188d16c9aSLewanczyk, Dawid /* 288d16c9aSLewanczyk, Dawid // Copyright (c) 2018 Intel Corporation 388d16c9aSLewanczyk, Dawid // 488d16c9aSLewanczyk, Dawid // Licensed under the Apache License, Version 2.0 (the "License"); 588d16c9aSLewanczyk, Dawid // you may not use this file except in compliance with the License. 688d16c9aSLewanczyk, Dawid // You may obtain a copy of the License at 788d16c9aSLewanczyk, Dawid // 888d16c9aSLewanczyk, Dawid // http://www.apache.org/licenses/LICENSE-2.0 988d16c9aSLewanczyk, Dawid // 1088d16c9aSLewanczyk, Dawid // Unless required by applicable law or agreed to in writing, software 1188d16c9aSLewanczyk, Dawid // distributed under the License is distributed on an "AS IS" BASIS, 1288d16c9aSLewanczyk, Dawid // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 1388d16c9aSLewanczyk, Dawid // See the License for the specific language governing permissions and 1488d16c9aSLewanczyk, Dawid // limitations under the License. 1588d16c9aSLewanczyk, Dawid */ 1688d16c9aSLewanczyk, Dawid #pragma once 1788d16c9aSLewanczyk, Dawid 183ccb3adbSEd Tanous #include "app.hpp" 191aa375b8SEd Tanous #include "certificate_service.hpp" 203ccb3adbSEd Tanous #include "dbus_utility.hpp" 213ccb3adbSEd Tanous #include "error_messages.hpp" 220ec8b83dSEd Tanous #include "generated/enums/account_service.hpp" 233ccb3adbSEd Tanous #include "persistent_data.hpp" 243ccb3adbSEd Tanous #include "query.hpp" 250ec8b83dSEd Tanous #include "registries/privilege_registry.hpp" 26*3281bcf1SEd Tanous #include "sessions.hpp" 271aa375b8SEd Tanous #include "utils/collection.hpp" 283ccb3adbSEd Tanous #include "utils/dbus_utils.hpp" 293ccb3adbSEd Tanous #include "utils/json_utils.hpp" 300ec8b83dSEd Tanous 311aa375b8SEd Tanous #include <boost/url/format.hpp> 321aa375b8SEd Tanous #include <boost/url/url.hpp> 331e1e598dSJonathan Doman #include <sdbusplus/asio/property.hpp> 34d1bde9e5SKrzysztof Grobelny #include <sdbusplus/unpack_properties.hpp> 351214b7e7SGunnar Mills 362b73119cSGeorge Liu #include <array> 371aa375b8SEd Tanous #include <memory> 38c7229815SAbhishek Patel #include <optional> 393544d2a7SEd Tanous #include <ranges> 40c7229815SAbhishek Patel #include <string> 412b73119cSGeorge Liu #include <string_view> 4220fa6a2cSEd Tanous #include <utility> 43c7229815SAbhishek Patel #include <vector> 44c7229815SAbhishek Patel 451abe55efSEd Tanous namespace redfish 461abe55efSEd Tanous { 4788d16c9aSLewanczyk, Dawid 4823a21a1cSEd Tanous constexpr const char* ldapConfigObjectName = 496973a582SRatan Gupta "/xyz/openbmc_project/user/ldap/openldap"; 502c70f800SEd Tanous constexpr const char* adConfigObject = 51ab828d7cSRatan Gupta "/xyz/openbmc_project/user/ldap/active_directory"; 52ab828d7cSRatan Gupta 53b477fd44SP Dheeraj Srujan Kumar constexpr const char* rootUserDbusPath = "/xyz/openbmc_project/user/"; 546973a582SRatan Gupta constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap"; 556973a582SRatan Gupta constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config"; 566973a582SRatan Gupta constexpr const char* ldapConfigInterface = 576973a582SRatan Gupta "xyz.openbmc_project.User.Ldap.Config"; 586973a582SRatan Gupta constexpr const char* ldapCreateInterface = 596973a582SRatan Gupta "xyz.openbmc_project.User.Ldap.Create"; 606973a582SRatan Gupta constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable"; 6106785244SRatan Gupta constexpr const char* ldapPrivMapperInterface = 6206785244SRatan Gupta "xyz.openbmc_project.User.PrivilegeMapper"; 636973a582SRatan Gupta 6454fc587aSNagaraju Goruganti struct LDAPRoleMapData 6554fc587aSNagaraju Goruganti { 6654fc587aSNagaraju Goruganti std::string groupName; 6754fc587aSNagaraju Goruganti std::string privilege; 6854fc587aSNagaraju Goruganti }; 6954fc587aSNagaraju Goruganti 706973a582SRatan Gupta struct LDAPConfigData 716973a582SRatan Gupta { 7247f2934cSEd Tanous std::string uri; 7347f2934cSEd Tanous std::string bindDN; 7447f2934cSEd Tanous std::string baseDN; 7547f2934cSEd Tanous std::string searchScope; 7647f2934cSEd Tanous std::string serverType; 776973a582SRatan Gupta bool serviceEnabled = false; 7847f2934cSEd Tanous std::string userNameAttribute; 7947f2934cSEd Tanous std::string groupAttribute; 8054fc587aSNagaraju Goruganti std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList; 816973a582SRatan Gupta }; 826973a582SRatan Gupta 8354fc587aSNagaraju Goruganti inline std::string getRoleIdFromPrivilege(std::string_view role) 8484e12cb7SAppaRao Puli { 8584e12cb7SAppaRao Puli if (role == "priv-admin") 8684e12cb7SAppaRao Puli { 8784e12cb7SAppaRao Puli return "Administrator"; 8884e12cb7SAppaRao Puli } 893174e4dfSEd Tanous if (role == "priv-user") 9084e12cb7SAppaRao Puli { 91c80fee55SAppaRao Puli return "ReadOnly"; 9284e12cb7SAppaRao Puli } 933174e4dfSEd Tanous if (role == "priv-operator") 9484e12cb7SAppaRao Puli { 9584e12cb7SAppaRao Puli return "Operator"; 9684e12cb7SAppaRao Puli } 9784e12cb7SAppaRao Puli return ""; 9884e12cb7SAppaRao Puli } 9954fc587aSNagaraju Goruganti inline std::string getPrivilegeFromRoleId(std::string_view role) 10084e12cb7SAppaRao Puli { 10184e12cb7SAppaRao Puli if (role == "Administrator") 10284e12cb7SAppaRao Puli { 10384e12cb7SAppaRao Puli return "priv-admin"; 10484e12cb7SAppaRao Puli } 1053174e4dfSEd Tanous if (role == "ReadOnly") 10684e12cb7SAppaRao Puli { 10784e12cb7SAppaRao Puli return "priv-user"; 10884e12cb7SAppaRao Puli } 1093174e4dfSEd Tanous if (role == "Operator") 11084e12cb7SAppaRao Puli { 11184e12cb7SAppaRao Puli return "priv-operator"; 11284e12cb7SAppaRao Puli } 11384e12cb7SAppaRao Puli return ""; 11484e12cb7SAppaRao Puli } 115b9b2e0b2SEd Tanous 116c7229815SAbhishek Patel /** 117c7229815SAbhishek Patel * @brief Maps user group names retrieved from D-Bus object to 118c7229815SAbhishek Patel * Account Types. 119c7229815SAbhishek Patel * 120c7229815SAbhishek Patel * @param[in] userGroups List of User groups 121c7229815SAbhishek Patel * @param[out] res AccountTypes populated 122c7229815SAbhishek Patel * 123c7229815SAbhishek Patel * @return true in case of success, false if UserGroups contains 124c7229815SAbhishek Patel * invalid group name(s). 125c7229815SAbhishek Patel */ 126c7229815SAbhishek Patel inline bool translateUserGroup(const std::vector<std::string>& userGroups, 127c7229815SAbhishek Patel crow::Response& res) 128c7229815SAbhishek Patel { 129c7229815SAbhishek Patel std::vector<std::string> accountTypes; 130c7229815SAbhishek Patel for (const auto& userGroup : userGroups) 131c7229815SAbhishek Patel { 132c7229815SAbhishek Patel if (userGroup == "redfish") 133c7229815SAbhishek Patel { 134c7229815SAbhishek Patel accountTypes.emplace_back("Redfish"); 135c7229815SAbhishek Patel accountTypes.emplace_back("WebUI"); 136c7229815SAbhishek Patel } 137c7229815SAbhishek Patel else if (userGroup == "ipmi") 138c7229815SAbhishek Patel { 139c7229815SAbhishek Patel accountTypes.emplace_back("IPMI"); 140c7229815SAbhishek Patel } 141c7229815SAbhishek Patel else if (userGroup == "ssh") 142c7229815SAbhishek Patel { 143c7229815SAbhishek Patel accountTypes.emplace_back("ManagerConsole"); 144c7229815SAbhishek Patel } 1453e72c202SNinad Palsule else if (userGroup == "hostconsole") 1463e72c202SNinad Palsule { 1473e72c202SNinad Palsule // The hostconsole group controls who can access the host console 1483e72c202SNinad Palsule // port via ssh and websocket. 1493e72c202SNinad Palsule accountTypes.emplace_back("HostConsole"); 1503e72c202SNinad Palsule } 151c7229815SAbhishek Patel else if (userGroup == "web") 152c7229815SAbhishek Patel { 153c7229815SAbhishek Patel // 'web' is one of the valid groups in the UserGroups property of 154c7229815SAbhishek Patel // the user account in the D-Bus object. This group is currently not 155c7229815SAbhishek Patel // doing anything, and is considered to be equivalent to 'redfish'. 156c7229815SAbhishek Patel // 'redfish' user group is mapped to 'Redfish'and 'WebUI' 157c7229815SAbhishek Patel // AccountTypes, so do nothing here... 158c7229815SAbhishek Patel } 159c7229815SAbhishek Patel else 160c7229815SAbhishek Patel { 1618ece0e45SEd Tanous // Invalid user group name. Caller throws an exception. 162c7229815SAbhishek Patel return false; 163c7229815SAbhishek Patel } 164c7229815SAbhishek Patel } 165c7229815SAbhishek Patel 166c7229815SAbhishek Patel res.jsonValue["AccountTypes"] = std::move(accountTypes); 167c7229815SAbhishek Patel return true; 168c7229815SAbhishek Patel } 169c7229815SAbhishek Patel 17058345856SAbhishek Patel /** 17158345856SAbhishek Patel * @brief Builds User Groups from the Account Types 17258345856SAbhishek Patel * 17358345856SAbhishek Patel * @param[in] asyncResp Async Response 17458345856SAbhishek Patel * @param[in] accountTypes List of Account Types 17558345856SAbhishek Patel * @param[out] userGroups List of User Groups mapped from Account Types 17658345856SAbhishek Patel * 17758345856SAbhishek Patel * @return true if Account Types mapped to User Groups, false otherwise. 17858345856SAbhishek Patel */ 17958345856SAbhishek Patel inline bool 18058345856SAbhishek Patel getUserGroupFromAccountType(crow::Response& res, 18158345856SAbhishek Patel const std::vector<std::string>& accountTypes, 18258345856SAbhishek Patel std::vector<std::string>& userGroups) 18358345856SAbhishek Patel { 18458345856SAbhishek Patel // Need both Redfish and WebUI Account Types to map to 'redfish' User Group 18558345856SAbhishek Patel bool redfishType = false; 18658345856SAbhishek Patel bool webUIType = false; 18758345856SAbhishek Patel 18858345856SAbhishek Patel for (const auto& accountType : accountTypes) 18958345856SAbhishek Patel { 19058345856SAbhishek Patel if (accountType == "Redfish") 19158345856SAbhishek Patel { 19258345856SAbhishek Patel redfishType = true; 19358345856SAbhishek Patel } 19458345856SAbhishek Patel else if (accountType == "WebUI") 19558345856SAbhishek Patel { 19658345856SAbhishek Patel webUIType = true; 19758345856SAbhishek Patel } 19858345856SAbhishek Patel else if (accountType == "IPMI") 19958345856SAbhishek Patel { 20058345856SAbhishek Patel userGroups.emplace_back("ipmi"); 20158345856SAbhishek Patel } 20258345856SAbhishek Patel else if (accountType == "HostConsole") 20358345856SAbhishek Patel { 20458345856SAbhishek Patel userGroups.emplace_back("hostconsole"); 20558345856SAbhishek Patel } 20658345856SAbhishek Patel else if (accountType == "ManagerConsole") 20758345856SAbhishek Patel { 20858345856SAbhishek Patel userGroups.emplace_back("ssh"); 20958345856SAbhishek Patel } 21058345856SAbhishek Patel else 21158345856SAbhishek Patel { 21258345856SAbhishek Patel // Invalid Account Type 21358345856SAbhishek Patel messages::propertyValueNotInList(res, "AccountTypes", accountType); 21458345856SAbhishek Patel return false; 21558345856SAbhishek Patel } 21658345856SAbhishek Patel } 21758345856SAbhishek Patel 21858345856SAbhishek Patel // Both Redfish and WebUI Account Types are needed to PATCH 21958345856SAbhishek Patel if (redfishType ^ webUIType) 22058345856SAbhishek Patel { 22162598e31SEd Tanous BMCWEB_LOG_ERROR( 22262598e31SEd Tanous "Missing Redfish or WebUI Account Type to set redfish User Group"); 22358345856SAbhishek Patel messages::strictAccountTypes(res, "AccountTypes"); 22458345856SAbhishek Patel return false; 22558345856SAbhishek Patel } 22658345856SAbhishek Patel 22758345856SAbhishek Patel if (redfishType && webUIType) 22858345856SAbhishek Patel { 22958345856SAbhishek Patel userGroups.emplace_back("redfish"); 23058345856SAbhishek Patel } 23158345856SAbhishek Patel 23258345856SAbhishek Patel return true; 23358345856SAbhishek Patel } 23458345856SAbhishek Patel 23558345856SAbhishek Patel /** 23658345856SAbhishek Patel * @brief Sets UserGroups property of the user based on the Account Types 23758345856SAbhishek Patel * 23858345856SAbhishek Patel * @param[in] accountTypes List of User Account Types 23958345856SAbhishek Patel * @param[in] asyncResp Async Response 24058345856SAbhishek Patel * @param[in] dbusObjectPath D-Bus Object Path 24158345856SAbhishek Patel * @param[in] userSelf true if User is updating OWN Account Types 24258345856SAbhishek Patel */ 24358345856SAbhishek Patel inline void 24458345856SAbhishek Patel patchAccountTypes(const std::vector<std::string>& accountTypes, 24558345856SAbhishek Patel const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 24658345856SAbhishek Patel const std::string& dbusObjectPath, bool userSelf) 24758345856SAbhishek Patel { 24858345856SAbhishek Patel // Check if User is disabling own Redfish Account Type 24958345856SAbhishek Patel if (userSelf && 25058345856SAbhishek Patel (accountTypes.cend() == 25158345856SAbhishek Patel std::find(accountTypes.cbegin(), accountTypes.cend(), "Redfish"))) 25258345856SAbhishek Patel { 25362598e31SEd Tanous BMCWEB_LOG_ERROR( 25462598e31SEd Tanous "User disabling OWN Redfish Account Type is not allowed"); 25558345856SAbhishek Patel messages::strictAccountTypes(asyncResp->res, "AccountTypes"); 25658345856SAbhishek Patel return; 25758345856SAbhishek Patel } 25858345856SAbhishek Patel 25958345856SAbhishek Patel std::vector<std::string> updatedUserGroups; 26058345856SAbhishek Patel if (!getUserGroupFromAccountType(asyncResp->res, accountTypes, 26158345856SAbhishek Patel updatedUserGroups)) 26258345856SAbhishek Patel { 26358345856SAbhishek Patel // Problem in mapping Account Types to User Groups, Error already 26458345856SAbhishek Patel // logged. 26558345856SAbhishek Patel return; 26658345856SAbhishek Patel } 267e93abac6SGinu George setDbusProperty(asyncResp, "AccountTypes", 268e93abac6SGinu George "xyz.openbmc_project.User.Manager", dbusObjectPath, 269e93abac6SGinu George "xyz.openbmc_project.User.Attributes", "UserGroups", 270e93abac6SGinu George updatedUserGroups); 27158345856SAbhishek Patel } 27258345856SAbhishek Patel 2738d1b46d7Szhanghch05 inline void userErrorMessageHandler( 2748d1b46d7Szhanghch05 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 2758d1b46d7Szhanghch05 const std::string& newUser, const std::string& username) 27666b5ca76Sjayaprakash Mutyala { 27766b5ca76Sjayaprakash Mutyala if (e == nullptr) 27866b5ca76Sjayaprakash Mutyala { 27966b5ca76Sjayaprakash Mutyala messages::internalError(asyncResp->res); 28066b5ca76Sjayaprakash Mutyala return; 28166b5ca76Sjayaprakash Mutyala } 28266b5ca76Sjayaprakash Mutyala 283055806b3SManojkiran Eda const char* errorMessage = e->name; 28466b5ca76Sjayaprakash Mutyala if (strcmp(errorMessage, 28566b5ca76Sjayaprakash Mutyala "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0) 28666b5ca76Sjayaprakash Mutyala { 287d8a5d5d8SJiaqing Zhao messages::resourceAlreadyExists(asyncResp->res, "ManagerAccount", 28866b5ca76Sjayaprakash Mutyala "UserName", newUser); 28966b5ca76Sjayaprakash Mutyala } 29066b5ca76Sjayaprakash Mutyala else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error." 29166b5ca76Sjayaprakash Mutyala "UserNameDoesNotExist") == 0) 29266b5ca76Sjayaprakash Mutyala { 293d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", username); 29466b5ca76Sjayaprakash Mutyala } 295d4d25793SEd Tanous else if ((strcmp(errorMessage, 296d4d25793SEd Tanous "xyz.openbmc_project.Common.Error.InvalidArgument") == 297d4d25793SEd Tanous 0) || 2980fda0f12SGeorge Liu (strcmp( 2990fda0f12SGeorge Liu errorMessage, 3000fda0f12SGeorge Liu "xyz.openbmc_project.User.Common.Error.UserNameGroupFail") == 3010fda0f12SGeorge Liu 0)) 30266b5ca76Sjayaprakash Mutyala { 30366b5ca76Sjayaprakash Mutyala messages::propertyValueFormatError(asyncResp->res, newUser, "UserName"); 30466b5ca76Sjayaprakash Mutyala } 30566b5ca76Sjayaprakash Mutyala else if (strcmp(errorMessage, 30666b5ca76Sjayaprakash Mutyala "xyz.openbmc_project.User.Common.Error.NoResource") == 0) 30766b5ca76Sjayaprakash Mutyala { 30866b5ca76Sjayaprakash Mutyala messages::createLimitReachedForResource(asyncResp->res); 30966b5ca76Sjayaprakash Mutyala } 31066b5ca76Sjayaprakash Mutyala else 31166b5ca76Sjayaprakash Mutyala { 312b8ad583fSGunnar Mills BMCWEB_LOG_ERROR("DBUS response error {}", errorMessage); 31366b5ca76Sjayaprakash Mutyala messages::internalError(asyncResp->res); 31466b5ca76Sjayaprakash Mutyala } 31566b5ca76Sjayaprakash Mutyala } 31666b5ca76Sjayaprakash Mutyala 31781ce609eSEd Tanous inline void parseLDAPConfigData(nlohmann::json& jsonResponse, 318ab828d7cSRatan Gupta const LDAPConfigData& confData, 319ab828d7cSRatan Gupta const std::string& ldapType) 3206973a582SRatan Gupta { 32149cc263fSEd Tanous nlohmann::json::object_t ldap; 3221476687dSEd Tanous ldap["ServiceEnabled"] = confData.serviceEnabled; 32349cc263fSEd Tanous nlohmann::json::array_t serviceAddresses; 32449cc263fSEd Tanous serviceAddresses.emplace_back(confData.uri); 32549cc263fSEd Tanous ldap["ServiceAddresses"] = std::move(serviceAddresses); 32649cc263fSEd Tanous 32749cc263fSEd Tanous nlohmann::json::object_t authentication; 32849cc263fSEd Tanous authentication["AuthenticationType"] = 3290ec8b83dSEd Tanous account_service::AuthenticationTypes::UsernameAndPassword; 33049cc263fSEd Tanous authentication["Username"] = confData.bindDN; 33149cc263fSEd Tanous authentication["Password"] = nullptr; 33249cc263fSEd Tanous ldap["Authentication"] = std::move(authentication); 3331476687dSEd Tanous 33449cc263fSEd Tanous nlohmann::json::object_t ldapService; 33549cc263fSEd Tanous nlohmann::json::object_t searchSettings; 33649cc263fSEd Tanous nlohmann::json::array_t baseDistinguishedNames; 33749cc263fSEd Tanous baseDistinguishedNames.emplace_back(confData.baseDN); 3381476687dSEd Tanous 33949cc263fSEd Tanous searchSettings["BaseDistinguishedNames"] = 34049cc263fSEd Tanous std::move(baseDistinguishedNames); 34149cc263fSEd Tanous searchSettings["UsernameAttribute"] = confData.userNameAttribute; 34249cc263fSEd Tanous searchSettings["GroupsAttribute"] = confData.groupAttribute; 34349cc263fSEd Tanous ldapService["SearchSettings"] = std::move(searchSettings); 34449cc263fSEd Tanous ldap["LDAPService"] = std::move(ldapService); 34549cc263fSEd Tanous 34649cc263fSEd Tanous nlohmann::json::array_t roleMapArray; 3479eb808c1SEd Tanous for (const auto& obj : confData.groupRoleList) 34854fc587aSNagaraju Goruganti { 34962598e31SEd Tanous BMCWEB_LOG_DEBUG("Pushing the data groupName={}", obj.second.groupName); 350613dabeaSEd Tanous 351613dabeaSEd Tanous nlohmann::json::object_t remoteGroup; 352613dabeaSEd Tanous remoteGroup["RemoteGroup"] = obj.second.groupName; 353329f0348SJorge Cisneros remoteGroup["LocalRole"] = getRoleIdFromPrivilege(obj.second.privilege); 354329f0348SJorge Cisneros roleMapArray.emplace_back(std::move(remoteGroup)); 35554fc587aSNagaraju Goruganti } 35649cc263fSEd Tanous 35749cc263fSEd Tanous ldap["RemoteRoleMapping"] = std::move(roleMapArray); 35849cc263fSEd Tanous 35949cc263fSEd Tanous jsonResponse[ldapType].update(ldap); 3606973a582SRatan Gupta } 3616973a582SRatan Gupta 3626973a582SRatan Gupta /** 36306785244SRatan Gupta * @brief validates given JSON input and then calls appropriate method to 36406785244SRatan Gupta * create, to delete or to set Rolemapping object based on the given input. 36506785244SRatan Gupta * 36606785244SRatan Gupta */ 36723a21a1cSEd Tanous inline void handleRoleMapPatch( 3688d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 36906785244SRatan Gupta const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData, 370c1019828SEd Tanous const std::string& serverType, 371c1019828SEd Tanous std::vector<std::variant<nlohmann::json::object_t, std::nullptr_t>>& input) 37206785244SRatan Gupta { 37306785244SRatan Gupta for (size_t index = 0; index < input.size(); index++) 37406785244SRatan Gupta { 375c1019828SEd Tanous std::variant<nlohmann::json::object_t, std::nullptr_t>& thisJson = 376c1019828SEd Tanous input[index]; 377c1019828SEd Tanous nlohmann::json::object_t* obj = 378c1019828SEd Tanous std::get_if<nlohmann::json::object_t>(&thisJson); 379c1019828SEd Tanous if (obj == nullptr) 38006785244SRatan Gupta { 38106785244SRatan Gupta // delete the existing object 38206785244SRatan Gupta if (index < roleMapObjData.size()) 38306785244SRatan Gupta { 38406785244SRatan Gupta crow::connections::systemBus->async_method_call( 38506785244SRatan Gupta [asyncResp, roleMapObjData, serverType, 3865e7e2dc5SEd Tanous index](const boost::system::error_code& ec) { 38706785244SRatan Gupta if (ec) 38806785244SRatan Gupta { 38962598e31SEd Tanous BMCWEB_LOG_ERROR("DBUS response error: {}", ec); 39006785244SRatan Gupta messages::internalError(asyncResp->res); 39106785244SRatan Gupta return; 39206785244SRatan Gupta } 39389492a15SPatrick Williams asyncResp->res.jsonValue[serverType]["RemoteRoleMapping"] 39489492a15SPatrick Williams [index] = nullptr; 39506785244SRatan Gupta }, 39606785244SRatan Gupta ldapDbusService, roleMapObjData[index].first, 39706785244SRatan Gupta "xyz.openbmc_project.Object.Delete", "Delete"); 39806785244SRatan Gupta } 39906785244SRatan Gupta else 40006785244SRatan Gupta { 40162598e31SEd Tanous BMCWEB_LOG_ERROR("Can't delete the object"); 402c1019828SEd Tanous messages::propertyValueTypeError(asyncResp->res, "null", 4032e8c4bdaSEd Tanous "RemoteRoleMapping/" + 4042e8c4bdaSEd Tanous std::to_string(index)); 40506785244SRatan Gupta return; 40606785244SRatan Gupta } 40706785244SRatan Gupta } 408c1019828SEd Tanous else if (obj->empty()) 40906785244SRatan Gupta { 41006785244SRatan Gupta // Don't do anything for the empty objects,parse next json 41106785244SRatan Gupta // eg {"RemoteRoleMapping",[{}]} 41206785244SRatan Gupta } 41306785244SRatan Gupta else 41406785244SRatan Gupta { 41506785244SRatan Gupta // update/create the object 41606785244SRatan Gupta std::optional<std::string> remoteGroup; 41706785244SRatan Gupta std::optional<std::string> localRole; 41806785244SRatan Gupta 419c1019828SEd Tanous if (!json_util::readJsonObject(*obj, asyncResp->res, "RemoteGroup", 420c1019828SEd Tanous remoteGroup, "LocalRole", localRole)) 42106785244SRatan Gupta { 42206785244SRatan Gupta continue; 42306785244SRatan Gupta } 42406785244SRatan Gupta 42506785244SRatan Gupta // Update existing RoleMapping Object 42606785244SRatan Gupta if (index < roleMapObjData.size()) 42706785244SRatan Gupta { 42862598e31SEd Tanous BMCWEB_LOG_DEBUG("Update Role Map Object"); 42906785244SRatan Gupta // If "RemoteGroup" info is provided 43006785244SRatan Gupta if (remoteGroup) 43106785244SRatan Gupta { 432d02aad39SEd Tanous setDbusProperty( 433e93abac6SGinu George asyncResp, 434d02aad39SEd Tanous std::format("RemoteRoleMapping/{}/RemoteGroup", index), 435e93abac6SGinu George ldapDbusService, roleMapObjData[index].first, 436e93abac6SGinu George "xyz.openbmc_project.User.PrivilegeMapperEntry", 437e93abac6SGinu George "GroupName", *remoteGroup); 43806785244SRatan Gupta } 43906785244SRatan Gupta 44006785244SRatan Gupta // If "LocalRole" info is provided 44106785244SRatan Gupta if (localRole) 44206785244SRatan Gupta { 443d02aad39SEd Tanous setDbusProperty( 444e93abac6SGinu George asyncResp, 445d02aad39SEd Tanous std::format("RemoteRoleMapping/{}/LocalRole", index), 446e93abac6SGinu George ldapDbusService, roleMapObjData[index].first, 447e93abac6SGinu George "xyz.openbmc_project.User.PrivilegeMapperEntry", 448e93abac6SGinu George "Privilege", *localRole); 44906785244SRatan Gupta } 45006785244SRatan Gupta } 45106785244SRatan Gupta // Create a new RoleMapping Object. 45206785244SRatan Gupta else 45306785244SRatan Gupta { 45462598e31SEd Tanous BMCWEB_LOG_DEBUG( 45562598e31SEd Tanous "setRoleMappingProperties: Creating new Object"); 45689492a15SPatrick Williams std::string pathString = "RemoteRoleMapping/" + 45789492a15SPatrick Williams std::to_string(index); 45806785244SRatan Gupta 45906785244SRatan Gupta if (!localRole) 46006785244SRatan Gupta { 46106785244SRatan Gupta messages::propertyMissing(asyncResp->res, 46206785244SRatan Gupta pathString + "/LocalRole"); 46306785244SRatan Gupta continue; 46406785244SRatan Gupta } 46506785244SRatan Gupta if (!remoteGroup) 46606785244SRatan Gupta { 46706785244SRatan Gupta messages::propertyMissing(asyncResp->res, 46806785244SRatan Gupta pathString + "/RemoteGroup"); 46906785244SRatan Gupta continue; 47006785244SRatan Gupta } 47106785244SRatan Gupta 47206785244SRatan Gupta std::string dbusObjectPath; 47306785244SRatan Gupta if (serverType == "ActiveDirectory") 47406785244SRatan Gupta { 4752c70f800SEd Tanous dbusObjectPath = adConfigObject; 47606785244SRatan Gupta } 47706785244SRatan Gupta else if (serverType == "LDAP") 47806785244SRatan Gupta { 47923a21a1cSEd Tanous dbusObjectPath = ldapConfigObjectName; 48006785244SRatan Gupta } 48106785244SRatan Gupta 48262598e31SEd Tanous BMCWEB_LOG_DEBUG("Remote Group={},LocalRole={}", *remoteGroup, 48362598e31SEd Tanous *localRole); 48406785244SRatan Gupta 48506785244SRatan Gupta crow::connections::systemBus->async_method_call( 486271584abSEd Tanous [asyncResp, serverType, localRole, 4875e7e2dc5SEd Tanous remoteGroup](const boost::system::error_code& ec) { 48806785244SRatan Gupta if (ec) 48906785244SRatan Gupta { 49062598e31SEd Tanous BMCWEB_LOG_ERROR("DBUS response error: {}", ec); 49106785244SRatan Gupta messages::internalError(asyncResp->res); 49206785244SRatan Gupta return; 49306785244SRatan Gupta } 49406785244SRatan Gupta nlohmann::json& remoteRoleJson = 49506785244SRatan Gupta asyncResp->res 49606785244SRatan Gupta .jsonValue[serverType]["RemoteRoleMapping"]; 4971476687dSEd Tanous nlohmann::json::object_t roleMapEntry; 4981476687dSEd Tanous roleMapEntry["LocalRole"] = *localRole; 4991476687dSEd Tanous roleMapEntry["RemoteGroup"] = *remoteGroup; 500b2ba3072SPatrick Williams remoteRoleJson.emplace_back(std::move(roleMapEntry)); 50106785244SRatan Gupta }, 50206785244SRatan Gupta ldapDbusService, dbusObjectPath, ldapPrivMapperInterface, 5033174e4dfSEd Tanous "Create", *remoteGroup, 50406785244SRatan Gupta getPrivilegeFromRoleId(std::move(*localRole))); 50506785244SRatan Gupta } 50606785244SRatan Gupta } 50706785244SRatan Gupta } 50806785244SRatan Gupta } 50906785244SRatan Gupta 51006785244SRatan Gupta /** 5116973a582SRatan Gupta * Function that retrieves all properties for LDAP config object 5126973a582SRatan Gupta * into JSON 5136973a582SRatan Gupta */ 5146973a582SRatan Gupta template <typename CallbackFunc> 5156973a582SRatan Gupta inline void getLDAPConfigData(const std::string& ldapType, 5166973a582SRatan Gupta CallbackFunc&& callback) 5176973a582SRatan Gupta { 5182b73119cSGeorge Liu constexpr std::array<std::string_view, 2> interfaces = { 5192b73119cSGeorge Liu ldapEnableInterface, ldapConfigInterface}; 52054fc587aSNagaraju Goruganti 5212b73119cSGeorge Liu dbus::utility::getDbusObject( 5222b73119cSGeorge Liu ldapConfigObjectName, interfaces, 5238cb2c024SEd Tanous [callback = std::forward<CallbackFunc>(callback), 524c1019828SEd Tanous ldapType](const boost::system::error_code& ec, 525c1019828SEd Tanous const dbus::utility::MapperGetObject& resp) mutable { 52654fc587aSNagaraju Goruganti if (ec || resp.empty()) 52754fc587aSNagaraju Goruganti { 528bf2ddedeSCarson Labrado BMCWEB_LOG_WARNING( 52962598e31SEd Tanous "DBUS response error during getting of service name: {}", ec); 53023a21a1cSEd Tanous LDAPConfigData empty{}; 53123a21a1cSEd Tanous callback(false, empty, ldapType); 53254fc587aSNagaraju Goruganti return; 53354fc587aSNagaraju Goruganti } 53454fc587aSNagaraju Goruganti std::string service = resp.begin()->first; 5355eb468daSGeorge Liu sdbusplus::message::object_path path(ldapRootObject); 5365eb468daSGeorge Liu dbus::utility::getManagedObjects( 5375eb468daSGeorge Liu service, path, 538c1019828SEd Tanous [callback, ldapType]( 539c1019828SEd Tanous const boost::system::error_code& ec2, 540c1019828SEd Tanous const dbus::utility::ManagedObjectType& ldapObjects) mutable { 5416973a582SRatan Gupta LDAPConfigData confData{}; 5428b24275dSEd Tanous if (ec2) 5436973a582SRatan Gupta { 544ab828d7cSRatan Gupta callback(false, confData, ldapType); 545bf2ddedeSCarson Labrado BMCWEB_LOG_WARNING("D-Bus responses error: {}", ec2); 5466973a582SRatan Gupta return; 5476973a582SRatan Gupta } 548ab828d7cSRatan Gupta 549ab828d7cSRatan Gupta std::string ldapDbusType; 55054fc587aSNagaraju Goruganti std::string searchString; 55154fc587aSNagaraju Goruganti 552ab828d7cSRatan Gupta if (ldapType == "LDAP") 553ab828d7cSRatan Gupta { 5540fda0f12SGeorge Liu ldapDbusType = 5550fda0f12SGeorge Liu "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap"; 55654fc587aSNagaraju Goruganti searchString = "openldap"; 557ab828d7cSRatan Gupta } 558ab828d7cSRatan Gupta else if (ldapType == "ActiveDirectory") 559ab828d7cSRatan Gupta { 56054fc587aSNagaraju Goruganti ldapDbusType = 5610fda0f12SGeorge Liu "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory"; 56254fc587aSNagaraju Goruganti searchString = "active_directory"; 563ab828d7cSRatan Gupta } 564ab828d7cSRatan Gupta else 565ab828d7cSRatan Gupta { 56662598e31SEd Tanous BMCWEB_LOG_ERROR("Can't get the DbusType for the given type={}", 56762598e31SEd Tanous ldapType); 568ab828d7cSRatan Gupta callback(false, confData, ldapType); 569ab828d7cSRatan Gupta return; 570ab828d7cSRatan Gupta } 571ab828d7cSRatan Gupta 572ab828d7cSRatan Gupta std::string ldapEnableInterfaceStr = ldapEnableInterface; 573ab828d7cSRatan Gupta std::string ldapConfigInterfaceStr = ldapConfigInterface; 574ab828d7cSRatan Gupta 5756973a582SRatan Gupta for (const auto& object : ldapObjects) 5766973a582SRatan Gupta { 57754fc587aSNagaraju Goruganti // let's find the object whose ldap type is equal to the 57854fc587aSNagaraju Goruganti // given type 579002d39b4SEd Tanous if (object.first.str.find(searchString) == std::string::npos) 5806973a582SRatan Gupta { 581ab828d7cSRatan Gupta continue; 582ab828d7cSRatan Gupta } 583ab828d7cSRatan Gupta 5846973a582SRatan Gupta for (const auto& interface : object.second) 5856973a582SRatan Gupta { 5866973a582SRatan Gupta if (interface.first == ldapEnableInterfaceStr) 5876973a582SRatan Gupta { 5886973a582SRatan Gupta // rest of the properties are string. 5896973a582SRatan Gupta for (const auto& property : interface.second) 5906973a582SRatan Gupta { 5916973a582SRatan Gupta if (property.first == "Enabled") 5926973a582SRatan Gupta { 5936973a582SRatan Gupta const bool* value = 5946973a582SRatan Gupta std::get_if<bool>(&property.second); 5956973a582SRatan Gupta if (value == nullptr) 5966973a582SRatan Gupta { 5976973a582SRatan Gupta continue; 5986973a582SRatan Gupta } 5996973a582SRatan Gupta confData.serviceEnabled = *value; 6006973a582SRatan Gupta break; 6016973a582SRatan Gupta } 6026973a582SRatan Gupta } 6036973a582SRatan Gupta } 6046973a582SRatan Gupta else if (interface.first == ldapConfigInterfaceStr) 6056973a582SRatan Gupta { 6066973a582SRatan Gupta for (const auto& property : interface.second) 6076973a582SRatan Gupta { 608271584abSEd Tanous const std::string* strValue = 609002d39b4SEd Tanous std::get_if<std::string>(&property.second); 610271584abSEd Tanous if (strValue == nullptr) 6116973a582SRatan Gupta { 6126973a582SRatan Gupta continue; 6136973a582SRatan Gupta } 6146973a582SRatan Gupta if (property.first == "LDAPServerURI") 6156973a582SRatan Gupta { 616271584abSEd Tanous confData.uri = *strValue; 6176973a582SRatan Gupta } 6186973a582SRatan Gupta else if (property.first == "LDAPBindDN") 6196973a582SRatan Gupta { 620271584abSEd Tanous confData.bindDN = *strValue; 6216973a582SRatan Gupta } 6226973a582SRatan Gupta else if (property.first == "LDAPBaseDN") 6236973a582SRatan Gupta { 624271584abSEd Tanous confData.baseDN = *strValue; 6256973a582SRatan Gupta } 626002d39b4SEd Tanous else if (property.first == "LDAPSearchScope") 6276973a582SRatan Gupta { 628271584abSEd Tanous confData.searchScope = *strValue; 6296973a582SRatan Gupta } 630002d39b4SEd Tanous else if (property.first == "GroupNameAttribute") 6316973a582SRatan Gupta { 632271584abSEd Tanous confData.groupAttribute = *strValue; 6336973a582SRatan Gupta } 634002d39b4SEd Tanous else if (property.first == "UserNameAttribute") 6356973a582SRatan Gupta { 636271584abSEd Tanous confData.userNameAttribute = *strValue; 6376973a582SRatan Gupta } 63854fc587aSNagaraju Goruganti else if (property.first == "LDAPType") 639ab828d7cSRatan Gupta { 640271584abSEd Tanous confData.serverType = *strValue; 64154fc587aSNagaraju Goruganti } 64254fc587aSNagaraju Goruganti } 64354fc587aSNagaraju Goruganti } 644002d39b4SEd Tanous else if (interface.first == 6450fda0f12SGeorge Liu "xyz.openbmc_project.User.PrivilegeMapperEntry") 64654fc587aSNagaraju Goruganti { 64754fc587aSNagaraju Goruganti LDAPRoleMapData roleMapData{}; 64854fc587aSNagaraju Goruganti for (const auto& property : interface.second) 64954fc587aSNagaraju Goruganti { 650271584abSEd Tanous const std::string* strValue = 651002d39b4SEd Tanous std::get_if<std::string>(&property.second); 65254fc587aSNagaraju Goruganti 653271584abSEd Tanous if (strValue == nullptr) 65454fc587aSNagaraju Goruganti { 65554fc587aSNagaraju Goruganti continue; 65654fc587aSNagaraju Goruganti } 65754fc587aSNagaraju Goruganti 65854fc587aSNagaraju Goruganti if (property.first == "GroupName") 65954fc587aSNagaraju Goruganti { 660271584abSEd Tanous roleMapData.groupName = *strValue; 66154fc587aSNagaraju Goruganti } 66254fc587aSNagaraju Goruganti else if (property.first == "Privilege") 66354fc587aSNagaraju Goruganti { 664271584abSEd Tanous roleMapData.privilege = *strValue; 66554fc587aSNagaraju Goruganti } 66654fc587aSNagaraju Goruganti } 66754fc587aSNagaraju Goruganti 668002d39b4SEd Tanous confData.groupRoleList.emplace_back(object.first.str, 669002d39b4SEd Tanous roleMapData); 67054fc587aSNagaraju Goruganti } 67154fc587aSNagaraju Goruganti } 67254fc587aSNagaraju Goruganti } 673ab828d7cSRatan Gupta callback(true, confData, ldapType); 6745eb468daSGeorge Liu }); 6752b73119cSGeorge Liu }); 6766973a582SRatan Gupta } 6776973a582SRatan Gupta 6788a07d286SRatan Gupta /** 6798a07d286SRatan Gupta * @brief updates the LDAP server address and updates the 6808a07d286SRatan Gupta json response with the new value. 6818a07d286SRatan Gupta * @param serviceAddressList address to be updated. 6828a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 6838a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 6848a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 6858a07d286SRatan Gupta */ 6868a07d286SRatan Gupta 6874f48d5f6SEd Tanous inline void handleServiceAddressPatch( 6888a07d286SRatan Gupta const std::vector<std::string>& serviceAddressList, 6898d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 6908a07d286SRatan Gupta const std::string& ldapServerElementName, 6918a07d286SRatan Gupta const std::string& ldapConfigObject) 6928a07d286SRatan Gupta { 693e93abac6SGinu George setDbusProperty(asyncResp, ldapServerElementName + "/ServiceAddress", 694e93abac6SGinu George ldapDbusService, ldapConfigObject, ldapConfigInterface, 695e93abac6SGinu George "LDAPServerURI", serviceAddressList.front()); 6968a07d286SRatan Gupta } 6978a07d286SRatan Gupta /** 6988a07d286SRatan Gupta * @brief updates the LDAP Bind DN and updates the 6998a07d286SRatan Gupta json response with the new value. 7008a07d286SRatan Gupta * @param username name of the user which needs to be updated. 7018a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7028a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7038a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7048a07d286SRatan Gupta */ 7058a07d286SRatan Gupta 7064f48d5f6SEd Tanous inline void 7074f48d5f6SEd Tanous handleUserNamePatch(const std::string& username, 7088d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7098a07d286SRatan Gupta const std::string& ldapServerElementName, 7108a07d286SRatan Gupta const std::string& ldapConfigObject) 7118a07d286SRatan Gupta { 712e93abac6SGinu George setDbusProperty(asyncResp, 713d02aad39SEd Tanous ldapServerElementName + "/Authentication/Username", 714e93abac6SGinu George ldapDbusService, ldapConfigObject, ldapConfigInterface, 715e93abac6SGinu George "LDAPBindDN", username); 7168a07d286SRatan Gupta } 7178a07d286SRatan Gupta 7188a07d286SRatan Gupta /** 7198a07d286SRatan Gupta * @brief updates the LDAP password 7208a07d286SRatan Gupta * @param password : ldap password which needs to be updated. 7218a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7228a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7238a07d286SRatan Gupta * server(openLDAP/ActiveDirectory) 7248a07d286SRatan Gupta */ 7258a07d286SRatan Gupta 7264f48d5f6SEd Tanous inline void 7274f48d5f6SEd Tanous handlePasswordPatch(const std::string& password, 7288d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7298a07d286SRatan Gupta const std::string& ldapServerElementName, 7308a07d286SRatan Gupta const std::string& ldapConfigObject) 7318a07d286SRatan Gupta { 732e93abac6SGinu George setDbusProperty(asyncResp, 733d02aad39SEd Tanous ldapServerElementName + "/Authentication/Password", 734e93abac6SGinu George ldapDbusService, ldapConfigObject, ldapConfigInterface, 735e93abac6SGinu George "LDAPBindDNPassword", password); 7368a07d286SRatan Gupta } 7378a07d286SRatan Gupta 7388a07d286SRatan Gupta /** 7398a07d286SRatan Gupta * @brief updates the LDAP BaseDN and updates the 7408a07d286SRatan Gupta json response with the new value. 7418a07d286SRatan Gupta * @param baseDNList baseDN list which needs to be updated. 7428a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7438a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7448a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7458a07d286SRatan Gupta */ 7468a07d286SRatan Gupta 7474f48d5f6SEd Tanous inline void 7484f48d5f6SEd Tanous handleBaseDNPatch(const std::vector<std::string>& baseDNList, 7498d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7508a07d286SRatan Gupta const std::string& ldapServerElementName, 7518a07d286SRatan Gupta const std::string& ldapConfigObject) 7528a07d286SRatan Gupta { 753e93abac6SGinu George setDbusProperty(asyncResp, 754d02aad39SEd Tanous ldapServerElementName + 755d02aad39SEd Tanous "/LDAPService/SearchSettings/BaseDistinguishedNames", 756e93abac6SGinu George ldapDbusService, ldapConfigObject, ldapConfigInterface, 757e93abac6SGinu George "LDAPBaseDN", baseDNList.front()); 7588a07d286SRatan Gupta } 7598a07d286SRatan Gupta /** 7608a07d286SRatan Gupta * @brief updates the LDAP user name attribute and updates the 7618a07d286SRatan Gupta json response with the new value. 7628a07d286SRatan Gupta * @param userNameAttribute attribute to be updated. 7638a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7648a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7658a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7668a07d286SRatan Gupta */ 7678a07d286SRatan Gupta 7684f48d5f6SEd Tanous inline void 7694f48d5f6SEd Tanous handleUserNameAttrPatch(const std::string& userNameAttribute, 7708d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7718a07d286SRatan Gupta const std::string& ldapServerElementName, 7728a07d286SRatan Gupta const std::string& ldapConfigObject) 7738a07d286SRatan Gupta { 774e93abac6SGinu George setDbusProperty(asyncResp, 775d02aad39SEd Tanous ldapServerElementName + 776d02aad39SEd Tanous "LDAPService/SearchSettings/UsernameAttribute", 777e93abac6SGinu George ldapDbusService, ldapConfigObject, ldapConfigInterface, 778e93abac6SGinu George "UserNameAttribute", userNameAttribute); 7798a07d286SRatan Gupta } 7808a07d286SRatan Gupta /** 7818a07d286SRatan Gupta * @brief updates the LDAP group attribute and updates the 7828a07d286SRatan Gupta json response with the new value. 7838a07d286SRatan Gupta * @param groupsAttribute attribute to be updated. 7848a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7858a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7868a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7878a07d286SRatan Gupta */ 7888a07d286SRatan Gupta 7894f48d5f6SEd Tanous inline void handleGroupNameAttrPatch( 7908d1b46d7Szhanghch05 const std::string& groupsAttribute, 7918d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7928a07d286SRatan Gupta const std::string& ldapServerElementName, 7938a07d286SRatan Gupta const std::string& ldapConfigObject) 7948a07d286SRatan Gupta { 795e93abac6SGinu George setDbusProperty(asyncResp, 796d02aad39SEd Tanous ldapServerElementName + 797d02aad39SEd Tanous "/LDAPService/SearchSettings/GroupsAttribute", 798e93abac6SGinu George ldapDbusService, ldapConfigObject, ldapConfigInterface, 799e93abac6SGinu George "GroupNameAttribute", groupsAttribute); 8008a07d286SRatan Gupta } 8018a07d286SRatan Gupta /** 8028a07d286SRatan Gupta * @brief updates the LDAP service enable and updates the 8038a07d286SRatan Gupta json response with the new value. 8048a07d286SRatan Gupta * @param input JSON data. 8058a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 8068a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 8078a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 8088a07d286SRatan Gupta */ 8098a07d286SRatan Gupta 8104f48d5f6SEd Tanous inline void handleServiceEnablePatch( 8116c51eab1SEd Tanous bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 8128a07d286SRatan Gupta const std::string& ldapServerElementName, 8138a07d286SRatan Gupta const std::string& ldapConfigObject) 8148a07d286SRatan Gupta { 815e93abac6SGinu George setDbusProperty(asyncResp, ldapServerElementName + "/ServiceEnabled", 816e93abac6SGinu George ldapDbusService, ldapConfigObject, ldapEnableInterface, 817e93abac6SGinu George "Enabled", serviceEnabled); 8188a07d286SRatan Gupta } 8198a07d286SRatan Gupta 820c1019828SEd Tanous struct AuthMethods 82178158631SZbigniew Kurzynski { 82278158631SZbigniew Kurzynski std::optional<bool> basicAuth; 82378158631SZbigniew Kurzynski std::optional<bool> cookie; 82478158631SZbigniew Kurzynski std::optional<bool> sessionToken; 82578158631SZbigniew Kurzynski std::optional<bool> xToken; 826501f1e58SZbigniew Kurzynski std::optional<bool> tls; 827c1019828SEd Tanous }; 82878158631SZbigniew Kurzynski 829c1019828SEd Tanous inline void 830c1019828SEd Tanous handleAuthMethodsPatch(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 831c1019828SEd Tanous const AuthMethods& auth) 83278158631SZbigniew Kurzynski { 833c1019828SEd Tanous persistent_data::AuthConfigMethods& authMethodsConfig = 83452cc112dSEd Tanous persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 83578158631SZbigniew Kurzynski 836c1019828SEd Tanous if (auth.basicAuth) 83778158631SZbigniew Kurzynski { 83825b54dbaSEd Tanous if constexpr (!BMCWEB_BASIC_AUTH) 83925b54dbaSEd Tanous { 840f16f6263SAlan Kuo messages::actionNotSupported( 8410fda0f12SGeorge Liu asyncResp->res, 8420fda0f12SGeorge Liu "Setting BasicAuth when basic-auth feature is disabled"); 843f16f6263SAlan Kuo return; 84425b54dbaSEd Tanous } 84525b54dbaSEd Tanous 846c1019828SEd Tanous authMethodsConfig.basic = *auth.basicAuth; 84778158631SZbigniew Kurzynski } 84878158631SZbigniew Kurzynski 849c1019828SEd Tanous if (auth.cookie) 85078158631SZbigniew Kurzynski { 85125b54dbaSEd Tanous if constexpr (!BMCWEB_COOKIE_AUTH) 85225b54dbaSEd Tanous { 8530fda0f12SGeorge Liu messages::actionNotSupported( 8540fda0f12SGeorge Liu asyncResp->res, 8550fda0f12SGeorge Liu "Setting Cookie when cookie-auth feature is disabled"); 856f16f6263SAlan Kuo return; 85725b54dbaSEd Tanous } 858c1019828SEd Tanous authMethodsConfig.cookie = *auth.cookie; 85978158631SZbigniew Kurzynski } 86078158631SZbigniew Kurzynski 861c1019828SEd Tanous if (auth.sessionToken) 86278158631SZbigniew Kurzynski { 86325b54dbaSEd Tanous if constexpr (!BMCWEB_SESSION_AUTH) 86425b54dbaSEd Tanous { 865f16f6263SAlan Kuo messages::actionNotSupported( 8660fda0f12SGeorge Liu asyncResp->res, 8670fda0f12SGeorge Liu "Setting SessionToken when session-auth feature is disabled"); 868f16f6263SAlan Kuo return; 86925b54dbaSEd Tanous } 870c1019828SEd Tanous authMethodsConfig.sessionToken = *auth.sessionToken; 87178158631SZbigniew Kurzynski } 87278158631SZbigniew Kurzynski 873c1019828SEd Tanous if (auth.xToken) 87478158631SZbigniew Kurzynski { 87525b54dbaSEd Tanous if constexpr (!BMCWEB_XTOKEN_AUTH) 87625b54dbaSEd Tanous { 8770fda0f12SGeorge Liu messages::actionNotSupported( 8780fda0f12SGeorge Liu asyncResp->res, 8790fda0f12SGeorge Liu "Setting XToken when xtoken-auth feature is disabled"); 880f16f6263SAlan Kuo return; 88125b54dbaSEd Tanous } 882c1019828SEd Tanous authMethodsConfig.xtoken = *auth.xToken; 88378158631SZbigniew Kurzynski } 88478158631SZbigniew Kurzynski 885c1019828SEd Tanous if (auth.tls) 886501f1e58SZbigniew Kurzynski { 88725b54dbaSEd Tanous if constexpr (!BMCWEB_MUTUAL_TLS_AUTH) 88825b54dbaSEd Tanous { 8890fda0f12SGeorge Liu messages::actionNotSupported( 8900fda0f12SGeorge Liu asyncResp->res, 8910fda0f12SGeorge Liu "Setting TLS when mutual-tls-auth feature is disabled"); 892f16f6263SAlan Kuo return; 89325b54dbaSEd Tanous } 894c1019828SEd Tanous authMethodsConfig.tls = *auth.tls; 895501f1e58SZbigniew Kurzynski } 896501f1e58SZbigniew Kurzynski 89778158631SZbigniew Kurzynski if (!authMethodsConfig.basic && !authMethodsConfig.cookie && 898501f1e58SZbigniew Kurzynski !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken && 899501f1e58SZbigniew Kurzynski !authMethodsConfig.tls) 90078158631SZbigniew Kurzynski { 90178158631SZbigniew Kurzynski // Do not allow user to disable everything 90278158631SZbigniew Kurzynski messages::actionNotSupported(asyncResp->res, 90378158631SZbigniew Kurzynski "of disabling all available methods"); 90478158631SZbigniew Kurzynski return; 90578158631SZbigniew Kurzynski } 90678158631SZbigniew Kurzynski 90752cc112dSEd Tanous persistent_data::SessionStore::getInstance().updateAuthMethodsConfig( 90852cc112dSEd Tanous authMethodsConfig); 90978158631SZbigniew Kurzynski // Save configuration immediately 91052cc112dSEd Tanous persistent_data::getConfig().writeData(); 91178158631SZbigniew Kurzynski 91278158631SZbigniew Kurzynski messages::success(asyncResp->res); 91378158631SZbigniew Kurzynski } 91478158631SZbigniew Kurzynski 9158a07d286SRatan Gupta /** 9168a07d286SRatan Gupta * @brief Get the required values from the given JSON, validates the 9178a07d286SRatan Gupta * value and create the LDAP config object. 9188a07d286SRatan Gupta * @param input JSON data 9198a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 9208a07d286SRatan Gupta * @param serverType Type of LDAP server(openLDAP/ActiveDirectory) 9218a07d286SRatan Gupta */ 9228a07d286SRatan Gupta 92310cb44f3SEd Tanous struct LdapPatchParams 92410cb44f3SEd Tanous { 92510cb44f3SEd Tanous std::optional<std::string> authType; 92610cb44f3SEd Tanous std::optional<std::vector<std::string>> serviceAddressList; 92710cb44f3SEd Tanous std::optional<bool> serviceEnabled; 92810cb44f3SEd Tanous std::optional<std::vector<std::string>> baseDNList; 92910cb44f3SEd Tanous std::optional<std::string> userNameAttribute; 93010cb44f3SEd Tanous std::optional<std::string> groupsAttribute; 93110cb44f3SEd Tanous std::optional<std::string> userName; 93210cb44f3SEd Tanous std::optional<std::string> password; 93310cb44f3SEd Tanous std::optional< 93410cb44f3SEd Tanous std::vector<std::variant<nlohmann::json::object_t, std::nullptr_t>>> 93510cb44f3SEd Tanous remoteRoleMapData; 93610cb44f3SEd Tanous }; 93710cb44f3SEd Tanous 93810cb44f3SEd Tanous inline void handleLDAPPatch(LdapPatchParams&& input, 9398d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 9408a07d286SRatan Gupta const std::string& serverType) 9418a07d286SRatan Gupta { 942eb2bbe56SRatan Gupta std::string dbusObjectPath; 943eb2bbe56SRatan Gupta if (serverType == "ActiveDirectory") 944eb2bbe56SRatan Gupta { 9452c70f800SEd Tanous dbusObjectPath = adConfigObject; 946eb2bbe56SRatan Gupta } 947eb2bbe56SRatan Gupta else if (serverType == "LDAP") 948eb2bbe56SRatan Gupta { 94923a21a1cSEd Tanous dbusObjectPath = ldapConfigObjectName; 950eb2bbe56SRatan Gupta } 951cb13a392SEd Tanous else 952cb13a392SEd Tanous { 95310cb44f3SEd Tanous BMCWEB_LOG_ERROR("serverType wasn't AD or LDAP but was {}????", 95410cb44f3SEd Tanous serverType); 955cb13a392SEd Tanous return; 956cb13a392SEd Tanous } 957eb2bbe56SRatan Gupta 95810cb44f3SEd Tanous if (input.authType && *input.authType != "UsernameAndPassword") 9598a07d286SRatan Gupta { 96010cb44f3SEd Tanous messages::propertyValueNotInList(asyncResp->res, *input.authType, 961c1019828SEd Tanous "AuthenticationType"); 962c1019828SEd Tanous return; 9638a07d286SRatan Gupta } 964c1019828SEd Tanous 96510cb44f3SEd Tanous if (input.serviceAddressList) 9668a07d286SRatan Gupta { 96710cb44f3SEd Tanous if (input.serviceAddressList->empty()) 9688a07d286SRatan Gupta { 969e2616cc5SEd Tanous messages::propertyValueNotInList( 97010cb44f3SEd Tanous asyncResp->res, *input.serviceAddressList, "ServiceAddress"); 9718a07d286SRatan Gupta return; 9728a07d286SRatan Gupta } 9738a07d286SRatan Gupta } 97410cb44f3SEd Tanous if (input.baseDNList) 9758a07d286SRatan Gupta { 97610cb44f3SEd Tanous if (input.baseDNList->empty()) 9778a07d286SRatan Gupta { 97810cb44f3SEd Tanous messages::propertyValueNotInList(asyncResp->res, *input.baseDNList, 9798a07d286SRatan Gupta "BaseDistinguishedNames"); 9808a07d286SRatan Gupta return; 9818a07d286SRatan Gupta } 9828a07d286SRatan Gupta } 9838a07d286SRatan Gupta 9848a07d286SRatan Gupta // nothing to update, then return 98510cb44f3SEd Tanous if (!input.userName && !input.password && !input.serviceAddressList && 98610cb44f3SEd Tanous !input.baseDNList && !input.userNameAttribute && 98710cb44f3SEd Tanous !input.groupsAttribute && !input.serviceEnabled && 98810cb44f3SEd Tanous !input.remoteRoleMapData) 9898a07d286SRatan Gupta { 9908a07d286SRatan Gupta return; 9918a07d286SRatan Gupta } 9928a07d286SRatan Gupta 9938a07d286SRatan Gupta // Get the existing resource first then keep modifying 9948a07d286SRatan Gupta // whenever any property gets updated. 99510cb44f3SEd Tanous getLDAPConfigData(serverType, 99610cb44f3SEd Tanous [asyncResp, input = std::move(input), 99710cb44f3SEd Tanous dbusObjectPath = std::move(dbusObjectPath)]( 99810cb44f3SEd Tanous bool success, const LDAPConfigData& confData, 999c1019828SEd Tanous const std::string& serverT) mutable { 10008a07d286SRatan Gupta if (!success) 10018a07d286SRatan Gupta { 10028a07d286SRatan Gupta messages::internalError(asyncResp->res); 10038a07d286SRatan Gupta return; 10048a07d286SRatan Gupta } 10056c51eab1SEd Tanous parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT); 10068a07d286SRatan Gupta if (confData.serviceEnabled) 10078a07d286SRatan Gupta { 10088a07d286SRatan Gupta // Disable the service first and update the rest of 10098a07d286SRatan Gupta // the properties. 10106c51eab1SEd Tanous handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath); 10118a07d286SRatan Gupta } 10128a07d286SRatan Gupta 101310cb44f3SEd Tanous if (input.serviceAddressList) 10148a07d286SRatan Gupta { 101510cb44f3SEd Tanous handleServiceAddressPatch(*input.serviceAddressList, asyncResp, 101610cb44f3SEd Tanous serverT, dbusObjectPath); 101710cb44f3SEd Tanous } 101810cb44f3SEd Tanous if (input.userName) 101910cb44f3SEd Tanous { 102010cb44f3SEd Tanous handleUserNamePatch(*input.userName, asyncResp, serverT, 10216c51eab1SEd Tanous dbusObjectPath); 10228a07d286SRatan Gupta } 102310cb44f3SEd Tanous if (input.password) 10248a07d286SRatan Gupta { 102510cb44f3SEd Tanous handlePasswordPatch(*input.password, asyncResp, serverT, 102610cb44f3SEd Tanous dbusObjectPath); 10278a07d286SRatan Gupta } 10288a07d286SRatan Gupta 102910cb44f3SEd Tanous if (input.baseDNList) 10308a07d286SRatan Gupta { 103110cb44f3SEd Tanous handleBaseDNPatch(*input.baseDNList, asyncResp, serverT, 10326c51eab1SEd Tanous dbusObjectPath); 10338a07d286SRatan Gupta } 103410cb44f3SEd Tanous if (input.userNameAttribute) 10358a07d286SRatan Gupta { 103610cb44f3SEd Tanous handleUserNameAttrPatch(*input.userNameAttribute, asyncResp, 103710cb44f3SEd Tanous serverT, dbusObjectPath); 103810cb44f3SEd Tanous } 103910cb44f3SEd Tanous if (input.groupsAttribute) 104010cb44f3SEd Tanous { 104110cb44f3SEd Tanous handleGroupNameAttrPatch(*input.groupsAttribute, asyncResp, serverT, 10426c51eab1SEd Tanous dbusObjectPath); 10438a07d286SRatan Gupta } 104410cb44f3SEd Tanous if (input.serviceEnabled) 10458a07d286SRatan Gupta { 10468a07d286SRatan Gupta // if user has given the value as true then enable 10478a07d286SRatan Gupta // the service. if user has given false then no-op 10488a07d286SRatan Gupta // as service is already stopped. 104910cb44f3SEd Tanous if (*input.serviceEnabled) 10508a07d286SRatan Gupta { 105110cb44f3SEd Tanous handleServiceEnablePatch(*input.serviceEnabled, asyncResp, 105210cb44f3SEd Tanous serverT, dbusObjectPath); 10538a07d286SRatan Gupta } 10548a07d286SRatan Gupta } 10558a07d286SRatan Gupta else 10568a07d286SRatan Gupta { 10578a07d286SRatan Gupta // if user has not given the service enabled value 10588a07d286SRatan Gupta // then revert it to the same state as it was 10598a07d286SRatan Gupta // before. 10608a07d286SRatan Gupta handleServiceEnablePatch(confData.serviceEnabled, asyncResp, 106123a21a1cSEd Tanous serverT, dbusObjectPath); 10628a07d286SRatan Gupta } 106306785244SRatan Gupta 106410cb44f3SEd Tanous if (input.remoteRoleMapData) 106506785244SRatan Gupta { 10666c51eab1SEd Tanous handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT, 106710cb44f3SEd Tanous *input.remoteRoleMapData); 106806785244SRatan Gupta } 10698a07d286SRatan Gupta }); 10708a07d286SRatan Gupta } 1071d4b5443fSEd Tanous 107258345856SAbhishek Patel inline void updateUserProperties( 107358345856SAbhishek Patel std::shared_ptr<bmcweb::AsyncResp> asyncResp, const std::string& username, 1074618c14b4SEd Tanous const std::optional<std::string>& password, 1075618c14b4SEd Tanous const std::optional<bool>& enabled, 107658345856SAbhishek Patel const std::optional<std::string>& roleId, const std::optional<bool>& locked, 1077e518ef32SRavi Teja std::optional<std::vector<std::string>> accountTypes, bool userSelf, 1078e518ef32SRavi Teja const std::shared_ptr<persistent_data::UserSession>& session) 10791abe55efSEd Tanous { 1080b477fd44SP Dheeraj Srujan Kumar sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 1081b477fd44SP Dheeraj Srujan Kumar tempObjPath /= username; 1082b477fd44SP Dheeraj Srujan Kumar std::string dbusObjectPath(tempObjPath); 10836c51eab1SEd Tanous 10846c51eab1SEd Tanous dbus::utility::checkDbusPathExists( 1085e518ef32SRavi Teja dbusObjectPath, 1086e518ef32SRavi Teja [dbusObjectPath, username, password, roleId, enabled, locked, 1087e518ef32SRavi Teja accountTypes(std::move(accountTypes)), userSelf, session, 1088e518ef32SRavi Teja asyncResp{std::move(asyncResp)}](int rc) { 1089e662eae8SEd Tanous if (rc <= 0) 10906c51eab1SEd Tanous { 1091d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", 10926c51eab1SEd Tanous username); 10936c51eab1SEd Tanous return; 10946c51eab1SEd Tanous } 10956c51eab1SEd Tanous 10966c51eab1SEd Tanous if (password) 10976c51eab1SEd Tanous { 10986c51eab1SEd Tanous int retval = pamUpdatePassword(username, *password); 10996c51eab1SEd Tanous 11006c51eab1SEd Tanous if (retval == PAM_USER_UNKNOWN) 11016c51eab1SEd Tanous { 1102d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", 11036c51eab1SEd Tanous username); 11046c51eab1SEd Tanous } 11056c51eab1SEd Tanous else if (retval == PAM_AUTHTOK_ERR) 11066c51eab1SEd Tanous { 11076c51eab1SEd Tanous // If password is invalid 11089bd80831SJason M. Bills messages::propertyValueFormatError(asyncResp->res, nullptr, 11099bd80831SJason M. Bills "Password"); 111062598e31SEd Tanous BMCWEB_LOG_ERROR("pamUpdatePassword Failed"); 11116c51eab1SEd Tanous } 11126c51eab1SEd Tanous else if (retval != PAM_SUCCESS) 11136c51eab1SEd Tanous { 11146c51eab1SEd Tanous messages::internalError(asyncResp->res); 11156c51eab1SEd Tanous return; 11166c51eab1SEd Tanous } 1117e7b1b62bSEd Tanous else 1118e7b1b62bSEd Tanous { 1119e518ef32SRavi Teja // Remove existing sessions of the user when password changed 1120e518ef32SRavi Teja persistent_data::SessionStore::getInstance() 1121e518ef32SRavi Teja .removeSessionsByUsernameExceptSession(username, session); 1122e7b1b62bSEd Tanous messages::success(asyncResp->res); 1123e7b1b62bSEd Tanous } 11246c51eab1SEd Tanous } 11256c51eab1SEd Tanous 11266c51eab1SEd Tanous if (enabled) 11276c51eab1SEd Tanous { 1128e93abac6SGinu George setDbusProperty(asyncResp, "Enabled", 1129e93abac6SGinu George "xyz.openbmc_project.User.Manager", dbusObjectPath, 1130d02aad39SEd Tanous "xyz.openbmc_project.User.Attributes", 1131e93abac6SGinu George "UserEnabled", *enabled); 11326c51eab1SEd Tanous } 11336c51eab1SEd Tanous 11346c51eab1SEd Tanous if (roleId) 11356c51eab1SEd Tanous { 11366c51eab1SEd Tanous std::string priv = getPrivilegeFromRoleId(*roleId); 11376c51eab1SEd Tanous if (priv.empty()) 11386c51eab1SEd Tanous { 1139e2616cc5SEd Tanous messages::propertyValueNotInList(asyncResp->res, true, 1140e2616cc5SEd Tanous "Locked"); 11416c51eab1SEd Tanous return; 11426c51eab1SEd Tanous } 1143e93abac6SGinu George setDbusProperty(asyncResp, "RoleId", 1144e93abac6SGinu George "xyz.openbmc_project.User.Manager", dbusObjectPath, 1145d02aad39SEd Tanous "xyz.openbmc_project.User.Attributes", 1146e93abac6SGinu George "UserPrivilege", priv); 11476c51eab1SEd Tanous } 11486c51eab1SEd Tanous 11496c51eab1SEd Tanous if (locked) 11506c51eab1SEd Tanous { 11516c51eab1SEd Tanous // admin can unlock the account which is locked by 11526c51eab1SEd Tanous // successive authentication failures but admin should 11536c51eab1SEd Tanous // not be allowed to lock an account. 11546c51eab1SEd Tanous if (*locked) 11556c51eab1SEd Tanous { 11566c51eab1SEd Tanous messages::propertyValueNotInList(asyncResp->res, "true", 11576c51eab1SEd Tanous "Locked"); 11586c51eab1SEd Tanous return; 11596c51eab1SEd Tanous } 1160e93abac6SGinu George setDbusProperty(asyncResp, "Locked", 1161e93abac6SGinu George "xyz.openbmc_project.User.Manager", dbusObjectPath, 11629ae226faSGeorge Liu "xyz.openbmc_project.User.Attributes", 1163e93abac6SGinu George "UserLockedForFailedAttempt", *locked); 11646c51eab1SEd Tanous } 116558345856SAbhishek Patel 116658345856SAbhishek Patel if (accountTypes) 116758345856SAbhishek Patel { 116858345856SAbhishek Patel patchAccountTypes(*accountTypes, asyncResp, dbusObjectPath, 116958345856SAbhishek Patel userSelf); 117058345856SAbhishek Patel } 11716c51eab1SEd Tanous }); 11726c51eab1SEd Tanous } 11736c51eab1SEd Tanous 11744c7d4d33SEd Tanous inline void handleAccountServiceHead( 11754c7d4d33SEd Tanous App& app, const crow::Request& req, 11761ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 11776c51eab1SEd Tanous { 11783ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 117945ca1b86SEd Tanous { 118045ca1b86SEd Tanous return; 118145ca1b86SEd Tanous } 11824c7d4d33SEd Tanous asyncResp->res.addHeader( 11834c7d4d33SEd Tanous boost::beast::http::field::link, 11844c7d4d33SEd Tanous "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby"); 11854c7d4d33SEd Tanous } 11864c7d4d33SEd Tanous 11874c7d4d33SEd Tanous inline void 11881aa375b8SEd Tanous getClientCertificates(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 11891aa375b8SEd Tanous const nlohmann::json::json_pointer& keyLocation) 11901aa375b8SEd Tanous { 11911aa375b8SEd Tanous boost::urls::url url( 11921aa375b8SEd Tanous "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates"); 11931aa375b8SEd Tanous std::array<std::string_view, 1> interfaces = { 11941aa375b8SEd Tanous "xyz.openbmc_project.Certs.Certificate"}; 11951aa375b8SEd Tanous std::string path = "/xyz/openbmc_project/certs/authority/truststore"; 11961aa375b8SEd Tanous 11971aa375b8SEd Tanous collection_util::getCollectionToKey(asyncResp, url, interfaces, path, 11981aa375b8SEd Tanous keyLocation); 11991aa375b8SEd Tanous } 12001aa375b8SEd Tanous 12011aa375b8SEd Tanous inline void handleAccountServiceClientCertificatesInstanceHead( 12021aa375b8SEd Tanous App& app, const crow::Request& req, 12031aa375b8SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 12041aa375b8SEd Tanous const std::string& /*id*/) 12051aa375b8SEd Tanous { 12061aa375b8SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 12071aa375b8SEd Tanous { 12081aa375b8SEd Tanous return; 12091aa375b8SEd Tanous } 12101aa375b8SEd Tanous 12111aa375b8SEd Tanous asyncResp->res.addHeader( 12121aa375b8SEd Tanous boost::beast::http::field::link, 12131aa375b8SEd Tanous "</redfish/v1/JsonSchemas/Certificate/Certificate.json>; rel=describedby"); 12141aa375b8SEd Tanous } 12151aa375b8SEd Tanous 12161aa375b8SEd Tanous inline void handleAccountServiceClientCertificatesInstanceGet( 12171aa375b8SEd Tanous App& app, const crow::Request& req, 12181aa375b8SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, const std::string& id) 12191aa375b8SEd Tanous { 12201aa375b8SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 12211aa375b8SEd Tanous { 12221aa375b8SEd Tanous return; 12231aa375b8SEd Tanous } 12241aa375b8SEd Tanous BMCWEB_LOG_DEBUG("ClientCertificate Certificate ID={}", id); 12251aa375b8SEd Tanous const boost::urls::url certURL = boost::urls::format( 12261aa375b8SEd Tanous "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/{}", 12271aa375b8SEd Tanous id); 12281aa375b8SEd Tanous std::string objPath = 12291aa375b8SEd Tanous sdbusplus::message::object_path(certs::authorityObjectPath) / id; 12301aa375b8SEd Tanous getCertificateProperties( 12311aa375b8SEd Tanous asyncResp, objPath, 12321aa375b8SEd Tanous "xyz.openbmc_project.Certs.Manager.Authority.Truststore", id, certURL, 12331aa375b8SEd Tanous "Client Certificate"); 12341aa375b8SEd Tanous } 12351aa375b8SEd Tanous 12361aa375b8SEd Tanous inline void handleAccountServiceClientCertificatesHead( 12371aa375b8SEd Tanous App& app, const crow::Request& req, 12381aa375b8SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 12391aa375b8SEd Tanous { 12401aa375b8SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 12411aa375b8SEd Tanous { 12421aa375b8SEd Tanous return; 12431aa375b8SEd Tanous } 12441aa375b8SEd Tanous 12451aa375b8SEd Tanous asyncResp->res.addHeader( 12461aa375b8SEd Tanous boost::beast::http::field::link, 12471aa375b8SEd Tanous "</redfish/v1/JsonSchemas/CertificateCollection/CertificateCollection.json>; rel=describedby"); 12481aa375b8SEd Tanous } 12491aa375b8SEd Tanous 12501aa375b8SEd Tanous inline void handleAccountServiceClientCertificatesGet( 12511aa375b8SEd Tanous App& app, const crow::Request& req, 12521aa375b8SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 12531aa375b8SEd Tanous { 12541aa375b8SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 12551aa375b8SEd Tanous { 12561aa375b8SEd Tanous return; 12571aa375b8SEd Tanous } 12581aa375b8SEd Tanous getClientCertificates(asyncResp, "/Members"_json_pointer); 12591aa375b8SEd Tanous } 12601aa375b8SEd Tanous 12613ce3688aSEd Tanous using account_service::CertificateMappingAttribute; 12623ce3688aSEd Tanous using persistent_data::MTLSCommonNameParseMode; 12633ce3688aSEd Tanous inline CertificateMappingAttribute 12643ce3688aSEd Tanous getCertificateMapping(MTLSCommonNameParseMode parse) 12653ce3688aSEd Tanous { 12663ce3688aSEd Tanous switch (parse) 12673ce3688aSEd Tanous { 12683ce3688aSEd Tanous case MTLSCommonNameParseMode::CommonName: 12693ce3688aSEd Tanous { 12703ce3688aSEd Tanous return CertificateMappingAttribute::CommonName; 12713ce3688aSEd Tanous } 12723ce3688aSEd Tanous break; 12733ce3688aSEd Tanous case MTLSCommonNameParseMode::Whole: 12743ce3688aSEd Tanous { 12753ce3688aSEd Tanous return CertificateMappingAttribute::Whole; 12763ce3688aSEd Tanous } 12773ce3688aSEd Tanous break; 12783ce3688aSEd Tanous case MTLSCommonNameParseMode::UserPrincipalName: 12793ce3688aSEd Tanous { 12803ce3688aSEd Tanous return CertificateMappingAttribute::UserPrincipalName; 12813ce3688aSEd Tanous } 12823ce3688aSEd Tanous break; 12833ce3688aSEd Tanous 12843ce3688aSEd Tanous case MTLSCommonNameParseMode::Meta: 12853ce3688aSEd Tanous { 12863ce3688aSEd Tanous if constexpr (BMCWEB_META_TLS_COMMON_NAME_PARSING) 12873ce3688aSEd Tanous { 12883ce3688aSEd Tanous return CertificateMappingAttribute::CommonName; 12893ce3688aSEd Tanous } 12903ce3688aSEd Tanous } 12913ce3688aSEd Tanous break; 12923ce3688aSEd Tanous default: 12933ce3688aSEd Tanous { 12943ce3688aSEd Tanous return CertificateMappingAttribute::Invalid; 12953ce3688aSEd Tanous } 12963ce3688aSEd Tanous break; 12973ce3688aSEd Tanous } 12983ce3688aSEd Tanous } 12993ce3688aSEd Tanous 13001aa375b8SEd Tanous inline void 13014c7d4d33SEd Tanous handleAccountServiceGet(App& app, const crow::Request& req, 13024c7d4d33SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 13034c7d4d33SEd Tanous { 1304afd369c6SJiaqing Zhao if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1305afd369c6SJiaqing Zhao { 1306afd369c6SJiaqing Zhao return; 1307afd369c6SJiaqing Zhao } 13083e72c202SNinad Palsule 13093e72c202SNinad Palsule if (req.session == nullptr) 13103e72c202SNinad Palsule { 13113e72c202SNinad Palsule messages::internalError(asyncResp->res); 13123e72c202SNinad Palsule return; 13133e72c202SNinad Palsule } 13143e72c202SNinad Palsule 1315c1019828SEd Tanous const persistent_data::AuthConfigMethods& authMethodsConfig = 1316c1019828SEd Tanous persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 1317c1019828SEd Tanous 1318afd369c6SJiaqing Zhao asyncResp->res.addHeader( 1319afd369c6SJiaqing Zhao boost::beast::http::field::link, 1320afd369c6SJiaqing Zhao "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby"); 1321afd369c6SJiaqing Zhao 13221476687dSEd Tanous nlohmann::json& json = asyncResp->res.jsonValue; 13231476687dSEd Tanous json["@odata.id"] = "/redfish/v1/AccountService"; 1324482a69e7SRavi Teja json["@odata.type"] = "#AccountService.v1_15_0.AccountService"; 13251476687dSEd Tanous json["Id"] = "AccountService"; 13261476687dSEd Tanous json["Name"] = "Account Service"; 13271476687dSEd Tanous json["Description"] = "Account Service"; 13281476687dSEd Tanous json["ServiceEnabled"] = true; 13291476687dSEd Tanous json["MaxPasswordLength"] = 20; 13301ef4c342SEd Tanous json["Accounts"]["@odata.id"] = "/redfish/v1/AccountService/Accounts"; 13311476687dSEd Tanous json["Roles"]["@odata.id"] = "/redfish/v1/AccountService/Roles"; 1332482a69e7SRavi Teja json["HTTPBasicAuth"] = authMethodsConfig.basic 1333482a69e7SRavi Teja ? account_service::BasicAuthState::Enabled 1334482a69e7SRavi Teja : account_service::BasicAuthState::Disabled; 1335482a69e7SRavi Teja 1336482a69e7SRavi Teja nlohmann::json::array_t allowed; 1337482a69e7SRavi Teja allowed.emplace_back(account_service::BasicAuthState::Enabled); 1338482a69e7SRavi Teja allowed.emplace_back(account_service::BasicAuthState::Disabled); 1339482a69e7SRavi Teja json["HTTPBasicAuth@AllowableValues"] = std::move(allowed); 1340482a69e7SRavi Teja 13411aa375b8SEd Tanous nlohmann::json::object_t clientCertificate; 13421aa375b8SEd Tanous clientCertificate["Enabled"] = authMethodsConfig.tls; 1343*3281bcf1SEd Tanous clientCertificate["RespondToUnauthenticatedClients"] = 1344*3281bcf1SEd Tanous !authMethodsConfig.tlsStrict; 13453ce3688aSEd Tanous 13463ce3688aSEd Tanous using account_service::CertificateMappingAttribute; 13473ce3688aSEd Tanous 13483ce3688aSEd Tanous CertificateMappingAttribute mapping = 13493ce3688aSEd Tanous getCertificateMapping(authMethodsConfig.mTLSCommonNameParsingMode); 13503ce3688aSEd Tanous if (mapping == CertificateMappingAttribute::Invalid) 13513ce3688aSEd Tanous { 13523ce3688aSEd Tanous messages::internalError(asyncResp->res); 13533ce3688aSEd Tanous } 13543ce3688aSEd Tanous else 13553ce3688aSEd Tanous { 13563ce3688aSEd Tanous clientCertificate["CertificateMappingAttribute"] = mapping; 13573ce3688aSEd Tanous } 13581aa375b8SEd Tanous nlohmann::json::object_t certificates; 13591aa375b8SEd Tanous certificates["@odata.id"] = 13601aa375b8SEd Tanous "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates"; 13611aa375b8SEd Tanous certificates["@odata.type"] = 13621aa375b8SEd Tanous "#CertificateCollection.CertificateCollection"; 13631aa375b8SEd Tanous clientCertificate["Certificates"] = std::move(certificates); 13641aa375b8SEd Tanous json["MultiFactorAuth"]["ClientCertificate"] = std::move(clientCertificate); 13651aa375b8SEd Tanous 13661aa375b8SEd Tanous getClientCertificates( 13671aa375b8SEd Tanous asyncResp, 13681aa375b8SEd Tanous "/MultiFactorAuth/ClientCertificate/Certificates/Members"_json_pointer); 13691aa375b8SEd Tanous 13701476687dSEd Tanous json["Oem"]["OpenBMC"]["@odata.type"] = 13715b5574acSEd Tanous "#OpenBMCAccountService.v1_0_0.AccountService"; 13721476687dSEd Tanous json["Oem"]["OpenBMC"]["@odata.id"] = 13731476687dSEd Tanous "/redfish/v1/AccountService#/Oem/OpenBMC"; 13741476687dSEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["BasicAuth"] = 13751476687dSEd Tanous authMethodsConfig.basic; 13761476687dSEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["SessionToken"] = 13771476687dSEd Tanous authMethodsConfig.sessionToken; 13781ef4c342SEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["XToken"] = authMethodsConfig.xtoken; 13791ef4c342SEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["Cookie"] = authMethodsConfig.cookie; 13801ef4c342SEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["TLS"] = authMethodsConfig.tls; 13811476687dSEd Tanous 13821ef4c342SEd Tanous // /redfish/v1/AccountService/LDAP/Certificates is something only 13831ef4c342SEd Tanous // ConfigureManager can access then only display when the user has 13841ef4c342SEd Tanous // permissions ConfigureManager 138572048780SAbhishek Patel Privileges effectiveUserPrivileges = 13863e72c202SNinad Palsule redfish::getUserPrivileges(*req.session); 138772048780SAbhishek Patel 138872048780SAbhishek Patel if (isOperationAllowedWithPrivileges({{"ConfigureManager"}}, 138972048780SAbhishek Patel effectiveUserPrivileges)) 139072048780SAbhishek Patel { 13911ef4c342SEd Tanous asyncResp->res.jsonValue["LDAP"]["Certificates"]["@odata.id"] = 13921476687dSEd Tanous "/redfish/v1/AccountService/LDAP/Certificates"; 139372048780SAbhishek Patel } 1394d1bde9e5SKrzysztof Grobelny sdbusplus::asio::getAllProperties( 1395d1bde9e5SKrzysztof Grobelny *crow::connections::systemBus, "xyz.openbmc_project.User.Manager", 1396d1bde9e5SKrzysztof Grobelny "/xyz/openbmc_project/user", "xyz.openbmc_project.User.AccountPolicy", 13975e7e2dc5SEd Tanous [asyncResp](const boost::system::error_code& ec, 13981ef4c342SEd Tanous const dbus::utility::DBusPropertiesMap& propertiesList) { 13993d958bbcSAppaRao Puli if (ec) 14003d958bbcSAppaRao Puli { 14013d958bbcSAppaRao Puli messages::internalError(asyncResp->res); 14023d958bbcSAppaRao Puli return; 14033d958bbcSAppaRao Puli } 1404d1bde9e5SKrzysztof Grobelny 140562598e31SEd Tanous BMCWEB_LOG_DEBUG("Got {} properties for AccountService", 140662598e31SEd Tanous propertiesList.size()); 1407d1bde9e5SKrzysztof Grobelny 1408d1bde9e5SKrzysztof Grobelny const uint8_t* minPasswordLength = nullptr; 1409d1bde9e5SKrzysztof Grobelny const uint32_t* accountUnlockTimeout = nullptr; 1410d1bde9e5SKrzysztof Grobelny const uint16_t* maxLoginAttemptBeforeLockout = nullptr; 1411d1bde9e5SKrzysztof Grobelny 1412d1bde9e5SKrzysztof Grobelny const bool success = sdbusplus::unpackPropertiesNoThrow( 1413d1bde9e5SKrzysztof Grobelny dbus_utils::UnpackErrorPrinter(), propertiesList, 1414d1bde9e5SKrzysztof Grobelny "MinPasswordLength", minPasswordLength, "AccountUnlockTimeout", 1415d1bde9e5SKrzysztof Grobelny accountUnlockTimeout, "MaxLoginAttemptBeforeLockout", 1416d1bde9e5SKrzysztof Grobelny maxLoginAttemptBeforeLockout); 1417d1bde9e5SKrzysztof Grobelny 1418d1bde9e5SKrzysztof Grobelny if (!success) 14193d958bbcSAppaRao Puli { 1420d1bde9e5SKrzysztof Grobelny messages::internalError(asyncResp->res); 1421d1bde9e5SKrzysztof Grobelny return; 14223d958bbcSAppaRao Puli } 1423d1bde9e5SKrzysztof Grobelny 1424d1bde9e5SKrzysztof Grobelny if (minPasswordLength != nullptr) 14253d958bbcSAppaRao Puli { 1426d1bde9e5SKrzysztof Grobelny asyncResp->res.jsonValue["MinPasswordLength"] = *minPasswordLength; 14273d958bbcSAppaRao Puli } 1428d1bde9e5SKrzysztof Grobelny 1429d1bde9e5SKrzysztof Grobelny if (accountUnlockTimeout != nullptr) 14303d958bbcSAppaRao Puli { 1431d1bde9e5SKrzysztof Grobelny asyncResp->res.jsonValue["AccountLockoutDuration"] = 1432d1bde9e5SKrzysztof Grobelny *accountUnlockTimeout; 1433d1bde9e5SKrzysztof Grobelny } 1434d1bde9e5SKrzysztof Grobelny 1435d1bde9e5SKrzysztof Grobelny if (maxLoginAttemptBeforeLockout != nullptr) 14363d958bbcSAppaRao Puli { 1437002d39b4SEd Tanous asyncResp->res.jsonValue["AccountLockoutThreshold"] = 1438d1bde9e5SKrzysztof Grobelny *maxLoginAttemptBeforeLockout; 14393d958bbcSAppaRao Puli } 1440d1bde9e5SKrzysztof Grobelny }); 14416973a582SRatan Gupta 144202cad96eSEd Tanous auto callback = [asyncResp](bool success, const LDAPConfigData& confData, 1443ab828d7cSRatan Gupta const std::string& ldapType) { 1444cb13a392SEd Tanous if (!success) 1445cb13a392SEd Tanous { 1446cb13a392SEd Tanous return; 1447cb13a392SEd Tanous } 1448002d39b4SEd Tanous parseLDAPConfigData(asyncResp->res.jsonValue, confData, ldapType); 1449ab828d7cSRatan Gupta }; 1450ab828d7cSRatan Gupta 1451ab828d7cSRatan Gupta getLDAPConfigData("LDAP", callback); 1452ab828d7cSRatan Gupta getLDAPConfigData("ActiveDirectory", callback); 14531ef4c342SEd Tanous } 14546973a582SRatan Gupta 14553ce3688aSEd Tanous inline void 14563ce3688aSEd Tanous handleCertificateMappingAttributePatch(crow::Response& res, 14573ce3688aSEd Tanous const std::string& certMapAttribute) 14583ce3688aSEd Tanous { 14593ce3688aSEd Tanous MTLSCommonNameParseMode parseMode = 14603ce3688aSEd Tanous persistent_data::getMTLSCommonNameParseMode(certMapAttribute); 14613ce3688aSEd Tanous if (parseMode == MTLSCommonNameParseMode::Invalid) 14623ce3688aSEd Tanous { 14633ce3688aSEd Tanous messages::propertyValueNotInList(res, "CertificateMappingAttribute", 14643ce3688aSEd Tanous certMapAttribute); 14653ce3688aSEd Tanous return; 14663ce3688aSEd Tanous } 14673ce3688aSEd Tanous 14683ce3688aSEd Tanous persistent_data::AuthConfigMethods& authMethodsConfig = 14693ce3688aSEd Tanous persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 14703ce3688aSEd Tanous authMethodsConfig.mTLSCommonNameParsingMode = parseMode; 14713ce3688aSEd Tanous } 14723ce3688aSEd Tanous 1473*3281bcf1SEd Tanous inline void handleRespondToUnauthenticatedClientsPatch( 1474*3281bcf1SEd Tanous App& app, const crow::Request& req, crow::Response& res, 1475*3281bcf1SEd Tanous bool respondToUnauthenticatedClients) 1476*3281bcf1SEd Tanous { 1477*3281bcf1SEd Tanous if (req.session != nullptr) 1478*3281bcf1SEd Tanous { 1479*3281bcf1SEd Tanous // Sanity check. If the user isn't currently authenticated with mutual 1480*3281bcf1SEd Tanous // TLS, they very likely are about to permanently lock themselves out. 1481*3281bcf1SEd Tanous // Make sure they're using mutual TLS before allowing locking. 1482*3281bcf1SEd Tanous if (req.session->sessionType != persistent_data::SessionType::MutualTLS) 1483*3281bcf1SEd Tanous { 1484*3281bcf1SEd Tanous messages::propertyValueExternalConflict( 1485*3281bcf1SEd Tanous res, 1486*3281bcf1SEd Tanous "MultiFactorAuth/ClientCertificate/RespondToUnauthenticatedClients", 1487*3281bcf1SEd Tanous respondToUnauthenticatedClients); 1488*3281bcf1SEd Tanous return; 1489*3281bcf1SEd Tanous } 1490*3281bcf1SEd Tanous } 1491*3281bcf1SEd Tanous 1492*3281bcf1SEd Tanous persistent_data::AuthConfigMethods& authMethodsConfig = 1493*3281bcf1SEd Tanous persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 1494*3281bcf1SEd Tanous 1495*3281bcf1SEd Tanous // Change the settings 1496*3281bcf1SEd Tanous authMethodsConfig.tlsStrict = !respondToUnauthenticatedClients; 1497*3281bcf1SEd Tanous 1498*3281bcf1SEd Tanous // Write settings to disk 1499*3281bcf1SEd Tanous persistent_data::getConfig().writeData(); 1500*3281bcf1SEd Tanous 1501*3281bcf1SEd Tanous // Trigger a reload, to apply the new settings to new connections 1502*3281bcf1SEd Tanous app.loadCertificate(); 1503*3281bcf1SEd Tanous } 1504*3281bcf1SEd Tanous 15051ef4c342SEd Tanous inline void handleAccountServicePatch( 15061ef4c342SEd Tanous App& app, const crow::Request& req, 15071ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 15081ef4c342SEd Tanous { 15093ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 151045ca1b86SEd Tanous { 151145ca1b86SEd Tanous return; 151245ca1b86SEd Tanous } 1513f5ffd806SEd Tanous std::optional<uint32_t> unlockTimeout; 1514f5ffd806SEd Tanous std::optional<uint16_t> lockoutThreshold; 1515ef73ad0dSPaul Fertser std::optional<uint8_t> minPasswordLength; 1516f5ffd806SEd Tanous std::optional<uint16_t> maxPasswordLength; 151710cb44f3SEd Tanous LdapPatchParams ldapObject; 15183ce3688aSEd Tanous std::optional<std::string> certificateMappingAttribute; 1519*3281bcf1SEd Tanous std::optional<bool> respondToUnauthenticatedClients; 152010cb44f3SEd Tanous LdapPatchParams activeDirectoryObject; 1521c1019828SEd Tanous AuthMethods auth; 1522482a69e7SRavi Teja std::optional<std::string> httpBasicAuth; 15233ce3688aSEd Tanous 1524c1019828SEd Tanous // clang-format off 152515ed6780SWilly Tu if (!json_util::readJsonPatch( 1526c1019828SEd Tanous req, asyncResp->res, 1527c1019828SEd Tanous "AccountLockoutDuration", unlockTimeout, 1528c1019828SEd Tanous "AccountLockoutThreshold", lockoutThreshold, 152910cb44f3SEd Tanous "ActiveDirectory/Authentication/AuthenticationType", activeDirectoryObject.authType, 153010cb44f3SEd Tanous "ActiveDirectory/Authentication/Password", activeDirectoryObject.password, 153110cb44f3SEd Tanous "ActiveDirectory/Authentication/Username", activeDirectoryObject.userName, 153210cb44f3SEd Tanous "ActiveDirectory/LDAPService/SearchSettings/BaseDistinguishedNames", activeDirectoryObject.baseDNList, 153310cb44f3SEd Tanous "ActiveDirectory/LDAPService/SearchSettings/GroupsAttribute", activeDirectoryObject.groupsAttribute, 153410cb44f3SEd Tanous "ActiveDirectory/LDAPService/SearchSettings/UsernameAttribute", activeDirectoryObject.userNameAttribute, 153510cb44f3SEd Tanous "ActiveDirectory/RemoteRoleMapping", activeDirectoryObject.remoteRoleMapData, 153610cb44f3SEd Tanous "ActiveDirectory/ServiceAddresses", activeDirectoryObject.serviceAddressList, 153710cb44f3SEd Tanous "ActiveDirectory/ServiceEnabled", activeDirectoryObject.serviceEnabled, 15383ce3688aSEd Tanous "MultiFactorAuth/ClientCertificate/CertificateMappingAttribute", certificateMappingAttribute, 1539*3281bcf1SEd Tanous "MultiFactorAuth/ClientCertificate/RespondToUnauthenticatedClients", respondToUnauthenticatedClients, 154010cb44f3SEd Tanous "LDAP/Authentication/AuthenticationType", ldapObject.authType, 154110cb44f3SEd Tanous "LDAP/Authentication/Password", ldapObject.password, 154210cb44f3SEd Tanous "LDAP/Authentication/Username", ldapObject.userName, 154310cb44f3SEd Tanous "LDAP/LDAPService/SearchSettings/BaseDistinguishedNames", ldapObject.baseDNList, 154410cb44f3SEd Tanous "LDAP/LDAPService/SearchSettings/GroupsAttribute", ldapObject.groupsAttribute, 154510cb44f3SEd Tanous "LDAP/LDAPService/SearchSettings/UsernameAttribute", ldapObject.userNameAttribute, 154610cb44f3SEd Tanous "LDAP/RemoteRoleMapping", ldapObject.remoteRoleMapData, 154710cb44f3SEd Tanous "LDAP/ServiceAddresses", ldapObject.serviceAddressList, 154810cb44f3SEd Tanous "LDAP/ServiceEnabled", ldapObject.serviceEnabled, 1549c1019828SEd Tanous "MaxPasswordLength", maxPasswordLength, 1550c1019828SEd Tanous "MinPasswordLength", minPasswordLength, 1551c1019828SEd Tanous "Oem/OpenBMC/AuthMethods/BasicAuth", auth.basicAuth, 1552c1019828SEd Tanous "Oem/OpenBMC/AuthMethods/Cookie", auth.cookie, 1553c1019828SEd Tanous "Oem/OpenBMC/AuthMethods/SessionToken", auth.sessionToken, 155410cb44f3SEd Tanous "Oem/OpenBMC/AuthMethods/TLS", auth.tls, 1555482a69e7SRavi Teja "Oem/OpenBMC/AuthMethods/XToken", auth.xToken, 1556482a69e7SRavi Teja "HTTPBasicAuth", httpBasicAuth)) 1557f5ffd806SEd Tanous { 1558f5ffd806SEd Tanous return; 1559f5ffd806SEd Tanous } 1560c1019828SEd Tanous // clang-format on 1561f5ffd806SEd Tanous 1562482a69e7SRavi Teja if (httpBasicAuth) 1563482a69e7SRavi Teja { 1564482a69e7SRavi Teja if (*httpBasicAuth == "Enabled") 1565482a69e7SRavi Teja { 1566482a69e7SRavi Teja auth.basicAuth = true; 1567482a69e7SRavi Teja } 1568482a69e7SRavi Teja else if (*httpBasicAuth == "Disabled") 1569482a69e7SRavi Teja { 1570482a69e7SRavi Teja auth.basicAuth = false; 1571482a69e7SRavi Teja } 1572482a69e7SRavi Teja else 1573482a69e7SRavi Teja { 1574482a69e7SRavi Teja messages::propertyValueNotInList(asyncResp->res, "HttpBasicAuth", 1575482a69e7SRavi Teja *httpBasicAuth); 1576482a69e7SRavi Teja } 1577482a69e7SRavi Teja } 1578482a69e7SRavi Teja 1579*3281bcf1SEd Tanous if (respondToUnauthenticatedClients) 1580*3281bcf1SEd Tanous { 1581*3281bcf1SEd Tanous handleRespondToUnauthenticatedClientsPatch( 1582*3281bcf1SEd Tanous app, req, asyncResp->res, *respondToUnauthenticatedClients); 1583*3281bcf1SEd Tanous } 1584*3281bcf1SEd Tanous 15853ce3688aSEd Tanous if (certificateMappingAttribute) 15863ce3688aSEd Tanous { 15873ce3688aSEd Tanous handleCertificateMappingAttributePatch(asyncResp->res, 15883ce3688aSEd Tanous *certificateMappingAttribute); 15893ce3688aSEd Tanous } 15903ce3688aSEd Tanous 1591f5ffd806SEd Tanous if (minPasswordLength) 1592f5ffd806SEd Tanous { 1593d02aad39SEd Tanous setDbusProperty( 1594e93abac6SGinu George asyncResp, "MinPasswordLength", "xyz.openbmc_project.User.Manager", 1595d02aad39SEd Tanous sdbusplus::message::object_path("/xyz/openbmc_project/user"), 15969ae226faSGeorge Liu "xyz.openbmc_project.User.AccountPolicy", "MinPasswordLength", 1597e93abac6SGinu George *minPasswordLength); 1598f5ffd806SEd Tanous } 1599f5ffd806SEd Tanous 1600f5ffd806SEd Tanous if (maxPasswordLength) 1601f5ffd806SEd Tanous { 16021ef4c342SEd Tanous messages::propertyNotWritable(asyncResp->res, "MaxPasswordLength"); 1603f5ffd806SEd Tanous } 1604f5ffd806SEd Tanous 160510cb44f3SEd Tanous handleLDAPPatch(std::move(activeDirectoryObject), asyncResp, 160610cb44f3SEd Tanous "ActiveDirectory"); 160710cb44f3SEd Tanous handleLDAPPatch(std::move(ldapObject), asyncResp, "LDAP"); 1608f5ffd806SEd Tanous 1609c1019828SEd Tanous handleAuthMethodsPatch(asyncResp, auth); 1610f5ffd806SEd Tanous 1611f5ffd806SEd Tanous if (unlockTimeout) 1612f5ffd806SEd Tanous { 1613d02aad39SEd Tanous setDbusProperty( 1614e93abac6SGinu George asyncResp, "AccountLockoutDuration", 1615e93abac6SGinu George "xyz.openbmc_project.User.Manager", 1616d02aad39SEd Tanous sdbusplus::message::object_path("/xyz/openbmc_project/user"), 16179ae226faSGeorge Liu "xyz.openbmc_project.User.AccountPolicy", "AccountUnlockTimeout", 1618e93abac6SGinu George *unlockTimeout); 1619f5ffd806SEd Tanous } 1620f5ffd806SEd Tanous if (lockoutThreshold) 1621f5ffd806SEd Tanous { 1622d02aad39SEd Tanous setDbusProperty( 1623e93abac6SGinu George asyncResp, "AccountLockoutThreshold", 1624e93abac6SGinu George "xyz.openbmc_project.User.Manager", 1625d02aad39SEd Tanous sdbusplus::message::object_path("/xyz/openbmc_project/user"), 16269ae226faSGeorge Liu "xyz.openbmc_project.User.AccountPolicy", 1627e93abac6SGinu George "MaxLoginAttemptBeforeLockout", *lockoutThreshold); 1628f5ffd806SEd Tanous } 16291ef4c342SEd Tanous } 1630f5ffd806SEd Tanous 16314c7d4d33SEd Tanous inline void handleAccountCollectionHead( 16321ef4c342SEd Tanous App& app, const crow::Request& req, 16331ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 16341ef4c342SEd Tanous { 16353ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 163645ca1b86SEd Tanous { 163745ca1b86SEd Tanous return; 163845ca1b86SEd Tanous } 16394c7d4d33SEd Tanous asyncResp->res.addHeader( 16404c7d4d33SEd Tanous boost::beast::http::field::link, 16414c7d4d33SEd Tanous "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby"); 16424c7d4d33SEd Tanous } 16434c7d4d33SEd Tanous 16444c7d4d33SEd Tanous inline void handleAccountCollectionGet( 16454c7d4d33SEd Tanous App& app, const crow::Request& req, 16464c7d4d33SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 16474c7d4d33SEd Tanous { 1648afd369c6SJiaqing Zhao if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1649afd369c6SJiaqing Zhao { 1650afd369c6SJiaqing Zhao return; 1651afd369c6SJiaqing Zhao } 16523e72c202SNinad Palsule 16533e72c202SNinad Palsule if (req.session == nullptr) 16543e72c202SNinad Palsule { 16553e72c202SNinad Palsule messages::internalError(asyncResp->res); 16563e72c202SNinad Palsule return; 16573e72c202SNinad Palsule } 16583e72c202SNinad Palsule 1659afd369c6SJiaqing Zhao asyncResp->res.addHeader( 1660afd369c6SJiaqing Zhao boost::beast::http::field::link, 1661afd369c6SJiaqing Zhao "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby"); 16621476687dSEd Tanous 16631476687dSEd Tanous asyncResp->res.jsonValue["@odata.id"] = 16641476687dSEd Tanous "/redfish/v1/AccountService/Accounts"; 16651ef4c342SEd Tanous asyncResp->res.jsonValue["@odata.type"] = "#ManagerAccountCollection." 16661476687dSEd Tanous "ManagerAccountCollection"; 16671476687dSEd Tanous asyncResp->res.jsonValue["Name"] = "Accounts Collection"; 16681476687dSEd Tanous asyncResp->res.jsonValue["Description"] = "BMC User Accounts"; 16690f74e643SEd Tanous 16706c51eab1SEd Tanous Privileges effectiveUserPrivileges = 16713e72c202SNinad Palsule redfish::getUserPrivileges(*req.session); 16726c51eab1SEd Tanous 1673f5e29f33SJunLin Chen std::string thisUser; 1674f5e29f33SJunLin Chen if (req.session) 1675f5e29f33SJunLin Chen { 1676f5e29f33SJunLin Chen thisUser = req.session->username; 1677f5e29f33SJunLin Chen } 16785eb468daSGeorge Liu sdbusplus::message::object_path path("/xyz/openbmc_project/user"); 16795eb468daSGeorge Liu dbus::utility::getManagedObjects( 16805eb468daSGeorge Liu "xyz.openbmc_project.User.Manager", path, 1681cef1ddfbSEd Tanous [asyncResp, thisUser, effectiveUserPrivileges]( 16825e7e2dc5SEd Tanous const boost::system::error_code& ec, 1683711ac7a9SEd Tanous const dbus::utility::ManagedObjectType& users) { 1684b9b2e0b2SEd Tanous if (ec) 1685b9b2e0b2SEd Tanous { 1686f12894f8SJason M. Bills messages::internalError(asyncResp->res); 1687b9b2e0b2SEd Tanous return; 1688b9b2e0b2SEd Tanous } 1689b9b2e0b2SEd Tanous 1690cef1ddfbSEd Tanous bool userCanSeeAllAccounts = 1691002d39b4SEd Tanous effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"}); 1692cef1ddfbSEd Tanous 1693cef1ddfbSEd Tanous bool userCanSeeSelf = 1694002d39b4SEd Tanous effectiveUserPrivileges.isSupersetOf({"ConfigureSelf"}); 1695cef1ddfbSEd Tanous 1696002d39b4SEd Tanous nlohmann::json& memberArray = asyncResp->res.jsonValue["Members"]; 1697b9b2e0b2SEd Tanous memberArray = nlohmann::json::array(); 1698b9b2e0b2SEd Tanous 16999eb808c1SEd Tanous for (const auto& userpath : users) 1700b9b2e0b2SEd Tanous { 17012dfd18efSEd Tanous std::string user = userpath.first.filename(); 17022dfd18efSEd Tanous if (user.empty()) 1703b9b2e0b2SEd Tanous { 17042dfd18efSEd Tanous messages::internalError(asyncResp->res); 170562598e31SEd Tanous BMCWEB_LOG_ERROR("Invalid firmware ID"); 17062dfd18efSEd Tanous 17072dfd18efSEd Tanous return; 1708b9b2e0b2SEd Tanous } 1709f365910cSGunnar Mills 1710f365910cSGunnar Mills // As clarified by Redfish here: 1711f365910cSGunnar Mills // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration 17126c51eab1SEd Tanous // Users without ConfigureUsers, only see their own 17136c51eab1SEd Tanous // account. Users with ConfigureUsers, see all 17146c51eab1SEd Tanous // accounts. 17151ef4c342SEd Tanous if (userCanSeeAllAccounts || (thisUser == user && userCanSeeSelf)) 1716f365910cSGunnar Mills { 17171476687dSEd Tanous nlohmann::json::object_t member; 17183b32780dSEd Tanous member["@odata.id"] = boost::urls::format( 17193b32780dSEd Tanous "/redfish/v1/AccountService/Accounts/{}", user); 1720b2ba3072SPatrick Williams memberArray.emplace_back(std::move(member)); 1721b9b2e0b2SEd Tanous } 1722f365910cSGunnar Mills } 17231ef4c342SEd Tanous asyncResp->res.jsonValue["Members@odata.count"] = memberArray.size(); 17245eb468daSGeorge Liu }); 17251ef4c342SEd Tanous } 17266c51eab1SEd Tanous 172797e90da3SNinad Palsule inline void processAfterCreateUser( 172897e90da3SNinad Palsule const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 172997e90da3SNinad Palsule const std::string& username, const std::string& password, 173097e90da3SNinad Palsule const boost::system::error_code& ec, sdbusplus::message_t& m) 173197e90da3SNinad Palsule { 173297e90da3SNinad Palsule if (ec) 173397e90da3SNinad Palsule { 173497e90da3SNinad Palsule userErrorMessageHandler(m.get_error(), asyncResp, username, ""); 173597e90da3SNinad Palsule return; 173697e90da3SNinad Palsule } 173797e90da3SNinad Palsule 173897e90da3SNinad Palsule if (pamUpdatePassword(username, password) != PAM_SUCCESS) 173997e90da3SNinad Palsule { 174097e90da3SNinad Palsule // At this point we have a user that's been 174197e90da3SNinad Palsule // created, but the password set 174297e90da3SNinad Palsule // failed.Something is wrong, so delete the user 174397e90da3SNinad Palsule // that we've already created 174497e90da3SNinad Palsule sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 174597e90da3SNinad Palsule tempObjPath /= username; 174697e90da3SNinad Palsule const std::string userPath(tempObjPath); 174797e90da3SNinad Palsule 174897e90da3SNinad Palsule crow::connections::systemBus->async_method_call( 174997e90da3SNinad Palsule [asyncResp, password](const boost::system::error_code& ec3) { 175097e90da3SNinad Palsule if (ec3) 175197e90da3SNinad Palsule { 175297e90da3SNinad Palsule messages::internalError(asyncResp->res); 175397e90da3SNinad Palsule return; 175497e90da3SNinad Palsule } 175597e90da3SNinad Palsule 175697e90da3SNinad Palsule // If password is invalid 17579bd80831SJason M. Bills messages::propertyValueFormatError(asyncResp->res, nullptr, 175897e90da3SNinad Palsule "Password"); 175997e90da3SNinad Palsule }, 176097e90da3SNinad Palsule "xyz.openbmc_project.User.Manager", userPath, 176197e90da3SNinad Palsule "xyz.openbmc_project.Object.Delete", "Delete"); 176297e90da3SNinad Palsule 176362598e31SEd Tanous BMCWEB_LOG_ERROR("pamUpdatePassword Failed"); 176497e90da3SNinad Palsule return; 176597e90da3SNinad Palsule } 176697e90da3SNinad Palsule 176797e90da3SNinad Palsule messages::created(asyncResp->res); 176897e90da3SNinad Palsule asyncResp->res.addHeader("Location", 176997e90da3SNinad Palsule "/redfish/v1/AccountService/Accounts/" + username); 177097e90da3SNinad Palsule } 177197e90da3SNinad Palsule 177297e90da3SNinad Palsule inline void processAfterGetAllGroups( 177397e90da3SNinad Palsule const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 177497e90da3SNinad Palsule const std::string& username, const std::string& password, 1775e01d0c36SEd Tanous const std::string& roleId, bool enabled, 17769ba73934SNinad Palsule std::optional<std::vector<std::string>> accountTypes, 177797e90da3SNinad Palsule const std::vector<std::string>& allGroupsList) 177897e90da3SNinad Palsule { 17793e72c202SNinad Palsule std::vector<std::string> userGroups; 17809ba73934SNinad Palsule std::vector<std::string> accountTypeUserGroups; 17819ba73934SNinad Palsule 17829ba73934SNinad Palsule // If user specified account types then convert them to unix user groups 17839ba73934SNinad Palsule if (accountTypes) 17849ba73934SNinad Palsule { 17859ba73934SNinad Palsule if (!getUserGroupFromAccountType(asyncResp->res, *accountTypes, 17869ba73934SNinad Palsule accountTypeUserGroups)) 17879ba73934SNinad Palsule { 17889ba73934SNinad Palsule // Problem in mapping Account Types to User Groups, Error already 17899ba73934SNinad Palsule // logged. 17909ba73934SNinad Palsule return; 17919ba73934SNinad Palsule } 17929ba73934SNinad Palsule } 17939ba73934SNinad Palsule 17943e72c202SNinad Palsule for (const auto& grp : allGroupsList) 17953e72c202SNinad Palsule { 17969ba73934SNinad Palsule // If user specified the account type then only accept groups which are 17979ba73934SNinad Palsule // in the account types group list. 17989ba73934SNinad Palsule if (!accountTypeUserGroups.empty()) 17999ba73934SNinad Palsule { 18009ba73934SNinad Palsule bool found = false; 18019ba73934SNinad Palsule for (const auto& grp1 : accountTypeUserGroups) 18029ba73934SNinad Palsule { 18039ba73934SNinad Palsule if (grp == grp1) 18049ba73934SNinad Palsule { 18059ba73934SNinad Palsule found = true; 18069ba73934SNinad Palsule break; 18079ba73934SNinad Palsule } 18089ba73934SNinad Palsule } 18099ba73934SNinad Palsule if (!found) 18109ba73934SNinad Palsule { 18119ba73934SNinad Palsule continue; 18129ba73934SNinad Palsule } 18139ba73934SNinad Palsule } 18149ba73934SNinad Palsule 18153e72c202SNinad Palsule // Console access is provided to the user who is a member of 18163e72c202SNinad Palsule // hostconsole group and has a administrator role. So, set 18173e72c202SNinad Palsule // hostconsole group only for the administrator. 18189ba73934SNinad Palsule if ((grp == "hostconsole") && (roleId != "priv-admin")) 18193e72c202SNinad Palsule { 18209ba73934SNinad Palsule if (!accountTypeUserGroups.empty()) 18219ba73934SNinad Palsule { 182262598e31SEd Tanous BMCWEB_LOG_ERROR( 182362598e31SEd Tanous "Only administrator can get HostConsole access"); 18249ba73934SNinad Palsule asyncResp->res.result(boost::beast::http::status::bad_request); 18259ba73934SNinad Palsule return; 18269ba73934SNinad Palsule } 18279ba73934SNinad Palsule continue; 18289ba73934SNinad Palsule } 18293e72c202SNinad Palsule userGroups.emplace_back(grp); 18303e72c202SNinad Palsule } 18319ba73934SNinad Palsule 18329ba73934SNinad Palsule // Make sure user specified groups are valid. This is internal error because 18339ba73934SNinad Palsule // it some inconsistencies between user manager and bmcweb. 18349ba73934SNinad Palsule if (!accountTypeUserGroups.empty() && 18359ba73934SNinad Palsule accountTypeUserGroups.size() != userGroups.size()) 18369ba73934SNinad Palsule { 18379ba73934SNinad Palsule messages::internalError(asyncResp->res); 18389ba73934SNinad Palsule return; 18393e72c202SNinad Palsule } 184097e90da3SNinad Palsule crow::connections::systemBus->async_method_call( 184197e90da3SNinad Palsule [asyncResp, username, password](const boost::system::error_code& ec2, 184297e90da3SNinad Palsule sdbusplus::message_t& m) { 184397e90da3SNinad Palsule processAfterCreateUser(asyncResp, username, password, ec2, m); 184497e90da3SNinad Palsule }, 184597e90da3SNinad Palsule "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 18463e72c202SNinad Palsule "xyz.openbmc_project.User.Manager", "CreateUser", username, userGroups, 1847e01d0c36SEd Tanous roleId, enabled); 184897e90da3SNinad Palsule } 184997e90da3SNinad Palsule 18501ef4c342SEd Tanous inline void handleAccountCollectionPost( 18511ef4c342SEd Tanous App& app, const crow::Request& req, 18521ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 18531ef4c342SEd Tanous { 18543ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 185545ca1b86SEd Tanous { 185645ca1b86SEd Tanous return; 185745ca1b86SEd Tanous } 18589712f8acSEd Tanous std::string username; 18599712f8acSEd Tanous std::string password; 1860e01d0c36SEd Tanous std::optional<std::string> roleIdJson; 1861e01d0c36SEd Tanous std::optional<bool> enabledJson; 18629ba73934SNinad Palsule std::optional<std::vector<std::string>> accountTypes; 1863e01d0c36SEd Tanous if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", username, 1864e01d0c36SEd Tanous "Password", password, "RoleId", roleIdJson, 1865e01d0c36SEd Tanous "Enabled", enabledJson, "AccountTypes", 1866e01d0c36SEd Tanous accountTypes)) 186704ae99ecSEd Tanous { 186804ae99ecSEd Tanous return; 186904ae99ecSEd Tanous } 187004ae99ecSEd Tanous 1871e01d0c36SEd Tanous std::string roleId = roleIdJson.value_or("User"); 1872e01d0c36SEd Tanous std::string priv = getPrivilegeFromRoleId(roleId); 187384e12cb7SAppaRao Puli if (priv.empty()) 187404ae99ecSEd Tanous { 1875e01d0c36SEd Tanous messages::propertyValueNotInList(asyncResp->res, roleId, "RoleId"); 187604ae99ecSEd Tanous return; 187704ae99ecSEd Tanous } 18789712f8acSEd Tanous roleId = priv; 187904ae99ecSEd Tanous 1880e01d0c36SEd Tanous bool enabled = enabledJson.value_or(true); 1881e01d0c36SEd Tanous 1882599c71d8SAyushi Smriti // Reading AllGroups property 18831e1e598dSJonathan Doman sdbusplus::asio::getProperty<std::vector<std::string>>( 18841ef4c342SEd Tanous *crow::connections::systemBus, "xyz.openbmc_project.User.Manager", 18851ef4c342SEd Tanous "/xyz/openbmc_project/user", "xyz.openbmc_project.User.Manager", 18861ef4c342SEd Tanous "AllGroups", 18879ba73934SNinad Palsule [asyncResp, username, password{std::move(password)}, roleId, enabled, 18889ba73934SNinad Palsule accountTypes](const boost::system::error_code& ec, 18891e1e598dSJonathan Doman const std::vector<std::string>& allGroupsList) { 1890599c71d8SAyushi Smriti if (ec) 1891599c71d8SAyushi Smriti { 189262598e31SEd Tanous BMCWEB_LOG_DEBUG("ERROR with async_method_call"); 1893599c71d8SAyushi Smriti messages::internalError(asyncResp->res); 1894599c71d8SAyushi Smriti return; 1895599c71d8SAyushi Smriti } 1896599c71d8SAyushi Smriti 18971e1e598dSJonathan Doman if (allGroupsList.empty()) 1898599c71d8SAyushi Smriti { 1899599c71d8SAyushi Smriti messages::internalError(asyncResp->res); 1900599c71d8SAyushi Smriti return; 1901599c71d8SAyushi Smriti } 1902599c71d8SAyushi Smriti 190397e90da3SNinad Palsule processAfterGetAllGroups(asyncResp, username, password, roleId, enabled, 19049ba73934SNinad Palsule accountTypes, allGroupsList); 19051e1e598dSJonathan Doman }); 19061ef4c342SEd Tanous } 1907b9b2e0b2SEd Tanous 19081ef4c342SEd Tanous inline void 19094c7d4d33SEd Tanous handleAccountHead(App& app, const crow::Request& req, 19106c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 19114c7d4d33SEd Tanous const std::string& /*accountName*/) 19121ef4c342SEd Tanous { 19133ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 191445ca1b86SEd Tanous { 191545ca1b86SEd Tanous return; 191645ca1b86SEd Tanous } 19174c7d4d33SEd Tanous asyncResp->res.addHeader( 19184c7d4d33SEd Tanous boost::beast::http::field::link, 19194c7d4d33SEd Tanous "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby"); 19204c7d4d33SEd Tanous } 1921afd369c6SJiaqing Zhao 19224c7d4d33SEd Tanous inline void 19234c7d4d33SEd Tanous handleAccountGet(App& app, const crow::Request& req, 19244c7d4d33SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 19254c7d4d33SEd Tanous const std::string& accountName) 19264c7d4d33SEd Tanous { 1927afd369c6SJiaqing Zhao if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1928afd369c6SJiaqing Zhao { 1929afd369c6SJiaqing Zhao return; 1930afd369c6SJiaqing Zhao } 1931afd369c6SJiaqing Zhao asyncResp->res.addHeader( 1932afd369c6SJiaqing Zhao boost::beast::http::field::link, 1933afd369c6SJiaqing Zhao "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby"); 1934afd369c6SJiaqing Zhao 193525b54dbaSEd Tanous if constexpr (BMCWEB_INSECURE_DISABLE_AUTH) 193625b54dbaSEd Tanous { 1937031514fbSJunLin Chen // If authentication is disabled, there are no user accounts 193825b54dbaSEd Tanous messages::resourceNotFound(asyncResp->res, "ManagerAccount", 193925b54dbaSEd Tanous accountName); 1940031514fbSJunLin Chen return; 194125b54dbaSEd Tanous } 1942afd369c6SJiaqing Zhao 1943031514fbSJunLin Chen if (req.session == nullptr) 1944031514fbSJunLin Chen { 1945031514fbSJunLin Chen messages::internalError(asyncResp->res); 1946031514fbSJunLin Chen return; 1947031514fbSJunLin Chen } 19486c51eab1SEd Tanous if (req.session->username != accountName) 1949b9b2e0b2SEd Tanous { 19506c51eab1SEd Tanous // At this point we've determined that the user is trying to 19511ef4c342SEd Tanous // modify a user that isn't them. We need to verify that they 19521ef4c342SEd Tanous // have permissions to modify other users, so re-run the auth 19531ef4c342SEd Tanous // check with the same permissions, minus ConfigureSelf. 19546c51eab1SEd Tanous Privileges effectiveUserPrivileges = 19553e72c202SNinad Palsule redfish::getUserPrivileges(*req.session); 19561ef4c342SEd Tanous Privileges requiredPermissionsToChangeNonSelf = {"ConfigureUsers", 19571ef4c342SEd Tanous "ConfigureManager"}; 19586c51eab1SEd Tanous if (!effectiveUserPrivileges.isSupersetOf( 19596c51eab1SEd Tanous requiredPermissionsToChangeNonSelf)) 1960900f9497SJoseph Reynolds { 196162598e31SEd Tanous BMCWEB_LOG_DEBUG("GET Account denied access"); 1962900f9497SJoseph Reynolds messages::insufficientPrivilege(asyncResp->res); 1963900f9497SJoseph Reynolds return; 1964900f9497SJoseph Reynolds } 1965900f9497SJoseph Reynolds } 1966900f9497SJoseph Reynolds 19675eb468daSGeorge Liu sdbusplus::message::object_path path("/xyz/openbmc_project/user"); 19685eb468daSGeorge Liu dbus::utility::getManagedObjects( 19695eb468daSGeorge Liu "xyz.openbmc_project.User.Manager", path, 19701ef4c342SEd Tanous [asyncResp, 19715e7e2dc5SEd Tanous accountName](const boost::system::error_code& ec, 1972711ac7a9SEd Tanous const dbus::utility::ManagedObjectType& users) { 1973b9b2e0b2SEd Tanous if (ec) 1974b9b2e0b2SEd Tanous { 1975f12894f8SJason M. Bills messages::internalError(asyncResp->res); 1976b9b2e0b2SEd Tanous return; 1977b9b2e0b2SEd Tanous } 19783544d2a7SEd Tanous const auto userIt = std::ranges::find_if( 197980f79a40SMichael Shen users, 198080f79a40SMichael Shen [accountName]( 1981b477fd44SP Dheeraj Srujan Kumar const std::pair<sdbusplus::message::object_path, 198280f79a40SMichael Shen dbus::utility::DBusInterfacesMap>& user) { 198355f79e6fSEd Tanous return accountName == user.first.filename(); 1984b477fd44SP Dheeraj Srujan Kumar }); 1985b9b2e0b2SEd Tanous 198684e12cb7SAppaRao Puli if (userIt == users.end()) 1987b9b2e0b2SEd Tanous { 1988002d39b4SEd Tanous messages::resourceNotFound(asyncResp->res, "ManagerAccount", 1989002d39b4SEd Tanous accountName); 199084e12cb7SAppaRao Puli return; 199184e12cb7SAppaRao Puli } 19924e68c45bSAyushi Smriti 19931476687dSEd Tanous asyncResp->res.jsonValue["@odata.type"] = 199458345856SAbhishek Patel "#ManagerAccount.v1_7_0.ManagerAccount"; 19951476687dSEd Tanous asyncResp->res.jsonValue["Name"] = "User Account"; 19961476687dSEd Tanous asyncResp->res.jsonValue["Description"] = "User Account"; 19971476687dSEd Tanous asyncResp->res.jsonValue["Password"] = nullptr; 199858345856SAbhishek Patel asyncResp->res.jsonValue["StrictAccountTypes"] = true; 19994e68c45bSAyushi Smriti 200084e12cb7SAppaRao Puli for (const auto& interface : userIt->second) 200165b0dc32SEd Tanous { 2002002d39b4SEd Tanous if (interface.first == "xyz.openbmc_project.User.Attributes") 200365b0dc32SEd Tanous { 200465b0dc32SEd Tanous for (const auto& property : interface.second) 200565b0dc32SEd Tanous { 200665b0dc32SEd Tanous if (property.first == "UserEnabled") 200765b0dc32SEd Tanous { 200865b0dc32SEd Tanous const bool* userEnabled = 2009abf2add6SEd Tanous std::get_if<bool>(&property.second); 201065b0dc32SEd Tanous if (userEnabled == nullptr) 201165b0dc32SEd Tanous { 201262598e31SEd Tanous BMCWEB_LOG_ERROR("UserEnabled wasn't a bool"); 201384e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 201484e12cb7SAppaRao Puli return; 201565b0dc32SEd Tanous } 2016002d39b4SEd Tanous asyncResp->res.jsonValue["Enabled"] = *userEnabled; 201765b0dc32SEd Tanous } 2018002d39b4SEd Tanous else if (property.first == "UserLockedForFailedAttempt") 201965b0dc32SEd Tanous { 202065b0dc32SEd Tanous const bool* userLocked = 2021abf2add6SEd Tanous std::get_if<bool>(&property.second); 202265b0dc32SEd Tanous if (userLocked == nullptr) 202365b0dc32SEd Tanous { 202462598e31SEd Tanous BMCWEB_LOG_ERROR("UserLockedForF" 202584e12cb7SAppaRao Puli "ailedAttempt " 202662598e31SEd Tanous "wasn't a bool"); 202784e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 202884e12cb7SAppaRao Puli return; 202965b0dc32SEd Tanous } 2030002d39b4SEd Tanous asyncResp->res.jsonValue["Locked"] = *userLocked; 203120fa6a2cSEd Tanous nlohmann::json::array_t allowed; 203220fa6a2cSEd Tanous // can only unlock accounts 203320fa6a2cSEd Tanous allowed.emplace_back("false"); 2034002d39b4SEd Tanous asyncResp->res 203520fa6a2cSEd Tanous .jsonValue["Locked@Redfish.AllowableValues"] = 203620fa6a2cSEd Tanous std::move(allowed); 203765b0dc32SEd Tanous } 203884e12cb7SAppaRao Puli else if (property.first == "UserPrivilege") 203984e12cb7SAppaRao Puli { 204054fc587aSNagaraju Goruganti const std::string* userPrivPtr = 2041002d39b4SEd Tanous std::get_if<std::string>(&property.second); 204254fc587aSNagaraju Goruganti if (userPrivPtr == nullptr) 204384e12cb7SAppaRao Puli { 204462598e31SEd Tanous BMCWEB_LOG_ERROR("UserPrivilege wasn't a " 204562598e31SEd Tanous "string"); 204684e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 204784e12cb7SAppaRao Puli return; 204884e12cb7SAppaRao Puli } 20491ef4c342SEd Tanous std::string role = getRoleIdFromPrivilege(*userPrivPtr); 205054fc587aSNagaraju Goruganti if (role.empty()) 205184e12cb7SAppaRao Puli { 205262598e31SEd Tanous BMCWEB_LOG_ERROR("Invalid user role"); 205384e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 205484e12cb7SAppaRao Puli return; 205584e12cb7SAppaRao Puli } 205654fc587aSNagaraju Goruganti asyncResp->res.jsonValue["RoleId"] = role; 205784e12cb7SAppaRao Puli 20581476687dSEd Tanous nlohmann::json& roleEntry = 2059002d39b4SEd Tanous asyncResp->res.jsonValue["Links"]["Role"]; 20603b32780dSEd Tanous roleEntry["@odata.id"] = boost::urls::format( 20613b32780dSEd Tanous "/redfish/v1/AccountService/Roles/{}", role); 206284e12cb7SAppaRao Puli } 2063002d39b4SEd Tanous else if (property.first == "UserPasswordExpired") 20643bf4e632SJoseph Reynolds { 20653bf4e632SJoseph Reynolds const bool* userPasswordExpired = 20663bf4e632SJoseph Reynolds std::get_if<bool>(&property.second); 20673bf4e632SJoseph Reynolds if (userPasswordExpired == nullptr) 20683bf4e632SJoseph Reynolds { 206962598e31SEd Tanous BMCWEB_LOG_ERROR( 207062598e31SEd Tanous "UserPasswordExpired wasn't a bool"); 20713bf4e632SJoseph Reynolds messages::internalError(asyncResp->res); 20723bf4e632SJoseph Reynolds return; 20733bf4e632SJoseph Reynolds } 2074002d39b4SEd Tanous asyncResp->res.jsonValue["PasswordChangeRequired"] = 20753bf4e632SJoseph Reynolds *userPasswordExpired; 20763bf4e632SJoseph Reynolds } 2077c7229815SAbhishek Patel else if (property.first == "UserGroups") 2078c7229815SAbhishek Patel { 2079c7229815SAbhishek Patel const std::vector<std::string>* userGroups = 2080c7229815SAbhishek Patel std::get_if<std::vector<std::string>>( 2081c7229815SAbhishek Patel &property.second); 2082c7229815SAbhishek Patel if (userGroups == nullptr) 2083c7229815SAbhishek Patel { 208462598e31SEd Tanous BMCWEB_LOG_ERROR( 208562598e31SEd Tanous "userGroups wasn't a string vector"); 2086c7229815SAbhishek Patel messages::internalError(asyncResp->res); 2087c7229815SAbhishek Patel return; 2088c7229815SAbhishek Patel } 2089c7229815SAbhishek Patel if (!translateUserGroup(*userGroups, asyncResp->res)) 2090c7229815SAbhishek Patel { 209162598e31SEd Tanous BMCWEB_LOG_ERROR("userGroups mapping failed"); 2092c7229815SAbhishek Patel messages::internalError(asyncResp->res); 2093c7229815SAbhishek Patel return; 2094c7229815SAbhishek Patel } 2095c7229815SAbhishek Patel } 209665b0dc32SEd Tanous } 209765b0dc32SEd Tanous } 209865b0dc32SEd Tanous } 209965b0dc32SEd Tanous 21003b32780dSEd Tanous asyncResp->res.jsonValue["@odata.id"] = boost::urls::format( 21013b32780dSEd Tanous "/redfish/v1/AccountService/Accounts/{}", accountName); 2102b9b2e0b2SEd Tanous asyncResp->res.jsonValue["Id"] = accountName; 2103b9b2e0b2SEd Tanous asyncResp->res.jsonValue["UserName"] = accountName; 21045eb468daSGeorge Liu }); 21051ef4c342SEd Tanous } 2106a840879dSEd Tanous 21071ef4c342SEd Tanous inline void 210820fc307fSGunnar Mills handleAccountDelete(App& app, const crow::Request& req, 21096c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 21101ef4c342SEd Tanous const std::string& username) 21111ef4c342SEd Tanous { 21123ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 211345ca1b86SEd Tanous { 211445ca1b86SEd Tanous return; 211545ca1b86SEd Tanous } 21161ef4c342SEd Tanous 211725b54dbaSEd Tanous if constexpr (BMCWEB_INSECURE_DISABLE_AUTH) 211825b54dbaSEd Tanous { 2119031514fbSJunLin Chen // If authentication is disabled, there are no user accounts 2120d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", username); 2121031514fbSJunLin Chen return; 212225b54dbaSEd Tanous } 21231ef4c342SEd Tanous sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 21241ef4c342SEd Tanous tempObjPath /= username; 21251ef4c342SEd Tanous const std::string userPath(tempObjPath); 21261ef4c342SEd Tanous 21271ef4c342SEd Tanous crow::connections::systemBus->async_method_call( 21285e7e2dc5SEd Tanous [asyncResp, username](const boost::system::error_code& ec) { 21291ef4c342SEd Tanous if (ec) 21301ef4c342SEd Tanous { 2131d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", 21321ef4c342SEd Tanous username); 21331ef4c342SEd Tanous return; 21341ef4c342SEd Tanous } 21351ef4c342SEd Tanous 21361ef4c342SEd Tanous messages::accountRemoved(asyncResp->res); 21371ef4c342SEd Tanous }, 21381ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", userPath, 21391ef4c342SEd Tanous "xyz.openbmc_project.Object.Delete", "Delete"); 21401ef4c342SEd Tanous } 21411ef4c342SEd Tanous 21421ef4c342SEd Tanous inline void 21431ef4c342SEd Tanous handleAccountPatch(App& app, const crow::Request& req, 21441ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 21451ef4c342SEd Tanous const std::string& username) 21461ef4c342SEd Tanous { 21471ef4c342SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 21481ef4c342SEd Tanous { 21491ef4c342SEd Tanous return; 21501ef4c342SEd Tanous } 215125b54dbaSEd Tanous if constexpr (BMCWEB_INSECURE_DISABLE_AUTH) 215225b54dbaSEd Tanous { 21531ef4c342SEd Tanous // If authentication is disabled, there are no user accounts 2154d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", username); 21551ef4c342SEd Tanous return; 215625b54dbaSEd Tanous } 2157a24526dcSEd Tanous std::optional<std::string> newUserName; 2158a24526dcSEd Tanous std::optional<std::string> password; 2159a24526dcSEd Tanous std::optional<bool> enabled; 2160a24526dcSEd Tanous std::optional<std::string> roleId; 216124c8542dSRatan Gupta std::optional<bool> locked; 216258345856SAbhishek Patel std::optional<std::vector<std::string>> accountTypes; 216358345856SAbhishek Patel 2164031514fbSJunLin Chen if (req.session == nullptr) 2165031514fbSJunLin Chen { 2166031514fbSJunLin Chen messages::internalError(asyncResp->res); 2167031514fbSJunLin Chen return; 2168031514fbSJunLin Chen } 2169031514fbSJunLin Chen 21702b9c1dfeSEd Tanous bool userSelf = (username == req.session->username); 21712b9c1dfeSEd Tanous 2172e9cc5172SEd Tanous Privileges effectiveUserPrivileges = 21733e72c202SNinad Palsule redfish::getUserPrivileges(*req.session); 2174e9cc5172SEd Tanous Privileges configureUsers = {"ConfigureUsers"}; 2175e9cc5172SEd Tanous bool userHasConfigureUsers = 2176e9cc5172SEd Tanous effectiveUserPrivileges.isSupersetOf(configureUsers); 2177e9cc5172SEd Tanous if (userHasConfigureUsers) 2178e9cc5172SEd Tanous { 2179e9cc5172SEd Tanous // Users with ConfigureUsers can modify for all users 218058345856SAbhishek Patel if (!json_util::readJsonPatch( 218158345856SAbhishek Patel req, asyncResp->res, "UserName", newUserName, "Password", 218258345856SAbhishek Patel password, "RoleId", roleId, "Enabled", enabled, "Locked", 218358345856SAbhishek Patel locked, "AccountTypes", accountTypes)) 2184a840879dSEd Tanous { 2185a840879dSEd Tanous return; 2186a840879dSEd Tanous } 2187e9cc5172SEd Tanous } 2188e9cc5172SEd Tanous else 2189900f9497SJoseph Reynolds { 2190e9cc5172SEd Tanous // ConfigureSelf accounts can only modify their own account 219158345856SAbhishek Patel if (!userSelf) 2192900f9497SJoseph Reynolds { 2193900f9497SJoseph Reynolds messages::insufficientPrivilege(asyncResp->res); 2194900f9497SJoseph Reynolds return; 2195900f9497SJoseph Reynolds } 2196031514fbSJunLin Chen 2197e9cc5172SEd Tanous // ConfigureSelf accounts can only modify their password 21981ef4c342SEd Tanous if (!json_util::readJsonPatch(req, asyncResp->res, "Password", 21991ef4c342SEd Tanous password)) 2200e9cc5172SEd Tanous { 2201e9cc5172SEd Tanous return; 2202e9cc5172SEd Tanous } 2203900f9497SJoseph Reynolds } 2204900f9497SJoseph Reynolds 220566b5ca76Sjayaprakash Mutyala // if user name is not provided in the patch method or if it 22066c51eab1SEd Tanous // matches the user name in the URI, then we are treating it as 22076c51eab1SEd Tanous // updating user properties other then username. If username 22086c51eab1SEd Tanous // provided doesn't match the URI, then we are treating this as 22096c51eab1SEd Tanous // user rename request. 221066b5ca76Sjayaprakash Mutyala if (!newUserName || (newUserName.value() == username)) 2211a840879dSEd Tanous { 22121ef4c342SEd Tanous updateUserProperties(asyncResp, username, password, enabled, roleId, 2213e518ef32SRavi Teja locked, accountTypes, userSelf, req.session); 221484e12cb7SAppaRao Puli return; 221584e12cb7SAppaRao Puli } 221684e12cb7SAppaRao Puli crow::connections::systemBus->async_method_call( 22176c51eab1SEd Tanous [asyncResp, username, password(std::move(password)), 22181ef4c342SEd Tanous roleId(std::move(roleId)), enabled, newUser{std::string(*newUserName)}, 2219e518ef32SRavi Teja locked, userSelf, req, accountTypes(std::move(accountTypes))]( 2220e81de512SEd Tanous const boost::system::error_code& ec, sdbusplus::message_t& m) { 222184e12cb7SAppaRao Puli if (ec) 222284e12cb7SAppaRao Puli { 2223002d39b4SEd Tanous userErrorMessageHandler(m.get_error(), asyncResp, newUser, 2224002d39b4SEd Tanous username); 2225a840879dSEd Tanous return; 2226a840879dSEd Tanous } 2227a840879dSEd Tanous 2228002d39b4SEd Tanous updateUserProperties(asyncResp, newUser, password, enabled, roleId, 2229e518ef32SRavi Teja locked, accountTypes, userSelf, req.session); 223084e12cb7SAppaRao Puli }, 22311ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 223284e12cb7SAppaRao Puli "xyz.openbmc_project.User.Manager", "RenameUser", username, 223384e12cb7SAppaRao Puli *newUserName); 22341ef4c342SEd Tanous } 22351ef4c342SEd Tanous 22361ef4c342SEd Tanous inline void requestAccountServiceRoutes(App& app) 22371ef4c342SEd Tanous { 22381ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 22394c7d4d33SEd Tanous .privileges(redfish::privileges::headAccountService) 22404c7d4d33SEd Tanous .methods(boost::beast::http::verb::head)( 22414c7d4d33SEd Tanous std::bind_front(handleAccountServiceHead, std::ref(app))); 22424c7d4d33SEd Tanous 22434c7d4d33SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 22441ef4c342SEd Tanous .privileges(redfish::privileges::getAccountService) 22451ef4c342SEd Tanous .methods(boost::beast::http::verb::get)( 22461ef4c342SEd Tanous std::bind_front(handleAccountServiceGet, std::ref(app))); 22471ef4c342SEd Tanous 22481ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 22491ef4c342SEd Tanous .privileges(redfish::privileges::patchAccountService) 22501ef4c342SEd Tanous .methods(boost::beast::http::verb::patch)( 22511ef4c342SEd Tanous std::bind_front(handleAccountServicePatch, std::ref(app))); 22521ef4c342SEd Tanous 22531aa375b8SEd Tanous BMCWEB_ROUTE( 22541aa375b8SEd Tanous app, 22551aa375b8SEd Tanous "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates") 22561aa375b8SEd Tanous .privileges(redfish::privileges::headCertificateCollection) 22571aa375b8SEd Tanous .methods(boost::beast::http::verb::head)(std::bind_front( 22581aa375b8SEd Tanous handleAccountServiceClientCertificatesHead, std::ref(app))); 22591aa375b8SEd Tanous 22601aa375b8SEd Tanous BMCWEB_ROUTE( 22611aa375b8SEd Tanous app, 22621aa375b8SEd Tanous "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates") 22631aa375b8SEd Tanous .privileges(redfish::privileges::getCertificateCollection) 22641aa375b8SEd Tanous .methods(boost::beast::http::verb::get)(std::bind_front( 22651aa375b8SEd Tanous handleAccountServiceClientCertificatesGet, std::ref(app))); 22661aa375b8SEd Tanous 22671aa375b8SEd Tanous BMCWEB_ROUTE( 22681aa375b8SEd Tanous app, 22691aa375b8SEd Tanous "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/<str>") 22701aa375b8SEd Tanous .privileges(redfish::privileges::headCertificate) 22711aa375b8SEd Tanous .methods(boost::beast::http::verb::head)(std::bind_front( 22721aa375b8SEd Tanous handleAccountServiceClientCertificatesInstanceHead, std::ref(app))); 22731aa375b8SEd Tanous 22741aa375b8SEd Tanous BMCWEB_ROUTE( 22751aa375b8SEd Tanous app, 22761aa375b8SEd Tanous "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/<str>/") 22771aa375b8SEd Tanous .privileges(redfish::privileges::getCertificate) 22781aa375b8SEd Tanous .methods(boost::beast::http::verb::get)(std::bind_front( 22791aa375b8SEd Tanous handleAccountServiceClientCertificatesInstanceGet, std::ref(app))); 22801aa375b8SEd Tanous 22811ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 22824c7d4d33SEd Tanous .privileges(redfish::privileges::headManagerAccountCollection) 22834c7d4d33SEd Tanous .methods(boost::beast::http::verb::head)( 22844c7d4d33SEd Tanous std::bind_front(handleAccountCollectionHead, std::ref(app))); 22854c7d4d33SEd Tanous 22864c7d4d33SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 22871ef4c342SEd Tanous .privileges(redfish::privileges::getManagerAccountCollection) 22881ef4c342SEd Tanous .methods(boost::beast::http::verb::get)( 22891ef4c342SEd Tanous std::bind_front(handleAccountCollectionGet, std::ref(app))); 22901ef4c342SEd Tanous 22911ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 22921ef4c342SEd Tanous .privileges(redfish::privileges::postManagerAccountCollection) 22931ef4c342SEd Tanous .methods(boost::beast::http::verb::post)( 22941ef4c342SEd Tanous std::bind_front(handleAccountCollectionPost, std::ref(app))); 22951ef4c342SEd Tanous 22961ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 22974c7d4d33SEd Tanous .privileges(redfish::privileges::headManagerAccount) 22984c7d4d33SEd Tanous .methods(boost::beast::http::verb::head)( 22994c7d4d33SEd Tanous std::bind_front(handleAccountHead, std::ref(app))); 23004c7d4d33SEd Tanous 23014c7d4d33SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 23021ef4c342SEd Tanous .privileges(redfish::privileges::getManagerAccount) 23031ef4c342SEd Tanous .methods(boost::beast::http::verb::get)( 23041ef4c342SEd Tanous std::bind_front(handleAccountGet, std::ref(app))); 23051ef4c342SEd Tanous 23061ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 23071ef4c342SEd Tanous // TODO this privilege should be using the generated endpoints, but 23081ef4c342SEd Tanous // because of the special handling of ConfigureSelf, it's not able to 23091ef4c342SEd Tanous // yet 23101ef4c342SEd Tanous .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}}) 23111ef4c342SEd Tanous .methods(boost::beast::http::verb::patch)( 23121ef4c342SEd Tanous std::bind_front(handleAccountPatch, std::ref(app))); 231384e12cb7SAppaRao Puli 23146c51eab1SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 2315ed398213SEd Tanous .privileges(redfish::privileges::deleteManagerAccount) 23166c51eab1SEd Tanous .methods(boost::beast::http::verb::delete_)( 231720fc307fSGunnar Mills std::bind_front(handleAccountDelete, std::ref(app))); 231806e086d9SEd Tanous } 231988d16c9aSLewanczyk, Dawid 232088d16c9aSLewanczyk, Dawid } // namespace redfish 2321