) 16603ce3688aSEd Tanous { 16613ce3688aSEd Tanous handleCertificateMappingAttributePatch(asyncResp->res, 16623ce3688aSEd Tanous *certificateMappingAttribute); 16633ce3688aSEd Tanous } 16643ce3688aSEd Tanous 1665f5ffd806SEd Tanous if (minPasswordLength) 1666f5ffd806SEd Tanous { 1667d02aad39SEd Tanous setDbusProperty( 1668e93abac6SGinu George asyncResp, "MinPasswordLength", "xyz.openbmc_project.User.Manager", 1669d02aad39SEd Tanous sdbusplus::message::object_path("/xyz/openbmc_project/user"), 16709ae226faSGeorge Liu "xyz.openbmc_project.User.AccountPolicy", "MinPasswordLength", 1671e93abac6SGinu George *minPasswordLength); 1672f5ffd806SEd Tanous } 1673f5ffd806SEd Tanous 1674f5ffd806SEd Tanous if (maxPasswordLength) 1675f5ffd806SEd Tanous { 16761ef4c342SEd Tanous messages::propertyNotWritable(asyncResp->res, "MaxPasswordLength"); 1677f5ffd806SEd Tanous } 1678f5ffd806SEd Tanous 167910cb44f3SEd Tanous handleLDAPPatch(std::move(activeDirectoryObject), asyncResp, 168010cb44f3SEd Tanous "ActiveDirectory"); 168110cb44f3SEd Tanous handleLDAPPatch(std::move(ldapObject), asyncResp, "LDAP"); 1682f5ffd806SEd Tanous 1683c1019828SEd Tanous handleAuthMethodsPatch(asyncResp, auth); 1684f5ffd806SEd Tanous 1685f5ffd806SEd Tanous if (unlockTimeout) 1686f5ffd806SEd Tanous { 1687d02aad39SEd Tanous setDbusProperty( 1688e93abac6SGinu George asyncResp, "AccountLockoutDuration", 1689e93abac6SGinu George "xyz.openbmc_project.User.Manager", 1690d02aad39SEd Tanous sdbusplus::message::object_path("/xyz/openbmc_project/user"), 16919ae226faSGeorge Liu "xyz.openbmc_project.User.AccountPolicy", "AccountUnlockTimeout", 1692e93abac6SGinu George *unlockTimeout); 1693f5ffd806SEd Tanous } 1694f5ffd806SEd Tanous if (lockoutThreshold) 1695f5ffd806SEd Tanous { 1696d02aad39SEd Tanous setDbusProperty( 1697e93abac6SGinu George asyncResp, "AccountLockoutThreshold", 1698e93abac6SGinu George "xyz.openbmc_project.User.Manager", 1699d02aad39SEd Tanous sdbusplus::message::object_path("/xyz/openbmc_project/user"), 17009ae226faSGeorge Liu "xyz.openbmc_project.User.AccountPolicy", 1701e93abac6SGinu George "MaxLoginAttemptBeforeLockout", *lockoutThreshold); 1702f5ffd806SEd Tanous } 17031ef4c342SEd Tanous } 1704f5ffd806SEd Tanous 17054c7d4d33SEd Tanous inline void handleAccountCollectionHead( 17061ef4c342SEd Tanous App& app, const crow::Request& req, 17071ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 17081ef4c342SEd Tanous { 17093ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 171045ca1b86SEd Tanous { 171145ca1b86SEd Tanous return; 171245ca1b86SEd Tanous } 17134c7d4d33SEd Tanous asyncResp->res.addHeader( 17144c7d4d33SEd Tanous boost::beast::http::field::link, 17154c7d4d33SEd Tanous "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby"); 17164c7d4d33SEd Tanous } 17174c7d4d33SEd Tanous 17184c7d4d33SEd Tanous inline void handleAccountCollectionGet( 17194c7d4d33SEd Tanous App& app, const crow::Request& req, 17204c7d4d33SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 17214c7d4d33SEd Tanous { 1722afd369c6SJiaqing Zhao if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1723afd369c6SJiaqing Zhao { 1724afd369c6SJiaqing Zhao return; 1725afd369c6SJiaqing Zhao } 17263e72c202SNinad Palsule 17273e72c202SNinad Palsule if (req.session == nullptr) 17283e72c202SNinad Palsule { 17293e72c202SNinad Palsule messages::internalError(asyncResp->res); 17303e72c202SNinad Palsule return; 17313e72c202SNinad Palsule } 17323e72c202SNinad Palsule 1733afd369c6SJiaqing Zhao asyncResp->res.addHeader( 1734afd369c6SJiaqing Zhao boost::beast::http::field::link, 1735afd369c6SJiaqing Zhao "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby"); 17361476687dSEd Tanous 17371476687dSEd Tanous asyncResp->res.jsonValue["@odata.id"] = 17381476687dSEd Tanous "/redfish/v1/AccountService/Accounts"; 17391ef4c342SEd Tanous asyncResp->res.jsonValue["@odata.type"] = "#ManagerAccountCollection." 17401476687dSEd Tanous "ManagerAccountCollection"; 17411476687dSEd Tanous asyncResp->res.jsonValue["Name"] = "Accounts Collection"; 17421476687dSEd Tanous asyncResp->res.jsonValue["Description"] = "BMC User Accounts"; 17430f74e643SEd Tanous 17446c51eab1SEd Tanous Privileges effectiveUserPrivileges = 17453e72c202SNinad Palsule redfish::getUserPrivileges(*req.session); 17466c51eab1SEd Tanous 1747f5e29f33SJunLin Chen std::string thisUser; 1748f5e29f33SJunLin Chen if (req.session) 1749f5e29f33SJunLin Chen { 1750f5e29f33SJunLin Chen thisUser = req.session->username; 1751f5e29f33SJunLin Chen } 17525eb468daSGeorge Liu sdbusplus::message::object_path path("/xyz/openbmc_project/user"); 17535eb468daSGeorge Liu dbus::utility::getManagedObjects( 17545eb468daSGeorge Liu "xyz.openbmc_project.User.Manager", path, 1755cef1ddfbSEd Tanous [asyncResp, thisUser, effectiveUserPrivileges]( 17565e7e2dc5SEd Tanous const boost::system::error_code& ec, 1757711ac7a9SEd Tanous const dbus::utility::ManagedObjectType& users) { 1758b9b2e0b2SEd Tanous if (ec) 1759b9b2e0b2SEd Tanous { 1760f12894f8SJason M. Bills messages::internalError(asyncResp->res); 1761b9b2e0b2SEd Tanous return; 1762b9b2e0b2SEd Tanous } 1763b9b2e0b2SEd Tanous 1764cef1ddfbSEd Tanous bool userCanSeeAllAccounts = 1765002d39b4SEd Tanous effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"}); 1766cef1ddfbSEd Tanous 1767cef1ddfbSEd Tanous bool userCanSeeSelf = 1768002d39b4SEd Tanous effectiveUserPrivileges.isSupersetOf({"ConfigureSelf"}); 1769cef1ddfbSEd Tanous 1770002d39b4SEd Tanous nlohmann::json& memberArray = asyncResp->res.jsonValue["Members"]; 1771b9b2e0b2SEd Tanous memberArray = nlohmann::json::array(); 1772b9b2e0b2SEd Tanous 17739eb808c1SEd Tanous for (const auto& userpath : users) 1774b9b2e0b2SEd Tanous { 17752dfd18efSEd Tanous std::string user = userpath.first.filename(); 17762dfd18efSEd Tanous if (user.empty()) 1777b9b2e0b2SEd Tanous { 17782dfd18efSEd Tanous messages::internalError(asyncResp->res); 177962598e31SEd Tanous BMCWEB_LOG_ERROR("Invalid firmware ID"); 17802dfd18efSEd Tanous 17812dfd18efSEd Tanous return; 1782b9b2e0b2SEd Tanous } 1783f365910cSGunnar Mills 1784f365910cSGunnar Mills // As clarified by Redfish here: 1785f365910cSGunnar Mills // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration 17866c51eab1SEd Tanous // Users without ConfigureUsers, only see their own 17876c51eab1SEd Tanous // account. Users with ConfigureUsers, see all 17886c51eab1SEd Tanous // accounts. 1789bd79bce8SPatrick Williams if (userCanSeeAllAccounts || 1790bd79bce8SPatrick Williams (thisUser == user && userCanSeeSelf)) 1791f365910cSGunnar Mills { 17921476687dSEd Tanous nlohmann::json::object_t member; 17933b32780dSEd Tanous member["@odata.id"] = boost::urls::format( 17943b32780dSEd Tanous "/redfish/v1/AccountService/Accounts/{}", user); 1795b2ba3072SPatrick Williams memberArray.emplace_back(std::move(member)); 1796b9b2e0b2SEd Tanous } 1797f365910cSGunnar Mills } 1798bd79bce8SPatrick Williams asyncResp->res.jsonValue["Members@odata.count"] = 1799bd79bce8SPatrick Williams memberArray.size(); 18005eb468daSGeorge Liu }); 18011ef4c342SEd Tanous } 18026c51eab1SEd Tanous 180397e90da3SNinad Palsule inline void processAfterCreateUser( 180497e90da3SNinad Palsule const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 180597e90da3SNinad Palsule const std::string& username, const std::string& password, 180697e90da3SNinad Palsule const boost::system::error_code& ec, sdbusplus::message_t& m) 180797e90da3SNinad Palsule { 180897e90da3SNinad Palsule if (ec) 180997e90da3SNinad Palsule { 181097e90da3SNinad Palsule userErrorMessageHandler(m.get_error(), asyncResp, username, ""); 181197e90da3SNinad Palsule return; 181297e90da3SNinad Palsule } 181397e90da3SNinad Palsule 181497e90da3SNinad Palsule if (pamUpdatePassword(username, password) != PAM_SUCCESS) 181597e90da3SNinad Palsule { 181697e90da3SNinad Palsule // At this point we have a user that's been 181797e90da3SNinad Palsule // created, but the password set 181897e90da3SNinad Palsule // failed.Something is wrong, so delete the user 181997e90da3SNinad Palsule // that we've already created 182097e90da3SNinad Palsule sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 182197e90da3SNinad Palsule tempObjPath /= username; 182297e90da3SNinad Palsule const std::string userPath(tempObjPath); 182397e90da3SNinad Palsule 1824*177612aaSEd Tanous dbus::utility::async_method_call( 1825*177612aaSEd Tanous asyncResp, 182697e90da3SNinad Palsule [asyncResp, password](const boost::system::error_code& ec3) { 182797e90da3SNinad Palsule if (ec3) 182897e90da3SNinad Palsule { 182997e90da3SNinad Palsule messages::internalError(asyncResp->res); 183097e90da3SNinad Palsule return; 183197e90da3SNinad Palsule } 183297e90da3SNinad Palsule 183397e90da3SNinad Palsule // If password is invalid 18349bd80831SJason M. Bills messages::propertyValueFormatError(asyncResp->res, nullptr, 183597e90da3SNinad Palsule "Password"); 183697e90da3SNinad Palsule }, 183797e90da3SNinad Palsule "xyz.openbmc_project.User.Manager", userPath, 183897e90da3SNinad Palsule "xyz.openbmc_project.Object.Delete", "Delete"); 183997e90da3SNinad Palsule 184062598e31SEd Tanous BMCWEB_LOG_ERROR("pamUpdatePassword Failed"); 184197e90da3SNinad Palsule return; 184297e90da3SNinad Palsule } 184397e90da3SNinad Palsule 184497e90da3SNinad Palsule messages::created(asyncResp->res); 184597e90da3SNinad Palsule asyncResp->res.addHeader("Location", 184697e90da3SNinad Palsule "/redfish/v1/AccountService/Accounts/" + username); 184797e90da3SNinad Palsule } 184897e90da3SNinad Palsule 184997e90da3SNinad Palsule inline void processAfterGetAllGroups( 185097e90da3SNinad Palsule const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 185197e90da3SNinad Palsule const std::string& username, const std::string& password, 1852e01d0c36SEd Tanous const std::string& roleId, bool enabled, 18539ba73934SNinad Palsule std::optional<std::vector<std::string>> accountTypes, 185497e90da3SNinad Palsule const std::vector<std::string>& allGroupsList) 185597e90da3SNinad Palsule { 18563e72c202SNinad Palsule std::vector<std::string> userGroups; 18579ba73934SNinad Palsule std::vector<std::string> accountTypeUserGroups; 18589ba73934SNinad Palsule 18599ba73934SNinad Palsule // If user specified account types then convert them to unix user groups 18609ba73934SNinad Palsule if (accountTypes) 18619ba73934SNinad Palsule { 18629ba73934SNinad Palsule if (!getUserGroupFromAccountType(asyncResp->res, *accountTypes, 18639ba73934SNinad Palsule accountTypeUserGroups)) 18649ba73934SNinad Palsule { 18659ba73934SNinad Palsule // Problem in mapping Account Types to User Groups, Error already 18669ba73934SNinad Palsule // logged. 18679ba73934SNinad Palsule return; 18689ba73934SNinad Palsule } 18699ba73934SNinad Palsule } 18709ba73934SNinad Palsule 18713e72c202SNinad Palsule for (const auto& grp : allGroupsList) 18723e72c202SNinad Palsule { 18739ba73934SNinad Palsule // If user specified the account type then only accept groups which are 18749ba73934SNinad Palsule // in the account types group list. 18759ba73934SNinad Palsule if (!accountTypeUserGroups.empty()) 18769ba73934SNinad Palsule { 18779ba73934SNinad Palsule bool found = false; 18789ba73934SNinad Palsule for (const auto& grp1 : accountTypeUserGroups) 18799ba73934SNinad Palsule { 18809ba73934SNinad Palsule if (grp == grp1) 18819ba73934SNinad Palsule { 18829ba73934SNinad Palsule found = true; 18839ba73934SNinad Palsule break; 18849ba73934SNinad Palsule } 18859ba73934SNinad Palsule } 18869ba73934SNinad Palsule if (!found) 18879ba73934SNinad Palsule { 18889ba73934SNinad Palsule continue; 18899ba73934SNinad Palsule } 18909ba73934SNinad Palsule } 18919ba73934SNinad Palsule 18923e72c202SNinad Palsule // Console access is provided to the user who is a member of 18933e72c202SNinad Palsule // hostconsole group and has a administrator role. So, set 18943e72c202SNinad Palsule // hostconsole group only for the administrator. 18959ba73934SNinad Palsule if ((grp == "hostconsole") && (roleId != "priv-admin")) 18963e72c202SNinad Palsule { 18979ba73934SNinad Palsule if (!accountTypeUserGroups.empty()) 18989ba73934SNinad Palsule { 189962598e31SEd Tanous BMCWEB_LOG_ERROR( 190062598e31SEd Tanous "Only administrator can get HostConsole access"); 19019ba73934SNinad Palsule asyncResp->res.result(boost::beast::http::status::bad_request); 19029ba73934SNinad Palsule return; 19039ba73934SNinad Palsule } 19049ba73934SNinad Palsule continue; 19059ba73934SNinad Palsule } 19063e72c202SNinad Palsule userGroups.emplace_back(grp); 19073e72c202SNinad Palsule } 19089ba73934SNinad Palsule 19099ba73934SNinad Palsule // Make sure user specified groups are valid. This is internal error because 19109ba73934SNinad Palsule // it some inconsistencies between user manager and bmcweb. 19119ba73934SNinad Palsule if (!accountTypeUserGroups.empty() && 19129ba73934SNinad Palsule accountTypeUserGroups.size() != userGroups.size()) 19139ba73934SNinad Palsule { 19149ba73934SNinad Palsule messages::internalError(asyncResp->res); 19159ba73934SNinad Palsule return; 19163e72c202SNinad Palsule } 1917*177612aaSEd Tanous dbus::utility::async_method_call( 1918*177612aaSEd Tanous asyncResp, 191997e90da3SNinad Palsule [asyncResp, username, password](const boost::system::error_code& ec2, 192097e90da3SNinad Palsule sdbusplus::message_t& m) { 192197e90da3SNinad Palsule processAfterCreateUser(asyncResp, username, password, ec2, m); 192297e90da3SNinad Palsule }, 192397e90da3SNinad Palsule "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 19243e72c202SNinad Palsule "xyz.openbmc_project.User.Manager", "CreateUser", username, userGroups, 1925e01d0c36SEd Tanous roleId, enabled); 192697e90da3SNinad Palsule } 192797e90da3SNinad Palsule 19281ef4c342SEd Tanous inline void handleAccountCollectionPost( 19291ef4c342SEd Tanous App& app, const crow::Request& req, 19301ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 19311ef4c342SEd Tanous { 19323ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 193345ca1b86SEd Tanous { 193445ca1b86SEd Tanous return; 193545ca1b86SEd Tanous } 19369712f8acSEd Tanous std::string username; 19379712f8acSEd Tanous std::string password; 1938e01d0c36SEd Tanous std::optional<std::string> roleIdJson; 1939e01d0c36SEd Tanous std::optional<bool> enabledJson; 19409ba73934SNinad Palsule std::optional<std::vector<std::string>> accountTypes; 1941afc474aeSMyung Bae if (!json_util::readJsonPatch( // 1942afc474aeSMyung Bae req, asyncResp->res, // 1943afc474aeSMyung Bae "AccountTypes", accountTypes, // 1944afc474aeSMyung Bae "Enabled", enabledJson, // 1945afc474aeSMyung Bae "Password", password, // 1946afc474aeSMyung Bae "RoleId", roleIdJson, // 1947afc474aeSMyung Bae "UserName", username // 1948afc474aeSMyung Bae )) 194904ae99ecSEd Tanous { 195004ae99ecSEd Tanous return; 195104ae99ecSEd Tanous } 195204ae99ecSEd Tanous 1953e01d0c36SEd Tanous std::string roleId = roleIdJson.value_or("User"); 1954e01d0c36SEd Tanous std::string priv = getPrivilegeFromRoleId(roleId); 195584e12cb7SAppaRao Puli if (priv.empty()) 195604ae99ecSEd Tanous { 1957e01d0c36SEd Tanous messages::propertyValueNotInList(asyncResp->res, roleId, "RoleId"); 195804ae99ecSEd Tanous return; 195904ae99ecSEd Tanous } 19609712f8acSEd Tanous roleId = priv; 196104ae99ecSEd Tanous 1962e01d0c36SEd Tanous bool enabled = enabledJson.value_or(true); 1963e01d0c36SEd Tanous 1964599c71d8SAyushi Smriti // Reading AllGroups property 1965deae6a78SEd Tanous dbus::utility::getProperty<std::vector<std::string>>( 1966deae6a78SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1967deae6a78SEd Tanous "xyz.openbmc_project.User.Manager", "AllGroups", 19689ba73934SNinad Palsule [asyncResp, username, password{std::move(password)}, roleId, enabled, 19699ba73934SNinad Palsule accountTypes](const boost::system::error_code& ec, 19701e1e598dSJonathan Doman const std::vector<std::string>& allGroupsList) { 1971599c71d8SAyushi Smriti if (ec) 1972599c71d8SAyushi Smriti { 1973a0735a4eSGunnar Mills BMCWEB_LOG_ERROR("D-Bus response error {}", ec); 1974599c71d8SAyushi Smriti messages::internalError(asyncResp->res); 1975599c71d8SAyushi Smriti return; 1976599c71d8SAyushi Smriti } 1977599c71d8SAyushi Smriti 19781e1e598dSJonathan Doman if (allGroupsList.empty()) 1979599c71d8SAyushi Smriti { 1980599c71d8SAyushi Smriti messages::internalError(asyncResp->res); 1981599c71d8SAyushi Smriti return; 1982599c71d8SAyushi Smriti } 1983599c71d8SAyushi Smriti 1984bd79bce8SPatrick Williams processAfterGetAllGroups(asyncResp, username, password, roleId, 1985bd79bce8SPatrick Williams enabled, accountTypes, allGroupsList); 19861e1e598dSJonathan Doman }); 19871ef4c342SEd Tanous } 1988b9b2e0b2SEd Tanous 1989504af5a0SPatrick Williams inline void handleAccountHead( 1990504af5a0SPatrick Williams App& app, const crow::Request& req, 19916c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 19924c7d4d33SEd Tanous const std::string& /*accountName*/) 19931ef4c342SEd Tanous { 19943ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 199545ca1b86SEd Tanous { 199645ca1b86SEd Tanous return; 199745ca1b86SEd Tanous } 19984c7d4d33SEd Tanous asyncResp->res.addHeader( 19994c7d4d33SEd Tanous boost::beast::http::field::link, 20004c7d4d33SEd Tanous "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby"); 20014c7d4d33SEd Tanous } 2002afd369c6SJiaqing Zhao 2003504af5a0SPatrick Williams inline void handleAccountGet( 2004504af5a0SPatrick Williams App& app, const crow::Request& req, 20054c7d4d33SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 20064c7d4d33SEd Tanous const std::string& accountName) 20074c7d4d33SEd Tanous { 2008afd369c6SJiaqing Zhao if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 2009afd369c6SJiaqing Zhao { 2010afd369c6SJiaqing Zhao return; 2011afd369c6SJiaqing Zhao } 2012afd369c6SJiaqing Zhao asyncResp->res.addHeader( 2013afd369c6SJiaqing Zhao boost::beast::http::field::link, 2014afd369c6SJiaqing Zhao "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby"); 2015afd369c6SJiaqing Zhao 201625b54dbaSEd Tanous if constexpr (BMCWEB_INSECURE_DISABLE_AUTH) 201725b54dbaSEd Tanous { 2018031514fbSJunLin Chen // If authentication is disabled, there are no user accounts 201925b54dbaSEd Tanous messages::resourceNotFound(asyncResp->res, "ManagerAccount", 202025b54dbaSEd Tanous accountName); 2021031514fbSJunLin Chen return; 202225b54dbaSEd Tanous } 2023afd369c6SJiaqing Zhao 2024031514fbSJunLin Chen if (req.session == nullptr) 2025031514fbSJunLin Chen { 2026031514fbSJunLin Chen messages::internalError(asyncResp->res); 2027031514fbSJunLin Chen return; 2028031514fbSJunLin Chen } 20296c51eab1SEd Tanous if (req.session->username != accountName) 2030b9b2e0b2SEd Tanous { 20316c51eab1SEd Tanous // At this point we've determined that the user is trying to 20321ef4c342SEd Tanous // modify a user that isn't them. We need to verify that they 20331ef4c342SEd Tanous // have permissions to modify other users, so re-run the auth 20341ef4c342SEd Tanous // check with the same permissions, minus ConfigureSelf. 20356c51eab1SEd Tanous Privileges effectiveUserPrivileges = 20363e72c202SNinad Palsule redfish::getUserPrivileges(*req.session); 20371ef4c342SEd Tanous Privileges requiredPermissionsToChangeNonSelf = {"ConfigureUsers", 20381ef4c342SEd Tanous "ConfigureManager"}; 20396c51eab1SEd Tanous if (!effectiveUserPrivileges.isSupersetOf( 20406c51eab1SEd Tanous requiredPermissionsToChangeNonSelf)) 2041900f9497SJoseph Reynolds { 204262598e31SEd Tanous BMCWEB_LOG_DEBUG("GET Account denied access"); 2043900f9497SJoseph Reynolds messages::insufficientPrivilege(asyncResp->res); 2044900f9497SJoseph Reynolds return; 2045900f9497SJoseph Reynolds } 2046900f9497SJoseph Reynolds } 2047900f9497SJoseph Reynolds 20485eb468daSGeorge Liu sdbusplus::message::object_path path("/xyz/openbmc_project/user"); 20495eb468daSGeorge Liu dbus::utility::getManagedObjects( 20505eb468daSGeorge Liu "xyz.openbmc_project.User.Manager", path, 20511ef4c342SEd Tanous [asyncResp, 20525e7e2dc5SEd Tanous accountName](const boost::system::error_code& ec, 2053711ac7a9SEd Tanous const dbus::utility::ManagedObjectType& users) { 2054b9b2e0b2SEd Tanous if (ec) 2055b9b2e0b2SEd Tanous { 2056f12894f8SJason M. Bills messages::internalError(asyncResp->res); 2057b9b2e0b2SEd Tanous return; 2058b9b2e0b2SEd Tanous } 20593544d2a7SEd Tanous const auto userIt = std::ranges::find_if( 206080f79a40SMichael Shen users, 206180f79a40SMichael Shen [accountName]( 2062b477fd44SP Dheeraj Srujan Kumar const std::pair<sdbusplus::message::object_path, 206380f79a40SMichael Shen dbus::utility::DBusInterfacesMap>& user) { 206455f79e6fSEd Tanous return accountName == user.first.filename(); 2065b477fd44SP Dheeraj Srujan Kumar }); 2066b9b2e0b2SEd Tanous 206784e12cb7SAppaRao Puli if (userIt == users.end()) 2068b9b2e0b2SEd Tanous { 2069002d39b4SEd Tanous messages::resourceNotFound(asyncResp->res, "ManagerAccount", 2070002d39b4SEd Tanous accountName); 207184e12cb7SAppaRao Puli return; 207284e12cb7SAppaRao Puli } 20734e68c45bSAyushi Smriti 20741476687dSEd Tanous asyncResp->res.jsonValue["@odata.type"] = 207558345856SAbhishek Patel "#ManagerAccount.v1_7_0.ManagerAccount"; 20761476687dSEd Tanous asyncResp->res.jsonValue["Name"] = "User Account"; 20771476687dSEd Tanous asyncResp->res.jsonValue["Description"] = "User Account"; 20781476687dSEd Tanous asyncResp->res.jsonValue["Password"] = nullptr; 207958345856SAbhishek Patel asyncResp->res.jsonValue["StrictAccountTypes"] = true; 20804e68c45bSAyushi Smriti 208184e12cb7SAppaRao Puli for (const auto& interface : userIt->second) 208265b0dc32SEd Tanous { 2083002d39b4SEd Tanous if (interface.first == "xyz.openbmc_project.User.Attributes") 208465b0dc32SEd Tanous { 2085b437a535SAsmitha Karunanithi const bool* userEnabled = nullptr; 2086b437a535SAsmitha Karunanithi const bool* userLocked = nullptr; 2087b437a535SAsmitha Karunanithi const std::string* userPrivPtr = nullptr; 2088b437a535SAsmitha Karunanithi const bool* userPasswordExpired = nullptr; 2089b437a535SAsmitha Karunanithi const std::vector<std::string>* userGroups = nullptr; 2090b437a535SAsmitha Karunanithi 2091b437a535SAsmitha Karunanithi const bool success = sdbusplus::unpackPropertiesNoThrow( 2092b437a535SAsmitha Karunanithi dbus_utils::UnpackErrorPrinter(), interface.second, 2093b437a535SAsmitha Karunanithi "UserEnabled", userEnabled, 2094b437a535SAsmitha Karunanithi "UserLockedForFailedAttempt", userLocked, 2095b437a535SAsmitha Karunanithi "UserPrivilege", userPrivPtr, "UserPasswordExpired", 2096b437a535SAsmitha Karunanithi userPasswordExpired, "UserGroups", userGroups); 2097b437a535SAsmitha Karunanithi if (!success) 209865b0dc32SEd Tanous { 2099b437a535SAsmitha Karunanithi messages::internalError(asyncResp->res); 2100b437a535SAsmitha Karunanithi return; 2101b437a535SAsmitha Karunanithi } 210265b0dc32SEd Tanous if (userEnabled == nullptr) 210365b0dc32SEd Tanous { 210462598e31SEd Tanous BMCWEB_LOG_ERROR("UserEnabled wasn't a bool"); 210584e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 210684e12cb7SAppaRao Puli return; 210765b0dc32SEd Tanous } 2108002d39b4SEd Tanous asyncResp->res.jsonValue["Enabled"] = *userEnabled; 2109b437a535SAsmitha Karunanithi 211065b0dc32SEd Tanous if (userLocked == nullptr) 211165b0dc32SEd Tanous { 211262598e31SEd Tanous BMCWEB_LOG_ERROR("UserLockedForF" 211384e12cb7SAppaRao Puli "ailedAttempt " 211462598e31SEd Tanous "wasn't a bool"); 211584e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 211684e12cb7SAppaRao Puli return; 211765b0dc32SEd Tanous } 2118002d39b4SEd Tanous asyncResp->res.jsonValue["Locked"] = *userLocked; 211920fa6a2cSEd Tanous nlohmann::json::array_t allowed; 212020fa6a2cSEd Tanous // can only unlock accounts 212120fa6a2cSEd Tanous allowed.emplace_back("false"); 2122b437a535SAsmitha Karunanithi asyncResp->res.jsonValue["Locked@Redfish.AllowableValues"] = 212320fa6a2cSEd Tanous std::move(allowed); 2124b437a535SAsmitha Karunanithi 212554fc587aSNagaraju Goruganti if (userPrivPtr == nullptr) 212684e12cb7SAppaRao Puli { 212762598e31SEd Tanous BMCWEB_LOG_ERROR("UserPrivilege wasn't a " 212862598e31SEd Tanous "string"); 212984e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 213084e12cb7SAppaRao Puli return; 213184e12cb7SAppaRao Puli } 2132b437a535SAsmitha Karunanithi std::string role = getRoleIdFromPrivilege(*userPrivPtr); 213354fc587aSNagaraju Goruganti if (role.empty()) 213484e12cb7SAppaRao Puli { 213562598e31SEd Tanous BMCWEB_LOG_ERROR("Invalid user role"); 213684e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 213784e12cb7SAppaRao Puli return; 213884e12cb7SAppaRao Puli } 213954fc587aSNagaraju Goruganti asyncResp->res.jsonValue["RoleId"] = role; 214084e12cb7SAppaRao Puli 21411476687dSEd Tanous nlohmann::json& roleEntry = 2142002d39b4SEd Tanous asyncResp->res.jsonValue["Links"]["Role"]; 21433b32780dSEd Tanous roleEntry["@odata.id"] = boost::urls::format( 21443b32780dSEd Tanous "/redfish/v1/AccountService/Roles/{}", role); 2145b437a535SAsmitha Karunanithi 21463bf4e632SJoseph Reynolds if (userPasswordExpired == nullptr) 21473bf4e632SJoseph Reynolds { 2148b437a535SAsmitha Karunanithi BMCWEB_LOG_ERROR("UserPasswordExpired wasn't a bool"); 21493bf4e632SJoseph Reynolds messages::internalError(asyncResp->res); 21503bf4e632SJoseph Reynolds return; 21513bf4e632SJoseph Reynolds } 2152002d39b4SEd Tanous asyncResp->res.jsonValue["PasswordChangeRequired"] = 21533bf4e632SJoseph Reynolds *userPasswordExpired; 2154b437a535SAsmitha Karunanithi 2155c7229815SAbhishek Patel if (userGroups == nullptr) 2156c7229815SAbhishek Patel { 2157b437a535SAsmitha Karunanithi BMCWEB_LOG_ERROR("userGroups wasn't a string vector"); 2158c7229815SAbhishek Patel messages::internalError(asyncResp->res); 2159c7229815SAbhishek Patel return; 2160c7229815SAbhishek Patel } 2161b437a535SAsmitha Karunanithi if (!translateUserGroup(*userGroups, asyncResp->res)) 2162c7229815SAbhishek Patel { 216362598e31SEd Tanous BMCWEB_LOG_ERROR("userGroups mapping failed"); 2164c7229815SAbhishek Patel messages::internalError(asyncResp->res); 2165c7229815SAbhishek Patel return; 2166c7229815SAbhishek Patel } 2167c7229815SAbhishek Patel } 216865b0dc32SEd Tanous } 216965b0dc32SEd Tanous 21703b32780dSEd Tanous asyncResp->res.jsonValue["@odata.id"] = boost::urls::format( 21713b32780dSEd Tanous "/redfish/v1/AccountService/Accounts/{}", accountName); 2172b9b2e0b2SEd Tanous asyncResp->res.jsonValue["Id"] = accountName; 2173b9b2e0b2SEd Tanous asyncResp->res.jsonValue["UserName"] = accountName; 21745eb468daSGeorge Liu }); 21751ef4c342SEd Tanous } 2176a840879dSEd Tanous 2177504af5a0SPatrick Williams inline void handleAccountDelete( 2178504af5a0SPatrick Williams App& app, const crow::Request& req, 21796c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 21801ef4c342SEd Tanous const std::string& username) 21811ef4c342SEd Tanous { 21823ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 218345ca1b86SEd Tanous { 218445ca1b86SEd Tanous return; 218545ca1b86SEd Tanous } 21861ef4c342SEd Tanous 218725b54dbaSEd Tanous if constexpr (BMCWEB_INSECURE_DISABLE_AUTH) 218825b54dbaSEd Tanous { 2189031514fbSJunLin Chen // If authentication is disabled, there are no user accounts 2190d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", username); 2191031514fbSJunLin Chen return; 219225b54dbaSEd Tanous } 21931ef4c342SEd Tanous sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 21941ef4c342SEd Tanous tempObjPath /= username; 21951ef4c342SEd Tanous const std::string userPath(tempObjPath); 21961ef4c342SEd Tanous 2197*177612aaSEd Tanous dbus::utility::async_method_call( 2198*177612aaSEd Tanous asyncResp, 21995e7e2dc5SEd Tanous [asyncResp, username](const boost::system::error_code& ec) { 22001ef4c342SEd Tanous if (ec) 22011ef4c342SEd Tanous { 2202d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", 22031ef4c342SEd Tanous username); 22041ef4c342SEd Tanous return; 22051ef4c342SEd Tanous } 22061ef4c342SEd Tanous 22071ef4c342SEd Tanous messages::accountRemoved(asyncResp->res); 22081ef4c342SEd Tanous }, 22091ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", userPath, 22101ef4c342SEd Tanous "xyz.openbmc_project.Object.Delete", "Delete"); 22111ef4c342SEd Tanous } 22121ef4c342SEd Tanous 2213504af5a0SPatrick Williams inline void handleAccountPatch( 2214504af5a0SPatrick Williams App& app, const crow::Request& req, 22151ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 22161ef4c342SEd Tanous const std::string& username) 22171ef4c342SEd Tanous { 22181ef4c342SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 22191ef4c342SEd Tanous { 22201ef4c342SEd Tanous return; 22211ef4c342SEd Tanous } 222225b54dbaSEd Tanous if constexpr (BMCWEB_INSECURE_DISABLE_AUTH) 222325b54dbaSEd Tanous { 22241ef4c342SEd Tanous // If authentication is disabled, there are no user accounts 2225d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", username); 22261ef4c342SEd Tanous return; 222725b54dbaSEd Tanous } 2228a24526dcSEd Tanous std::optional<std::string> newUserName; 2229a24526dcSEd Tanous std::optional<std::string> password; 2230a24526dcSEd Tanous std::optional<bool> enabled; 2231a24526dcSEd Tanous std::optional<std::string> roleId; 223224c8542dSRatan Gupta std::optional<bool> locked; 223358345856SAbhishek Patel std::optional<std::vector<std::string>> accountTypes; 223458345856SAbhishek Patel 2235031514fbSJunLin Chen if (req.session == nullptr) 2236031514fbSJunLin Chen { 2237031514fbSJunLin Chen messages::internalError(asyncResp->res); 2238031514fbSJunLin Chen return; 2239031514fbSJunLin Chen } 2240031514fbSJunLin Chen 22412b9c1dfeSEd Tanous bool userSelf = (username == req.session->username); 22422b9c1dfeSEd Tanous 2243e9cc5172SEd Tanous Privileges effectiveUserPrivileges = 22443e72c202SNinad Palsule redfish::getUserPrivileges(*req.session); 2245e9cc5172SEd Tanous Privileges configureUsers = {"ConfigureUsers"}; 2246e9cc5172SEd Tanous bool userHasConfigureUsers = 2247e9cc5172SEd Tanous effectiveUserPrivileges.isSupersetOf(configureUsers); 2248e9cc5172SEd Tanous if (userHasConfigureUsers) 2249e9cc5172SEd Tanous { 2250e9cc5172SEd Tanous // Users with ConfigureUsers can modify for all users 2251afc474aeSMyung Bae if (!json_util::readJsonPatch( // 2252afc474aeSMyung Bae req, asyncResp->res, // 2253afc474aeSMyung Bae "AccountTypes", accountTypes, // 2254afc474aeSMyung Bae "Enabled", enabled, // 2255afc474aeSMyung Bae "Locked", locked, // 2256afc474aeSMyung Bae "Password", password, // 2257afc474aeSMyung Bae "RoleId", roleId, // 2258afc474aeSMyung Bae "UserName", newUserName // 2259afc474aeSMyung Bae )) 2260a840879dSEd Tanous { 2261a840879dSEd Tanous return; 2262a840879dSEd Tanous } 2263e9cc5172SEd Tanous } 2264e9cc5172SEd Tanous else 2265900f9497SJoseph Reynolds { 2266e9cc5172SEd Tanous // ConfigureSelf accounts can only modify their own account 226758345856SAbhishek Patel if (!userSelf) 2268900f9497SJoseph Reynolds { 2269900f9497SJoseph Reynolds messages::insufficientPrivilege(asyncResp->res); 2270900f9497SJoseph Reynolds return; 2271900f9497SJoseph Reynolds } 2272031514fbSJunLin Chen 2273e9cc5172SEd Tanous // ConfigureSelf accounts can only modify their password 22741ef4c342SEd Tanous if (!json_util::readJsonPatch(req, asyncResp->res, "Password", 22751ef4c342SEd Tanous password)) 2276e9cc5172SEd Tanous { 2277e9cc5172SEd Tanous return; 2278e9cc5172SEd Tanous } 2279900f9497SJoseph Reynolds } 2280900f9497SJoseph Reynolds 228166b5ca76Sjayaprakash Mutyala // if user name is not provided in the patch method or if it 22826c51eab1SEd Tanous // matches the user name in the URI, then we are treating it as 22836c51eab1SEd Tanous // updating user properties other then username. If username 22846c51eab1SEd Tanous // provided doesn't match the URI, then we are treating this as 22856c51eab1SEd Tanous // user rename request. 228666b5ca76Sjayaprakash Mutyala if (!newUserName || (newUserName.value() == username)) 2287a840879dSEd Tanous { 22881ef4c342SEd Tanous updateUserProperties(asyncResp, username, password, enabled, roleId, 2289e518ef32SRavi Teja locked, accountTypes, userSelf, req.session); 229084e12cb7SAppaRao Puli return; 229184e12cb7SAppaRao Puli } 2292*177612aaSEd Tanous dbus::utility::async_method_call( 2293*177612aaSEd Tanous asyncResp, 22946c51eab1SEd Tanous [asyncResp, username, password(std::move(password)), 22951ef4c342SEd Tanous roleId(std::move(roleId)), enabled, newUser{std::string(*newUserName)}, 2296608ad2ccSEd Tanous locked, userSelf, session = req.session, 2297608ad2ccSEd Tanous accountTypes(std::move(accountTypes))]( 2298e81de512SEd Tanous const boost::system::error_code& ec, sdbusplus::message_t& m) { 229984e12cb7SAppaRao Puli if (ec) 230084e12cb7SAppaRao Puli { 2301002d39b4SEd Tanous userErrorMessageHandler(m.get_error(), asyncResp, newUser, 2302002d39b4SEd Tanous username); 2303a840879dSEd Tanous return; 2304a840879dSEd Tanous } 2305a840879dSEd Tanous 2306002d39b4SEd Tanous updateUserProperties(asyncResp, newUser, password, enabled, roleId, 2307608ad2ccSEd Tanous locked, accountTypes, userSelf, session); 230884e12cb7SAppaRao Puli }, 23091ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 231084e12cb7SAppaRao Puli "xyz.openbmc_project.User.Manager", "RenameUser", username, 231184e12cb7SAppaRao Puli *newUserName); 23121ef4c342SEd Tanous } 23131ef4c342SEd Tanous 23141ef4c342SEd Tanous inline void requestAccountServiceRoutes(App& app) 23151ef4c342SEd Tanous { 23161ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 23174c7d4d33SEd Tanous .privileges(redfish::privileges::headAccountService) 23184c7d4d33SEd Tanous .methods(boost::beast::http::verb::head)( 23194c7d4d33SEd Tanous std::bind_front(handleAccountServiceHead, std::ref(app))); 23204c7d4d33SEd Tanous 23214c7d4d33SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 23221ef4c342SEd Tanous .privileges(redfish::privileges::getAccountService) 23231ef4c342SEd Tanous .methods(boost::beast::http::verb::get)( 23241ef4c342SEd Tanous std::bind_front(handleAccountServiceGet, std::ref(app))); 23251ef4c342SEd Tanous 23261ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 23271ef4c342SEd Tanous .privileges(redfish::privileges::patchAccountService) 23281ef4c342SEd Tanous .methods(boost::beast::http::verb::patch)( 23291ef4c342SEd Tanous std::bind_front(handleAccountServicePatch, std::ref(app))); 23301ef4c342SEd Tanous 23311aa375b8SEd Tanous BMCWEB_ROUTE( 23321aa375b8SEd Tanous app, 2333e9f12014SEd Tanous "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/") 23341aa375b8SEd Tanous .privileges(redfish::privileges::headCertificateCollection) 23351aa375b8SEd Tanous .methods(boost::beast::http::verb::head)(std::bind_front( 23361aa375b8SEd Tanous handleAccountServiceClientCertificatesHead, std::ref(app))); 23371aa375b8SEd Tanous 23381aa375b8SEd Tanous BMCWEB_ROUTE( 23391aa375b8SEd Tanous app, 2340e9f12014SEd Tanous "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/") 23411aa375b8SEd Tanous .privileges(redfish::privileges::getCertificateCollection) 23421aa375b8SEd Tanous .methods(boost::beast::http::verb::get)(std::bind_front( 23431aa375b8SEd Tanous handleAccountServiceClientCertificatesGet, std::ref(app))); 23441aa375b8SEd Tanous 23451aa375b8SEd Tanous BMCWEB_ROUTE( 23461aa375b8SEd Tanous app, 2347e9f12014SEd Tanous "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/<str>/") 23481aa375b8SEd Tanous .privileges(redfish::privileges::headCertificate) 23491aa375b8SEd Tanous .methods(boost::beast::http::verb::head)(std::bind_front( 23501aa375b8SEd Tanous handleAccountServiceClientCertificatesInstanceHead, std::ref(app))); 23511aa375b8SEd Tanous 23521aa375b8SEd Tanous BMCWEB_ROUTE( 23531aa375b8SEd Tanous app, 23541aa375b8SEd Tanous "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/<str>/") 23551aa375b8SEd Tanous .privileges(redfish::privileges::getCertificate) 23561aa375b8SEd Tanous .methods(boost::beast::http::verb::get)(std::bind_front( 23571aa375b8SEd Tanous handleAccountServiceClientCertificatesInstanceGet, std::ref(app))); 23581aa375b8SEd Tanous 23591ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 23604c7d4d33SEd Tanous .privileges(redfish::privileges::headManagerAccountCollection) 23614c7d4d33SEd Tanous .methods(boost::beast::http::verb::head)( 23624c7d4d33SEd Tanous std::bind_front(handleAccountCollectionHead, std::ref(app))); 23634c7d4d33SEd Tanous 23644c7d4d33SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 23651ef4c342SEd Tanous .privileges(redfish::privileges::getManagerAccountCollection) 23661ef4c342SEd Tanous .methods(boost::beast::http::verb::get)( 23671ef4c342SEd Tanous std::bind_front(handleAccountCollectionGet, std::ref(app))); 23681ef4c342SEd Tanous 23691ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 23701ef4c342SEd Tanous .privileges(redfish::privileges::postManagerAccountCollection) 23711ef4c342SEd Tanous .methods(boost::beast::http::verb::post)( 23721ef4c342SEd Tanous std::bind_front(handleAccountCollectionPost, std::ref(app))); 23731ef4c342SEd Tanous 23741ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 23754c7d4d33SEd Tanous .privileges(redfish::privileges::headManagerAccount) 23764c7d4d33SEd Tanous .methods(boost::beast::http::verb::head)( 23774c7d4d33SEd Tanous std::bind_front(handleAccountHead, std::ref(app))); 23784c7d4d33SEd Tanous 23794c7d4d33SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 23801ef4c342SEd Tanous .privileges(redfish::privileges::getManagerAccount) 23811ef4c342SEd Tanous .methods(boost::beast::http::verb::get)( 23821ef4c342SEd Tanous std::bind_front(handleAccountGet, std::ref(app))); 23831ef4c342SEd Tanous 23841ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 23851ef4c342SEd Tanous // TODO this privilege should be using the generated endpoints, but 23861ef4c342SEd Tanous // because of the special handling of ConfigureSelf, it's not able to 23871ef4c342SEd Tanous // yet 23881ef4c342SEd Tanous .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}}) 23891ef4c342SEd Tanous .methods(boost::beast::http::verb::patch)( 23901ef4c342SEd Tanous std::bind_front(handleAccountPatch, std::ref(app))); 239184e12cb7SAppaRao Puli 23926c51eab1SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 2393ed398213SEd Tanous .privileges(redfish::privileges::deleteManagerAccount) 23946c51eab1SEd Tanous .methods(boost::beast::http::verb::delete_)( 239520fc307fSGunnar Mills std::bind_front(handleAccountDelete, std::ref(app))); 239606e086d9SEd Tanous } 239788d16c9aSLewanczyk, Dawid 239888d16c9aSLewanczyk, Dawid } // namespace redfish 2399