188d16c9aSLewanczyk, Dawid /* 288d16c9aSLewanczyk, Dawid // Copyright (c) 2018 Intel Corporation 388d16c9aSLewanczyk, Dawid // 488d16c9aSLewanczyk, Dawid // Licensed under the Apache License, Version 2.0 (the "License"); 588d16c9aSLewanczyk, Dawid // you may not use this file except in compliance with the License. 688d16c9aSLewanczyk, Dawid // You may obtain a copy of the License at 788d16c9aSLewanczyk, Dawid // 888d16c9aSLewanczyk, Dawid // http://www.apache.org/licenses/LICENSE-2.0 988d16c9aSLewanczyk, Dawid // 1088d16c9aSLewanczyk, Dawid // Unless required by applicable law or agreed to in writing, software 1188d16c9aSLewanczyk, Dawid // distributed under the License is distributed on an "AS IS" BASIS, 1288d16c9aSLewanczyk, Dawid // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 1388d16c9aSLewanczyk, Dawid // See the License for the specific language governing permissions and 1488d16c9aSLewanczyk, Dawid // limitations under the License. 1588d16c9aSLewanczyk, Dawid */ 1688d16c9aSLewanczyk, Dawid #pragma once 1788d16c9aSLewanczyk, Dawid 183ccb3adbSEd Tanous #include "app.hpp" 19*1aa375b8SEd Tanous #include "certificate_service.hpp" 203ccb3adbSEd Tanous #include "dbus_utility.hpp" 213ccb3adbSEd Tanous #include "error_messages.hpp" 220ec8b83dSEd Tanous #include "generated/enums/account_service.hpp" 233ccb3adbSEd Tanous #include "openbmc_dbus_rest.hpp" 243ccb3adbSEd Tanous #include "persistent_data.hpp" 253ccb3adbSEd Tanous #include "query.hpp" 260ec8b83dSEd Tanous #include "registries/privilege_registry.hpp" 27*1aa375b8SEd Tanous #include "utils/collection.hpp" 283ccb3adbSEd Tanous #include "utils/dbus_utils.hpp" 293ccb3adbSEd Tanous #include "utils/json_utils.hpp" 300ec8b83dSEd Tanous 31*1aa375b8SEd Tanous #include <boost/url/format.hpp> 32*1aa375b8SEd Tanous #include <boost/url/url.hpp> 331e1e598dSJonathan Doman #include <sdbusplus/asio/property.hpp> 34d1bde9e5SKrzysztof Grobelny #include <sdbusplus/unpack_properties.hpp> 351214b7e7SGunnar Mills 362b73119cSGeorge Liu #include <array> 37*1aa375b8SEd Tanous #include <memory> 38c7229815SAbhishek Patel #include <optional> 393544d2a7SEd Tanous #include <ranges> 40c7229815SAbhishek Patel #include <string> 412b73119cSGeorge Liu #include <string_view> 42c7229815SAbhishek Patel #include <vector> 43c7229815SAbhishek Patel 441abe55efSEd Tanous namespace redfish 451abe55efSEd Tanous { 4688d16c9aSLewanczyk, Dawid 4723a21a1cSEd Tanous constexpr const char* ldapConfigObjectName = 486973a582SRatan Gupta "/xyz/openbmc_project/user/ldap/openldap"; 492c70f800SEd Tanous constexpr const char* adConfigObject = 50ab828d7cSRatan Gupta "/xyz/openbmc_project/user/ldap/active_directory"; 51ab828d7cSRatan Gupta 52b477fd44SP Dheeraj Srujan Kumar constexpr const char* rootUserDbusPath = "/xyz/openbmc_project/user/"; 536973a582SRatan Gupta constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap"; 546973a582SRatan Gupta constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config"; 556973a582SRatan Gupta constexpr const char* ldapConfigInterface = 566973a582SRatan Gupta "xyz.openbmc_project.User.Ldap.Config"; 576973a582SRatan Gupta constexpr const char* ldapCreateInterface = 586973a582SRatan Gupta "xyz.openbmc_project.User.Ldap.Create"; 596973a582SRatan Gupta constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable"; 6006785244SRatan Gupta constexpr const char* ldapPrivMapperInterface = 6106785244SRatan Gupta "xyz.openbmc_project.User.PrivilegeMapper"; 626973a582SRatan Gupta 6354fc587aSNagaraju Goruganti struct LDAPRoleMapData 6454fc587aSNagaraju Goruganti { 6554fc587aSNagaraju Goruganti std::string groupName; 6654fc587aSNagaraju Goruganti std::string privilege; 6754fc587aSNagaraju Goruganti }; 6854fc587aSNagaraju Goruganti 696973a582SRatan Gupta struct LDAPConfigData 706973a582SRatan Gupta { 7147f2934cSEd Tanous std::string uri; 7247f2934cSEd Tanous std::string bindDN; 7347f2934cSEd Tanous std::string baseDN; 7447f2934cSEd Tanous std::string searchScope; 7547f2934cSEd Tanous std::string serverType; 766973a582SRatan Gupta bool serviceEnabled = false; 7747f2934cSEd Tanous std::string userNameAttribute; 7847f2934cSEd Tanous std::string groupAttribute; 7954fc587aSNagaraju Goruganti std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList; 806973a582SRatan Gupta }; 816973a582SRatan Gupta 8254fc587aSNagaraju Goruganti inline std::string getRoleIdFromPrivilege(std::string_view role) 8384e12cb7SAppaRao Puli { 8484e12cb7SAppaRao Puli if (role == "priv-admin") 8584e12cb7SAppaRao Puli { 8684e12cb7SAppaRao Puli return "Administrator"; 8784e12cb7SAppaRao Puli } 883174e4dfSEd Tanous if (role == "priv-user") 8984e12cb7SAppaRao Puli { 90c80fee55SAppaRao Puli return "ReadOnly"; 9184e12cb7SAppaRao Puli } 923174e4dfSEd Tanous if (role == "priv-operator") 9384e12cb7SAppaRao Puli { 9484e12cb7SAppaRao Puli return "Operator"; 9584e12cb7SAppaRao Puli } 9684e12cb7SAppaRao Puli return ""; 9784e12cb7SAppaRao Puli } 9854fc587aSNagaraju Goruganti inline std::string getPrivilegeFromRoleId(std::string_view role) 9984e12cb7SAppaRao Puli { 10084e12cb7SAppaRao Puli if (role == "Administrator") 10184e12cb7SAppaRao Puli { 10284e12cb7SAppaRao Puli return "priv-admin"; 10384e12cb7SAppaRao Puli } 1043174e4dfSEd Tanous if (role == "ReadOnly") 10584e12cb7SAppaRao Puli { 10684e12cb7SAppaRao Puli return "priv-user"; 10784e12cb7SAppaRao Puli } 1083174e4dfSEd Tanous if (role == "Operator") 10984e12cb7SAppaRao Puli { 11084e12cb7SAppaRao Puli return "priv-operator"; 11184e12cb7SAppaRao Puli } 11284e12cb7SAppaRao Puli return ""; 11384e12cb7SAppaRao Puli } 114b9b2e0b2SEd Tanous 115c7229815SAbhishek Patel /** 116c7229815SAbhishek Patel * @brief Maps user group names retrieved from D-Bus object to 117c7229815SAbhishek Patel * Account Types. 118c7229815SAbhishek Patel * 119c7229815SAbhishek Patel * @param[in] userGroups List of User groups 120c7229815SAbhishek Patel * @param[out] res AccountTypes populated 121c7229815SAbhishek Patel * 122c7229815SAbhishek Patel * @return true in case of success, false if UserGroups contains 123c7229815SAbhishek Patel * invalid group name(s). 124c7229815SAbhishek Patel */ 125c7229815SAbhishek Patel inline bool translateUserGroup(const std::vector<std::string>& userGroups, 126c7229815SAbhishek Patel crow::Response& res) 127c7229815SAbhishek Patel { 128c7229815SAbhishek Patel std::vector<std::string> accountTypes; 129c7229815SAbhishek Patel for (const auto& userGroup : userGroups) 130c7229815SAbhishek Patel { 131c7229815SAbhishek Patel if (userGroup == "redfish") 132c7229815SAbhishek Patel { 133c7229815SAbhishek Patel accountTypes.emplace_back("Redfish"); 134c7229815SAbhishek Patel accountTypes.emplace_back("WebUI"); 135c7229815SAbhishek Patel } 136c7229815SAbhishek Patel else if (userGroup == "ipmi") 137c7229815SAbhishek Patel { 138c7229815SAbhishek Patel accountTypes.emplace_back("IPMI"); 139c7229815SAbhishek Patel } 140c7229815SAbhishek Patel else if (userGroup == "ssh") 141c7229815SAbhishek Patel { 142c7229815SAbhishek Patel accountTypes.emplace_back("ManagerConsole"); 143c7229815SAbhishek Patel } 1443e72c202SNinad Palsule else if (userGroup == "hostconsole") 1453e72c202SNinad Palsule { 1463e72c202SNinad Palsule // The hostconsole group controls who can access the host console 1473e72c202SNinad Palsule // port via ssh and websocket. 1483e72c202SNinad Palsule accountTypes.emplace_back("HostConsole"); 1493e72c202SNinad Palsule } 150c7229815SAbhishek Patel else if (userGroup == "web") 151c7229815SAbhishek Patel { 152c7229815SAbhishek Patel // 'web' is one of the valid groups in the UserGroups property of 153c7229815SAbhishek Patel // the user account in the D-Bus object. This group is currently not 154c7229815SAbhishek Patel // doing anything, and is considered to be equivalent to 'redfish'. 155c7229815SAbhishek Patel // 'redfish' user group is mapped to 'Redfish'and 'WebUI' 156c7229815SAbhishek Patel // AccountTypes, so do nothing here... 157c7229815SAbhishek Patel } 158c7229815SAbhishek Patel else 159c7229815SAbhishek Patel { 1608ece0e45SEd Tanous // Invalid user group name. Caller throws an exception. 161c7229815SAbhishek Patel return false; 162c7229815SAbhishek Patel } 163c7229815SAbhishek Patel } 164c7229815SAbhishek Patel 165c7229815SAbhishek Patel res.jsonValue["AccountTypes"] = std::move(accountTypes); 166c7229815SAbhishek Patel return true; 167c7229815SAbhishek Patel } 168c7229815SAbhishek Patel 16958345856SAbhishek Patel /** 17058345856SAbhishek Patel * @brief Builds User Groups from the Account Types 17158345856SAbhishek Patel * 17258345856SAbhishek Patel * @param[in] asyncResp Async Response 17358345856SAbhishek Patel * @param[in] accountTypes List of Account Types 17458345856SAbhishek Patel * @param[out] userGroups List of User Groups mapped from Account Types 17558345856SAbhishek Patel * 17658345856SAbhishek Patel * @return true if Account Types mapped to User Groups, false otherwise. 17758345856SAbhishek Patel */ 17858345856SAbhishek Patel inline bool 17958345856SAbhishek Patel getUserGroupFromAccountType(crow::Response& res, 18058345856SAbhishek Patel const std::vector<std::string>& accountTypes, 18158345856SAbhishek Patel std::vector<std::string>& userGroups) 18258345856SAbhishek Patel { 18358345856SAbhishek Patel // Need both Redfish and WebUI Account Types to map to 'redfish' User Group 18458345856SAbhishek Patel bool redfishType = false; 18558345856SAbhishek Patel bool webUIType = false; 18658345856SAbhishek Patel 18758345856SAbhishek Patel for (const auto& accountType : accountTypes) 18858345856SAbhishek Patel { 18958345856SAbhishek Patel if (accountType == "Redfish") 19058345856SAbhishek Patel { 19158345856SAbhishek Patel redfishType = true; 19258345856SAbhishek Patel } 19358345856SAbhishek Patel else if (accountType == "WebUI") 19458345856SAbhishek Patel { 19558345856SAbhishek Patel webUIType = true; 19658345856SAbhishek Patel } 19758345856SAbhishek Patel else if (accountType == "IPMI") 19858345856SAbhishek Patel { 19958345856SAbhishek Patel userGroups.emplace_back("ipmi"); 20058345856SAbhishek Patel } 20158345856SAbhishek Patel else if (accountType == "HostConsole") 20258345856SAbhishek Patel { 20358345856SAbhishek Patel userGroups.emplace_back("hostconsole"); 20458345856SAbhishek Patel } 20558345856SAbhishek Patel else if (accountType == "ManagerConsole") 20658345856SAbhishek Patel { 20758345856SAbhishek Patel userGroups.emplace_back("ssh"); 20858345856SAbhishek Patel } 20958345856SAbhishek Patel else 21058345856SAbhishek Patel { 21158345856SAbhishek Patel // Invalid Account Type 21258345856SAbhishek Patel messages::propertyValueNotInList(res, "AccountTypes", accountType); 21358345856SAbhishek Patel return false; 21458345856SAbhishek Patel } 21558345856SAbhishek Patel } 21658345856SAbhishek Patel 21758345856SAbhishek Patel // Both Redfish and WebUI Account Types are needed to PATCH 21858345856SAbhishek Patel if (redfishType ^ webUIType) 21958345856SAbhishek Patel { 22062598e31SEd Tanous BMCWEB_LOG_ERROR( 22162598e31SEd Tanous "Missing Redfish or WebUI Account Type to set redfish User Group"); 22258345856SAbhishek Patel messages::strictAccountTypes(res, "AccountTypes"); 22358345856SAbhishek Patel return false; 22458345856SAbhishek Patel } 22558345856SAbhishek Patel 22658345856SAbhishek Patel if (redfishType && webUIType) 22758345856SAbhishek Patel { 22858345856SAbhishek Patel userGroups.emplace_back("redfish"); 22958345856SAbhishek Patel } 23058345856SAbhishek Patel 23158345856SAbhishek Patel return true; 23258345856SAbhishek Patel } 23358345856SAbhishek Patel 23458345856SAbhishek Patel /** 23558345856SAbhishek Patel * @brief Sets UserGroups property of the user based on the Account Types 23658345856SAbhishek Patel * 23758345856SAbhishek Patel * @param[in] accountTypes List of User Account Types 23858345856SAbhishek Patel * @param[in] asyncResp Async Response 23958345856SAbhishek Patel * @param[in] dbusObjectPath D-Bus Object Path 24058345856SAbhishek Patel * @param[in] userSelf true if User is updating OWN Account Types 24158345856SAbhishek Patel */ 24258345856SAbhishek Patel inline void 24358345856SAbhishek Patel patchAccountTypes(const std::vector<std::string>& accountTypes, 24458345856SAbhishek Patel const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 24558345856SAbhishek Patel const std::string& dbusObjectPath, bool userSelf) 24658345856SAbhishek Patel { 24758345856SAbhishek Patel // Check if User is disabling own Redfish Account Type 24858345856SAbhishek Patel if (userSelf && 24958345856SAbhishek Patel (accountTypes.cend() == 25058345856SAbhishek Patel std::find(accountTypes.cbegin(), accountTypes.cend(), "Redfish"))) 25158345856SAbhishek Patel { 25262598e31SEd Tanous BMCWEB_LOG_ERROR( 25362598e31SEd Tanous "User disabling OWN Redfish Account Type is not allowed"); 25458345856SAbhishek Patel messages::strictAccountTypes(asyncResp->res, "AccountTypes"); 25558345856SAbhishek Patel return; 25658345856SAbhishek Patel } 25758345856SAbhishek Patel 25858345856SAbhishek Patel std::vector<std::string> updatedUserGroups; 25958345856SAbhishek Patel if (!getUserGroupFromAccountType(asyncResp->res, accountTypes, 26058345856SAbhishek Patel updatedUserGroups)) 26158345856SAbhishek Patel { 26258345856SAbhishek Patel // Problem in mapping Account Types to User Groups, Error already 26358345856SAbhishek Patel // logged. 26458345856SAbhishek Patel return; 26558345856SAbhishek Patel } 266d02aad39SEd Tanous setDbusProperty(asyncResp, "xyz.openbmc_project.User.Manager", 267d02aad39SEd Tanous dbusObjectPath, "xyz.openbmc_project.User.Attributes", 268d02aad39SEd Tanous "UserGroups", "AccountTypes", updatedUserGroups); 26958345856SAbhishek Patel } 27058345856SAbhishek Patel 2718d1b46d7Szhanghch05 inline void userErrorMessageHandler( 2728d1b46d7Szhanghch05 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 2738d1b46d7Szhanghch05 const std::string& newUser, const std::string& username) 27466b5ca76Sjayaprakash Mutyala { 27566b5ca76Sjayaprakash Mutyala if (e == nullptr) 27666b5ca76Sjayaprakash Mutyala { 27766b5ca76Sjayaprakash Mutyala messages::internalError(asyncResp->res); 27866b5ca76Sjayaprakash Mutyala return; 27966b5ca76Sjayaprakash Mutyala } 28066b5ca76Sjayaprakash Mutyala 281055806b3SManojkiran Eda const char* errorMessage = e->name; 28266b5ca76Sjayaprakash Mutyala if (strcmp(errorMessage, 28366b5ca76Sjayaprakash Mutyala "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0) 28466b5ca76Sjayaprakash Mutyala { 285d8a5d5d8SJiaqing Zhao messages::resourceAlreadyExists(asyncResp->res, "ManagerAccount", 28666b5ca76Sjayaprakash Mutyala "UserName", newUser); 28766b5ca76Sjayaprakash Mutyala } 28866b5ca76Sjayaprakash Mutyala else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error." 28966b5ca76Sjayaprakash Mutyala "UserNameDoesNotExist") == 0) 29066b5ca76Sjayaprakash Mutyala { 291d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", username); 29266b5ca76Sjayaprakash Mutyala } 293d4d25793SEd Tanous else if ((strcmp(errorMessage, 294d4d25793SEd Tanous "xyz.openbmc_project.Common.Error.InvalidArgument") == 295d4d25793SEd Tanous 0) || 2960fda0f12SGeorge Liu (strcmp( 2970fda0f12SGeorge Liu errorMessage, 2980fda0f12SGeorge Liu "xyz.openbmc_project.User.Common.Error.UserNameGroupFail") == 2990fda0f12SGeorge Liu 0)) 30066b5ca76Sjayaprakash Mutyala { 30166b5ca76Sjayaprakash Mutyala messages::propertyValueFormatError(asyncResp->res, newUser, "UserName"); 30266b5ca76Sjayaprakash Mutyala } 30366b5ca76Sjayaprakash Mutyala else if (strcmp(errorMessage, 30466b5ca76Sjayaprakash Mutyala "xyz.openbmc_project.User.Common.Error.NoResource") == 0) 30566b5ca76Sjayaprakash Mutyala { 30666b5ca76Sjayaprakash Mutyala messages::createLimitReachedForResource(asyncResp->res); 30766b5ca76Sjayaprakash Mutyala } 30866b5ca76Sjayaprakash Mutyala else 30966b5ca76Sjayaprakash Mutyala { 310b8ad583fSGunnar Mills BMCWEB_LOG_ERROR("DBUS response error {}", errorMessage); 31166b5ca76Sjayaprakash Mutyala messages::internalError(asyncResp->res); 31266b5ca76Sjayaprakash Mutyala } 31366b5ca76Sjayaprakash Mutyala } 31466b5ca76Sjayaprakash Mutyala 31581ce609eSEd Tanous inline void parseLDAPConfigData(nlohmann::json& jsonResponse, 316ab828d7cSRatan Gupta const LDAPConfigData& confData, 317ab828d7cSRatan Gupta const std::string& ldapType) 3186973a582SRatan Gupta { 31949cc263fSEd Tanous nlohmann::json::object_t ldap; 3201476687dSEd Tanous ldap["ServiceEnabled"] = confData.serviceEnabled; 32149cc263fSEd Tanous nlohmann::json::array_t serviceAddresses; 32249cc263fSEd Tanous serviceAddresses.emplace_back(confData.uri); 32349cc263fSEd Tanous ldap["ServiceAddresses"] = std::move(serviceAddresses); 32449cc263fSEd Tanous 32549cc263fSEd Tanous nlohmann::json::object_t authentication; 32649cc263fSEd Tanous authentication["AuthenticationType"] = 3270ec8b83dSEd Tanous account_service::AuthenticationTypes::UsernameAndPassword; 32849cc263fSEd Tanous authentication["Username"] = confData.bindDN; 32949cc263fSEd Tanous authentication["Password"] = nullptr; 33049cc263fSEd Tanous ldap["Authentication"] = std::move(authentication); 3311476687dSEd Tanous 33249cc263fSEd Tanous nlohmann::json::object_t ldapService; 33349cc263fSEd Tanous nlohmann::json::object_t searchSettings; 33449cc263fSEd Tanous nlohmann::json::array_t baseDistinguishedNames; 33549cc263fSEd Tanous baseDistinguishedNames.emplace_back(confData.baseDN); 3361476687dSEd Tanous 33749cc263fSEd Tanous searchSettings["BaseDistinguishedNames"] = 33849cc263fSEd Tanous std::move(baseDistinguishedNames); 33949cc263fSEd Tanous searchSettings["UsernameAttribute"] = confData.userNameAttribute; 34049cc263fSEd Tanous searchSettings["GroupsAttribute"] = confData.groupAttribute; 34149cc263fSEd Tanous ldapService["SearchSettings"] = std::move(searchSettings); 34249cc263fSEd Tanous ldap["LDAPService"] = std::move(ldapService); 34349cc263fSEd Tanous 34449cc263fSEd Tanous nlohmann::json::array_t roleMapArray; 3459eb808c1SEd Tanous for (const auto& obj : confData.groupRoleList) 34654fc587aSNagaraju Goruganti { 34762598e31SEd Tanous BMCWEB_LOG_DEBUG("Pushing the data groupName={}", obj.second.groupName); 348613dabeaSEd Tanous 349613dabeaSEd Tanous nlohmann::json::object_t remoteGroup; 350613dabeaSEd Tanous remoteGroup["RemoteGroup"] = obj.second.groupName; 351329f0348SJorge Cisneros remoteGroup["LocalRole"] = getRoleIdFromPrivilege(obj.second.privilege); 352329f0348SJorge Cisneros roleMapArray.emplace_back(std::move(remoteGroup)); 35354fc587aSNagaraju Goruganti } 35449cc263fSEd Tanous 35549cc263fSEd Tanous ldap["RemoteRoleMapping"] = std::move(roleMapArray); 35649cc263fSEd Tanous 35749cc263fSEd Tanous jsonResponse[ldapType].update(ldap); 3586973a582SRatan Gupta } 3596973a582SRatan Gupta 3606973a582SRatan Gupta /** 36106785244SRatan Gupta * @brief validates given JSON input and then calls appropriate method to 36206785244SRatan Gupta * create, to delete or to set Rolemapping object based on the given input. 36306785244SRatan Gupta * 36406785244SRatan Gupta */ 36523a21a1cSEd Tanous inline void handleRoleMapPatch( 3668d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 36706785244SRatan Gupta const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData, 368c1019828SEd Tanous const std::string& serverType, 369c1019828SEd Tanous std::vector<std::variant<nlohmann::json::object_t, std::nullptr_t>>& input) 37006785244SRatan Gupta { 37106785244SRatan Gupta for (size_t index = 0; index < input.size(); index++) 37206785244SRatan Gupta { 373c1019828SEd Tanous std::variant<nlohmann::json::object_t, std::nullptr_t>& thisJson = 374c1019828SEd Tanous input[index]; 375c1019828SEd Tanous nlohmann::json::object_t* obj = 376c1019828SEd Tanous std::get_if<nlohmann::json::object_t>(&thisJson); 377c1019828SEd Tanous if (obj == nullptr) 37806785244SRatan Gupta { 37906785244SRatan Gupta // delete the existing object 38006785244SRatan Gupta if (index < roleMapObjData.size()) 38106785244SRatan Gupta { 38206785244SRatan Gupta crow::connections::systemBus->async_method_call( 38306785244SRatan Gupta [asyncResp, roleMapObjData, serverType, 3845e7e2dc5SEd Tanous index](const boost::system::error_code& ec) { 38506785244SRatan Gupta if (ec) 38606785244SRatan Gupta { 38762598e31SEd Tanous BMCWEB_LOG_ERROR("DBUS response error: {}", ec); 38806785244SRatan Gupta messages::internalError(asyncResp->res); 38906785244SRatan Gupta return; 39006785244SRatan Gupta } 39189492a15SPatrick Williams asyncResp->res.jsonValue[serverType]["RemoteRoleMapping"] 39289492a15SPatrick Williams [index] = nullptr; 39306785244SRatan Gupta }, 39406785244SRatan Gupta ldapDbusService, roleMapObjData[index].first, 39506785244SRatan Gupta "xyz.openbmc_project.Object.Delete", "Delete"); 39606785244SRatan Gupta } 39706785244SRatan Gupta else 39806785244SRatan Gupta { 39962598e31SEd Tanous BMCWEB_LOG_ERROR("Can't delete the object"); 400c1019828SEd Tanous messages::propertyValueTypeError(asyncResp->res, "null", 4012e8c4bdaSEd Tanous "RemoteRoleMapping/" + 4022e8c4bdaSEd Tanous std::to_string(index)); 40306785244SRatan Gupta return; 40406785244SRatan Gupta } 40506785244SRatan Gupta } 406c1019828SEd Tanous else if (obj->empty()) 40706785244SRatan Gupta { 40806785244SRatan Gupta // Don't do anything for the empty objects,parse next json 40906785244SRatan Gupta // eg {"RemoteRoleMapping",[{}]} 41006785244SRatan Gupta } 41106785244SRatan Gupta else 41206785244SRatan Gupta { 41306785244SRatan Gupta // update/create the object 41406785244SRatan Gupta std::optional<std::string> remoteGroup; 41506785244SRatan Gupta std::optional<std::string> localRole; 41606785244SRatan Gupta 417c1019828SEd Tanous if (!json_util::readJsonObject(*obj, asyncResp->res, "RemoteGroup", 418c1019828SEd Tanous remoteGroup, "LocalRole", localRole)) 41906785244SRatan Gupta { 42006785244SRatan Gupta continue; 42106785244SRatan Gupta } 42206785244SRatan Gupta 42306785244SRatan Gupta // Update existing RoleMapping Object 42406785244SRatan Gupta if (index < roleMapObjData.size()) 42506785244SRatan Gupta { 42662598e31SEd Tanous BMCWEB_LOG_DEBUG("Update Role Map Object"); 42706785244SRatan Gupta // If "RemoteGroup" info is provided 42806785244SRatan Gupta if (remoteGroup) 42906785244SRatan Gupta { 430d02aad39SEd Tanous setDbusProperty( 431d02aad39SEd Tanous asyncResp, ldapDbusService, roleMapObjData[index].first, 4329ae226faSGeorge Liu "xyz.openbmc_project.User.PrivilegeMapperEntry", 433d02aad39SEd Tanous "GroupName", 434d02aad39SEd Tanous std::format("RemoteRoleMapping/{}/RemoteGroup", index), 43525e055a3SRavi Teja *remoteGroup); 43606785244SRatan Gupta } 43706785244SRatan Gupta 43806785244SRatan Gupta // If "LocalRole" info is provided 43906785244SRatan Gupta if (localRole) 44006785244SRatan Gupta { 441d02aad39SEd Tanous setDbusProperty( 442d02aad39SEd Tanous asyncResp, ldapDbusService, roleMapObjData[index].first, 4439ae226faSGeorge Liu "xyz.openbmc_project.User.PrivilegeMapperEntry", 444d02aad39SEd Tanous "Privilege", 445d02aad39SEd Tanous std::format("RemoteRoleMapping/{}/LocalRole", index), 446d02aad39SEd Tanous *localRole); 44706785244SRatan Gupta } 44806785244SRatan Gupta } 44906785244SRatan Gupta // Create a new RoleMapping Object. 45006785244SRatan Gupta else 45106785244SRatan Gupta { 45262598e31SEd Tanous BMCWEB_LOG_DEBUG( 45362598e31SEd Tanous "setRoleMappingProperties: Creating new Object"); 45489492a15SPatrick Williams std::string pathString = "RemoteRoleMapping/" + 45589492a15SPatrick Williams std::to_string(index); 45606785244SRatan Gupta 45706785244SRatan Gupta if (!localRole) 45806785244SRatan Gupta { 45906785244SRatan Gupta messages::propertyMissing(asyncResp->res, 46006785244SRatan Gupta pathString + "/LocalRole"); 46106785244SRatan Gupta continue; 46206785244SRatan Gupta } 46306785244SRatan Gupta if (!remoteGroup) 46406785244SRatan Gupta { 46506785244SRatan Gupta messages::propertyMissing(asyncResp->res, 46606785244SRatan Gupta pathString + "/RemoteGroup"); 46706785244SRatan Gupta continue; 46806785244SRatan Gupta } 46906785244SRatan Gupta 47006785244SRatan Gupta std::string dbusObjectPath; 47106785244SRatan Gupta if (serverType == "ActiveDirectory") 47206785244SRatan Gupta { 4732c70f800SEd Tanous dbusObjectPath = adConfigObject; 47406785244SRatan Gupta } 47506785244SRatan Gupta else if (serverType == "LDAP") 47606785244SRatan Gupta { 47723a21a1cSEd Tanous dbusObjectPath = ldapConfigObjectName; 47806785244SRatan Gupta } 47906785244SRatan Gupta 48062598e31SEd Tanous BMCWEB_LOG_DEBUG("Remote Group={},LocalRole={}", *remoteGroup, 48162598e31SEd Tanous *localRole); 48206785244SRatan Gupta 48306785244SRatan Gupta crow::connections::systemBus->async_method_call( 484271584abSEd Tanous [asyncResp, serverType, localRole, 4855e7e2dc5SEd Tanous remoteGroup](const boost::system::error_code& ec) { 48606785244SRatan Gupta if (ec) 48706785244SRatan Gupta { 48862598e31SEd Tanous BMCWEB_LOG_ERROR("DBUS response error: {}", ec); 48906785244SRatan Gupta messages::internalError(asyncResp->res); 49006785244SRatan Gupta return; 49106785244SRatan Gupta } 49206785244SRatan Gupta nlohmann::json& remoteRoleJson = 49306785244SRatan Gupta asyncResp->res 49406785244SRatan Gupta .jsonValue[serverType]["RemoteRoleMapping"]; 4951476687dSEd Tanous nlohmann::json::object_t roleMapEntry; 4961476687dSEd Tanous roleMapEntry["LocalRole"] = *localRole; 4971476687dSEd Tanous roleMapEntry["RemoteGroup"] = *remoteGroup; 498b2ba3072SPatrick Williams remoteRoleJson.emplace_back(std::move(roleMapEntry)); 49906785244SRatan Gupta }, 50006785244SRatan Gupta ldapDbusService, dbusObjectPath, ldapPrivMapperInterface, 5013174e4dfSEd Tanous "Create", *remoteGroup, 50206785244SRatan Gupta getPrivilegeFromRoleId(std::move(*localRole))); 50306785244SRatan Gupta } 50406785244SRatan Gupta } 50506785244SRatan Gupta } 50606785244SRatan Gupta } 50706785244SRatan Gupta 50806785244SRatan Gupta /** 5096973a582SRatan Gupta * Function that retrieves all properties for LDAP config object 5106973a582SRatan Gupta * into JSON 5116973a582SRatan Gupta */ 5126973a582SRatan Gupta template <typename CallbackFunc> 5136973a582SRatan Gupta inline void getLDAPConfigData(const std::string& ldapType, 5146973a582SRatan Gupta CallbackFunc&& callback) 5156973a582SRatan Gupta { 5162b73119cSGeorge Liu constexpr std::array<std::string_view, 2> interfaces = { 5172b73119cSGeorge Liu ldapEnableInterface, ldapConfigInterface}; 51854fc587aSNagaraju Goruganti 5192b73119cSGeorge Liu dbus::utility::getDbusObject( 5202b73119cSGeorge Liu ldapConfigObjectName, interfaces, 5218cb2c024SEd Tanous [callback = std::forward<CallbackFunc>(callback), 522c1019828SEd Tanous ldapType](const boost::system::error_code& ec, 523c1019828SEd Tanous const dbus::utility::MapperGetObject& resp) mutable { 52454fc587aSNagaraju Goruganti if (ec || resp.empty()) 52554fc587aSNagaraju Goruganti { 526bf2ddedeSCarson Labrado BMCWEB_LOG_WARNING( 52762598e31SEd Tanous "DBUS response error during getting of service name: {}", ec); 52823a21a1cSEd Tanous LDAPConfigData empty{}; 52923a21a1cSEd Tanous callback(false, empty, ldapType); 53054fc587aSNagaraju Goruganti return; 53154fc587aSNagaraju Goruganti } 53254fc587aSNagaraju Goruganti std::string service = resp.begin()->first; 5335eb468daSGeorge Liu sdbusplus::message::object_path path(ldapRootObject); 5345eb468daSGeorge Liu dbus::utility::getManagedObjects( 5355eb468daSGeorge Liu service, path, 536c1019828SEd Tanous [callback, ldapType]( 537c1019828SEd Tanous const boost::system::error_code& ec2, 538c1019828SEd Tanous const dbus::utility::ManagedObjectType& ldapObjects) mutable { 5396973a582SRatan Gupta LDAPConfigData confData{}; 5408b24275dSEd Tanous if (ec2) 5416973a582SRatan Gupta { 542ab828d7cSRatan Gupta callback(false, confData, ldapType); 543bf2ddedeSCarson Labrado BMCWEB_LOG_WARNING("D-Bus responses error: {}", ec2); 5446973a582SRatan Gupta return; 5456973a582SRatan Gupta } 546ab828d7cSRatan Gupta 547ab828d7cSRatan Gupta std::string ldapDbusType; 54854fc587aSNagaraju Goruganti std::string searchString; 54954fc587aSNagaraju Goruganti 550ab828d7cSRatan Gupta if (ldapType == "LDAP") 551ab828d7cSRatan Gupta { 5520fda0f12SGeorge Liu ldapDbusType = 5530fda0f12SGeorge Liu "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap"; 55454fc587aSNagaraju Goruganti searchString = "openldap"; 555ab828d7cSRatan Gupta } 556ab828d7cSRatan Gupta else if (ldapType == "ActiveDirectory") 557ab828d7cSRatan Gupta { 55854fc587aSNagaraju Goruganti ldapDbusType = 5590fda0f12SGeorge Liu "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory"; 56054fc587aSNagaraju Goruganti searchString = "active_directory"; 561ab828d7cSRatan Gupta } 562ab828d7cSRatan Gupta else 563ab828d7cSRatan Gupta { 56462598e31SEd Tanous BMCWEB_LOG_ERROR("Can't get the DbusType for the given type={}", 56562598e31SEd Tanous ldapType); 566ab828d7cSRatan Gupta callback(false, confData, ldapType); 567ab828d7cSRatan Gupta return; 568ab828d7cSRatan Gupta } 569ab828d7cSRatan Gupta 570ab828d7cSRatan Gupta std::string ldapEnableInterfaceStr = ldapEnableInterface; 571ab828d7cSRatan Gupta std::string ldapConfigInterfaceStr = ldapConfigInterface; 572ab828d7cSRatan Gupta 5736973a582SRatan Gupta for (const auto& object : ldapObjects) 5746973a582SRatan Gupta { 57554fc587aSNagaraju Goruganti // let's find the object whose ldap type is equal to the 57654fc587aSNagaraju Goruganti // given type 577002d39b4SEd Tanous if (object.first.str.find(searchString) == std::string::npos) 5786973a582SRatan Gupta { 579ab828d7cSRatan Gupta continue; 580ab828d7cSRatan Gupta } 581ab828d7cSRatan Gupta 5826973a582SRatan Gupta for (const auto& interface : object.second) 5836973a582SRatan Gupta { 5846973a582SRatan Gupta if (interface.first == ldapEnableInterfaceStr) 5856973a582SRatan Gupta { 5866973a582SRatan Gupta // rest of the properties are string. 5876973a582SRatan Gupta for (const auto& property : interface.second) 5886973a582SRatan Gupta { 5896973a582SRatan Gupta if (property.first == "Enabled") 5906973a582SRatan Gupta { 5916973a582SRatan Gupta const bool* value = 5926973a582SRatan Gupta std::get_if<bool>(&property.second); 5936973a582SRatan Gupta if (value == nullptr) 5946973a582SRatan Gupta { 5956973a582SRatan Gupta continue; 5966973a582SRatan Gupta } 5976973a582SRatan Gupta confData.serviceEnabled = *value; 5986973a582SRatan Gupta break; 5996973a582SRatan Gupta } 6006973a582SRatan Gupta } 6016973a582SRatan Gupta } 6026973a582SRatan Gupta else if (interface.first == ldapConfigInterfaceStr) 6036973a582SRatan Gupta { 6046973a582SRatan Gupta for (const auto& property : interface.second) 6056973a582SRatan Gupta { 606271584abSEd Tanous const std::string* strValue = 607002d39b4SEd Tanous std::get_if<std::string>(&property.second); 608271584abSEd Tanous if (strValue == nullptr) 6096973a582SRatan Gupta { 6106973a582SRatan Gupta continue; 6116973a582SRatan Gupta } 6126973a582SRatan Gupta if (property.first == "LDAPServerURI") 6136973a582SRatan Gupta { 614271584abSEd Tanous confData.uri = *strValue; 6156973a582SRatan Gupta } 6166973a582SRatan Gupta else if (property.first == "LDAPBindDN") 6176973a582SRatan Gupta { 618271584abSEd Tanous confData.bindDN = *strValue; 6196973a582SRatan Gupta } 6206973a582SRatan Gupta else if (property.first == "LDAPBaseDN") 6216973a582SRatan Gupta { 622271584abSEd Tanous confData.baseDN = *strValue; 6236973a582SRatan Gupta } 624002d39b4SEd Tanous else if (property.first == "LDAPSearchScope") 6256973a582SRatan Gupta { 626271584abSEd Tanous confData.searchScope = *strValue; 6276973a582SRatan Gupta } 628002d39b4SEd Tanous else if (property.first == "GroupNameAttribute") 6296973a582SRatan Gupta { 630271584abSEd Tanous confData.groupAttribute = *strValue; 6316973a582SRatan Gupta } 632002d39b4SEd Tanous else if (property.first == "UserNameAttribute") 6336973a582SRatan Gupta { 634271584abSEd Tanous confData.userNameAttribute = *strValue; 6356973a582SRatan Gupta } 63654fc587aSNagaraju Goruganti else if (property.first == "LDAPType") 637ab828d7cSRatan Gupta { 638271584abSEd Tanous confData.serverType = *strValue; 63954fc587aSNagaraju Goruganti } 64054fc587aSNagaraju Goruganti } 64154fc587aSNagaraju Goruganti } 642002d39b4SEd Tanous else if (interface.first == 6430fda0f12SGeorge Liu "xyz.openbmc_project.User.PrivilegeMapperEntry") 64454fc587aSNagaraju Goruganti { 64554fc587aSNagaraju Goruganti LDAPRoleMapData roleMapData{}; 64654fc587aSNagaraju Goruganti for (const auto& property : interface.second) 64754fc587aSNagaraju Goruganti { 648271584abSEd Tanous const std::string* strValue = 649002d39b4SEd Tanous std::get_if<std::string>(&property.second); 65054fc587aSNagaraju Goruganti 651271584abSEd Tanous if (strValue == nullptr) 65254fc587aSNagaraju Goruganti { 65354fc587aSNagaraju Goruganti continue; 65454fc587aSNagaraju Goruganti } 65554fc587aSNagaraju Goruganti 65654fc587aSNagaraju Goruganti if (property.first == "GroupName") 65754fc587aSNagaraju Goruganti { 658271584abSEd Tanous roleMapData.groupName = *strValue; 65954fc587aSNagaraju Goruganti } 66054fc587aSNagaraju Goruganti else if (property.first == "Privilege") 66154fc587aSNagaraju Goruganti { 662271584abSEd Tanous roleMapData.privilege = *strValue; 66354fc587aSNagaraju Goruganti } 66454fc587aSNagaraju Goruganti } 66554fc587aSNagaraju Goruganti 666002d39b4SEd Tanous confData.groupRoleList.emplace_back(object.first.str, 667002d39b4SEd Tanous roleMapData); 66854fc587aSNagaraju Goruganti } 66954fc587aSNagaraju Goruganti } 67054fc587aSNagaraju Goruganti } 671ab828d7cSRatan Gupta callback(true, confData, ldapType); 6725eb468daSGeorge Liu }); 6732b73119cSGeorge Liu }); 6746973a582SRatan Gupta } 6756973a582SRatan Gupta 6768a07d286SRatan Gupta /** 6778a07d286SRatan Gupta * @brief updates the LDAP server address and updates the 6788a07d286SRatan Gupta json response with the new value. 6798a07d286SRatan Gupta * @param serviceAddressList address to be updated. 6808a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 6818a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 6828a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 6838a07d286SRatan Gupta */ 6848a07d286SRatan Gupta 6854f48d5f6SEd Tanous inline void handleServiceAddressPatch( 6868a07d286SRatan Gupta const std::vector<std::string>& serviceAddressList, 6878d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 6888a07d286SRatan Gupta const std::string& ldapServerElementName, 6898a07d286SRatan Gupta const std::string& ldapConfigObject) 6908a07d286SRatan Gupta { 691d02aad39SEd Tanous setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject, 692d02aad39SEd Tanous ldapConfigInterface, "LDAPServerURI", 693d02aad39SEd Tanous ldapServerElementName + "/ServiceAddress", 69425e055a3SRavi Teja serviceAddressList.front()); 6958a07d286SRatan Gupta } 6968a07d286SRatan Gupta /** 6978a07d286SRatan Gupta * @brief updates the LDAP Bind DN and updates the 6988a07d286SRatan Gupta json response with the new value. 6998a07d286SRatan Gupta * @param username name of the user which needs to be updated. 7008a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7018a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7028a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7038a07d286SRatan Gupta */ 7048a07d286SRatan Gupta 7054f48d5f6SEd Tanous inline void 7064f48d5f6SEd Tanous handleUserNamePatch(const std::string& username, 7078d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7088a07d286SRatan Gupta const std::string& ldapServerElementName, 7098a07d286SRatan Gupta const std::string& ldapConfigObject) 7108a07d286SRatan Gupta { 711d02aad39SEd Tanous setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject, 712d02aad39SEd Tanous ldapConfigInterface, "LDAPBindDN", 713d02aad39SEd Tanous ldapServerElementName + "/Authentication/Username", 714d02aad39SEd Tanous username); 7158a07d286SRatan Gupta } 7168a07d286SRatan Gupta 7178a07d286SRatan Gupta /** 7188a07d286SRatan Gupta * @brief updates the LDAP password 7198a07d286SRatan Gupta * @param password : ldap password which needs to be updated. 7208a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7218a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7228a07d286SRatan Gupta * server(openLDAP/ActiveDirectory) 7238a07d286SRatan Gupta */ 7248a07d286SRatan Gupta 7254f48d5f6SEd Tanous inline void 7264f48d5f6SEd Tanous handlePasswordPatch(const std::string& password, 7278d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7288a07d286SRatan Gupta const std::string& ldapServerElementName, 7298a07d286SRatan Gupta const std::string& ldapConfigObject) 7308a07d286SRatan Gupta { 731d02aad39SEd Tanous setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject, 732d02aad39SEd Tanous ldapConfigInterface, "LDAPBindDNPassword", 733d02aad39SEd Tanous ldapServerElementName + "/Authentication/Password", 734d02aad39SEd Tanous password); 7358a07d286SRatan Gupta } 7368a07d286SRatan Gupta 7378a07d286SRatan Gupta /** 7388a07d286SRatan Gupta * @brief updates the LDAP BaseDN and updates the 7398a07d286SRatan Gupta json response with the new value. 7408a07d286SRatan Gupta * @param baseDNList baseDN list which needs to be updated. 7418a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7428a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7438a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7448a07d286SRatan Gupta */ 7458a07d286SRatan Gupta 7464f48d5f6SEd Tanous inline void 7474f48d5f6SEd Tanous handleBaseDNPatch(const std::vector<std::string>& baseDNList, 7488d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7498a07d286SRatan Gupta const std::string& ldapServerElementName, 7508a07d286SRatan Gupta const std::string& ldapConfigObject) 7518a07d286SRatan Gupta { 752d02aad39SEd Tanous setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject, 753d02aad39SEd Tanous ldapConfigInterface, "LDAPBaseDN", 754d02aad39SEd Tanous ldapServerElementName + 755d02aad39SEd Tanous "/LDAPService/SearchSettings/BaseDistinguishedNames", 75625e055a3SRavi Teja baseDNList.front()); 7578a07d286SRatan Gupta } 7588a07d286SRatan Gupta /** 7598a07d286SRatan Gupta * @brief updates the LDAP user name attribute and updates the 7608a07d286SRatan Gupta json response with the new value. 7618a07d286SRatan Gupta * @param userNameAttribute attribute to be updated. 7628a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7638a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7648a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7658a07d286SRatan Gupta */ 7668a07d286SRatan Gupta 7674f48d5f6SEd Tanous inline void 7684f48d5f6SEd Tanous handleUserNameAttrPatch(const std::string& userNameAttribute, 7698d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7708a07d286SRatan Gupta const std::string& ldapServerElementName, 7718a07d286SRatan Gupta const std::string& ldapConfigObject) 7728a07d286SRatan Gupta { 773d02aad39SEd Tanous setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject, 774d02aad39SEd Tanous ldapConfigInterface, "UserNameAttribute", 775d02aad39SEd Tanous ldapServerElementName + 776d02aad39SEd Tanous "LDAPService/SearchSettings/UsernameAttribute", 777d02aad39SEd Tanous userNameAttribute); 7788a07d286SRatan Gupta } 7798a07d286SRatan Gupta /** 7808a07d286SRatan Gupta * @brief updates the LDAP group attribute and updates the 7818a07d286SRatan Gupta json response with the new value. 7828a07d286SRatan Gupta * @param groupsAttribute attribute to be updated. 7838a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7848a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7858a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7868a07d286SRatan Gupta */ 7878a07d286SRatan Gupta 7884f48d5f6SEd Tanous inline void handleGroupNameAttrPatch( 7898d1b46d7Szhanghch05 const std::string& groupsAttribute, 7908d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7918a07d286SRatan Gupta const std::string& ldapServerElementName, 7928a07d286SRatan Gupta const std::string& ldapConfigObject) 7938a07d286SRatan Gupta { 794d02aad39SEd Tanous setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject, 795d02aad39SEd Tanous ldapConfigInterface, "GroupNameAttribute", 796d02aad39SEd Tanous ldapServerElementName + 797d02aad39SEd Tanous "/LDAPService/SearchSettings/GroupsAttribute", 798d02aad39SEd Tanous groupsAttribute); 7998a07d286SRatan Gupta } 8008a07d286SRatan Gupta /** 8018a07d286SRatan Gupta * @brief updates the LDAP service enable and updates the 8028a07d286SRatan Gupta json response with the new value. 8038a07d286SRatan Gupta * @param input JSON data. 8048a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 8058a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 8068a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 8078a07d286SRatan Gupta */ 8088a07d286SRatan Gupta 8094f48d5f6SEd Tanous inline void handleServiceEnablePatch( 8106c51eab1SEd Tanous bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 8118a07d286SRatan Gupta const std::string& ldapServerElementName, 8128a07d286SRatan Gupta const std::string& ldapConfigObject) 8138a07d286SRatan Gupta { 814d02aad39SEd Tanous setDbusProperty(asyncResp, ldapDbusService, ldapConfigObject, 815d02aad39SEd Tanous ldapEnableInterface, "Enabled", 816d02aad39SEd Tanous ldapServerElementName + "/ServiceEnabled", serviceEnabled); 8178a07d286SRatan Gupta } 8188a07d286SRatan Gupta 819c1019828SEd Tanous struct AuthMethods 82078158631SZbigniew Kurzynski { 82178158631SZbigniew Kurzynski std::optional<bool> basicAuth; 82278158631SZbigniew Kurzynski std::optional<bool> cookie; 82378158631SZbigniew Kurzynski std::optional<bool> sessionToken; 82478158631SZbigniew Kurzynski std::optional<bool> xToken; 825501f1e58SZbigniew Kurzynski std::optional<bool> tls; 826c1019828SEd Tanous }; 82778158631SZbigniew Kurzynski 828c1019828SEd Tanous inline void 829c1019828SEd Tanous handleAuthMethodsPatch(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 830c1019828SEd Tanous const AuthMethods& auth) 83178158631SZbigniew Kurzynski { 832c1019828SEd Tanous persistent_data::AuthConfigMethods& authMethodsConfig = 83352cc112dSEd Tanous persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 83478158631SZbigniew Kurzynski 835c1019828SEd Tanous if (auth.basicAuth) 83678158631SZbigniew Kurzynski { 83725b54dbaSEd Tanous if constexpr (!BMCWEB_BASIC_AUTH) 83825b54dbaSEd Tanous { 839f16f6263SAlan Kuo messages::actionNotSupported( 8400fda0f12SGeorge Liu asyncResp->res, 8410fda0f12SGeorge Liu "Setting BasicAuth when basic-auth feature is disabled"); 842f16f6263SAlan Kuo return; 84325b54dbaSEd Tanous } 84425b54dbaSEd Tanous 845c1019828SEd Tanous authMethodsConfig.basic = *auth.basicAuth; 84678158631SZbigniew Kurzynski } 84778158631SZbigniew Kurzynski 848c1019828SEd Tanous if (auth.cookie) 84978158631SZbigniew Kurzynski { 85025b54dbaSEd Tanous if constexpr (!BMCWEB_COOKIE_AUTH) 85125b54dbaSEd Tanous { 8520fda0f12SGeorge Liu messages::actionNotSupported( 8530fda0f12SGeorge Liu asyncResp->res, 8540fda0f12SGeorge Liu "Setting Cookie when cookie-auth feature is disabled"); 855f16f6263SAlan Kuo return; 85625b54dbaSEd Tanous } 857c1019828SEd Tanous authMethodsConfig.cookie = *auth.cookie; 85878158631SZbigniew Kurzynski } 85978158631SZbigniew Kurzynski 860c1019828SEd Tanous if (auth.sessionToken) 86178158631SZbigniew Kurzynski { 86225b54dbaSEd Tanous if constexpr (!BMCWEB_SESSION_AUTH) 86325b54dbaSEd Tanous { 864f16f6263SAlan Kuo messages::actionNotSupported( 8650fda0f12SGeorge Liu asyncResp->res, 8660fda0f12SGeorge Liu "Setting SessionToken when session-auth feature is disabled"); 867f16f6263SAlan Kuo return; 86825b54dbaSEd Tanous } 869c1019828SEd Tanous authMethodsConfig.sessionToken = *auth.sessionToken; 87078158631SZbigniew Kurzynski } 87178158631SZbigniew Kurzynski 872c1019828SEd Tanous if (auth.xToken) 87378158631SZbigniew Kurzynski { 87425b54dbaSEd Tanous if constexpr (!BMCWEB_XTOKEN_AUTH) 87525b54dbaSEd Tanous { 8760fda0f12SGeorge Liu messages::actionNotSupported( 8770fda0f12SGeorge Liu asyncResp->res, 8780fda0f12SGeorge Liu "Setting XToken when xtoken-auth feature is disabled"); 879f16f6263SAlan Kuo return; 88025b54dbaSEd Tanous } 881c1019828SEd Tanous authMethodsConfig.xtoken = *auth.xToken; 88278158631SZbigniew Kurzynski } 88378158631SZbigniew Kurzynski 884c1019828SEd Tanous if (auth.tls) 885501f1e58SZbigniew Kurzynski { 88625b54dbaSEd Tanous if constexpr (!BMCWEB_MUTUAL_TLS_AUTH) 88725b54dbaSEd Tanous { 8880fda0f12SGeorge Liu messages::actionNotSupported( 8890fda0f12SGeorge Liu asyncResp->res, 8900fda0f12SGeorge Liu "Setting TLS when mutual-tls-auth feature is disabled"); 891f16f6263SAlan Kuo return; 89225b54dbaSEd Tanous } 893c1019828SEd Tanous authMethodsConfig.tls = *auth.tls; 894501f1e58SZbigniew Kurzynski } 895501f1e58SZbigniew Kurzynski 89678158631SZbigniew Kurzynski if (!authMethodsConfig.basic && !authMethodsConfig.cookie && 897501f1e58SZbigniew Kurzynski !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken && 898501f1e58SZbigniew Kurzynski !authMethodsConfig.tls) 89978158631SZbigniew Kurzynski { 90078158631SZbigniew Kurzynski // Do not allow user to disable everything 90178158631SZbigniew Kurzynski messages::actionNotSupported(asyncResp->res, 90278158631SZbigniew Kurzynski "of disabling all available methods"); 90378158631SZbigniew Kurzynski return; 90478158631SZbigniew Kurzynski } 90578158631SZbigniew Kurzynski 90652cc112dSEd Tanous persistent_data::SessionStore::getInstance().updateAuthMethodsConfig( 90752cc112dSEd Tanous authMethodsConfig); 90878158631SZbigniew Kurzynski // Save configuration immediately 90952cc112dSEd Tanous persistent_data::getConfig().writeData(); 91078158631SZbigniew Kurzynski 91178158631SZbigniew Kurzynski messages::success(asyncResp->res); 91278158631SZbigniew Kurzynski } 91378158631SZbigniew Kurzynski 9148a07d286SRatan Gupta /** 9158a07d286SRatan Gupta * @brief Get the required values from the given JSON, validates the 9168a07d286SRatan Gupta * value and create the LDAP config object. 9178a07d286SRatan Gupta * @param input JSON data 9188a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 9198a07d286SRatan Gupta * @param serverType Type of LDAP server(openLDAP/ActiveDirectory) 9208a07d286SRatan Gupta */ 9218a07d286SRatan Gupta 92210cb44f3SEd Tanous struct LdapPatchParams 92310cb44f3SEd Tanous { 92410cb44f3SEd Tanous std::optional<std::string> authType; 92510cb44f3SEd Tanous std::optional<std::vector<std::string>> serviceAddressList; 92610cb44f3SEd Tanous std::optional<bool> serviceEnabled; 92710cb44f3SEd Tanous std::optional<std::vector<std::string>> baseDNList; 92810cb44f3SEd Tanous std::optional<std::string> userNameAttribute; 92910cb44f3SEd Tanous std::optional<std::string> groupsAttribute; 93010cb44f3SEd Tanous std::optional<std::string> userName; 93110cb44f3SEd Tanous std::optional<std::string> password; 93210cb44f3SEd Tanous std::optional< 93310cb44f3SEd Tanous std::vector<std::variant<nlohmann::json::object_t, std::nullptr_t>>> 93410cb44f3SEd Tanous remoteRoleMapData; 93510cb44f3SEd Tanous }; 93610cb44f3SEd Tanous 93710cb44f3SEd Tanous inline void handleLDAPPatch(LdapPatchParams&& input, 9388d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 9398a07d286SRatan Gupta const std::string& serverType) 9408a07d286SRatan Gupta { 941eb2bbe56SRatan Gupta std::string dbusObjectPath; 942eb2bbe56SRatan Gupta if (serverType == "ActiveDirectory") 943eb2bbe56SRatan Gupta { 9442c70f800SEd Tanous dbusObjectPath = adConfigObject; 945eb2bbe56SRatan Gupta } 946eb2bbe56SRatan Gupta else if (serverType == "LDAP") 947eb2bbe56SRatan Gupta { 94823a21a1cSEd Tanous dbusObjectPath = ldapConfigObjectName; 949eb2bbe56SRatan Gupta } 950cb13a392SEd Tanous else 951cb13a392SEd Tanous { 95210cb44f3SEd Tanous BMCWEB_LOG_ERROR("serverType wasn't AD or LDAP but was {}????", 95310cb44f3SEd Tanous serverType); 954cb13a392SEd Tanous return; 955cb13a392SEd Tanous } 956eb2bbe56SRatan Gupta 95710cb44f3SEd Tanous if (input.authType && *input.authType != "UsernameAndPassword") 9588a07d286SRatan Gupta { 95910cb44f3SEd Tanous messages::propertyValueNotInList(asyncResp->res, *input.authType, 960c1019828SEd Tanous "AuthenticationType"); 961c1019828SEd Tanous return; 9628a07d286SRatan Gupta } 963c1019828SEd Tanous 96410cb44f3SEd Tanous if (input.serviceAddressList) 9658a07d286SRatan Gupta { 96610cb44f3SEd Tanous if (input.serviceAddressList->empty()) 9678a07d286SRatan Gupta { 968e2616cc5SEd Tanous messages::propertyValueNotInList( 96910cb44f3SEd Tanous asyncResp->res, *input.serviceAddressList, "ServiceAddress"); 9708a07d286SRatan Gupta return; 9718a07d286SRatan Gupta } 9728a07d286SRatan Gupta } 97310cb44f3SEd Tanous if (input.baseDNList) 9748a07d286SRatan Gupta { 97510cb44f3SEd Tanous if (input.baseDNList->empty()) 9768a07d286SRatan Gupta { 97710cb44f3SEd Tanous messages::propertyValueNotInList(asyncResp->res, *input.baseDNList, 9788a07d286SRatan Gupta "BaseDistinguishedNames"); 9798a07d286SRatan Gupta return; 9808a07d286SRatan Gupta } 9818a07d286SRatan Gupta } 9828a07d286SRatan Gupta 9838a07d286SRatan Gupta // nothing to update, then return 98410cb44f3SEd Tanous if (!input.userName && !input.password && !input.serviceAddressList && 98510cb44f3SEd Tanous !input.baseDNList && !input.userNameAttribute && 98610cb44f3SEd Tanous !input.groupsAttribute && !input.serviceEnabled && 98710cb44f3SEd Tanous !input.remoteRoleMapData) 9888a07d286SRatan Gupta { 9898a07d286SRatan Gupta return; 9908a07d286SRatan Gupta } 9918a07d286SRatan Gupta 9928a07d286SRatan Gupta // Get the existing resource first then keep modifying 9938a07d286SRatan Gupta // whenever any property gets updated. 99410cb44f3SEd Tanous getLDAPConfigData(serverType, 99510cb44f3SEd Tanous [asyncResp, input = std::move(input), 99610cb44f3SEd Tanous dbusObjectPath = std::move(dbusObjectPath)]( 99710cb44f3SEd Tanous bool success, const LDAPConfigData& confData, 998c1019828SEd Tanous const std::string& serverT) mutable { 9998a07d286SRatan Gupta if (!success) 10008a07d286SRatan Gupta { 10018a07d286SRatan Gupta messages::internalError(asyncResp->res); 10028a07d286SRatan Gupta return; 10038a07d286SRatan Gupta } 10046c51eab1SEd Tanous parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT); 10058a07d286SRatan Gupta if (confData.serviceEnabled) 10068a07d286SRatan Gupta { 10078a07d286SRatan Gupta // Disable the service first and update the rest of 10088a07d286SRatan Gupta // the properties. 10096c51eab1SEd Tanous handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath); 10108a07d286SRatan Gupta } 10118a07d286SRatan Gupta 101210cb44f3SEd Tanous if (input.serviceAddressList) 10138a07d286SRatan Gupta { 101410cb44f3SEd Tanous handleServiceAddressPatch(*input.serviceAddressList, asyncResp, 101510cb44f3SEd Tanous serverT, dbusObjectPath); 101610cb44f3SEd Tanous } 101710cb44f3SEd Tanous if (input.userName) 101810cb44f3SEd Tanous { 101910cb44f3SEd Tanous handleUserNamePatch(*input.userName, asyncResp, serverT, 10206c51eab1SEd Tanous dbusObjectPath); 10218a07d286SRatan Gupta } 102210cb44f3SEd Tanous if (input.password) 10238a07d286SRatan Gupta { 102410cb44f3SEd Tanous handlePasswordPatch(*input.password, asyncResp, serverT, 102510cb44f3SEd Tanous dbusObjectPath); 10268a07d286SRatan Gupta } 10278a07d286SRatan Gupta 102810cb44f3SEd Tanous if (input.baseDNList) 10298a07d286SRatan Gupta { 103010cb44f3SEd Tanous handleBaseDNPatch(*input.baseDNList, asyncResp, serverT, 10316c51eab1SEd Tanous dbusObjectPath); 10328a07d286SRatan Gupta } 103310cb44f3SEd Tanous if (input.userNameAttribute) 10348a07d286SRatan Gupta { 103510cb44f3SEd Tanous handleUserNameAttrPatch(*input.userNameAttribute, asyncResp, 103610cb44f3SEd Tanous serverT, dbusObjectPath); 103710cb44f3SEd Tanous } 103810cb44f3SEd Tanous if (input.groupsAttribute) 103910cb44f3SEd Tanous { 104010cb44f3SEd Tanous handleGroupNameAttrPatch(*input.groupsAttribute, asyncResp, serverT, 10416c51eab1SEd Tanous dbusObjectPath); 10428a07d286SRatan Gupta } 104310cb44f3SEd Tanous if (input.serviceEnabled) 10448a07d286SRatan Gupta { 10458a07d286SRatan Gupta // if user has given the value as true then enable 10468a07d286SRatan Gupta // the service. if user has given false then no-op 10478a07d286SRatan Gupta // as service is already stopped. 104810cb44f3SEd Tanous if (*input.serviceEnabled) 10498a07d286SRatan Gupta { 105010cb44f3SEd Tanous handleServiceEnablePatch(*input.serviceEnabled, asyncResp, 105110cb44f3SEd Tanous serverT, dbusObjectPath); 10528a07d286SRatan Gupta } 10538a07d286SRatan Gupta } 10548a07d286SRatan Gupta else 10558a07d286SRatan Gupta { 10568a07d286SRatan Gupta // if user has not given the service enabled value 10578a07d286SRatan Gupta // then revert it to the same state as it was 10588a07d286SRatan Gupta // before. 10598a07d286SRatan Gupta handleServiceEnablePatch(confData.serviceEnabled, asyncResp, 106023a21a1cSEd Tanous serverT, dbusObjectPath); 10618a07d286SRatan Gupta } 106206785244SRatan Gupta 106310cb44f3SEd Tanous if (input.remoteRoleMapData) 106406785244SRatan Gupta { 10656c51eab1SEd Tanous handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT, 106610cb44f3SEd Tanous *input.remoteRoleMapData); 106706785244SRatan Gupta } 10688a07d286SRatan Gupta }); 10698a07d286SRatan Gupta } 1070d4b5443fSEd Tanous 107158345856SAbhishek Patel inline void updateUserProperties( 107258345856SAbhishek Patel std::shared_ptr<bmcweb::AsyncResp> asyncResp, const std::string& username, 1073618c14b4SEd Tanous const std::optional<std::string>& password, 1074618c14b4SEd Tanous const std::optional<bool>& enabled, 107558345856SAbhishek Patel const std::optional<std::string>& roleId, const std::optional<bool>& locked, 107658345856SAbhishek Patel std::optional<std::vector<std::string>> accountTypes, bool userSelf) 10771abe55efSEd Tanous { 1078b477fd44SP Dheeraj Srujan Kumar sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 1079b477fd44SP Dheeraj Srujan Kumar tempObjPath /= username; 1080b477fd44SP Dheeraj Srujan Kumar std::string dbusObjectPath(tempObjPath); 10816c51eab1SEd Tanous 10826c51eab1SEd Tanous dbus::utility::checkDbusPathExists( 1083618c14b4SEd Tanous dbusObjectPath, [dbusObjectPath, username, password, roleId, enabled, 108458345856SAbhishek Patel locked, accountTypes(std::move(accountTypes)), 108558345856SAbhishek Patel userSelf, asyncResp{std::move(asyncResp)}](int rc) { 1086e662eae8SEd Tanous if (rc <= 0) 10876c51eab1SEd Tanous { 1088d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", 10896c51eab1SEd Tanous username); 10906c51eab1SEd Tanous return; 10916c51eab1SEd Tanous } 10926c51eab1SEd Tanous 10936c51eab1SEd Tanous if (password) 10946c51eab1SEd Tanous { 10956c51eab1SEd Tanous int retval = pamUpdatePassword(username, *password); 10966c51eab1SEd Tanous 10976c51eab1SEd Tanous if (retval == PAM_USER_UNKNOWN) 10986c51eab1SEd Tanous { 1099d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", 11006c51eab1SEd Tanous username); 11016c51eab1SEd Tanous } 11026c51eab1SEd Tanous else if (retval == PAM_AUTHTOK_ERR) 11036c51eab1SEd Tanous { 11046c51eab1SEd Tanous // If password is invalid 11059bd80831SJason M. Bills messages::propertyValueFormatError(asyncResp->res, nullptr, 11069bd80831SJason M. Bills "Password"); 110762598e31SEd Tanous BMCWEB_LOG_ERROR("pamUpdatePassword Failed"); 11086c51eab1SEd Tanous } 11096c51eab1SEd Tanous else if (retval != PAM_SUCCESS) 11106c51eab1SEd Tanous { 11116c51eab1SEd Tanous messages::internalError(asyncResp->res); 11126c51eab1SEd Tanous return; 11136c51eab1SEd Tanous } 1114e7b1b62bSEd Tanous else 1115e7b1b62bSEd Tanous { 1116e7b1b62bSEd Tanous messages::success(asyncResp->res); 1117e7b1b62bSEd Tanous } 11186c51eab1SEd Tanous } 11196c51eab1SEd Tanous 11206c51eab1SEd Tanous if (enabled) 11216c51eab1SEd Tanous { 1122d02aad39SEd Tanous setDbusProperty(asyncResp, "xyz.openbmc_project.User.Manager", 1123d02aad39SEd Tanous dbusObjectPath, 1124d02aad39SEd Tanous "xyz.openbmc_project.User.Attributes", 1125d02aad39SEd Tanous "UserEnabled", "Enabled", *enabled); 11266c51eab1SEd Tanous } 11276c51eab1SEd Tanous 11286c51eab1SEd Tanous if (roleId) 11296c51eab1SEd Tanous { 11306c51eab1SEd Tanous std::string priv = getPrivilegeFromRoleId(*roleId); 11316c51eab1SEd Tanous if (priv.empty()) 11326c51eab1SEd Tanous { 1133e2616cc5SEd Tanous messages::propertyValueNotInList(asyncResp->res, true, 1134e2616cc5SEd Tanous "Locked"); 11356c51eab1SEd Tanous return; 11366c51eab1SEd Tanous } 1137d02aad39SEd Tanous setDbusProperty(asyncResp, "xyz.openbmc_project.User.Manager", 1138d02aad39SEd Tanous dbusObjectPath, 1139d02aad39SEd Tanous "xyz.openbmc_project.User.Attributes", 1140d02aad39SEd Tanous "UserPrivilege", "RoleId", priv); 11416c51eab1SEd Tanous } 11426c51eab1SEd Tanous 11436c51eab1SEd Tanous if (locked) 11446c51eab1SEd Tanous { 11456c51eab1SEd Tanous // admin can unlock the account which is locked by 11466c51eab1SEd Tanous // successive authentication failures but admin should 11476c51eab1SEd Tanous // not be allowed to lock an account. 11486c51eab1SEd Tanous if (*locked) 11496c51eab1SEd Tanous { 11506c51eab1SEd Tanous messages::propertyValueNotInList(asyncResp->res, "true", 11516c51eab1SEd Tanous "Locked"); 11526c51eab1SEd Tanous return; 11536c51eab1SEd Tanous } 1154d02aad39SEd Tanous setDbusProperty(asyncResp, "xyz.openbmc_project.User.Manager", 1155d02aad39SEd Tanous dbusObjectPath, 11569ae226faSGeorge Liu "xyz.openbmc_project.User.Attributes", 1157d02aad39SEd Tanous "UserLockedForFailedAttempt", "Locked", *locked); 11586c51eab1SEd Tanous } 115958345856SAbhishek Patel 116058345856SAbhishek Patel if (accountTypes) 116158345856SAbhishek Patel { 116258345856SAbhishek Patel patchAccountTypes(*accountTypes, asyncResp, dbusObjectPath, 116358345856SAbhishek Patel userSelf); 116458345856SAbhishek Patel } 11656c51eab1SEd Tanous }); 11666c51eab1SEd Tanous } 11676c51eab1SEd Tanous 11684c7d4d33SEd Tanous inline void handleAccountServiceHead( 11694c7d4d33SEd Tanous App& app, const crow::Request& req, 11701ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 11716c51eab1SEd Tanous { 11723ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 117345ca1b86SEd Tanous { 117445ca1b86SEd Tanous return; 117545ca1b86SEd Tanous } 11764c7d4d33SEd Tanous asyncResp->res.addHeader( 11774c7d4d33SEd Tanous boost::beast::http::field::link, 11784c7d4d33SEd Tanous "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby"); 11794c7d4d33SEd Tanous } 11804c7d4d33SEd Tanous 11814c7d4d33SEd Tanous inline void 1182*1aa375b8SEd Tanous getClientCertificates(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 1183*1aa375b8SEd Tanous const nlohmann::json::json_pointer& keyLocation) 1184*1aa375b8SEd Tanous { 1185*1aa375b8SEd Tanous boost::urls::url url( 1186*1aa375b8SEd Tanous "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates"); 1187*1aa375b8SEd Tanous std::array<std::string_view, 1> interfaces = { 1188*1aa375b8SEd Tanous "xyz.openbmc_project.Certs.Certificate"}; 1189*1aa375b8SEd Tanous std::string path = "/xyz/openbmc_project/certs/authority/truststore"; 1190*1aa375b8SEd Tanous 1191*1aa375b8SEd Tanous collection_util::getCollectionToKey(asyncResp, url, interfaces, path, 1192*1aa375b8SEd Tanous keyLocation); 1193*1aa375b8SEd Tanous } 1194*1aa375b8SEd Tanous 1195*1aa375b8SEd Tanous inline void handleAccountServiceClientCertificatesInstanceHead( 1196*1aa375b8SEd Tanous App& app, const crow::Request& req, 1197*1aa375b8SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 1198*1aa375b8SEd Tanous const std::string& /*id*/) 1199*1aa375b8SEd Tanous { 1200*1aa375b8SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1201*1aa375b8SEd Tanous { 1202*1aa375b8SEd Tanous return; 1203*1aa375b8SEd Tanous } 1204*1aa375b8SEd Tanous 1205*1aa375b8SEd Tanous asyncResp->res.addHeader( 1206*1aa375b8SEd Tanous boost::beast::http::field::link, 1207*1aa375b8SEd Tanous "</redfish/v1/JsonSchemas/Certificate/Certificate.json>; rel=describedby"); 1208*1aa375b8SEd Tanous } 1209*1aa375b8SEd Tanous 1210*1aa375b8SEd Tanous inline void handleAccountServiceClientCertificatesInstanceGet( 1211*1aa375b8SEd Tanous App& app, const crow::Request& req, 1212*1aa375b8SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, const std::string& id) 1213*1aa375b8SEd Tanous { 1214*1aa375b8SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1215*1aa375b8SEd Tanous { 1216*1aa375b8SEd Tanous return; 1217*1aa375b8SEd Tanous } 1218*1aa375b8SEd Tanous BMCWEB_LOG_DEBUG("ClientCertificate Certificate ID={}", id); 1219*1aa375b8SEd Tanous const boost::urls::url certURL = boost::urls::format( 1220*1aa375b8SEd Tanous "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/{}", 1221*1aa375b8SEd Tanous id); 1222*1aa375b8SEd Tanous std::string objPath = 1223*1aa375b8SEd Tanous sdbusplus::message::object_path(certs::authorityObjectPath) / id; 1224*1aa375b8SEd Tanous getCertificateProperties( 1225*1aa375b8SEd Tanous asyncResp, objPath, 1226*1aa375b8SEd Tanous "xyz.openbmc_project.Certs.Manager.Authority.Truststore", id, certURL, 1227*1aa375b8SEd Tanous "Client Certificate"); 1228*1aa375b8SEd Tanous } 1229*1aa375b8SEd Tanous 1230*1aa375b8SEd Tanous inline void handleAccountServiceClientCertificatesHead( 1231*1aa375b8SEd Tanous App& app, const crow::Request& req, 1232*1aa375b8SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 1233*1aa375b8SEd Tanous { 1234*1aa375b8SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1235*1aa375b8SEd Tanous { 1236*1aa375b8SEd Tanous return; 1237*1aa375b8SEd Tanous } 1238*1aa375b8SEd Tanous 1239*1aa375b8SEd Tanous asyncResp->res.addHeader( 1240*1aa375b8SEd Tanous boost::beast::http::field::link, 1241*1aa375b8SEd Tanous "</redfish/v1/JsonSchemas/CertificateCollection/CertificateCollection.json>; rel=describedby"); 1242*1aa375b8SEd Tanous } 1243*1aa375b8SEd Tanous 1244*1aa375b8SEd Tanous inline void handleAccountServiceClientCertificatesGet( 1245*1aa375b8SEd Tanous App& app, const crow::Request& req, 1246*1aa375b8SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 1247*1aa375b8SEd Tanous { 1248*1aa375b8SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1249*1aa375b8SEd Tanous { 1250*1aa375b8SEd Tanous return; 1251*1aa375b8SEd Tanous } 1252*1aa375b8SEd Tanous getClientCertificates(asyncResp, "/Members"_json_pointer); 1253*1aa375b8SEd Tanous } 1254*1aa375b8SEd Tanous 1255*1aa375b8SEd Tanous inline void 12564c7d4d33SEd Tanous handleAccountServiceGet(App& app, const crow::Request& req, 12574c7d4d33SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 12584c7d4d33SEd Tanous { 1259afd369c6SJiaqing Zhao if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1260afd369c6SJiaqing Zhao { 1261afd369c6SJiaqing Zhao return; 1262afd369c6SJiaqing Zhao } 12633e72c202SNinad Palsule 12643e72c202SNinad Palsule if (req.session == nullptr) 12653e72c202SNinad Palsule { 12663e72c202SNinad Palsule messages::internalError(asyncResp->res); 12673e72c202SNinad Palsule return; 12683e72c202SNinad Palsule } 12693e72c202SNinad Palsule 1270c1019828SEd Tanous const persistent_data::AuthConfigMethods& authMethodsConfig = 1271c1019828SEd Tanous persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 1272c1019828SEd Tanous 1273afd369c6SJiaqing Zhao asyncResp->res.addHeader( 1274afd369c6SJiaqing Zhao boost::beast::http::field::link, 1275afd369c6SJiaqing Zhao "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby"); 1276afd369c6SJiaqing Zhao 12771476687dSEd Tanous nlohmann::json& json = asyncResp->res.jsonValue; 12781476687dSEd Tanous json["@odata.id"] = "/redfish/v1/AccountService"; 1279482a69e7SRavi Teja json["@odata.type"] = "#AccountService.v1_15_0.AccountService"; 12801476687dSEd Tanous json["Id"] = "AccountService"; 12811476687dSEd Tanous json["Name"] = "Account Service"; 12821476687dSEd Tanous json["Description"] = "Account Service"; 12831476687dSEd Tanous json["ServiceEnabled"] = true; 12841476687dSEd Tanous json["MaxPasswordLength"] = 20; 12851ef4c342SEd Tanous json["Accounts"]["@odata.id"] = "/redfish/v1/AccountService/Accounts"; 12861476687dSEd Tanous json["Roles"]["@odata.id"] = "/redfish/v1/AccountService/Roles"; 1287482a69e7SRavi Teja json["HTTPBasicAuth"] = authMethodsConfig.basic 1288482a69e7SRavi Teja ? account_service::BasicAuthState::Enabled 1289482a69e7SRavi Teja : account_service::BasicAuthState::Disabled; 1290482a69e7SRavi Teja 1291482a69e7SRavi Teja nlohmann::json::array_t allowed; 1292482a69e7SRavi Teja allowed.emplace_back(account_service::BasicAuthState::Enabled); 1293482a69e7SRavi Teja allowed.emplace_back(account_service::BasicAuthState::Disabled); 1294482a69e7SRavi Teja json["HTTPBasicAuth@AllowableValues"] = std::move(allowed); 1295482a69e7SRavi Teja 1296*1aa375b8SEd Tanous nlohmann::json::object_t clientCertificate; 1297*1aa375b8SEd Tanous clientCertificate["Enabled"] = authMethodsConfig.tls; 1298*1aa375b8SEd Tanous clientCertificate["RespondToUnauthenticatedClients"] = true; 1299*1aa375b8SEd Tanous clientCertificate["CertificateMappingAttribute"] = 1300*1aa375b8SEd Tanous account_service::CertificateMappingAttribute::CommonName; 1301*1aa375b8SEd Tanous nlohmann::json::object_t certificates; 1302*1aa375b8SEd Tanous certificates["@odata.id"] = 1303*1aa375b8SEd Tanous "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates"; 1304*1aa375b8SEd Tanous certificates["@odata.type"] = 1305*1aa375b8SEd Tanous "#CertificateCollection.CertificateCollection"; 1306*1aa375b8SEd Tanous clientCertificate["Certificates"] = std::move(certificates); 1307*1aa375b8SEd Tanous json["MultiFactorAuth"]["ClientCertificate"] = std::move(clientCertificate); 1308*1aa375b8SEd Tanous 1309*1aa375b8SEd Tanous getClientCertificates( 1310*1aa375b8SEd Tanous asyncResp, 1311*1aa375b8SEd Tanous "/MultiFactorAuth/ClientCertificate/Certificates/Members"_json_pointer); 1312*1aa375b8SEd Tanous 13131476687dSEd Tanous json["Oem"]["OpenBMC"]["@odata.type"] = 13145b5574acSEd Tanous "#OpenBMCAccountService.v1_0_0.AccountService"; 13151476687dSEd Tanous json["Oem"]["OpenBMC"]["@odata.id"] = 13161476687dSEd Tanous "/redfish/v1/AccountService#/Oem/OpenBMC"; 13171476687dSEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["BasicAuth"] = 13181476687dSEd Tanous authMethodsConfig.basic; 13191476687dSEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["SessionToken"] = 13201476687dSEd Tanous authMethodsConfig.sessionToken; 13211ef4c342SEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["XToken"] = authMethodsConfig.xtoken; 13221ef4c342SEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["Cookie"] = authMethodsConfig.cookie; 13231ef4c342SEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["TLS"] = authMethodsConfig.tls; 13241476687dSEd Tanous 13251ef4c342SEd Tanous // /redfish/v1/AccountService/LDAP/Certificates is something only 13261ef4c342SEd Tanous // ConfigureManager can access then only display when the user has 13271ef4c342SEd Tanous // permissions ConfigureManager 132872048780SAbhishek Patel Privileges effectiveUserPrivileges = 13293e72c202SNinad Palsule redfish::getUserPrivileges(*req.session); 133072048780SAbhishek Patel 133172048780SAbhishek Patel if (isOperationAllowedWithPrivileges({{"ConfigureManager"}}, 133272048780SAbhishek Patel effectiveUserPrivileges)) 133372048780SAbhishek Patel { 13341ef4c342SEd Tanous asyncResp->res.jsonValue["LDAP"]["Certificates"]["@odata.id"] = 13351476687dSEd Tanous "/redfish/v1/AccountService/LDAP/Certificates"; 133672048780SAbhishek Patel } 1337d1bde9e5SKrzysztof Grobelny sdbusplus::asio::getAllProperties( 1338d1bde9e5SKrzysztof Grobelny *crow::connections::systemBus, "xyz.openbmc_project.User.Manager", 1339d1bde9e5SKrzysztof Grobelny "/xyz/openbmc_project/user", "xyz.openbmc_project.User.AccountPolicy", 13405e7e2dc5SEd Tanous [asyncResp](const boost::system::error_code& ec, 13411ef4c342SEd Tanous const dbus::utility::DBusPropertiesMap& propertiesList) { 13423d958bbcSAppaRao Puli if (ec) 13433d958bbcSAppaRao Puli { 13443d958bbcSAppaRao Puli messages::internalError(asyncResp->res); 13453d958bbcSAppaRao Puli return; 13463d958bbcSAppaRao Puli } 1347d1bde9e5SKrzysztof Grobelny 134862598e31SEd Tanous BMCWEB_LOG_DEBUG("Got {} properties for AccountService", 134962598e31SEd Tanous propertiesList.size()); 1350d1bde9e5SKrzysztof Grobelny 1351d1bde9e5SKrzysztof Grobelny const uint8_t* minPasswordLength = nullptr; 1352d1bde9e5SKrzysztof Grobelny const uint32_t* accountUnlockTimeout = nullptr; 1353d1bde9e5SKrzysztof Grobelny const uint16_t* maxLoginAttemptBeforeLockout = nullptr; 1354d1bde9e5SKrzysztof Grobelny 1355d1bde9e5SKrzysztof Grobelny const bool success = sdbusplus::unpackPropertiesNoThrow( 1356d1bde9e5SKrzysztof Grobelny dbus_utils::UnpackErrorPrinter(), propertiesList, 1357d1bde9e5SKrzysztof Grobelny "MinPasswordLength", minPasswordLength, "AccountUnlockTimeout", 1358d1bde9e5SKrzysztof Grobelny accountUnlockTimeout, "MaxLoginAttemptBeforeLockout", 1359d1bde9e5SKrzysztof Grobelny maxLoginAttemptBeforeLockout); 1360d1bde9e5SKrzysztof Grobelny 1361d1bde9e5SKrzysztof Grobelny if (!success) 13623d958bbcSAppaRao Puli { 1363d1bde9e5SKrzysztof Grobelny messages::internalError(asyncResp->res); 1364d1bde9e5SKrzysztof Grobelny return; 13653d958bbcSAppaRao Puli } 1366d1bde9e5SKrzysztof Grobelny 1367d1bde9e5SKrzysztof Grobelny if (minPasswordLength != nullptr) 13683d958bbcSAppaRao Puli { 1369d1bde9e5SKrzysztof Grobelny asyncResp->res.jsonValue["MinPasswordLength"] = *minPasswordLength; 13703d958bbcSAppaRao Puli } 1371d1bde9e5SKrzysztof Grobelny 1372d1bde9e5SKrzysztof Grobelny if (accountUnlockTimeout != nullptr) 13733d958bbcSAppaRao Puli { 1374d1bde9e5SKrzysztof Grobelny asyncResp->res.jsonValue["AccountLockoutDuration"] = 1375d1bde9e5SKrzysztof Grobelny *accountUnlockTimeout; 1376d1bde9e5SKrzysztof Grobelny } 1377d1bde9e5SKrzysztof Grobelny 1378d1bde9e5SKrzysztof Grobelny if (maxLoginAttemptBeforeLockout != nullptr) 13793d958bbcSAppaRao Puli { 1380002d39b4SEd Tanous asyncResp->res.jsonValue["AccountLockoutThreshold"] = 1381d1bde9e5SKrzysztof Grobelny *maxLoginAttemptBeforeLockout; 13823d958bbcSAppaRao Puli } 1383d1bde9e5SKrzysztof Grobelny }); 13846973a582SRatan Gupta 138502cad96eSEd Tanous auto callback = [asyncResp](bool success, const LDAPConfigData& confData, 1386ab828d7cSRatan Gupta const std::string& ldapType) { 1387cb13a392SEd Tanous if (!success) 1388cb13a392SEd Tanous { 1389cb13a392SEd Tanous return; 1390cb13a392SEd Tanous } 1391002d39b4SEd Tanous parseLDAPConfigData(asyncResp->res.jsonValue, confData, ldapType); 1392ab828d7cSRatan Gupta }; 1393ab828d7cSRatan Gupta 1394ab828d7cSRatan Gupta getLDAPConfigData("LDAP", callback); 1395ab828d7cSRatan Gupta getLDAPConfigData("ActiveDirectory", callback); 13961ef4c342SEd Tanous } 13976973a582SRatan Gupta 13981ef4c342SEd Tanous inline void handleAccountServicePatch( 13991ef4c342SEd Tanous App& app, const crow::Request& req, 14001ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 14011ef4c342SEd Tanous { 14023ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 140345ca1b86SEd Tanous { 140445ca1b86SEd Tanous return; 140545ca1b86SEd Tanous } 1406f5ffd806SEd Tanous std::optional<uint32_t> unlockTimeout; 1407f5ffd806SEd Tanous std::optional<uint16_t> lockoutThreshold; 1408ef73ad0dSPaul Fertser std::optional<uint8_t> minPasswordLength; 1409f5ffd806SEd Tanous std::optional<uint16_t> maxPasswordLength; 141010cb44f3SEd Tanous LdapPatchParams ldapObject; 141110cb44f3SEd Tanous LdapPatchParams activeDirectoryObject; 1412c1019828SEd Tanous AuthMethods auth; 1413482a69e7SRavi Teja std::optional<std::string> httpBasicAuth; 1414c1019828SEd Tanous // clang-format off 141515ed6780SWilly Tu if (!json_util::readJsonPatch( 1416c1019828SEd Tanous req, asyncResp->res, 1417c1019828SEd Tanous "AccountLockoutDuration", unlockTimeout, 1418c1019828SEd Tanous "AccountLockoutThreshold", lockoutThreshold, 141910cb44f3SEd Tanous "ActiveDirectory/Authentication/AuthenticationType", activeDirectoryObject.authType, 142010cb44f3SEd Tanous "ActiveDirectory/Authentication/Password", activeDirectoryObject.password, 142110cb44f3SEd Tanous "ActiveDirectory/Authentication/Username", activeDirectoryObject.userName, 142210cb44f3SEd Tanous "ActiveDirectory/LDAPService/SearchSettings/BaseDistinguishedNames", activeDirectoryObject.baseDNList, 142310cb44f3SEd Tanous "ActiveDirectory/LDAPService/SearchSettings/GroupsAttribute", activeDirectoryObject.groupsAttribute, 142410cb44f3SEd Tanous "ActiveDirectory/LDAPService/SearchSettings/UsernameAttribute", activeDirectoryObject.userNameAttribute, 142510cb44f3SEd Tanous "ActiveDirectory/RemoteRoleMapping", activeDirectoryObject.remoteRoleMapData, 142610cb44f3SEd Tanous "ActiveDirectory/ServiceAddresses", activeDirectoryObject.serviceAddressList, 142710cb44f3SEd Tanous "ActiveDirectory/ServiceEnabled", activeDirectoryObject.serviceEnabled, 142810cb44f3SEd Tanous "LDAP/Authentication/AuthenticationType", ldapObject.authType, 142910cb44f3SEd Tanous "LDAP/Authentication/Password", ldapObject.password, 143010cb44f3SEd Tanous "LDAP/Authentication/Username", ldapObject.userName, 143110cb44f3SEd Tanous "LDAP/LDAPService/SearchSettings/BaseDistinguishedNames", ldapObject.baseDNList, 143210cb44f3SEd Tanous "LDAP/LDAPService/SearchSettings/GroupsAttribute", ldapObject.groupsAttribute, 143310cb44f3SEd Tanous "LDAP/LDAPService/SearchSettings/UsernameAttribute", ldapObject.userNameAttribute, 143410cb44f3SEd Tanous "LDAP/RemoteRoleMapping", ldapObject.remoteRoleMapData, 143510cb44f3SEd Tanous "LDAP/ServiceAddresses", ldapObject.serviceAddressList, 143610cb44f3SEd Tanous "LDAP/ServiceEnabled", ldapObject.serviceEnabled, 1437c1019828SEd Tanous "MaxPasswordLength", maxPasswordLength, 1438c1019828SEd Tanous "MinPasswordLength", minPasswordLength, 1439c1019828SEd Tanous "Oem/OpenBMC/AuthMethods/BasicAuth", auth.basicAuth, 1440c1019828SEd Tanous "Oem/OpenBMC/AuthMethods/Cookie", auth.cookie, 1441c1019828SEd Tanous "Oem/OpenBMC/AuthMethods/SessionToken", auth.sessionToken, 144210cb44f3SEd Tanous "Oem/OpenBMC/AuthMethods/TLS", auth.tls, 1443482a69e7SRavi Teja "Oem/OpenBMC/AuthMethods/XToken", auth.xToken, 1444482a69e7SRavi Teja "HTTPBasicAuth", httpBasicAuth)) 1445f5ffd806SEd Tanous { 1446f5ffd806SEd Tanous return; 1447f5ffd806SEd Tanous } 1448c1019828SEd Tanous // clang-format on 1449f5ffd806SEd Tanous 1450482a69e7SRavi Teja if (httpBasicAuth) 1451482a69e7SRavi Teja { 1452482a69e7SRavi Teja if (*httpBasicAuth == "Enabled") 1453482a69e7SRavi Teja { 1454482a69e7SRavi Teja auth.basicAuth = true; 1455482a69e7SRavi Teja } 1456482a69e7SRavi Teja else if (*httpBasicAuth == "Disabled") 1457482a69e7SRavi Teja { 1458482a69e7SRavi Teja auth.basicAuth = false; 1459482a69e7SRavi Teja } 1460482a69e7SRavi Teja else 1461482a69e7SRavi Teja { 1462482a69e7SRavi Teja messages::propertyValueNotInList(asyncResp->res, "HttpBasicAuth", 1463482a69e7SRavi Teja *httpBasicAuth); 1464482a69e7SRavi Teja } 1465482a69e7SRavi Teja } 1466482a69e7SRavi Teja 1467f5ffd806SEd Tanous if (minPasswordLength) 1468f5ffd806SEd Tanous { 1469d02aad39SEd Tanous setDbusProperty( 1470d02aad39SEd Tanous asyncResp, "xyz.openbmc_project.User.Manager", 1471d02aad39SEd Tanous sdbusplus::message::object_path("/xyz/openbmc_project/user"), 14729ae226faSGeorge Liu "xyz.openbmc_project.User.AccountPolicy", "MinPasswordLength", 1473d02aad39SEd Tanous "MinPasswordLength", *minPasswordLength); 1474f5ffd806SEd Tanous } 1475f5ffd806SEd Tanous 1476f5ffd806SEd Tanous if (maxPasswordLength) 1477f5ffd806SEd Tanous { 14781ef4c342SEd Tanous messages::propertyNotWritable(asyncResp->res, "MaxPasswordLength"); 1479f5ffd806SEd Tanous } 1480f5ffd806SEd Tanous 148110cb44f3SEd Tanous handleLDAPPatch(std::move(activeDirectoryObject), asyncResp, 148210cb44f3SEd Tanous "ActiveDirectory"); 148310cb44f3SEd Tanous handleLDAPPatch(std::move(ldapObject), asyncResp, "LDAP"); 1484f5ffd806SEd Tanous 1485c1019828SEd Tanous handleAuthMethodsPatch(asyncResp, auth); 1486f5ffd806SEd Tanous 1487f5ffd806SEd Tanous if (unlockTimeout) 1488f5ffd806SEd Tanous { 1489d02aad39SEd Tanous setDbusProperty( 1490d02aad39SEd Tanous asyncResp, "xyz.openbmc_project.User.Manager", 1491d02aad39SEd Tanous sdbusplus::message::object_path("/xyz/openbmc_project/user"), 14929ae226faSGeorge Liu "xyz.openbmc_project.User.AccountPolicy", "AccountUnlockTimeout", 1493d02aad39SEd Tanous "AccountLockoutDuration", *unlockTimeout); 1494f5ffd806SEd Tanous } 1495f5ffd806SEd Tanous if (lockoutThreshold) 1496f5ffd806SEd Tanous { 1497d02aad39SEd Tanous setDbusProperty( 1498d02aad39SEd Tanous asyncResp, "xyz.openbmc_project.User.Manager", 1499d02aad39SEd Tanous sdbusplus::message::object_path("/xyz/openbmc_project/user"), 15009ae226faSGeorge Liu "xyz.openbmc_project.User.AccountPolicy", 1501d02aad39SEd Tanous "MaxLoginAttemptBeforeLockout", "AccountLockoutThreshold", 1502d02aad39SEd Tanous *lockoutThreshold); 1503f5ffd806SEd Tanous } 15041ef4c342SEd Tanous } 1505f5ffd806SEd Tanous 15064c7d4d33SEd Tanous inline void handleAccountCollectionHead( 15071ef4c342SEd Tanous App& app, const crow::Request& req, 15081ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 15091ef4c342SEd Tanous { 15103ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 151145ca1b86SEd Tanous { 151245ca1b86SEd Tanous return; 151345ca1b86SEd Tanous } 15144c7d4d33SEd Tanous asyncResp->res.addHeader( 15154c7d4d33SEd Tanous boost::beast::http::field::link, 15164c7d4d33SEd Tanous "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby"); 15174c7d4d33SEd Tanous } 15184c7d4d33SEd Tanous 15194c7d4d33SEd Tanous inline void handleAccountCollectionGet( 15204c7d4d33SEd Tanous App& app, const crow::Request& req, 15214c7d4d33SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 15224c7d4d33SEd Tanous { 1523afd369c6SJiaqing Zhao if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1524afd369c6SJiaqing Zhao { 1525afd369c6SJiaqing Zhao return; 1526afd369c6SJiaqing Zhao } 15273e72c202SNinad Palsule 15283e72c202SNinad Palsule if (req.session == nullptr) 15293e72c202SNinad Palsule { 15303e72c202SNinad Palsule messages::internalError(asyncResp->res); 15313e72c202SNinad Palsule return; 15323e72c202SNinad Palsule } 15333e72c202SNinad Palsule 1534afd369c6SJiaqing Zhao asyncResp->res.addHeader( 1535afd369c6SJiaqing Zhao boost::beast::http::field::link, 1536afd369c6SJiaqing Zhao "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby"); 15371476687dSEd Tanous 15381476687dSEd Tanous asyncResp->res.jsonValue["@odata.id"] = 15391476687dSEd Tanous "/redfish/v1/AccountService/Accounts"; 15401ef4c342SEd Tanous asyncResp->res.jsonValue["@odata.type"] = "#ManagerAccountCollection." 15411476687dSEd Tanous "ManagerAccountCollection"; 15421476687dSEd Tanous asyncResp->res.jsonValue["Name"] = "Accounts Collection"; 15431476687dSEd Tanous asyncResp->res.jsonValue["Description"] = "BMC User Accounts"; 15440f74e643SEd Tanous 15456c51eab1SEd Tanous Privileges effectiveUserPrivileges = 15463e72c202SNinad Palsule redfish::getUserPrivileges(*req.session); 15476c51eab1SEd Tanous 1548f5e29f33SJunLin Chen std::string thisUser; 1549f5e29f33SJunLin Chen if (req.session) 1550f5e29f33SJunLin Chen { 1551f5e29f33SJunLin Chen thisUser = req.session->username; 1552f5e29f33SJunLin Chen } 15535eb468daSGeorge Liu sdbusplus::message::object_path path("/xyz/openbmc_project/user"); 15545eb468daSGeorge Liu dbus::utility::getManagedObjects( 15555eb468daSGeorge Liu "xyz.openbmc_project.User.Manager", path, 1556cef1ddfbSEd Tanous [asyncResp, thisUser, effectiveUserPrivileges]( 15575e7e2dc5SEd Tanous const boost::system::error_code& ec, 1558711ac7a9SEd Tanous const dbus::utility::ManagedObjectType& users) { 1559b9b2e0b2SEd Tanous if (ec) 1560b9b2e0b2SEd Tanous { 1561f12894f8SJason M. Bills messages::internalError(asyncResp->res); 1562b9b2e0b2SEd Tanous return; 1563b9b2e0b2SEd Tanous } 1564b9b2e0b2SEd Tanous 1565cef1ddfbSEd Tanous bool userCanSeeAllAccounts = 1566002d39b4SEd Tanous effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"}); 1567cef1ddfbSEd Tanous 1568cef1ddfbSEd Tanous bool userCanSeeSelf = 1569002d39b4SEd Tanous effectiveUserPrivileges.isSupersetOf({"ConfigureSelf"}); 1570cef1ddfbSEd Tanous 1571002d39b4SEd Tanous nlohmann::json& memberArray = asyncResp->res.jsonValue["Members"]; 1572b9b2e0b2SEd Tanous memberArray = nlohmann::json::array(); 1573b9b2e0b2SEd Tanous 15749eb808c1SEd Tanous for (const auto& userpath : users) 1575b9b2e0b2SEd Tanous { 15762dfd18efSEd Tanous std::string user = userpath.first.filename(); 15772dfd18efSEd Tanous if (user.empty()) 1578b9b2e0b2SEd Tanous { 15792dfd18efSEd Tanous messages::internalError(asyncResp->res); 158062598e31SEd Tanous BMCWEB_LOG_ERROR("Invalid firmware ID"); 15812dfd18efSEd Tanous 15822dfd18efSEd Tanous return; 1583b9b2e0b2SEd Tanous } 1584f365910cSGunnar Mills 1585f365910cSGunnar Mills // As clarified by Redfish here: 1586f365910cSGunnar Mills // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration 15876c51eab1SEd Tanous // Users without ConfigureUsers, only see their own 15886c51eab1SEd Tanous // account. Users with ConfigureUsers, see all 15896c51eab1SEd Tanous // accounts. 15901ef4c342SEd Tanous if (userCanSeeAllAccounts || (thisUser == user && userCanSeeSelf)) 1591f365910cSGunnar Mills { 15921476687dSEd Tanous nlohmann::json::object_t member; 15933b32780dSEd Tanous member["@odata.id"] = boost::urls::format( 15943b32780dSEd Tanous "/redfish/v1/AccountService/Accounts/{}", user); 1595b2ba3072SPatrick Williams memberArray.emplace_back(std::move(member)); 1596b9b2e0b2SEd Tanous } 1597f365910cSGunnar Mills } 15981ef4c342SEd Tanous asyncResp->res.jsonValue["Members@odata.count"] = memberArray.size(); 15995eb468daSGeorge Liu }); 16001ef4c342SEd Tanous } 16016c51eab1SEd Tanous 160297e90da3SNinad Palsule inline void processAfterCreateUser( 160397e90da3SNinad Palsule const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 160497e90da3SNinad Palsule const std::string& username, const std::string& password, 160597e90da3SNinad Palsule const boost::system::error_code& ec, sdbusplus::message_t& m) 160697e90da3SNinad Palsule { 160797e90da3SNinad Palsule if (ec) 160897e90da3SNinad Palsule { 160997e90da3SNinad Palsule userErrorMessageHandler(m.get_error(), asyncResp, username, ""); 161097e90da3SNinad Palsule return; 161197e90da3SNinad Palsule } 161297e90da3SNinad Palsule 161397e90da3SNinad Palsule if (pamUpdatePassword(username, password) != PAM_SUCCESS) 161497e90da3SNinad Palsule { 161597e90da3SNinad Palsule // At this point we have a user that's been 161697e90da3SNinad Palsule // created, but the password set 161797e90da3SNinad Palsule // failed.Something is wrong, so delete the user 161897e90da3SNinad Palsule // that we've already created 161997e90da3SNinad Palsule sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 162097e90da3SNinad Palsule tempObjPath /= username; 162197e90da3SNinad Palsule const std::string userPath(tempObjPath); 162297e90da3SNinad Palsule 162397e90da3SNinad Palsule crow::connections::systemBus->async_method_call( 162497e90da3SNinad Palsule [asyncResp, password](const boost::system::error_code& ec3) { 162597e90da3SNinad Palsule if (ec3) 162697e90da3SNinad Palsule { 162797e90da3SNinad Palsule messages::internalError(asyncResp->res); 162897e90da3SNinad Palsule return; 162997e90da3SNinad Palsule } 163097e90da3SNinad Palsule 163197e90da3SNinad Palsule // If password is invalid 16329bd80831SJason M. Bills messages::propertyValueFormatError(asyncResp->res, nullptr, 163397e90da3SNinad Palsule "Password"); 163497e90da3SNinad Palsule }, 163597e90da3SNinad Palsule "xyz.openbmc_project.User.Manager", userPath, 163697e90da3SNinad Palsule "xyz.openbmc_project.Object.Delete", "Delete"); 163797e90da3SNinad Palsule 163862598e31SEd Tanous BMCWEB_LOG_ERROR("pamUpdatePassword Failed"); 163997e90da3SNinad Palsule return; 164097e90da3SNinad Palsule } 164197e90da3SNinad Palsule 164297e90da3SNinad Palsule messages::created(asyncResp->res); 164397e90da3SNinad Palsule asyncResp->res.addHeader("Location", 164497e90da3SNinad Palsule "/redfish/v1/AccountService/Accounts/" + username); 164597e90da3SNinad Palsule } 164697e90da3SNinad Palsule 164797e90da3SNinad Palsule inline void processAfterGetAllGroups( 164897e90da3SNinad Palsule const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 164997e90da3SNinad Palsule const std::string& username, const std::string& password, 1650e01d0c36SEd Tanous const std::string& roleId, bool enabled, 16519ba73934SNinad Palsule std::optional<std::vector<std::string>> accountTypes, 165297e90da3SNinad Palsule const std::vector<std::string>& allGroupsList) 165397e90da3SNinad Palsule { 16543e72c202SNinad Palsule std::vector<std::string> userGroups; 16559ba73934SNinad Palsule std::vector<std::string> accountTypeUserGroups; 16569ba73934SNinad Palsule 16579ba73934SNinad Palsule // If user specified account types then convert them to unix user groups 16589ba73934SNinad Palsule if (accountTypes) 16599ba73934SNinad Palsule { 16609ba73934SNinad Palsule if (!getUserGroupFromAccountType(asyncResp->res, *accountTypes, 16619ba73934SNinad Palsule accountTypeUserGroups)) 16629ba73934SNinad Palsule { 16639ba73934SNinad Palsule // Problem in mapping Account Types to User Groups, Error already 16649ba73934SNinad Palsule // logged. 16659ba73934SNinad Palsule return; 16669ba73934SNinad Palsule } 16679ba73934SNinad Palsule } 16689ba73934SNinad Palsule 16693e72c202SNinad Palsule for (const auto& grp : allGroupsList) 16703e72c202SNinad Palsule { 16719ba73934SNinad Palsule // If user specified the account type then only accept groups which are 16729ba73934SNinad Palsule // in the account types group list. 16739ba73934SNinad Palsule if (!accountTypeUserGroups.empty()) 16749ba73934SNinad Palsule { 16759ba73934SNinad Palsule bool found = false; 16769ba73934SNinad Palsule for (const auto& grp1 : accountTypeUserGroups) 16779ba73934SNinad Palsule { 16789ba73934SNinad Palsule if (grp == grp1) 16799ba73934SNinad Palsule { 16809ba73934SNinad Palsule found = true; 16819ba73934SNinad Palsule break; 16829ba73934SNinad Palsule } 16839ba73934SNinad Palsule } 16849ba73934SNinad Palsule if (!found) 16859ba73934SNinad Palsule { 16869ba73934SNinad Palsule continue; 16879ba73934SNinad Palsule } 16889ba73934SNinad Palsule } 16899ba73934SNinad Palsule 16903e72c202SNinad Palsule // Console access is provided to the user who is a member of 16913e72c202SNinad Palsule // hostconsole group and has a administrator role. So, set 16923e72c202SNinad Palsule // hostconsole group only for the administrator. 16939ba73934SNinad Palsule if ((grp == "hostconsole") && (roleId != "priv-admin")) 16943e72c202SNinad Palsule { 16959ba73934SNinad Palsule if (!accountTypeUserGroups.empty()) 16969ba73934SNinad Palsule { 169762598e31SEd Tanous BMCWEB_LOG_ERROR( 169862598e31SEd Tanous "Only administrator can get HostConsole access"); 16999ba73934SNinad Palsule asyncResp->res.result(boost::beast::http::status::bad_request); 17009ba73934SNinad Palsule return; 17019ba73934SNinad Palsule } 17029ba73934SNinad Palsule continue; 17039ba73934SNinad Palsule } 17043e72c202SNinad Palsule userGroups.emplace_back(grp); 17053e72c202SNinad Palsule } 17069ba73934SNinad Palsule 17079ba73934SNinad Palsule // Make sure user specified groups are valid. This is internal error because 17089ba73934SNinad Palsule // it some inconsistencies between user manager and bmcweb. 17099ba73934SNinad Palsule if (!accountTypeUserGroups.empty() && 17109ba73934SNinad Palsule accountTypeUserGroups.size() != userGroups.size()) 17119ba73934SNinad Palsule { 17129ba73934SNinad Palsule messages::internalError(asyncResp->res); 17139ba73934SNinad Palsule return; 17143e72c202SNinad Palsule } 171597e90da3SNinad Palsule crow::connections::systemBus->async_method_call( 171697e90da3SNinad Palsule [asyncResp, username, password](const boost::system::error_code& ec2, 171797e90da3SNinad Palsule sdbusplus::message_t& m) { 171897e90da3SNinad Palsule processAfterCreateUser(asyncResp, username, password, ec2, m); 171997e90da3SNinad Palsule }, 172097e90da3SNinad Palsule "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 17213e72c202SNinad Palsule "xyz.openbmc_project.User.Manager", "CreateUser", username, userGroups, 1722e01d0c36SEd Tanous roleId, enabled); 172397e90da3SNinad Palsule } 172497e90da3SNinad Palsule 17251ef4c342SEd Tanous inline void handleAccountCollectionPost( 17261ef4c342SEd Tanous App& app, const crow::Request& req, 17271ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 17281ef4c342SEd Tanous { 17293ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 173045ca1b86SEd Tanous { 173145ca1b86SEd Tanous return; 173245ca1b86SEd Tanous } 17339712f8acSEd Tanous std::string username; 17349712f8acSEd Tanous std::string password; 1735e01d0c36SEd Tanous std::optional<std::string> roleIdJson; 1736e01d0c36SEd Tanous std::optional<bool> enabledJson; 17379ba73934SNinad Palsule std::optional<std::vector<std::string>> accountTypes; 1738e01d0c36SEd Tanous if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", username, 1739e01d0c36SEd Tanous "Password", password, "RoleId", roleIdJson, 1740e01d0c36SEd Tanous "Enabled", enabledJson, "AccountTypes", 1741e01d0c36SEd Tanous accountTypes)) 174204ae99ecSEd Tanous { 174304ae99ecSEd Tanous return; 174404ae99ecSEd Tanous } 174504ae99ecSEd Tanous 1746e01d0c36SEd Tanous std::string roleId = roleIdJson.value_or("User"); 1747e01d0c36SEd Tanous std::string priv = getPrivilegeFromRoleId(roleId); 174884e12cb7SAppaRao Puli if (priv.empty()) 174904ae99ecSEd Tanous { 1750e01d0c36SEd Tanous messages::propertyValueNotInList(asyncResp->res, roleId, "RoleId"); 175104ae99ecSEd Tanous return; 175204ae99ecSEd Tanous } 17539712f8acSEd Tanous roleId = priv; 175404ae99ecSEd Tanous 1755e01d0c36SEd Tanous bool enabled = enabledJson.value_or(true); 1756e01d0c36SEd Tanous 1757599c71d8SAyushi Smriti // Reading AllGroups property 17581e1e598dSJonathan Doman sdbusplus::asio::getProperty<std::vector<std::string>>( 17591ef4c342SEd Tanous *crow::connections::systemBus, "xyz.openbmc_project.User.Manager", 17601ef4c342SEd Tanous "/xyz/openbmc_project/user", "xyz.openbmc_project.User.Manager", 17611ef4c342SEd Tanous "AllGroups", 17629ba73934SNinad Palsule [asyncResp, username, password{std::move(password)}, roleId, enabled, 17639ba73934SNinad Palsule accountTypes](const boost::system::error_code& ec, 17641e1e598dSJonathan Doman const std::vector<std::string>& allGroupsList) { 1765599c71d8SAyushi Smriti if (ec) 1766599c71d8SAyushi Smriti { 176762598e31SEd Tanous BMCWEB_LOG_DEBUG("ERROR with async_method_call"); 1768599c71d8SAyushi Smriti messages::internalError(asyncResp->res); 1769599c71d8SAyushi Smriti return; 1770599c71d8SAyushi Smriti } 1771599c71d8SAyushi Smriti 17721e1e598dSJonathan Doman if (allGroupsList.empty()) 1773599c71d8SAyushi Smriti { 1774599c71d8SAyushi Smriti messages::internalError(asyncResp->res); 1775599c71d8SAyushi Smriti return; 1776599c71d8SAyushi Smriti } 1777599c71d8SAyushi Smriti 177897e90da3SNinad Palsule processAfterGetAllGroups(asyncResp, username, password, roleId, enabled, 17799ba73934SNinad Palsule accountTypes, allGroupsList); 17801e1e598dSJonathan Doman }); 17811ef4c342SEd Tanous } 1782b9b2e0b2SEd Tanous 17831ef4c342SEd Tanous inline void 17844c7d4d33SEd Tanous handleAccountHead(App& app, const crow::Request& req, 17856c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 17864c7d4d33SEd Tanous const std::string& /*accountName*/) 17871ef4c342SEd Tanous { 17883ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 178945ca1b86SEd Tanous { 179045ca1b86SEd Tanous return; 179145ca1b86SEd Tanous } 17924c7d4d33SEd Tanous asyncResp->res.addHeader( 17934c7d4d33SEd Tanous boost::beast::http::field::link, 17944c7d4d33SEd Tanous "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby"); 17954c7d4d33SEd Tanous } 1796afd369c6SJiaqing Zhao 17974c7d4d33SEd Tanous inline void 17984c7d4d33SEd Tanous handleAccountGet(App& app, const crow::Request& req, 17994c7d4d33SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 18004c7d4d33SEd Tanous const std::string& accountName) 18014c7d4d33SEd Tanous { 1802afd369c6SJiaqing Zhao if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1803afd369c6SJiaqing Zhao { 1804afd369c6SJiaqing Zhao return; 1805afd369c6SJiaqing Zhao } 1806afd369c6SJiaqing Zhao asyncResp->res.addHeader( 1807afd369c6SJiaqing Zhao boost::beast::http::field::link, 1808afd369c6SJiaqing Zhao "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby"); 1809afd369c6SJiaqing Zhao 181025b54dbaSEd Tanous if constexpr (BMCWEB_INSECURE_DISABLE_AUTH) 181125b54dbaSEd Tanous { 1812031514fbSJunLin Chen // If authentication is disabled, there are no user accounts 181325b54dbaSEd Tanous messages::resourceNotFound(asyncResp->res, "ManagerAccount", 181425b54dbaSEd Tanous accountName); 1815031514fbSJunLin Chen return; 181625b54dbaSEd Tanous } 1817afd369c6SJiaqing Zhao 1818031514fbSJunLin Chen if (req.session == nullptr) 1819031514fbSJunLin Chen { 1820031514fbSJunLin Chen messages::internalError(asyncResp->res); 1821031514fbSJunLin Chen return; 1822031514fbSJunLin Chen } 18236c51eab1SEd Tanous if (req.session->username != accountName) 1824b9b2e0b2SEd Tanous { 18256c51eab1SEd Tanous // At this point we've determined that the user is trying to 18261ef4c342SEd Tanous // modify a user that isn't them. We need to verify that they 18271ef4c342SEd Tanous // have permissions to modify other users, so re-run the auth 18281ef4c342SEd Tanous // check with the same permissions, minus ConfigureSelf. 18296c51eab1SEd Tanous Privileges effectiveUserPrivileges = 18303e72c202SNinad Palsule redfish::getUserPrivileges(*req.session); 18311ef4c342SEd Tanous Privileges requiredPermissionsToChangeNonSelf = {"ConfigureUsers", 18321ef4c342SEd Tanous "ConfigureManager"}; 18336c51eab1SEd Tanous if (!effectiveUserPrivileges.isSupersetOf( 18346c51eab1SEd Tanous requiredPermissionsToChangeNonSelf)) 1835900f9497SJoseph Reynolds { 183662598e31SEd Tanous BMCWEB_LOG_DEBUG("GET Account denied access"); 1837900f9497SJoseph Reynolds messages::insufficientPrivilege(asyncResp->res); 1838900f9497SJoseph Reynolds return; 1839900f9497SJoseph Reynolds } 1840900f9497SJoseph Reynolds } 1841900f9497SJoseph Reynolds 18425eb468daSGeorge Liu sdbusplus::message::object_path path("/xyz/openbmc_project/user"); 18435eb468daSGeorge Liu dbus::utility::getManagedObjects( 18445eb468daSGeorge Liu "xyz.openbmc_project.User.Manager", path, 18451ef4c342SEd Tanous [asyncResp, 18465e7e2dc5SEd Tanous accountName](const boost::system::error_code& ec, 1847711ac7a9SEd Tanous const dbus::utility::ManagedObjectType& users) { 1848b9b2e0b2SEd Tanous if (ec) 1849b9b2e0b2SEd Tanous { 1850f12894f8SJason M. Bills messages::internalError(asyncResp->res); 1851b9b2e0b2SEd Tanous return; 1852b9b2e0b2SEd Tanous } 18533544d2a7SEd Tanous const auto userIt = std::ranges::find_if( 185480f79a40SMichael Shen users, 185580f79a40SMichael Shen [accountName]( 1856b477fd44SP Dheeraj Srujan Kumar const std::pair<sdbusplus::message::object_path, 185780f79a40SMichael Shen dbus::utility::DBusInterfacesMap>& user) { 185855f79e6fSEd Tanous return accountName == user.first.filename(); 1859b477fd44SP Dheeraj Srujan Kumar }); 1860b9b2e0b2SEd Tanous 186184e12cb7SAppaRao Puli if (userIt == users.end()) 1862b9b2e0b2SEd Tanous { 1863002d39b4SEd Tanous messages::resourceNotFound(asyncResp->res, "ManagerAccount", 1864002d39b4SEd Tanous accountName); 186584e12cb7SAppaRao Puli return; 186684e12cb7SAppaRao Puli } 18674e68c45bSAyushi Smriti 18681476687dSEd Tanous asyncResp->res.jsonValue["@odata.type"] = 186958345856SAbhishek Patel "#ManagerAccount.v1_7_0.ManagerAccount"; 18701476687dSEd Tanous asyncResp->res.jsonValue["Name"] = "User Account"; 18711476687dSEd Tanous asyncResp->res.jsonValue["Description"] = "User Account"; 18721476687dSEd Tanous asyncResp->res.jsonValue["Password"] = nullptr; 187358345856SAbhishek Patel asyncResp->res.jsonValue["StrictAccountTypes"] = true; 18744e68c45bSAyushi Smriti 187584e12cb7SAppaRao Puli for (const auto& interface : userIt->second) 187665b0dc32SEd Tanous { 1877002d39b4SEd Tanous if (interface.first == "xyz.openbmc_project.User.Attributes") 187865b0dc32SEd Tanous { 187965b0dc32SEd Tanous for (const auto& property : interface.second) 188065b0dc32SEd Tanous { 188165b0dc32SEd Tanous if (property.first == "UserEnabled") 188265b0dc32SEd Tanous { 188365b0dc32SEd Tanous const bool* userEnabled = 1884abf2add6SEd Tanous std::get_if<bool>(&property.second); 188565b0dc32SEd Tanous if (userEnabled == nullptr) 188665b0dc32SEd Tanous { 188762598e31SEd Tanous BMCWEB_LOG_ERROR("UserEnabled wasn't a bool"); 188884e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 188984e12cb7SAppaRao Puli return; 189065b0dc32SEd Tanous } 1891002d39b4SEd Tanous asyncResp->res.jsonValue["Enabled"] = *userEnabled; 189265b0dc32SEd Tanous } 1893002d39b4SEd Tanous else if (property.first == "UserLockedForFailedAttempt") 189465b0dc32SEd Tanous { 189565b0dc32SEd Tanous const bool* userLocked = 1896abf2add6SEd Tanous std::get_if<bool>(&property.second); 189765b0dc32SEd Tanous if (userLocked == nullptr) 189865b0dc32SEd Tanous { 189962598e31SEd Tanous BMCWEB_LOG_ERROR("UserLockedForF" 190084e12cb7SAppaRao Puli "ailedAttempt " 190162598e31SEd Tanous "wasn't a bool"); 190284e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 190384e12cb7SAppaRao Puli return; 190465b0dc32SEd Tanous } 1905002d39b4SEd Tanous asyncResp->res.jsonValue["Locked"] = *userLocked; 1906002d39b4SEd Tanous asyncResp->res 1907002d39b4SEd Tanous .jsonValue["Locked@Redfish.AllowableValues"] = { 19083bf4e632SJoseph Reynolds "false"}; // can only unlock accounts 190965b0dc32SEd Tanous } 191084e12cb7SAppaRao Puli else if (property.first == "UserPrivilege") 191184e12cb7SAppaRao Puli { 191254fc587aSNagaraju Goruganti const std::string* userPrivPtr = 1913002d39b4SEd Tanous std::get_if<std::string>(&property.second); 191454fc587aSNagaraju Goruganti if (userPrivPtr == nullptr) 191584e12cb7SAppaRao Puli { 191662598e31SEd Tanous BMCWEB_LOG_ERROR("UserPrivilege wasn't a " 191762598e31SEd Tanous "string"); 191884e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 191984e12cb7SAppaRao Puli return; 192084e12cb7SAppaRao Puli } 19211ef4c342SEd Tanous std::string role = getRoleIdFromPrivilege(*userPrivPtr); 192254fc587aSNagaraju Goruganti if (role.empty()) 192384e12cb7SAppaRao Puli { 192462598e31SEd Tanous BMCWEB_LOG_ERROR("Invalid user role"); 192584e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 192684e12cb7SAppaRao Puli return; 192784e12cb7SAppaRao Puli } 192854fc587aSNagaraju Goruganti asyncResp->res.jsonValue["RoleId"] = role; 192984e12cb7SAppaRao Puli 19301476687dSEd Tanous nlohmann::json& roleEntry = 1931002d39b4SEd Tanous asyncResp->res.jsonValue["Links"]["Role"]; 19323b32780dSEd Tanous roleEntry["@odata.id"] = boost::urls::format( 19333b32780dSEd Tanous "/redfish/v1/AccountService/Roles/{}", role); 193484e12cb7SAppaRao Puli } 1935002d39b4SEd Tanous else if (property.first == "UserPasswordExpired") 19363bf4e632SJoseph Reynolds { 19373bf4e632SJoseph Reynolds const bool* userPasswordExpired = 19383bf4e632SJoseph Reynolds std::get_if<bool>(&property.second); 19393bf4e632SJoseph Reynolds if (userPasswordExpired == nullptr) 19403bf4e632SJoseph Reynolds { 194162598e31SEd Tanous BMCWEB_LOG_ERROR( 194262598e31SEd Tanous "UserPasswordExpired wasn't a bool"); 19433bf4e632SJoseph Reynolds messages::internalError(asyncResp->res); 19443bf4e632SJoseph Reynolds return; 19453bf4e632SJoseph Reynolds } 1946002d39b4SEd Tanous asyncResp->res.jsonValue["PasswordChangeRequired"] = 19473bf4e632SJoseph Reynolds *userPasswordExpired; 19483bf4e632SJoseph Reynolds } 1949c7229815SAbhishek Patel else if (property.first == "UserGroups") 1950c7229815SAbhishek Patel { 1951c7229815SAbhishek Patel const std::vector<std::string>* userGroups = 1952c7229815SAbhishek Patel std::get_if<std::vector<std::string>>( 1953c7229815SAbhishek Patel &property.second); 1954c7229815SAbhishek Patel if (userGroups == nullptr) 1955c7229815SAbhishek Patel { 195662598e31SEd Tanous BMCWEB_LOG_ERROR( 195762598e31SEd Tanous "userGroups wasn't a string vector"); 1958c7229815SAbhishek Patel messages::internalError(asyncResp->res); 1959c7229815SAbhishek Patel return; 1960c7229815SAbhishek Patel } 1961c7229815SAbhishek Patel if (!translateUserGroup(*userGroups, asyncResp->res)) 1962c7229815SAbhishek Patel { 196362598e31SEd Tanous BMCWEB_LOG_ERROR("userGroups mapping failed"); 1964c7229815SAbhishek Patel messages::internalError(asyncResp->res); 1965c7229815SAbhishek Patel return; 1966c7229815SAbhishek Patel } 1967c7229815SAbhishek Patel } 196865b0dc32SEd Tanous } 196965b0dc32SEd Tanous } 197065b0dc32SEd Tanous } 197165b0dc32SEd Tanous 19723b32780dSEd Tanous asyncResp->res.jsonValue["@odata.id"] = boost::urls::format( 19733b32780dSEd Tanous "/redfish/v1/AccountService/Accounts/{}", accountName); 1974b9b2e0b2SEd Tanous asyncResp->res.jsonValue["Id"] = accountName; 1975b9b2e0b2SEd Tanous asyncResp->res.jsonValue["UserName"] = accountName; 19765eb468daSGeorge Liu }); 19771ef4c342SEd Tanous } 1978a840879dSEd Tanous 19791ef4c342SEd Tanous inline void 198020fc307fSGunnar Mills handleAccountDelete(App& app, const crow::Request& req, 19816c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 19821ef4c342SEd Tanous const std::string& username) 19831ef4c342SEd Tanous { 19843ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 198545ca1b86SEd Tanous { 198645ca1b86SEd Tanous return; 198745ca1b86SEd Tanous } 19881ef4c342SEd Tanous 198925b54dbaSEd Tanous if constexpr (BMCWEB_INSECURE_DISABLE_AUTH) 199025b54dbaSEd Tanous { 1991031514fbSJunLin Chen // If authentication is disabled, there are no user accounts 1992d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", username); 1993031514fbSJunLin Chen return; 199425b54dbaSEd Tanous } 19951ef4c342SEd Tanous sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 19961ef4c342SEd Tanous tempObjPath /= username; 19971ef4c342SEd Tanous const std::string userPath(tempObjPath); 19981ef4c342SEd Tanous 19991ef4c342SEd Tanous crow::connections::systemBus->async_method_call( 20005e7e2dc5SEd Tanous [asyncResp, username](const boost::system::error_code& ec) { 20011ef4c342SEd Tanous if (ec) 20021ef4c342SEd Tanous { 2003d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", 20041ef4c342SEd Tanous username); 20051ef4c342SEd Tanous return; 20061ef4c342SEd Tanous } 20071ef4c342SEd Tanous 20081ef4c342SEd Tanous messages::accountRemoved(asyncResp->res); 20091ef4c342SEd Tanous }, 20101ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", userPath, 20111ef4c342SEd Tanous "xyz.openbmc_project.Object.Delete", "Delete"); 20121ef4c342SEd Tanous } 20131ef4c342SEd Tanous 20141ef4c342SEd Tanous inline void 20151ef4c342SEd Tanous handleAccountPatch(App& app, const crow::Request& req, 20161ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 20171ef4c342SEd Tanous const std::string& username) 20181ef4c342SEd Tanous { 20191ef4c342SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 20201ef4c342SEd Tanous { 20211ef4c342SEd Tanous return; 20221ef4c342SEd Tanous } 202325b54dbaSEd Tanous if constexpr (BMCWEB_INSECURE_DISABLE_AUTH) 202425b54dbaSEd Tanous { 20251ef4c342SEd Tanous // If authentication is disabled, there are no user accounts 2026d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", username); 20271ef4c342SEd Tanous return; 202825b54dbaSEd Tanous } 2029a24526dcSEd Tanous std::optional<std::string> newUserName; 2030a24526dcSEd Tanous std::optional<std::string> password; 2031a24526dcSEd Tanous std::optional<bool> enabled; 2032a24526dcSEd Tanous std::optional<std::string> roleId; 203324c8542dSRatan Gupta std::optional<bool> locked; 203458345856SAbhishek Patel std::optional<std::vector<std::string>> accountTypes; 203558345856SAbhishek Patel 2036031514fbSJunLin Chen if (req.session == nullptr) 2037031514fbSJunLin Chen { 2038031514fbSJunLin Chen messages::internalError(asyncResp->res); 2039031514fbSJunLin Chen return; 2040031514fbSJunLin Chen } 2041031514fbSJunLin Chen 20422b9c1dfeSEd Tanous bool userSelf = (username == req.session->username); 20432b9c1dfeSEd Tanous 2044e9cc5172SEd Tanous Privileges effectiveUserPrivileges = 20453e72c202SNinad Palsule redfish::getUserPrivileges(*req.session); 2046e9cc5172SEd Tanous Privileges configureUsers = {"ConfigureUsers"}; 2047e9cc5172SEd Tanous bool userHasConfigureUsers = 2048e9cc5172SEd Tanous effectiveUserPrivileges.isSupersetOf(configureUsers); 2049e9cc5172SEd Tanous if (userHasConfigureUsers) 2050e9cc5172SEd Tanous { 2051e9cc5172SEd Tanous // Users with ConfigureUsers can modify for all users 205258345856SAbhishek Patel if (!json_util::readJsonPatch( 205358345856SAbhishek Patel req, asyncResp->res, "UserName", newUserName, "Password", 205458345856SAbhishek Patel password, "RoleId", roleId, "Enabled", enabled, "Locked", 205558345856SAbhishek Patel locked, "AccountTypes", accountTypes)) 2056a840879dSEd Tanous { 2057a840879dSEd Tanous return; 2058a840879dSEd Tanous } 2059e9cc5172SEd Tanous } 2060e9cc5172SEd Tanous else 2061900f9497SJoseph Reynolds { 2062e9cc5172SEd Tanous // ConfigureSelf accounts can only modify their own account 206358345856SAbhishek Patel if (!userSelf) 2064900f9497SJoseph Reynolds { 2065900f9497SJoseph Reynolds messages::insufficientPrivilege(asyncResp->res); 2066900f9497SJoseph Reynolds return; 2067900f9497SJoseph Reynolds } 2068031514fbSJunLin Chen 2069e9cc5172SEd Tanous // ConfigureSelf accounts can only modify their password 20701ef4c342SEd Tanous if (!json_util::readJsonPatch(req, asyncResp->res, "Password", 20711ef4c342SEd Tanous password)) 2072e9cc5172SEd Tanous { 2073e9cc5172SEd Tanous return; 2074e9cc5172SEd Tanous } 2075900f9497SJoseph Reynolds } 2076900f9497SJoseph Reynolds 207766b5ca76Sjayaprakash Mutyala // if user name is not provided in the patch method or if it 20786c51eab1SEd Tanous // matches the user name in the URI, then we are treating it as 20796c51eab1SEd Tanous // updating user properties other then username. If username 20806c51eab1SEd Tanous // provided doesn't match the URI, then we are treating this as 20816c51eab1SEd Tanous // user rename request. 208266b5ca76Sjayaprakash Mutyala if (!newUserName || (newUserName.value() == username)) 2083a840879dSEd Tanous { 20841ef4c342SEd Tanous updateUserProperties(asyncResp, username, password, enabled, roleId, 208558345856SAbhishek Patel locked, accountTypes, userSelf); 208684e12cb7SAppaRao Puli return; 208784e12cb7SAppaRao Puli } 208884e12cb7SAppaRao Puli crow::connections::systemBus->async_method_call( 20896c51eab1SEd Tanous [asyncResp, username, password(std::move(password)), 20901ef4c342SEd Tanous roleId(std::move(roleId)), enabled, newUser{std::string(*newUserName)}, 209158345856SAbhishek Patel locked, userSelf, accountTypes(std::move(accountTypes))]( 2092e81de512SEd Tanous const boost::system::error_code& ec, sdbusplus::message_t& m) { 209384e12cb7SAppaRao Puli if (ec) 209484e12cb7SAppaRao Puli { 2095002d39b4SEd Tanous userErrorMessageHandler(m.get_error(), asyncResp, newUser, 2096002d39b4SEd Tanous username); 2097a840879dSEd Tanous return; 2098a840879dSEd Tanous } 2099a840879dSEd Tanous 2100002d39b4SEd Tanous updateUserProperties(asyncResp, newUser, password, enabled, roleId, 210158345856SAbhishek Patel locked, accountTypes, userSelf); 210284e12cb7SAppaRao Puli }, 21031ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 210484e12cb7SAppaRao Puli "xyz.openbmc_project.User.Manager", "RenameUser", username, 210584e12cb7SAppaRao Puli *newUserName); 21061ef4c342SEd Tanous } 21071ef4c342SEd Tanous 21081ef4c342SEd Tanous inline void requestAccountServiceRoutes(App& app) 21091ef4c342SEd Tanous { 21101ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 21114c7d4d33SEd Tanous .privileges(redfish::privileges::headAccountService) 21124c7d4d33SEd Tanous .methods(boost::beast::http::verb::head)( 21134c7d4d33SEd Tanous std::bind_front(handleAccountServiceHead, std::ref(app))); 21144c7d4d33SEd Tanous 21154c7d4d33SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 21161ef4c342SEd Tanous .privileges(redfish::privileges::getAccountService) 21171ef4c342SEd Tanous .methods(boost::beast::http::verb::get)( 21181ef4c342SEd Tanous std::bind_front(handleAccountServiceGet, std::ref(app))); 21191ef4c342SEd Tanous 21201ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 21211ef4c342SEd Tanous .privileges(redfish::privileges::patchAccountService) 21221ef4c342SEd Tanous .methods(boost::beast::http::verb::patch)( 21231ef4c342SEd Tanous std::bind_front(handleAccountServicePatch, std::ref(app))); 21241ef4c342SEd Tanous 2125*1aa375b8SEd Tanous BMCWEB_ROUTE( 2126*1aa375b8SEd Tanous app, 2127*1aa375b8SEd Tanous "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates") 2128*1aa375b8SEd Tanous .privileges(redfish::privileges::headCertificateCollection) 2129*1aa375b8SEd Tanous .methods(boost::beast::http::verb::head)(std::bind_front( 2130*1aa375b8SEd Tanous handleAccountServiceClientCertificatesHead, std::ref(app))); 2131*1aa375b8SEd Tanous 2132*1aa375b8SEd Tanous BMCWEB_ROUTE( 2133*1aa375b8SEd Tanous app, 2134*1aa375b8SEd Tanous "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates") 2135*1aa375b8SEd Tanous .privileges(redfish::privileges::getCertificateCollection) 2136*1aa375b8SEd Tanous .methods(boost::beast::http::verb::get)(std::bind_front( 2137*1aa375b8SEd Tanous handleAccountServiceClientCertificatesGet, std::ref(app))); 2138*1aa375b8SEd Tanous 2139*1aa375b8SEd Tanous BMCWEB_ROUTE( 2140*1aa375b8SEd Tanous app, 2141*1aa375b8SEd Tanous "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/<str>") 2142*1aa375b8SEd Tanous .privileges(redfish::privileges::headCertificate) 2143*1aa375b8SEd Tanous .methods(boost::beast::http::verb::head)(std::bind_front( 2144*1aa375b8SEd Tanous handleAccountServiceClientCertificatesInstanceHead, std::ref(app))); 2145*1aa375b8SEd Tanous 2146*1aa375b8SEd Tanous BMCWEB_ROUTE( 2147*1aa375b8SEd Tanous app, 2148*1aa375b8SEd Tanous "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/<str>/") 2149*1aa375b8SEd Tanous .privileges(redfish::privileges::getCertificate) 2150*1aa375b8SEd Tanous .methods(boost::beast::http::verb::get)(std::bind_front( 2151*1aa375b8SEd Tanous handleAccountServiceClientCertificatesInstanceGet, std::ref(app))); 2152*1aa375b8SEd Tanous 21531ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 21544c7d4d33SEd Tanous .privileges(redfish::privileges::headManagerAccountCollection) 21554c7d4d33SEd Tanous .methods(boost::beast::http::verb::head)( 21564c7d4d33SEd Tanous std::bind_front(handleAccountCollectionHead, std::ref(app))); 21574c7d4d33SEd Tanous 21584c7d4d33SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 21591ef4c342SEd Tanous .privileges(redfish::privileges::getManagerAccountCollection) 21601ef4c342SEd Tanous .methods(boost::beast::http::verb::get)( 21611ef4c342SEd Tanous std::bind_front(handleAccountCollectionGet, std::ref(app))); 21621ef4c342SEd Tanous 21631ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 21641ef4c342SEd Tanous .privileges(redfish::privileges::postManagerAccountCollection) 21651ef4c342SEd Tanous .methods(boost::beast::http::verb::post)( 21661ef4c342SEd Tanous std::bind_front(handleAccountCollectionPost, std::ref(app))); 21671ef4c342SEd Tanous 21681ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 21694c7d4d33SEd Tanous .privileges(redfish::privileges::headManagerAccount) 21704c7d4d33SEd Tanous .methods(boost::beast::http::verb::head)( 21714c7d4d33SEd Tanous std::bind_front(handleAccountHead, std::ref(app))); 21724c7d4d33SEd Tanous 21734c7d4d33SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 21741ef4c342SEd Tanous .privileges(redfish::privileges::getManagerAccount) 21751ef4c342SEd Tanous .methods(boost::beast::http::verb::get)( 21761ef4c342SEd Tanous std::bind_front(handleAccountGet, std::ref(app))); 21771ef4c342SEd Tanous 21781ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 21791ef4c342SEd Tanous // TODO this privilege should be using the generated endpoints, but 21801ef4c342SEd Tanous // because of the special handling of ConfigureSelf, it's not able to 21811ef4c342SEd Tanous // yet 21821ef4c342SEd Tanous .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}}) 21831ef4c342SEd Tanous .methods(boost::beast::http::verb::patch)( 21841ef4c342SEd Tanous std::bind_front(handleAccountPatch, std::ref(app))); 218584e12cb7SAppaRao Puli 21866c51eab1SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 2187ed398213SEd Tanous .privileges(redfish::privileges::deleteManagerAccount) 21886c51eab1SEd Tanous .methods(boost::beast::http::verb::delete_)( 218920fc307fSGunnar Mills std::bind_front(handleAccountDelete, std::ref(app))); 219006e086d9SEd Tanous } 219188d16c9aSLewanczyk, Dawid 219288d16c9aSLewanczyk, Dawid } // namespace redfish 2193