188d16c9aSLewanczyk, Dawid /* 288d16c9aSLewanczyk, Dawid // Copyright (c) 2018 Intel Corporation 388d16c9aSLewanczyk, Dawid // 488d16c9aSLewanczyk, Dawid // Licensed under the Apache License, Version 2.0 (the "License"); 588d16c9aSLewanczyk, Dawid // you may not use this file except in compliance with the License. 688d16c9aSLewanczyk, Dawid // You may obtain a copy of the License at 788d16c9aSLewanczyk, Dawid // 888d16c9aSLewanczyk, Dawid // http://www.apache.org/licenses/LICENSE-2.0 988d16c9aSLewanczyk, Dawid // 1088d16c9aSLewanczyk, Dawid // Unless required by applicable law or agreed to in writing, software 1188d16c9aSLewanczyk, Dawid // distributed under the License is distributed on an "AS IS" BASIS, 1288d16c9aSLewanczyk, Dawid // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 1388d16c9aSLewanczyk, Dawid // See the License for the specific language governing permissions and 1488d16c9aSLewanczyk, Dawid // limitations under the License. 1588d16c9aSLewanczyk, Dawid */ 1688d16c9aSLewanczyk, Dawid #pragma once 1788d16c9aSLewanczyk, Dawid 187e860f15SJohn Edward Broadbent #include <app.hpp> 1924c8542dSRatan Gupta #include <dbus_utility.hpp> 2065b0dc32SEd Tanous #include <error_messages.hpp> 21b9b2e0b2SEd Tanous #include <openbmc_dbus_rest.hpp> 2252cc112dSEd Tanous #include <persistent_data.hpp> 2345ca1b86SEd Tanous #include <query.hpp> 24ed398213SEd Tanous #include <registries/privilege_registry.hpp> 251e1e598dSJonathan Doman #include <sdbusplus/asio/property.hpp> 26a840879dSEd Tanous #include <utils/json_utils.hpp> 271214b7e7SGunnar Mills 281abe55efSEd Tanous namespace redfish 291abe55efSEd Tanous { 3088d16c9aSLewanczyk, Dawid 3123a21a1cSEd Tanous constexpr const char* ldapConfigObjectName = 326973a582SRatan Gupta "/xyz/openbmc_project/user/ldap/openldap"; 332c70f800SEd Tanous constexpr const char* adConfigObject = 34ab828d7cSRatan Gupta "/xyz/openbmc_project/user/ldap/active_directory"; 35ab828d7cSRatan Gupta 36b477fd44SP Dheeraj Srujan Kumar constexpr const char* rootUserDbusPath = "/xyz/openbmc_project/user/"; 376973a582SRatan Gupta constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap"; 386973a582SRatan Gupta constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config"; 396973a582SRatan Gupta constexpr const char* ldapConfigInterface = 406973a582SRatan Gupta "xyz.openbmc_project.User.Ldap.Config"; 416973a582SRatan Gupta constexpr const char* ldapCreateInterface = 426973a582SRatan Gupta "xyz.openbmc_project.User.Ldap.Create"; 436973a582SRatan Gupta constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable"; 4406785244SRatan Gupta constexpr const char* ldapPrivMapperInterface = 4506785244SRatan Gupta "xyz.openbmc_project.User.PrivilegeMapper"; 466973a582SRatan Gupta constexpr const char* dbusObjManagerIntf = "org.freedesktop.DBus.ObjectManager"; 476973a582SRatan Gupta constexpr const char* propertyInterface = "org.freedesktop.DBus.Properties"; 486973a582SRatan Gupta constexpr const char* mapperBusName = "xyz.openbmc_project.ObjectMapper"; 496973a582SRatan Gupta constexpr const char* mapperObjectPath = "/xyz/openbmc_project/object_mapper"; 506973a582SRatan Gupta constexpr const char* mapperIntf = "xyz.openbmc_project.ObjectMapper"; 516973a582SRatan Gupta 5254fc587aSNagaraju Goruganti struct LDAPRoleMapData 5354fc587aSNagaraju Goruganti { 5454fc587aSNagaraju Goruganti std::string groupName; 5554fc587aSNagaraju Goruganti std::string privilege; 5654fc587aSNagaraju Goruganti }; 5754fc587aSNagaraju Goruganti 586973a582SRatan Gupta struct LDAPConfigData 596973a582SRatan Gupta { 606973a582SRatan Gupta std::string uri{}; 616973a582SRatan Gupta std::string bindDN{}; 626973a582SRatan Gupta std::string baseDN{}; 636973a582SRatan Gupta std::string searchScope{}; 646973a582SRatan Gupta std::string serverType{}; 656973a582SRatan Gupta bool serviceEnabled = false; 666973a582SRatan Gupta std::string userNameAttribute{}; 676973a582SRatan Gupta std::string groupAttribute{}; 6854fc587aSNagaraju Goruganti std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList; 696973a582SRatan Gupta }; 706973a582SRatan Gupta 7154fc587aSNagaraju Goruganti inline std::string getRoleIdFromPrivilege(std::string_view role) 7284e12cb7SAppaRao Puli { 7384e12cb7SAppaRao Puli if (role == "priv-admin") 7484e12cb7SAppaRao Puli { 7584e12cb7SAppaRao Puli return "Administrator"; 7684e12cb7SAppaRao Puli } 773174e4dfSEd Tanous if (role == "priv-user") 7884e12cb7SAppaRao Puli { 79c80fee55SAppaRao Puli return "ReadOnly"; 8084e12cb7SAppaRao Puli } 813174e4dfSEd Tanous if (role == "priv-operator") 8284e12cb7SAppaRao Puli { 8384e12cb7SAppaRao Puli return "Operator"; 8484e12cb7SAppaRao Puli } 8526f6976fSEd Tanous if (role.empty() || (role == "priv-noaccess")) 86e9e6d240Sjayaprakash Mutyala { 87e9e6d240Sjayaprakash Mutyala return "NoAccess"; 88e9e6d240Sjayaprakash Mutyala } 8984e12cb7SAppaRao Puli return ""; 9084e12cb7SAppaRao Puli } 9154fc587aSNagaraju Goruganti inline std::string getPrivilegeFromRoleId(std::string_view role) 9284e12cb7SAppaRao Puli { 9384e12cb7SAppaRao Puli if (role == "Administrator") 9484e12cb7SAppaRao Puli { 9584e12cb7SAppaRao Puli return "priv-admin"; 9684e12cb7SAppaRao Puli } 973174e4dfSEd Tanous if (role == "ReadOnly") 9884e12cb7SAppaRao Puli { 9984e12cb7SAppaRao Puli return "priv-user"; 10084e12cb7SAppaRao Puli } 1013174e4dfSEd Tanous if (role == "Operator") 10284e12cb7SAppaRao Puli { 10384e12cb7SAppaRao Puli return "priv-operator"; 10484e12cb7SAppaRao Puli } 10526f6976fSEd Tanous if ((role == "NoAccess") || (role.empty())) 106e9e6d240Sjayaprakash Mutyala { 107e9e6d240Sjayaprakash Mutyala return "priv-noaccess"; 108e9e6d240Sjayaprakash Mutyala } 10984e12cb7SAppaRao Puli return ""; 11084e12cb7SAppaRao Puli } 111b9b2e0b2SEd Tanous 1128d1b46d7Szhanghch05 inline void userErrorMessageHandler( 1138d1b46d7Szhanghch05 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 1148d1b46d7Szhanghch05 const std::string& newUser, const std::string& username) 11566b5ca76Sjayaprakash Mutyala { 11666b5ca76Sjayaprakash Mutyala if (e == nullptr) 11766b5ca76Sjayaprakash Mutyala { 11866b5ca76Sjayaprakash Mutyala messages::internalError(asyncResp->res); 11966b5ca76Sjayaprakash Mutyala return; 12066b5ca76Sjayaprakash Mutyala } 12166b5ca76Sjayaprakash Mutyala 122055806b3SManojkiran Eda const char* errorMessage = e->name; 12366b5ca76Sjayaprakash Mutyala if (strcmp(errorMessage, 12466b5ca76Sjayaprakash Mutyala "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0) 12566b5ca76Sjayaprakash Mutyala { 12666b5ca76Sjayaprakash Mutyala messages::resourceAlreadyExists(asyncResp->res, 1278114bd4dSGunnar Mills "#ManagerAccount.v1_4_0.ManagerAccount", 12866b5ca76Sjayaprakash Mutyala "UserName", newUser); 12966b5ca76Sjayaprakash Mutyala } 13066b5ca76Sjayaprakash Mutyala else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error." 13166b5ca76Sjayaprakash Mutyala "UserNameDoesNotExist") == 0) 13266b5ca76Sjayaprakash Mutyala { 13366b5ca76Sjayaprakash Mutyala messages::resourceNotFound( 1348114bd4dSGunnar Mills asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", username); 13566b5ca76Sjayaprakash Mutyala } 136d4d25793SEd Tanous else if ((strcmp(errorMessage, 137d4d25793SEd Tanous "xyz.openbmc_project.Common.Error.InvalidArgument") == 138d4d25793SEd Tanous 0) || 1390fda0f12SGeorge Liu (strcmp( 1400fda0f12SGeorge Liu errorMessage, 1410fda0f12SGeorge Liu "xyz.openbmc_project.User.Common.Error.UserNameGroupFail") == 1420fda0f12SGeorge Liu 0)) 14366b5ca76Sjayaprakash Mutyala { 14466b5ca76Sjayaprakash Mutyala messages::propertyValueFormatError(asyncResp->res, newUser, "UserName"); 14566b5ca76Sjayaprakash Mutyala } 14666b5ca76Sjayaprakash Mutyala else if (strcmp(errorMessage, 14766b5ca76Sjayaprakash Mutyala "xyz.openbmc_project.User.Common.Error.NoResource") == 0) 14866b5ca76Sjayaprakash Mutyala { 14966b5ca76Sjayaprakash Mutyala messages::createLimitReachedForResource(asyncResp->res); 15066b5ca76Sjayaprakash Mutyala } 15166b5ca76Sjayaprakash Mutyala else 15266b5ca76Sjayaprakash Mutyala { 15366b5ca76Sjayaprakash Mutyala messages::internalError(asyncResp->res); 15466b5ca76Sjayaprakash Mutyala } 15566b5ca76Sjayaprakash Mutyala } 15666b5ca76Sjayaprakash Mutyala 15781ce609eSEd Tanous inline void parseLDAPConfigData(nlohmann::json& jsonResponse, 158ab828d7cSRatan Gupta const LDAPConfigData& confData, 159ab828d7cSRatan Gupta const std::string& ldapType) 1606973a582SRatan Gupta { 161ab828d7cSRatan Gupta std::string service = 162ab828d7cSRatan Gupta (ldapType == "LDAP") ? "LDAPService" : "ActiveDirectoryService"; 16354fc587aSNagaraju Goruganti 1641476687dSEd Tanous nlohmann::json& ldap = jsonResponse[ldapType]; 16554fc587aSNagaraju Goruganti 1661476687dSEd Tanous ldap["ServiceEnabled"] = confData.serviceEnabled; 1671476687dSEd Tanous ldap["ServiceAddresses"] = nlohmann::json::array({confData.uri}); 1681476687dSEd Tanous ldap["Authentication"]["AuthenticationType"] = "UsernameAndPassword"; 1691476687dSEd Tanous ldap["Authentication"]["Username"] = confData.bindDN; 1701476687dSEd Tanous ldap["Authentication"]["Password"] = nullptr; 1711476687dSEd Tanous 1721476687dSEd Tanous ldap["LDAPService"]["SearchSettings"]["BaseDistinguishedNames"] = 1731476687dSEd Tanous nlohmann::json::array({confData.baseDN}); 1741476687dSEd Tanous ldap["LDAPService"]["SearchSettings"]["UsernameAttribute"] = 1751476687dSEd Tanous confData.userNameAttribute; 1761476687dSEd Tanous ldap["LDAPService"]["SearchSettings"]["GroupsAttribute"] = 1771476687dSEd Tanous confData.groupAttribute; 1781476687dSEd Tanous 1791476687dSEd Tanous nlohmann::json& roleMapArray = ldap["RemoteRoleMapping"]; 18054fc587aSNagaraju Goruganti roleMapArray = nlohmann::json::array(); 1819eb808c1SEd Tanous for (const auto& obj : confData.groupRoleList) 18254fc587aSNagaraju Goruganti { 18354fc587aSNagaraju Goruganti BMCWEB_LOG_DEBUG << "Pushing the data groupName=" 18454fc587aSNagaraju Goruganti << obj.second.groupName << "\n"; 18554fc587aSNagaraju Goruganti roleMapArray.push_back( 18654fc587aSNagaraju Goruganti {nlohmann::json::array({"RemoteGroup", obj.second.groupName}), 18754fc587aSNagaraju Goruganti nlohmann::json::array( 18854fc587aSNagaraju Goruganti {"LocalRole", getRoleIdFromPrivilege(obj.second.privilege)})}); 18954fc587aSNagaraju Goruganti } 1906973a582SRatan Gupta } 1916973a582SRatan Gupta 1926973a582SRatan Gupta /** 19306785244SRatan Gupta * @brief validates given JSON input and then calls appropriate method to 19406785244SRatan Gupta * create, to delete or to set Rolemapping object based on the given input. 19506785244SRatan Gupta * 19606785244SRatan Gupta */ 19723a21a1cSEd Tanous inline void handleRoleMapPatch( 1988d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 19906785244SRatan Gupta const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData, 200f23b7296SEd Tanous const std::string& serverType, const std::vector<nlohmann::json>& input) 20106785244SRatan Gupta { 20206785244SRatan Gupta for (size_t index = 0; index < input.size(); index++) 20306785244SRatan Gupta { 204f23b7296SEd Tanous const nlohmann::json& thisJson = input[index]; 20506785244SRatan Gupta 20606785244SRatan Gupta if (thisJson.is_null()) 20706785244SRatan Gupta { 20806785244SRatan Gupta // delete the existing object 20906785244SRatan Gupta if (index < roleMapObjData.size()) 21006785244SRatan Gupta { 21106785244SRatan Gupta crow::connections::systemBus->async_method_call( 21206785244SRatan Gupta [asyncResp, roleMapObjData, serverType, 21306785244SRatan Gupta index](const boost::system::error_code ec) { 21406785244SRatan Gupta if (ec) 21506785244SRatan Gupta { 21606785244SRatan Gupta BMCWEB_LOG_ERROR << "DBUS response error: " << ec; 21706785244SRatan Gupta messages::internalError(asyncResp->res); 21806785244SRatan Gupta return; 21906785244SRatan Gupta } 22006785244SRatan Gupta asyncResp->res 22106785244SRatan Gupta .jsonValue[serverType]["RemoteRoleMapping"][index] = 22206785244SRatan Gupta nullptr; 22306785244SRatan Gupta }, 22406785244SRatan Gupta ldapDbusService, roleMapObjData[index].first, 22506785244SRatan Gupta "xyz.openbmc_project.Object.Delete", "Delete"); 22606785244SRatan Gupta } 22706785244SRatan Gupta else 22806785244SRatan Gupta { 22906785244SRatan Gupta BMCWEB_LOG_ERROR << "Can't delete the object"; 23006785244SRatan Gupta messages::propertyValueTypeError( 23171f52d96SEd Tanous asyncResp->res, 23271f52d96SEd Tanous thisJson.dump(2, ' ', true, 23371f52d96SEd Tanous nlohmann::json::error_handler_t::replace), 23406785244SRatan Gupta "RemoteRoleMapping/" + std::to_string(index)); 23506785244SRatan Gupta return; 23606785244SRatan Gupta } 23706785244SRatan Gupta } 23806785244SRatan Gupta else if (thisJson.empty()) 23906785244SRatan Gupta { 24006785244SRatan Gupta // Don't do anything for the empty objects,parse next json 24106785244SRatan Gupta // eg {"RemoteRoleMapping",[{}]} 24206785244SRatan Gupta } 24306785244SRatan Gupta else 24406785244SRatan Gupta { 24506785244SRatan Gupta // update/create the object 24606785244SRatan Gupta std::optional<std::string> remoteGroup; 24706785244SRatan Gupta std::optional<std::string> localRole; 24806785244SRatan Gupta 249f23b7296SEd Tanous // This is a copy, but it's required in this case because of how 250f23b7296SEd Tanous // readJson is structured 251f23b7296SEd Tanous nlohmann::json thisJsonCopy = thisJson; 252f23b7296SEd Tanous if (!json_util::readJson(thisJsonCopy, asyncResp->res, 253f23b7296SEd Tanous "RemoteGroup", remoteGroup, "LocalRole", 254f23b7296SEd Tanous localRole)) 25506785244SRatan Gupta { 25606785244SRatan Gupta continue; 25706785244SRatan Gupta } 25806785244SRatan Gupta 25906785244SRatan Gupta // Update existing RoleMapping Object 26006785244SRatan Gupta if (index < roleMapObjData.size()) 26106785244SRatan Gupta { 26206785244SRatan Gupta BMCWEB_LOG_DEBUG << "Update Role Map Object"; 26306785244SRatan Gupta // If "RemoteGroup" info is provided 26406785244SRatan Gupta if (remoteGroup) 26506785244SRatan Gupta { 26606785244SRatan Gupta crow::connections::systemBus->async_method_call( 26706785244SRatan Gupta [asyncResp, roleMapObjData, serverType, index, 26806785244SRatan Gupta remoteGroup](const boost::system::error_code ec) { 26906785244SRatan Gupta if (ec) 27006785244SRatan Gupta { 271002d39b4SEd Tanous BMCWEB_LOG_ERROR << "DBUS response error: " << ec; 27206785244SRatan Gupta messages::internalError(asyncResp->res); 27306785244SRatan Gupta return; 27406785244SRatan Gupta } 27506785244SRatan Gupta asyncResp->res 276002d39b4SEd Tanous .jsonValue[serverType]["RemoteRoleMapping"][index] 277002d39b4SEd Tanous ["RemoteGroup"] = *remoteGroup; 27806785244SRatan Gupta }, 27906785244SRatan Gupta ldapDbusService, roleMapObjData[index].first, 28006785244SRatan Gupta propertyInterface, "Set", 28106785244SRatan Gupta "xyz.openbmc_project.User.PrivilegeMapperEntry", 28206785244SRatan Gupta "GroupName", 283168e20c1SEd Tanous dbus::utility::DbusVariantType( 284168e20c1SEd Tanous std::move(*remoteGroup))); 28506785244SRatan Gupta } 28606785244SRatan Gupta 28706785244SRatan Gupta // If "LocalRole" info is provided 28806785244SRatan Gupta if (localRole) 28906785244SRatan Gupta { 29006785244SRatan Gupta crow::connections::systemBus->async_method_call( 29106785244SRatan Gupta [asyncResp, roleMapObjData, serverType, index, 29206785244SRatan Gupta localRole](const boost::system::error_code ec) { 29306785244SRatan Gupta if (ec) 29406785244SRatan Gupta { 295002d39b4SEd Tanous BMCWEB_LOG_ERROR << "DBUS response error: " << ec; 29606785244SRatan Gupta messages::internalError(asyncResp->res); 29706785244SRatan Gupta return; 29806785244SRatan Gupta } 29906785244SRatan Gupta asyncResp->res 300002d39b4SEd Tanous .jsonValue[serverType]["RemoteRoleMapping"][index] 301002d39b4SEd Tanous ["LocalRole"] = *localRole; 30206785244SRatan Gupta }, 30306785244SRatan Gupta ldapDbusService, roleMapObjData[index].first, 30406785244SRatan Gupta propertyInterface, "Set", 30506785244SRatan Gupta "xyz.openbmc_project.User.PrivilegeMapperEntry", 30606785244SRatan Gupta "Privilege", 307168e20c1SEd Tanous dbus::utility::DbusVariantType( 30806785244SRatan Gupta getPrivilegeFromRoleId(std::move(*localRole)))); 30906785244SRatan Gupta } 31006785244SRatan Gupta } 31106785244SRatan Gupta // Create a new RoleMapping Object. 31206785244SRatan Gupta else 31306785244SRatan Gupta { 31406785244SRatan Gupta BMCWEB_LOG_DEBUG 31506785244SRatan Gupta << "setRoleMappingProperties: Creating new Object"; 31606785244SRatan Gupta std::string pathString = 31706785244SRatan Gupta "RemoteRoleMapping/" + std::to_string(index); 31806785244SRatan Gupta 31906785244SRatan Gupta if (!localRole) 32006785244SRatan Gupta { 32106785244SRatan Gupta messages::propertyMissing(asyncResp->res, 32206785244SRatan Gupta pathString + "/LocalRole"); 32306785244SRatan Gupta continue; 32406785244SRatan Gupta } 32506785244SRatan Gupta if (!remoteGroup) 32606785244SRatan Gupta { 32706785244SRatan Gupta messages::propertyMissing(asyncResp->res, 32806785244SRatan Gupta pathString + "/RemoteGroup"); 32906785244SRatan Gupta continue; 33006785244SRatan Gupta } 33106785244SRatan Gupta 33206785244SRatan Gupta std::string dbusObjectPath; 33306785244SRatan Gupta if (serverType == "ActiveDirectory") 33406785244SRatan Gupta { 3352c70f800SEd Tanous dbusObjectPath = adConfigObject; 33606785244SRatan Gupta } 33706785244SRatan Gupta else if (serverType == "LDAP") 33806785244SRatan Gupta { 33923a21a1cSEd Tanous dbusObjectPath = ldapConfigObjectName; 34006785244SRatan Gupta } 34106785244SRatan Gupta 34206785244SRatan Gupta BMCWEB_LOG_DEBUG << "Remote Group=" << *remoteGroup 34306785244SRatan Gupta << ",LocalRole=" << *localRole; 34406785244SRatan Gupta 34506785244SRatan Gupta crow::connections::systemBus->async_method_call( 346271584abSEd Tanous [asyncResp, serverType, localRole, 34706785244SRatan Gupta remoteGroup](const boost::system::error_code ec) { 34806785244SRatan Gupta if (ec) 34906785244SRatan Gupta { 35006785244SRatan Gupta BMCWEB_LOG_ERROR << "DBUS response error: " << ec; 35106785244SRatan Gupta messages::internalError(asyncResp->res); 35206785244SRatan Gupta return; 35306785244SRatan Gupta } 35406785244SRatan Gupta nlohmann::json& remoteRoleJson = 35506785244SRatan Gupta asyncResp->res 35606785244SRatan Gupta .jsonValue[serverType]["RemoteRoleMapping"]; 3571476687dSEd Tanous nlohmann::json::object_t roleMapEntry; 3581476687dSEd Tanous roleMapEntry["LocalRole"] = *localRole; 3591476687dSEd Tanous roleMapEntry["RemoteGroup"] = *remoteGroup; 3601476687dSEd Tanous remoteRoleJson.push_back(std::move(roleMapEntry)); 36106785244SRatan Gupta }, 36206785244SRatan Gupta ldapDbusService, dbusObjectPath, ldapPrivMapperInterface, 3633174e4dfSEd Tanous "Create", *remoteGroup, 36406785244SRatan Gupta getPrivilegeFromRoleId(std::move(*localRole))); 36506785244SRatan Gupta } 36606785244SRatan Gupta } 36706785244SRatan Gupta } 36806785244SRatan Gupta } 36906785244SRatan Gupta 37006785244SRatan Gupta /** 3716973a582SRatan Gupta * Function that retrieves all properties for LDAP config object 3726973a582SRatan Gupta * into JSON 3736973a582SRatan Gupta */ 3746973a582SRatan Gupta template <typename CallbackFunc> 3756973a582SRatan Gupta inline void getLDAPConfigData(const std::string& ldapType, 3766973a582SRatan Gupta CallbackFunc&& callback) 3776973a582SRatan Gupta { 37854fc587aSNagaraju Goruganti 37954fc587aSNagaraju Goruganti const std::array<const char*, 2> interfaces = {ldapEnableInterface, 38054fc587aSNagaraju Goruganti ldapConfigInterface}; 38154fc587aSNagaraju Goruganti 38254fc587aSNagaraju Goruganti crow::connections::systemBus->async_method_call( 38354fc587aSNagaraju Goruganti [callback, ldapType](const boost::system::error_code ec, 384b9d36b47SEd Tanous const dbus::utility::MapperGetObject& resp) { 38554fc587aSNagaraju Goruganti if (ec || resp.empty()) 38654fc587aSNagaraju Goruganti { 3870fda0f12SGeorge Liu BMCWEB_LOG_ERROR 388002d39b4SEd Tanous << "DBUS response error during getting of service name: " << ec; 38923a21a1cSEd Tanous LDAPConfigData empty{}; 39023a21a1cSEd Tanous callback(false, empty, ldapType); 39154fc587aSNagaraju Goruganti return; 39254fc587aSNagaraju Goruganti } 39354fc587aSNagaraju Goruganti std::string service = resp.begin()->first; 39454fc587aSNagaraju Goruganti crow::connections::systemBus->async_method_call( 395002d39b4SEd Tanous [callback, 396002d39b4SEd Tanous ldapType](const boost::system::error_code errorCode, 397711ac7a9SEd Tanous const dbus::utility::ManagedObjectType& ldapObjects) { 3986973a582SRatan Gupta LDAPConfigData confData{}; 39981ce609eSEd Tanous if (errorCode) 4006973a582SRatan Gupta { 401ab828d7cSRatan Gupta callback(false, confData, ldapType); 402002d39b4SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << errorCode; 4036973a582SRatan Gupta return; 4046973a582SRatan Gupta } 405ab828d7cSRatan Gupta 406ab828d7cSRatan Gupta std::string ldapDbusType; 40754fc587aSNagaraju Goruganti std::string searchString; 40854fc587aSNagaraju Goruganti 409ab828d7cSRatan Gupta if (ldapType == "LDAP") 410ab828d7cSRatan Gupta { 4110fda0f12SGeorge Liu ldapDbusType = 4120fda0f12SGeorge Liu "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap"; 41354fc587aSNagaraju Goruganti searchString = "openldap"; 414ab828d7cSRatan Gupta } 415ab828d7cSRatan Gupta else if (ldapType == "ActiveDirectory") 416ab828d7cSRatan Gupta { 41754fc587aSNagaraju Goruganti ldapDbusType = 4180fda0f12SGeorge Liu "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory"; 41954fc587aSNagaraju Goruganti searchString = "active_directory"; 420ab828d7cSRatan Gupta } 421ab828d7cSRatan Gupta else 422ab828d7cSRatan Gupta { 423002d39b4SEd Tanous BMCWEB_LOG_ERROR << "Can't get the DbusType for the given type=" 424ab828d7cSRatan Gupta << ldapType; 425ab828d7cSRatan Gupta callback(false, confData, ldapType); 426ab828d7cSRatan Gupta return; 427ab828d7cSRatan Gupta } 428ab828d7cSRatan Gupta 429ab828d7cSRatan Gupta std::string ldapEnableInterfaceStr = ldapEnableInterface; 430ab828d7cSRatan Gupta std::string ldapConfigInterfaceStr = ldapConfigInterface; 431ab828d7cSRatan Gupta 4326973a582SRatan Gupta for (const auto& object : ldapObjects) 4336973a582SRatan Gupta { 43454fc587aSNagaraju Goruganti // let's find the object whose ldap type is equal to the 43554fc587aSNagaraju Goruganti // given type 436002d39b4SEd Tanous if (object.first.str.find(searchString) == std::string::npos) 4376973a582SRatan Gupta { 438ab828d7cSRatan Gupta continue; 439ab828d7cSRatan Gupta } 440ab828d7cSRatan Gupta 4416973a582SRatan Gupta for (const auto& interface : object.second) 4426973a582SRatan Gupta { 4436973a582SRatan Gupta if (interface.first == ldapEnableInterfaceStr) 4446973a582SRatan Gupta { 4456973a582SRatan Gupta // rest of the properties are string. 4466973a582SRatan Gupta for (const auto& property : interface.second) 4476973a582SRatan Gupta { 4486973a582SRatan Gupta if (property.first == "Enabled") 4496973a582SRatan Gupta { 4506973a582SRatan Gupta const bool* value = 4516973a582SRatan Gupta std::get_if<bool>(&property.second); 4526973a582SRatan Gupta if (value == nullptr) 4536973a582SRatan Gupta { 4546973a582SRatan Gupta continue; 4556973a582SRatan Gupta } 4566973a582SRatan Gupta confData.serviceEnabled = *value; 4576973a582SRatan Gupta break; 4586973a582SRatan Gupta } 4596973a582SRatan Gupta } 4606973a582SRatan Gupta } 4616973a582SRatan Gupta else if (interface.first == ldapConfigInterfaceStr) 4626973a582SRatan Gupta { 4636973a582SRatan Gupta 4646973a582SRatan Gupta for (const auto& property : interface.second) 4656973a582SRatan Gupta { 466271584abSEd Tanous const std::string* strValue = 467002d39b4SEd Tanous std::get_if<std::string>(&property.second); 468271584abSEd Tanous if (strValue == nullptr) 4696973a582SRatan Gupta { 4706973a582SRatan Gupta continue; 4716973a582SRatan Gupta } 4726973a582SRatan Gupta if (property.first == "LDAPServerURI") 4736973a582SRatan Gupta { 474271584abSEd Tanous confData.uri = *strValue; 4756973a582SRatan Gupta } 4766973a582SRatan Gupta else if (property.first == "LDAPBindDN") 4776973a582SRatan Gupta { 478271584abSEd Tanous confData.bindDN = *strValue; 4796973a582SRatan Gupta } 4806973a582SRatan Gupta else if (property.first == "LDAPBaseDN") 4816973a582SRatan Gupta { 482271584abSEd Tanous confData.baseDN = *strValue; 4836973a582SRatan Gupta } 484002d39b4SEd Tanous else if (property.first == "LDAPSearchScope") 4856973a582SRatan Gupta { 486271584abSEd Tanous confData.searchScope = *strValue; 4876973a582SRatan Gupta } 488002d39b4SEd Tanous else if (property.first == "GroupNameAttribute") 4896973a582SRatan Gupta { 490271584abSEd Tanous confData.groupAttribute = *strValue; 4916973a582SRatan Gupta } 492002d39b4SEd Tanous else if (property.first == "UserNameAttribute") 4936973a582SRatan Gupta { 494271584abSEd Tanous confData.userNameAttribute = *strValue; 4956973a582SRatan Gupta } 49654fc587aSNagaraju Goruganti else if (property.first == "LDAPType") 497ab828d7cSRatan Gupta { 498271584abSEd Tanous confData.serverType = *strValue; 49954fc587aSNagaraju Goruganti } 50054fc587aSNagaraju Goruganti } 50154fc587aSNagaraju Goruganti } 502002d39b4SEd Tanous else if (interface.first == 5030fda0f12SGeorge Liu "xyz.openbmc_project.User.PrivilegeMapperEntry") 50454fc587aSNagaraju Goruganti { 50554fc587aSNagaraju Goruganti LDAPRoleMapData roleMapData{}; 50654fc587aSNagaraju Goruganti for (const auto& property : interface.second) 50754fc587aSNagaraju Goruganti { 508271584abSEd Tanous const std::string* strValue = 509002d39b4SEd Tanous std::get_if<std::string>(&property.second); 51054fc587aSNagaraju Goruganti 511271584abSEd Tanous if (strValue == nullptr) 51254fc587aSNagaraju Goruganti { 51354fc587aSNagaraju Goruganti continue; 51454fc587aSNagaraju Goruganti } 51554fc587aSNagaraju Goruganti 51654fc587aSNagaraju Goruganti if (property.first == "GroupName") 51754fc587aSNagaraju Goruganti { 518271584abSEd Tanous roleMapData.groupName = *strValue; 51954fc587aSNagaraju Goruganti } 52054fc587aSNagaraju Goruganti else if (property.first == "Privilege") 52154fc587aSNagaraju Goruganti { 522271584abSEd Tanous roleMapData.privilege = *strValue; 52354fc587aSNagaraju Goruganti } 52454fc587aSNagaraju Goruganti } 52554fc587aSNagaraju Goruganti 526002d39b4SEd Tanous confData.groupRoleList.emplace_back(object.first.str, 527002d39b4SEd Tanous roleMapData); 52854fc587aSNagaraju Goruganti } 52954fc587aSNagaraju Goruganti } 53054fc587aSNagaraju Goruganti } 531ab828d7cSRatan Gupta callback(true, confData, ldapType); 53254fc587aSNagaraju Goruganti }, 533002d39b4SEd Tanous service, ldapRootObject, dbusObjManagerIntf, "GetManagedObjects"); 53454fc587aSNagaraju Goruganti }, 53554fc587aSNagaraju Goruganti mapperBusName, mapperObjectPath, mapperIntf, "GetObject", 53623a21a1cSEd Tanous ldapConfigObjectName, interfaces); 5376973a582SRatan Gupta } 5386973a582SRatan Gupta 5398a07d286SRatan Gupta /** 5408a07d286SRatan Gupta * @brief parses the authentication section under the LDAP 5418a07d286SRatan Gupta * @param input JSON data 5428a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 5438a07d286SRatan Gupta * @param userName userName to be filled from the given JSON. 5448a07d286SRatan Gupta * @param password password to be filled from the given JSON. 5458a07d286SRatan Gupta */ 5464f48d5f6SEd Tanous inline void parseLDAPAuthenticationJson( 5476c51eab1SEd Tanous nlohmann::json input, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 5486c51eab1SEd Tanous std::optional<std::string>& username, std::optional<std::string>& password) 5498a07d286SRatan Gupta { 5508a07d286SRatan Gupta std::optional<std::string> authType; 5518a07d286SRatan Gupta 5528a07d286SRatan Gupta if (!json_util::readJson(input, asyncResp->res, "AuthenticationType", 5538a07d286SRatan Gupta authType, "Username", username, "Password", 5548a07d286SRatan Gupta password)) 5558a07d286SRatan Gupta { 5568a07d286SRatan Gupta return; 5578a07d286SRatan Gupta } 5588a07d286SRatan Gupta if (!authType) 5598a07d286SRatan Gupta { 5608a07d286SRatan Gupta return; 5618a07d286SRatan Gupta } 5628a07d286SRatan Gupta if (*authType != "UsernameAndPassword") 5638a07d286SRatan Gupta { 5648a07d286SRatan Gupta messages::propertyValueNotInList(asyncResp->res, *authType, 5658a07d286SRatan Gupta "AuthenticationType"); 5668a07d286SRatan Gupta return; 5678a07d286SRatan Gupta } 5688a07d286SRatan Gupta } 5698a07d286SRatan Gupta /** 5708a07d286SRatan Gupta * @brief parses the LDAPService section under the LDAP 5718a07d286SRatan Gupta * @param input JSON data 5728a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 5738a07d286SRatan Gupta * @param baseDNList baseDN to be filled from the given JSON. 5748a07d286SRatan Gupta * @param userNameAttribute userName to be filled from the given JSON. 5758a07d286SRatan Gupta * @param groupaAttribute password to be filled from the given JSON. 5768a07d286SRatan Gupta */ 5778a07d286SRatan Gupta 5784f48d5f6SEd Tanous inline void 5794f48d5f6SEd Tanous parseLDAPServiceJson(nlohmann::json input, 5808d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 5818a07d286SRatan Gupta std::optional<std::vector<std::string>>& baseDNList, 5828a07d286SRatan Gupta std::optional<std::string>& userNameAttribute, 5838a07d286SRatan Gupta std::optional<std::string>& groupsAttribute) 5848a07d286SRatan Gupta { 5858a07d286SRatan Gupta std::optional<nlohmann::json> searchSettings; 5868a07d286SRatan Gupta 5878a07d286SRatan Gupta if (!json_util::readJson(input, asyncResp->res, "SearchSettings", 5888a07d286SRatan Gupta searchSettings)) 5898a07d286SRatan Gupta { 5908a07d286SRatan Gupta return; 5918a07d286SRatan Gupta } 5928a07d286SRatan Gupta if (!searchSettings) 5938a07d286SRatan Gupta { 5948a07d286SRatan Gupta return; 5958a07d286SRatan Gupta } 5968a07d286SRatan Gupta if (!json_util::readJson(*searchSettings, asyncResp->res, 5978a07d286SRatan Gupta "BaseDistinguishedNames", baseDNList, 5988a07d286SRatan Gupta "UsernameAttribute", userNameAttribute, 5998a07d286SRatan Gupta "GroupsAttribute", groupsAttribute)) 6008a07d286SRatan Gupta { 6018a07d286SRatan Gupta return; 6028a07d286SRatan Gupta } 6038a07d286SRatan Gupta } 6048a07d286SRatan Gupta /** 6058a07d286SRatan Gupta * @brief updates the LDAP server address and updates the 6068a07d286SRatan Gupta json response with the new value. 6078a07d286SRatan Gupta * @param serviceAddressList address to be updated. 6088a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 6098a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 6108a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 6118a07d286SRatan Gupta */ 6128a07d286SRatan Gupta 6134f48d5f6SEd Tanous inline void handleServiceAddressPatch( 6148a07d286SRatan Gupta const std::vector<std::string>& serviceAddressList, 6158d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 6168a07d286SRatan Gupta const std::string& ldapServerElementName, 6178a07d286SRatan Gupta const std::string& ldapConfigObject) 6188a07d286SRatan Gupta { 6198a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 6208a07d286SRatan Gupta [asyncResp, ldapServerElementName, 6218a07d286SRatan Gupta serviceAddressList](const boost::system::error_code ec) { 6228a07d286SRatan Gupta if (ec) 6238a07d286SRatan Gupta { 6248a07d286SRatan Gupta BMCWEB_LOG_DEBUG 625c61704abSGunnar Mills << "Error Occurred in updating the service address"; 6268a07d286SRatan Gupta messages::internalError(asyncResp->res); 6278a07d286SRatan Gupta return; 6288a07d286SRatan Gupta } 6298a07d286SRatan Gupta std::vector<std::string> modifiedserviceAddressList = { 6308a07d286SRatan Gupta serviceAddressList.front()}; 631002d39b4SEd Tanous asyncResp->res.jsonValue[ldapServerElementName]["ServiceAddresses"] = 6328a07d286SRatan Gupta modifiedserviceAddressList; 6338a07d286SRatan Gupta if ((serviceAddressList).size() > 1) 6348a07d286SRatan Gupta { 635002d39b4SEd Tanous messages::propertyValueModified(asyncResp->res, "ServiceAddresses", 6368a07d286SRatan Gupta serviceAddressList.front()); 6378a07d286SRatan Gupta } 6388a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the service address"; 6398a07d286SRatan Gupta }, 6408a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 6418a07d286SRatan Gupta ldapConfigInterface, "LDAPServerURI", 642168e20c1SEd Tanous dbus::utility::DbusVariantType(serviceAddressList.front())); 6438a07d286SRatan Gupta } 6448a07d286SRatan Gupta /** 6458a07d286SRatan Gupta * @brief updates the LDAP Bind DN and updates the 6468a07d286SRatan Gupta json response with the new value. 6478a07d286SRatan Gupta * @param username name of the user which needs to be updated. 6488a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 6498a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 6508a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 6518a07d286SRatan Gupta */ 6528a07d286SRatan Gupta 6534f48d5f6SEd Tanous inline void 6544f48d5f6SEd Tanous handleUserNamePatch(const std::string& username, 6558d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 6568a07d286SRatan Gupta const std::string& ldapServerElementName, 6578a07d286SRatan Gupta const std::string& ldapConfigObject) 6588a07d286SRatan Gupta { 6598a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 6608a07d286SRatan Gupta [asyncResp, username, 6618a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 6628a07d286SRatan Gupta if (ec) 6638a07d286SRatan Gupta { 6646c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Error occurred in updating the username"; 6658a07d286SRatan Gupta messages::internalError(asyncResp->res); 6668a07d286SRatan Gupta return; 6678a07d286SRatan Gupta } 668002d39b4SEd Tanous asyncResp->res 669002d39b4SEd Tanous .jsonValue[ldapServerElementName]["Authentication"]["Username"] = 670002d39b4SEd Tanous username; 6718a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the username"; 6728a07d286SRatan Gupta }, 6738a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 674168e20c1SEd Tanous ldapConfigInterface, "LDAPBindDN", 675168e20c1SEd Tanous dbus::utility::DbusVariantType(username)); 6768a07d286SRatan Gupta } 6778a07d286SRatan Gupta 6788a07d286SRatan Gupta /** 6798a07d286SRatan Gupta * @brief updates the LDAP password 6808a07d286SRatan Gupta * @param password : ldap password which needs to be updated. 6818a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 6828a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 6838a07d286SRatan Gupta * server(openLDAP/ActiveDirectory) 6848a07d286SRatan Gupta */ 6858a07d286SRatan Gupta 6864f48d5f6SEd Tanous inline void 6874f48d5f6SEd Tanous handlePasswordPatch(const std::string& password, 6888d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 6898a07d286SRatan Gupta const std::string& ldapServerElementName, 6908a07d286SRatan Gupta const std::string& ldapConfigObject) 6918a07d286SRatan Gupta { 6928a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 6938a07d286SRatan Gupta [asyncResp, password, 6948a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 6958a07d286SRatan Gupta if (ec) 6968a07d286SRatan Gupta { 6976c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Error occurred in updating the password"; 6988a07d286SRatan Gupta messages::internalError(asyncResp->res); 6998a07d286SRatan Gupta return; 7008a07d286SRatan Gupta } 701002d39b4SEd Tanous asyncResp->res 702002d39b4SEd Tanous .jsonValue[ldapServerElementName]["Authentication"]["Password"] = 703002d39b4SEd Tanous ""; 7048a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the password"; 7058a07d286SRatan Gupta }, 7068a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 7078a07d286SRatan Gupta ldapConfigInterface, "LDAPBindDNPassword", 708168e20c1SEd Tanous dbus::utility::DbusVariantType(password)); 7098a07d286SRatan Gupta } 7108a07d286SRatan Gupta 7118a07d286SRatan Gupta /** 7128a07d286SRatan Gupta * @brief updates the LDAP BaseDN and updates the 7138a07d286SRatan Gupta json response with the new value. 7148a07d286SRatan Gupta * @param baseDNList baseDN list which needs to be updated. 7158a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7168a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7178a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7188a07d286SRatan Gupta */ 7198a07d286SRatan Gupta 7204f48d5f6SEd Tanous inline void 7214f48d5f6SEd Tanous handleBaseDNPatch(const std::vector<std::string>& baseDNList, 7228d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7238a07d286SRatan Gupta const std::string& ldapServerElementName, 7248a07d286SRatan Gupta const std::string& ldapConfigObject) 7258a07d286SRatan Gupta { 7268a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 7278a07d286SRatan Gupta [asyncResp, baseDNList, 7288a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 7298a07d286SRatan Gupta if (ec) 7308a07d286SRatan Gupta { 7316c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Error Occurred in Updating the base DN"; 7328a07d286SRatan Gupta messages::internalError(asyncResp->res); 7338a07d286SRatan Gupta return; 7348a07d286SRatan Gupta } 735002d39b4SEd Tanous auto& serverTypeJson = asyncResp->res.jsonValue[ldapServerElementName]; 7368a07d286SRatan Gupta auto& searchSettingsJson = 7378a07d286SRatan Gupta serverTypeJson["LDAPService"]["SearchSettings"]; 7386c51eab1SEd Tanous std::vector<std::string> modifiedBaseDNList = {baseDNList.front()}; 7396c51eab1SEd Tanous searchSettingsJson["BaseDistinguishedNames"] = modifiedBaseDNList; 7408a07d286SRatan Gupta if (baseDNList.size() > 1) 7418a07d286SRatan Gupta { 742002d39b4SEd Tanous messages::propertyValueModified( 743002d39b4SEd Tanous asyncResp->res, "BaseDistinguishedNames", baseDNList.front()); 7448a07d286SRatan Gupta } 7458a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the base DN"; 7468a07d286SRatan Gupta }, 7478a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 7488a07d286SRatan Gupta ldapConfigInterface, "LDAPBaseDN", 749168e20c1SEd Tanous dbus::utility::DbusVariantType(baseDNList.front())); 7508a07d286SRatan Gupta } 7518a07d286SRatan Gupta /** 7528a07d286SRatan Gupta * @brief updates the LDAP user name attribute and updates the 7538a07d286SRatan Gupta json response with the new value. 7548a07d286SRatan Gupta * @param userNameAttribute attribute to be updated. 7558a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7568a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7578a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7588a07d286SRatan Gupta */ 7598a07d286SRatan Gupta 7604f48d5f6SEd Tanous inline void 7614f48d5f6SEd Tanous handleUserNameAttrPatch(const std::string& userNameAttribute, 7628d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7638a07d286SRatan Gupta const std::string& ldapServerElementName, 7648a07d286SRatan Gupta const std::string& ldapConfigObject) 7658a07d286SRatan Gupta { 7668a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 7678a07d286SRatan Gupta [asyncResp, userNameAttribute, 7688a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 7698a07d286SRatan Gupta if (ec) 7708a07d286SRatan Gupta { 771c61704abSGunnar Mills BMCWEB_LOG_DEBUG << "Error Occurred in Updating the " 7728a07d286SRatan Gupta "username attribute"; 7738a07d286SRatan Gupta messages::internalError(asyncResp->res); 7748a07d286SRatan Gupta return; 7758a07d286SRatan Gupta } 776002d39b4SEd Tanous auto& serverTypeJson = asyncResp->res.jsonValue[ldapServerElementName]; 7778a07d286SRatan Gupta auto& searchSettingsJson = 7788a07d286SRatan Gupta serverTypeJson["LDAPService"]["SearchSettings"]; 7798a07d286SRatan Gupta searchSettingsJson["UsernameAttribute"] = userNameAttribute; 7808a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the user name attr."; 7818a07d286SRatan Gupta }, 7828a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 7838a07d286SRatan Gupta ldapConfigInterface, "UserNameAttribute", 784168e20c1SEd Tanous dbus::utility::DbusVariantType(userNameAttribute)); 7858a07d286SRatan Gupta } 7868a07d286SRatan Gupta /** 7878a07d286SRatan Gupta * @brief updates the LDAP group attribute and updates the 7888a07d286SRatan Gupta json response with the new value. 7898a07d286SRatan Gupta * @param groupsAttribute attribute to be updated. 7908a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7918a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7928a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7938a07d286SRatan Gupta */ 7948a07d286SRatan Gupta 7954f48d5f6SEd Tanous inline void handleGroupNameAttrPatch( 7968d1b46d7Szhanghch05 const std::string& groupsAttribute, 7978d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7988a07d286SRatan Gupta const std::string& ldapServerElementName, 7998a07d286SRatan Gupta const std::string& ldapConfigObject) 8008a07d286SRatan Gupta { 8018a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 8028a07d286SRatan Gupta [asyncResp, groupsAttribute, 8038a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 8048a07d286SRatan Gupta if (ec) 8058a07d286SRatan Gupta { 806c61704abSGunnar Mills BMCWEB_LOG_DEBUG << "Error Occurred in Updating the " 8078a07d286SRatan Gupta "groupname attribute"; 8088a07d286SRatan Gupta messages::internalError(asyncResp->res); 8098a07d286SRatan Gupta return; 8108a07d286SRatan Gupta } 811002d39b4SEd Tanous auto& serverTypeJson = asyncResp->res.jsonValue[ldapServerElementName]; 8128a07d286SRatan Gupta auto& searchSettingsJson = 8138a07d286SRatan Gupta serverTypeJson["LDAPService"]["SearchSettings"]; 8148a07d286SRatan Gupta searchSettingsJson["GroupsAttribute"] = groupsAttribute; 8158a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the groupname attr"; 8168a07d286SRatan Gupta }, 8178a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 8188a07d286SRatan Gupta ldapConfigInterface, "GroupNameAttribute", 819168e20c1SEd Tanous dbus::utility::DbusVariantType(groupsAttribute)); 8208a07d286SRatan Gupta } 8218a07d286SRatan Gupta /** 8228a07d286SRatan Gupta * @brief updates the LDAP service enable and updates the 8238a07d286SRatan Gupta json response with the new value. 8248a07d286SRatan Gupta * @param input JSON data. 8258a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 8268a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 8278a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 8288a07d286SRatan Gupta */ 8298a07d286SRatan Gupta 8304f48d5f6SEd Tanous inline void handleServiceEnablePatch( 8316c51eab1SEd Tanous bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 8328a07d286SRatan Gupta const std::string& ldapServerElementName, 8338a07d286SRatan Gupta const std::string& ldapConfigObject) 8348a07d286SRatan Gupta { 8358a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 8368a07d286SRatan Gupta [asyncResp, serviceEnabled, 8378a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 8388a07d286SRatan Gupta if (ec) 8398a07d286SRatan Gupta { 840002d39b4SEd Tanous BMCWEB_LOG_DEBUG << "Error Occurred in Updating the service enable"; 8418a07d286SRatan Gupta messages::internalError(asyncResp->res); 8428a07d286SRatan Gupta return; 8438a07d286SRatan Gupta } 8446c51eab1SEd Tanous asyncResp->res.jsonValue[ldapServerElementName]["ServiceEnabled"] = 8458a07d286SRatan Gupta serviceEnabled; 8466c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Updated Service enable = " << serviceEnabled; 8478a07d286SRatan Gupta }, 8488a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 849168e20c1SEd Tanous ldapEnableInterface, "Enabled", 850168e20c1SEd Tanous dbus::utility::DbusVariantType(serviceEnabled)); 8518a07d286SRatan Gupta } 8528a07d286SRatan Gupta 8534f48d5f6SEd Tanous inline void 8544f48d5f6SEd Tanous handleAuthMethodsPatch(nlohmann::json& input, 8558d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 85678158631SZbigniew Kurzynski { 85778158631SZbigniew Kurzynski std::optional<bool> basicAuth; 85878158631SZbigniew Kurzynski std::optional<bool> cookie; 85978158631SZbigniew Kurzynski std::optional<bool> sessionToken; 86078158631SZbigniew Kurzynski std::optional<bool> xToken; 861501f1e58SZbigniew Kurzynski std::optional<bool> tls; 86278158631SZbigniew Kurzynski 86378158631SZbigniew Kurzynski if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth, 86478158631SZbigniew Kurzynski "Cookie", cookie, "SessionToken", sessionToken, 865501f1e58SZbigniew Kurzynski "XToken", xToken, "TLS", tls)) 86678158631SZbigniew Kurzynski { 86778158631SZbigniew Kurzynski BMCWEB_LOG_ERROR << "Cannot read values from AuthMethod tag"; 86878158631SZbigniew Kurzynski return; 86978158631SZbigniew Kurzynski } 87078158631SZbigniew Kurzynski 87178158631SZbigniew Kurzynski // Make a copy of methods configuration 87252cc112dSEd Tanous persistent_data::AuthConfigMethods authMethodsConfig = 87352cc112dSEd Tanous persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 87478158631SZbigniew Kurzynski 87578158631SZbigniew Kurzynski if (basicAuth) 87678158631SZbigniew Kurzynski { 877f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_BASIC_AUTHENTICATION 878f16f6263SAlan Kuo messages::actionNotSupported( 8790fda0f12SGeorge Liu asyncResp->res, 8800fda0f12SGeorge Liu "Setting BasicAuth when basic-auth feature is disabled"); 881f16f6263SAlan Kuo return; 882f16f6263SAlan Kuo #endif 88378158631SZbigniew Kurzynski authMethodsConfig.basic = *basicAuth; 88478158631SZbigniew Kurzynski } 88578158631SZbigniew Kurzynski 88678158631SZbigniew Kurzynski if (cookie) 88778158631SZbigniew Kurzynski { 888f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_COOKIE_AUTHENTICATION 8890fda0f12SGeorge Liu messages::actionNotSupported( 8900fda0f12SGeorge Liu asyncResp->res, 8910fda0f12SGeorge Liu "Setting Cookie when cookie-auth feature is disabled"); 892f16f6263SAlan Kuo return; 893f16f6263SAlan Kuo #endif 89478158631SZbigniew Kurzynski authMethodsConfig.cookie = *cookie; 89578158631SZbigniew Kurzynski } 89678158631SZbigniew Kurzynski 89778158631SZbigniew Kurzynski if (sessionToken) 89878158631SZbigniew Kurzynski { 899f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_SESSION_AUTHENTICATION 900f16f6263SAlan Kuo messages::actionNotSupported( 9010fda0f12SGeorge Liu asyncResp->res, 9020fda0f12SGeorge Liu "Setting SessionToken when session-auth feature is disabled"); 903f16f6263SAlan Kuo return; 904f16f6263SAlan Kuo #endif 90578158631SZbigniew Kurzynski authMethodsConfig.sessionToken = *sessionToken; 90678158631SZbigniew Kurzynski } 90778158631SZbigniew Kurzynski 90878158631SZbigniew Kurzynski if (xToken) 90978158631SZbigniew Kurzynski { 910f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION 9110fda0f12SGeorge Liu messages::actionNotSupported( 9120fda0f12SGeorge Liu asyncResp->res, 9130fda0f12SGeorge Liu "Setting XToken when xtoken-auth feature is disabled"); 914f16f6263SAlan Kuo return; 915f16f6263SAlan Kuo #endif 91678158631SZbigniew Kurzynski authMethodsConfig.xtoken = *xToken; 91778158631SZbigniew Kurzynski } 91878158631SZbigniew Kurzynski 919501f1e58SZbigniew Kurzynski if (tls) 920501f1e58SZbigniew Kurzynski { 921f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION 9220fda0f12SGeorge Liu messages::actionNotSupported( 9230fda0f12SGeorge Liu asyncResp->res, 9240fda0f12SGeorge Liu "Setting TLS when mutual-tls-auth feature is disabled"); 925f16f6263SAlan Kuo return; 926f16f6263SAlan Kuo #endif 927501f1e58SZbigniew Kurzynski authMethodsConfig.tls = *tls; 928501f1e58SZbigniew Kurzynski } 929501f1e58SZbigniew Kurzynski 93078158631SZbigniew Kurzynski if (!authMethodsConfig.basic && !authMethodsConfig.cookie && 931501f1e58SZbigniew Kurzynski !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken && 932501f1e58SZbigniew Kurzynski !authMethodsConfig.tls) 93378158631SZbigniew Kurzynski { 93478158631SZbigniew Kurzynski // Do not allow user to disable everything 93578158631SZbigniew Kurzynski messages::actionNotSupported(asyncResp->res, 93678158631SZbigniew Kurzynski "of disabling all available methods"); 93778158631SZbigniew Kurzynski return; 93878158631SZbigniew Kurzynski } 93978158631SZbigniew Kurzynski 94052cc112dSEd Tanous persistent_data::SessionStore::getInstance().updateAuthMethodsConfig( 94152cc112dSEd Tanous authMethodsConfig); 94278158631SZbigniew Kurzynski // Save configuration immediately 94352cc112dSEd Tanous persistent_data::getConfig().writeData(); 94478158631SZbigniew Kurzynski 94578158631SZbigniew Kurzynski messages::success(asyncResp->res); 94678158631SZbigniew Kurzynski } 94778158631SZbigniew Kurzynski 9488a07d286SRatan Gupta /** 9498a07d286SRatan Gupta * @brief Get the required values from the given JSON, validates the 9508a07d286SRatan Gupta * value and create the LDAP config object. 9518a07d286SRatan Gupta * @param input JSON data 9528a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 9538a07d286SRatan Gupta * @param serverType Type of LDAP server(openLDAP/ActiveDirectory) 9548a07d286SRatan Gupta */ 9558a07d286SRatan Gupta 9566c51eab1SEd Tanous inline void handleLDAPPatch(nlohmann::json& input, 9578d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 9588a07d286SRatan Gupta const std::string& serverType) 9598a07d286SRatan Gupta { 960eb2bbe56SRatan Gupta std::string dbusObjectPath; 961eb2bbe56SRatan Gupta if (serverType == "ActiveDirectory") 962eb2bbe56SRatan Gupta { 9632c70f800SEd Tanous dbusObjectPath = adConfigObject; 964eb2bbe56SRatan Gupta } 965eb2bbe56SRatan Gupta else if (serverType == "LDAP") 966eb2bbe56SRatan Gupta { 96723a21a1cSEd Tanous dbusObjectPath = ldapConfigObjectName; 968eb2bbe56SRatan Gupta } 969cb13a392SEd Tanous else 970cb13a392SEd Tanous { 971cb13a392SEd Tanous return; 972cb13a392SEd Tanous } 973eb2bbe56SRatan Gupta 9748a07d286SRatan Gupta std::optional<nlohmann::json> authentication; 9758a07d286SRatan Gupta std::optional<nlohmann::json> ldapService; 9768a07d286SRatan Gupta std::optional<std::vector<std::string>> serviceAddressList; 9778a07d286SRatan Gupta std::optional<bool> serviceEnabled; 9788a07d286SRatan Gupta std::optional<std::vector<std::string>> baseDNList; 9798a07d286SRatan Gupta std::optional<std::string> userNameAttribute; 9808a07d286SRatan Gupta std::optional<std::string> groupsAttribute; 9818a07d286SRatan Gupta std::optional<std::string> userName; 9828a07d286SRatan Gupta std::optional<std::string> password; 98306785244SRatan Gupta std::optional<std::vector<nlohmann::json>> remoteRoleMapData; 9848a07d286SRatan Gupta 9858a07d286SRatan Gupta if (!json_util::readJson(input, asyncResp->res, "Authentication", 9868a07d286SRatan Gupta authentication, "LDAPService", ldapService, 9878a07d286SRatan Gupta "ServiceAddresses", serviceAddressList, 98806785244SRatan Gupta "ServiceEnabled", serviceEnabled, 98906785244SRatan Gupta "RemoteRoleMapping", remoteRoleMapData)) 9908a07d286SRatan Gupta { 9918a07d286SRatan Gupta return; 9928a07d286SRatan Gupta } 9938a07d286SRatan Gupta 9948a07d286SRatan Gupta if (authentication) 9958a07d286SRatan Gupta { 9968a07d286SRatan Gupta parseLDAPAuthenticationJson(*authentication, asyncResp, userName, 9978a07d286SRatan Gupta password); 9988a07d286SRatan Gupta } 9998a07d286SRatan Gupta if (ldapService) 10008a07d286SRatan Gupta { 10018a07d286SRatan Gupta parseLDAPServiceJson(*ldapService, asyncResp, baseDNList, 10028a07d286SRatan Gupta userNameAttribute, groupsAttribute); 10038a07d286SRatan Gupta } 10048a07d286SRatan Gupta if (serviceAddressList) 10058a07d286SRatan Gupta { 100626f6976fSEd Tanous if (serviceAddressList->empty()) 10078a07d286SRatan Gupta { 10088a07d286SRatan Gupta messages::propertyValueNotInList(asyncResp->res, "[]", 10098a07d286SRatan Gupta "ServiceAddress"); 10108a07d286SRatan Gupta return; 10118a07d286SRatan Gupta } 10128a07d286SRatan Gupta } 10138a07d286SRatan Gupta if (baseDNList) 10148a07d286SRatan Gupta { 101526f6976fSEd Tanous if (baseDNList->empty()) 10168a07d286SRatan Gupta { 10178a07d286SRatan Gupta messages::propertyValueNotInList(asyncResp->res, "[]", 10188a07d286SRatan Gupta "BaseDistinguishedNames"); 10198a07d286SRatan Gupta return; 10208a07d286SRatan Gupta } 10218a07d286SRatan Gupta } 10228a07d286SRatan Gupta 10238a07d286SRatan Gupta // nothing to update, then return 10248a07d286SRatan Gupta if (!userName && !password && !serviceAddressList && !baseDNList && 102506785244SRatan Gupta !userNameAttribute && !groupsAttribute && !serviceEnabled && 102606785244SRatan Gupta !remoteRoleMapData) 10278a07d286SRatan Gupta { 10288a07d286SRatan Gupta return; 10298a07d286SRatan Gupta } 10308a07d286SRatan Gupta 10318a07d286SRatan Gupta // Get the existing resource first then keep modifying 10328a07d286SRatan Gupta // whenever any property gets updated. 1033002d39b4SEd Tanous getLDAPConfigData( 1034002d39b4SEd Tanous serverType, 1035002d39b4SEd Tanous [asyncResp, userName, password, baseDNList, userNameAttribute, 1036002d39b4SEd Tanous groupsAttribute, serviceAddressList, serviceEnabled, dbusObjectPath, 1037002d39b4SEd Tanous remoteRoleMapData](bool success, const LDAPConfigData& confData, 103823a21a1cSEd Tanous const std::string& serverT) { 10398a07d286SRatan Gupta if (!success) 10408a07d286SRatan Gupta { 10418a07d286SRatan Gupta messages::internalError(asyncResp->res); 10428a07d286SRatan Gupta return; 10438a07d286SRatan Gupta } 10446c51eab1SEd Tanous parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT); 10458a07d286SRatan Gupta if (confData.serviceEnabled) 10468a07d286SRatan Gupta { 10478a07d286SRatan Gupta // Disable the service first and update the rest of 10488a07d286SRatan Gupta // the properties. 10496c51eab1SEd Tanous handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath); 10508a07d286SRatan Gupta } 10518a07d286SRatan Gupta 10528a07d286SRatan Gupta if (serviceAddressList) 10538a07d286SRatan Gupta { 10546c51eab1SEd Tanous handleServiceAddressPatch(*serviceAddressList, asyncResp, serverT, 10556c51eab1SEd Tanous dbusObjectPath); 10568a07d286SRatan Gupta } 10578a07d286SRatan Gupta if (userName) 10588a07d286SRatan Gupta { 10596c51eab1SEd Tanous handleUserNamePatch(*userName, asyncResp, serverT, dbusObjectPath); 10608a07d286SRatan Gupta } 10618a07d286SRatan Gupta if (password) 10628a07d286SRatan Gupta { 10636c51eab1SEd Tanous handlePasswordPatch(*password, asyncResp, serverT, dbusObjectPath); 10648a07d286SRatan Gupta } 10658a07d286SRatan Gupta 10668a07d286SRatan Gupta if (baseDNList) 10678a07d286SRatan Gupta { 10686c51eab1SEd Tanous handleBaseDNPatch(*baseDNList, asyncResp, serverT, dbusObjectPath); 10698a07d286SRatan Gupta } 10708a07d286SRatan Gupta if (userNameAttribute) 10718a07d286SRatan Gupta { 10726c51eab1SEd Tanous handleUserNameAttrPatch(*userNameAttribute, asyncResp, serverT, 10736c51eab1SEd Tanous dbusObjectPath); 10748a07d286SRatan Gupta } 10758a07d286SRatan Gupta if (groupsAttribute) 10768a07d286SRatan Gupta { 10776c51eab1SEd Tanous handleGroupNameAttrPatch(*groupsAttribute, asyncResp, serverT, 10786c51eab1SEd Tanous dbusObjectPath); 10798a07d286SRatan Gupta } 10808a07d286SRatan Gupta if (serviceEnabled) 10818a07d286SRatan Gupta { 10828a07d286SRatan Gupta // if user has given the value as true then enable 10838a07d286SRatan Gupta // the service. if user has given false then no-op 10848a07d286SRatan Gupta // as service is already stopped. 10858a07d286SRatan Gupta if (*serviceEnabled) 10868a07d286SRatan Gupta { 10876c51eab1SEd Tanous handleServiceEnablePatch(*serviceEnabled, asyncResp, serverT, 10886c51eab1SEd Tanous dbusObjectPath); 10898a07d286SRatan Gupta } 10908a07d286SRatan Gupta } 10918a07d286SRatan Gupta else 10928a07d286SRatan Gupta { 10938a07d286SRatan Gupta // if user has not given the service enabled value 10948a07d286SRatan Gupta // then revert it to the same state as it was 10958a07d286SRatan Gupta // before. 10968a07d286SRatan Gupta handleServiceEnablePatch(confData.serviceEnabled, asyncResp, 109723a21a1cSEd Tanous serverT, dbusObjectPath); 10988a07d286SRatan Gupta } 109906785244SRatan Gupta 110006785244SRatan Gupta if (remoteRoleMapData) 110106785244SRatan Gupta { 11026c51eab1SEd Tanous handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT, 11036c51eab1SEd Tanous *remoteRoleMapData); 110406785244SRatan Gupta } 11058a07d286SRatan Gupta }); 11068a07d286SRatan Gupta } 1107d4b5443fSEd Tanous 11086c51eab1SEd Tanous inline void updateUserProperties(std::shared_ptr<bmcweb::AsyncResp> asyncResp, 11096c51eab1SEd Tanous const std::string& username, 11106c51eab1SEd Tanous std::optional<std::string> password, 11116c51eab1SEd Tanous std::optional<bool> enabled, 11126c51eab1SEd Tanous std::optional<std::string> roleId, 11136c51eab1SEd Tanous std::optional<bool> locked) 11141abe55efSEd Tanous { 1115b477fd44SP Dheeraj Srujan Kumar sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 1116b477fd44SP Dheeraj Srujan Kumar tempObjPath /= username; 1117b477fd44SP Dheeraj Srujan Kumar std::string dbusObjectPath(tempObjPath); 11186c51eab1SEd Tanous 11196c51eab1SEd Tanous dbus::utility::checkDbusPathExists( 11206c51eab1SEd Tanous dbusObjectPath, 11211106333aSEd Tanous [dbusObjectPath, username, password(std::move(password)), 11221106333aSEd Tanous roleId(std::move(roleId)), enabled, locked, 11231106333aSEd Tanous asyncResp{std::move(asyncResp)}](int rc) { 1124e662eae8SEd Tanous if (rc <= 0) 11256c51eab1SEd Tanous { 1126002d39b4SEd Tanous messages::resourceNotFound(asyncResp->res, 1127002d39b4SEd Tanous "#ManagerAccount.v1_4_0.ManagerAccount", 11286c51eab1SEd Tanous username); 11296c51eab1SEd Tanous return; 11306c51eab1SEd Tanous } 11316c51eab1SEd Tanous 11326c51eab1SEd Tanous if (password) 11336c51eab1SEd Tanous { 11346c51eab1SEd Tanous int retval = pamUpdatePassword(username, *password); 11356c51eab1SEd Tanous 11366c51eab1SEd Tanous if (retval == PAM_USER_UNKNOWN) 11376c51eab1SEd Tanous { 11386c51eab1SEd Tanous messages::resourceNotFound( 11396c51eab1SEd Tanous asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", 11406c51eab1SEd Tanous username); 11416c51eab1SEd Tanous } 11426c51eab1SEd Tanous else if (retval == PAM_AUTHTOK_ERR) 11436c51eab1SEd Tanous { 11446c51eab1SEd Tanous // If password is invalid 1145002d39b4SEd Tanous messages::propertyValueFormatError(asyncResp->res, *password, 1146002d39b4SEd Tanous "Password"); 11476c51eab1SEd Tanous BMCWEB_LOG_ERROR << "pamUpdatePassword Failed"; 11486c51eab1SEd Tanous } 11496c51eab1SEd Tanous else if (retval != PAM_SUCCESS) 11506c51eab1SEd Tanous { 11516c51eab1SEd Tanous messages::internalError(asyncResp->res); 11526c51eab1SEd Tanous return; 11536c51eab1SEd Tanous } 1154e7b1b62bSEd Tanous else 1155e7b1b62bSEd Tanous { 1156e7b1b62bSEd Tanous messages::success(asyncResp->res); 1157e7b1b62bSEd Tanous } 11586c51eab1SEd Tanous } 11596c51eab1SEd Tanous 11606c51eab1SEd Tanous if (enabled) 11616c51eab1SEd Tanous { 11626c51eab1SEd Tanous crow::connections::systemBus->async_method_call( 11636c51eab1SEd Tanous [asyncResp](const boost::system::error_code ec) { 11646c51eab1SEd Tanous if (ec) 11656c51eab1SEd Tanous { 11666c51eab1SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec; 11676c51eab1SEd Tanous messages::internalError(asyncResp->res); 11686c51eab1SEd Tanous return; 11696c51eab1SEd Tanous } 11706c51eab1SEd Tanous messages::success(asyncResp->res); 11716c51eab1SEd Tanous return; 11726c51eab1SEd Tanous }, 1173e05aec50SEd Tanous "xyz.openbmc_project.User.Manager", dbusObjectPath, 11746c51eab1SEd Tanous "org.freedesktop.DBus.Properties", "Set", 11756c51eab1SEd Tanous "xyz.openbmc_project.User.Attributes", "UserEnabled", 1176168e20c1SEd Tanous dbus::utility::DbusVariantType{*enabled}); 11776c51eab1SEd Tanous } 11786c51eab1SEd Tanous 11796c51eab1SEd Tanous if (roleId) 11806c51eab1SEd Tanous { 11816c51eab1SEd Tanous std::string priv = getPrivilegeFromRoleId(*roleId); 11826c51eab1SEd Tanous if (priv.empty()) 11836c51eab1SEd Tanous { 11846c51eab1SEd Tanous messages::propertyValueNotInList(asyncResp->res, *roleId, 11856c51eab1SEd Tanous "RoleId"); 11866c51eab1SEd Tanous return; 11876c51eab1SEd Tanous } 11886c51eab1SEd Tanous if (priv == "priv-noaccess") 11896c51eab1SEd Tanous { 11906c51eab1SEd Tanous priv = ""; 11916c51eab1SEd Tanous } 11926c51eab1SEd Tanous 11936c51eab1SEd Tanous crow::connections::systemBus->async_method_call( 11946c51eab1SEd Tanous [asyncResp](const boost::system::error_code ec) { 11956c51eab1SEd Tanous if (ec) 11966c51eab1SEd Tanous { 11976c51eab1SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec; 11986c51eab1SEd Tanous messages::internalError(asyncResp->res); 11996c51eab1SEd Tanous return; 12006c51eab1SEd Tanous } 12016c51eab1SEd Tanous messages::success(asyncResp->res); 12026c51eab1SEd Tanous }, 1203e05aec50SEd Tanous "xyz.openbmc_project.User.Manager", dbusObjectPath, 12046c51eab1SEd Tanous "org.freedesktop.DBus.Properties", "Set", 12056c51eab1SEd Tanous "xyz.openbmc_project.User.Attributes", "UserPrivilege", 1206168e20c1SEd Tanous dbus::utility::DbusVariantType{priv}); 12076c51eab1SEd Tanous } 12086c51eab1SEd Tanous 12096c51eab1SEd Tanous if (locked) 12106c51eab1SEd Tanous { 12116c51eab1SEd Tanous // admin can unlock the account which is locked by 12126c51eab1SEd Tanous // successive authentication failures but admin should 12136c51eab1SEd Tanous // not be allowed to lock an account. 12146c51eab1SEd Tanous if (*locked) 12156c51eab1SEd Tanous { 12166c51eab1SEd Tanous messages::propertyValueNotInList(asyncResp->res, "true", 12176c51eab1SEd Tanous "Locked"); 12186c51eab1SEd Tanous return; 12196c51eab1SEd Tanous } 12206c51eab1SEd Tanous 12216c51eab1SEd Tanous crow::connections::systemBus->async_method_call( 12226c51eab1SEd Tanous [asyncResp](const boost::system::error_code ec) { 12236c51eab1SEd Tanous if (ec) 12246c51eab1SEd Tanous { 12256c51eab1SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec; 12266c51eab1SEd Tanous messages::internalError(asyncResp->res); 12276c51eab1SEd Tanous return; 12286c51eab1SEd Tanous } 12296c51eab1SEd Tanous messages::success(asyncResp->res); 12306c51eab1SEd Tanous return; 12316c51eab1SEd Tanous }, 1232e05aec50SEd Tanous "xyz.openbmc_project.User.Manager", dbusObjectPath, 12336c51eab1SEd Tanous "org.freedesktop.DBus.Properties", "Set", 12346c51eab1SEd Tanous "xyz.openbmc_project.User.Attributes", 1235168e20c1SEd Tanous "UserLockedForFailedAttempt", 1236168e20c1SEd Tanous dbus::utility::DbusVariantType{*locked}); 12376c51eab1SEd Tanous } 12386c51eab1SEd Tanous }); 12396c51eab1SEd Tanous } 12406c51eab1SEd Tanous 1241*4c7d4d33SEd Tanous inline void handleAccountServiceHead( 1242*4c7d4d33SEd Tanous App& app, const crow::Request& req, 12431ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 12446c51eab1SEd Tanous { 1245*4c7d4d33SEd Tanous 12463ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 124745ca1b86SEd Tanous { 124845ca1b86SEd Tanous return; 124945ca1b86SEd Tanous } 1250*4c7d4d33SEd Tanous asyncResp->res.addHeader( 1251*4c7d4d33SEd Tanous boost::beast::http::field::link, 1252*4c7d4d33SEd Tanous "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby"); 1253*4c7d4d33SEd Tanous } 1254*4c7d4d33SEd Tanous 1255*4c7d4d33SEd Tanous inline void 1256*4c7d4d33SEd Tanous handleAccountServiceGet(App& app, const crow::Request& req, 1257*4c7d4d33SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 1258*4c7d4d33SEd Tanous { 1259*4c7d4d33SEd Tanous handleAccountServiceHead(app, req, asyncResp); 126052cc112dSEd Tanous const persistent_data::AuthConfigMethods& authMethodsConfig = 12611ef4c342SEd Tanous persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 126278158631SZbigniew Kurzynski 12631476687dSEd Tanous nlohmann::json& json = asyncResp->res.jsonValue; 12641476687dSEd Tanous json["@odata.id"] = "/redfish/v1/AccountService"; 12651476687dSEd Tanous json["@odata.type"] = "#AccountService." 12661476687dSEd Tanous "v1_10_0.AccountService"; 12671476687dSEd Tanous json["Id"] = "AccountService"; 12681476687dSEd Tanous json["Name"] = "Account Service"; 12691476687dSEd Tanous json["Description"] = "Account Service"; 12701476687dSEd Tanous json["ServiceEnabled"] = true; 12711476687dSEd Tanous json["MaxPasswordLength"] = 20; 12721ef4c342SEd Tanous json["Accounts"]["@odata.id"] = "/redfish/v1/AccountService/Accounts"; 12731476687dSEd Tanous json["Roles"]["@odata.id"] = "/redfish/v1/AccountService/Roles"; 12741476687dSEd Tanous json["Oem"]["OpenBMC"]["@odata.type"] = 12751476687dSEd Tanous "#OemAccountService.v1_0_0.AccountService"; 12761476687dSEd Tanous json["Oem"]["OpenBMC"]["@odata.id"] = 12771476687dSEd Tanous "/redfish/v1/AccountService#/Oem/OpenBMC"; 12781476687dSEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["BasicAuth"] = 12791476687dSEd Tanous authMethodsConfig.basic; 12801476687dSEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["SessionToken"] = 12811476687dSEd Tanous authMethodsConfig.sessionToken; 12821ef4c342SEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["XToken"] = authMethodsConfig.xtoken; 12831ef4c342SEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["Cookie"] = authMethodsConfig.cookie; 12841ef4c342SEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["TLS"] = authMethodsConfig.tls; 12851476687dSEd Tanous 12861ef4c342SEd Tanous // /redfish/v1/AccountService/LDAP/Certificates is something only 12871ef4c342SEd Tanous // ConfigureManager can access then only display when the user has 12881ef4c342SEd Tanous // permissions ConfigureManager 128972048780SAbhishek Patel Privileges effectiveUserPrivileges = 129072048780SAbhishek Patel redfish::getUserPrivileges(req.userRole); 129172048780SAbhishek Patel 129272048780SAbhishek Patel if (isOperationAllowedWithPrivileges({{"ConfigureManager"}}, 129372048780SAbhishek Patel effectiveUserPrivileges)) 129472048780SAbhishek Patel { 12951ef4c342SEd Tanous asyncResp->res.jsonValue["LDAP"]["Certificates"]["@odata.id"] = 12961476687dSEd Tanous "/redfish/v1/AccountService/LDAP/Certificates"; 129772048780SAbhishek Patel } 12983d958bbcSAppaRao Puli crow::connections::systemBus->async_method_call( 1299002d39b4SEd Tanous [asyncResp](const boost::system::error_code ec, 13001ef4c342SEd Tanous const dbus::utility::DBusPropertiesMap& propertiesList) { 13013d958bbcSAppaRao Puli if (ec) 13023d958bbcSAppaRao Puli { 13033d958bbcSAppaRao Puli messages::internalError(asyncResp->res); 13043d958bbcSAppaRao Puli return; 13053d958bbcSAppaRao Puli } 13063d958bbcSAppaRao Puli BMCWEB_LOG_DEBUG << "Got " << propertiesList.size() 13073d958bbcSAppaRao Puli << "properties for AccountService"; 1308002d39b4SEd Tanous for (const std::pair<std::string, dbus::utility::DbusVariantType>& 1309168e20c1SEd Tanous property : propertiesList) 13103d958bbcSAppaRao Puli { 13113d958bbcSAppaRao Puli if (property.first == "MinPasswordLength") 13123d958bbcSAppaRao Puli { 13131ef4c342SEd Tanous const uint8_t* value = std::get_if<uint8_t>(&property.second); 13143d958bbcSAppaRao Puli if (value != nullptr) 13153d958bbcSAppaRao Puli { 1316002d39b4SEd Tanous asyncResp->res.jsonValue["MinPasswordLength"] = *value; 13173d958bbcSAppaRao Puli } 13183d958bbcSAppaRao Puli } 13193d958bbcSAppaRao Puli if (property.first == "AccountUnlockTimeout") 13203d958bbcSAppaRao Puli { 13211ef4c342SEd Tanous const uint32_t* value = std::get_if<uint32_t>(&property.second); 13223d958bbcSAppaRao Puli if (value != nullptr) 13233d958bbcSAppaRao Puli { 13241ef4c342SEd Tanous asyncResp->res.jsonValue["AccountLockoutDuration"] = *value; 13253d958bbcSAppaRao Puli } 13263d958bbcSAppaRao Puli } 13273d958bbcSAppaRao Puli if (property.first == "MaxLoginAttemptBeforeLockout") 13283d958bbcSAppaRao Puli { 13291ef4c342SEd Tanous const uint16_t* value = std::get_if<uint16_t>(&property.second); 13303d958bbcSAppaRao Puli if (value != nullptr) 13313d958bbcSAppaRao Puli { 1332002d39b4SEd Tanous asyncResp->res.jsonValue["AccountLockoutThreshold"] = 13336c51eab1SEd Tanous *value; 13343d958bbcSAppaRao Puli } 13353d958bbcSAppaRao Puli } 13363d958bbcSAppaRao Puli } 13373d958bbcSAppaRao Puli }, 13381ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 13393d958bbcSAppaRao Puli "org.freedesktop.DBus.Properties", "GetAll", 13403d958bbcSAppaRao Puli "xyz.openbmc_project.User.AccountPolicy"); 13416973a582SRatan Gupta 134202cad96eSEd Tanous auto callback = [asyncResp](bool success, const LDAPConfigData& confData, 1343ab828d7cSRatan Gupta const std::string& ldapType) { 1344cb13a392SEd Tanous if (!success) 1345cb13a392SEd Tanous { 1346cb13a392SEd Tanous return; 1347cb13a392SEd Tanous } 1348002d39b4SEd Tanous parseLDAPConfigData(asyncResp->res.jsonValue, confData, ldapType); 1349ab828d7cSRatan Gupta }; 1350ab828d7cSRatan Gupta 1351ab828d7cSRatan Gupta getLDAPConfigData("LDAP", callback); 1352ab828d7cSRatan Gupta getLDAPConfigData("ActiveDirectory", callback); 13531ef4c342SEd Tanous } 13546973a582SRatan Gupta 13551ef4c342SEd Tanous inline void handleAccountServicePatch( 13561ef4c342SEd Tanous App& app, const crow::Request& req, 13571ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 13581ef4c342SEd Tanous { 13593ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 136045ca1b86SEd Tanous { 136145ca1b86SEd Tanous return; 136245ca1b86SEd Tanous } 1363f5ffd806SEd Tanous std::optional<uint32_t> unlockTimeout; 1364f5ffd806SEd Tanous std::optional<uint16_t> lockoutThreshold; 1365ef73ad0dSPaul Fertser std::optional<uint8_t> minPasswordLength; 1366f5ffd806SEd Tanous std::optional<uint16_t> maxPasswordLength; 1367f5ffd806SEd Tanous std::optional<nlohmann::json> ldapObject; 1368f5ffd806SEd Tanous std::optional<nlohmann::json> activeDirectoryObject; 1369f5ffd806SEd Tanous std::optional<nlohmann::json> oemObject; 1370f5ffd806SEd Tanous 137115ed6780SWilly Tu if (!json_util::readJsonPatch( 13721ef4c342SEd Tanous req, asyncResp->res, "AccountLockoutDuration", unlockTimeout, 13731ef4c342SEd Tanous "AccountLockoutThreshold", lockoutThreshold, "MaxPasswordLength", 13741ef4c342SEd Tanous maxPasswordLength, "MinPasswordLength", minPasswordLength, "LDAP", 13751ef4c342SEd Tanous ldapObject, "ActiveDirectory", activeDirectoryObject, "Oem", 1376f5ffd806SEd Tanous oemObject)) 1377f5ffd806SEd Tanous { 1378f5ffd806SEd Tanous return; 1379f5ffd806SEd Tanous } 1380f5ffd806SEd Tanous 1381f5ffd806SEd Tanous if (minPasswordLength) 1382f5ffd806SEd Tanous { 1383ef73ad0dSPaul Fertser crow::connections::systemBus->async_method_call( 1384ef73ad0dSPaul Fertser [asyncResp](const boost::system::error_code ec) { 1385ef73ad0dSPaul Fertser if (ec) 1386ef73ad0dSPaul Fertser { 1387ef73ad0dSPaul Fertser messages::internalError(asyncResp->res); 1388ef73ad0dSPaul Fertser return; 1389ef73ad0dSPaul Fertser } 1390ef73ad0dSPaul Fertser messages::success(asyncResp->res); 1391ef73ad0dSPaul Fertser }, 13921ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1393ef73ad0dSPaul Fertser "org.freedesktop.DBus.Properties", "Set", 13941ef4c342SEd Tanous "xyz.openbmc_project.User.AccountPolicy", "MinPasswordLength", 1395ef73ad0dSPaul Fertser dbus::utility::DbusVariantType(*minPasswordLength)); 1396f5ffd806SEd Tanous } 1397f5ffd806SEd Tanous 1398f5ffd806SEd Tanous if (maxPasswordLength) 1399f5ffd806SEd Tanous { 14001ef4c342SEd Tanous messages::propertyNotWritable(asyncResp->res, "MaxPasswordLength"); 1401f5ffd806SEd Tanous } 1402f5ffd806SEd Tanous 1403f5ffd806SEd Tanous if (ldapObject) 1404f5ffd806SEd Tanous { 1405f5ffd806SEd Tanous handleLDAPPatch(*ldapObject, asyncResp, "LDAP"); 1406f5ffd806SEd Tanous } 1407f5ffd806SEd Tanous 1408f5ffd806SEd Tanous if (std::optional<nlohmann::json> oemOpenBMCObject; 14091ef4c342SEd Tanous oemObject && json_util::readJson(*oemObject, asyncResp->res, "OpenBMC", 1410f5ffd806SEd Tanous oemOpenBMCObject)) 1411f5ffd806SEd Tanous { 1412f5ffd806SEd Tanous if (std::optional<nlohmann::json> authMethodsObject; 1413f5ffd806SEd Tanous oemOpenBMCObject && 1414f5ffd806SEd Tanous json_util::readJson(*oemOpenBMCObject, asyncResp->res, 1415f5ffd806SEd Tanous "AuthMethods", authMethodsObject)) 1416f5ffd806SEd Tanous { 1417f5ffd806SEd Tanous if (authMethodsObject) 1418f5ffd806SEd Tanous { 14191ef4c342SEd Tanous handleAuthMethodsPatch(*authMethodsObject, asyncResp); 1420f5ffd806SEd Tanous } 1421f5ffd806SEd Tanous } 1422f5ffd806SEd Tanous } 1423f5ffd806SEd Tanous 1424f5ffd806SEd Tanous if (activeDirectoryObject) 1425f5ffd806SEd Tanous { 14261ef4c342SEd Tanous handleLDAPPatch(*activeDirectoryObject, asyncResp, "ActiveDirectory"); 1427f5ffd806SEd Tanous } 1428f5ffd806SEd Tanous 1429f5ffd806SEd Tanous if (unlockTimeout) 1430f5ffd806SEd Tanous { 1431f5ffd806SEd Tanous crow::connections::systemBus->async_method_call( 1432f5ffd806SEd Tanous [asyncResp](const boost::system::error_code ec) { 1433f5ffd806SEd Tanous if (ec) 1434f5ffd806SEd Tanous { 1435f5ffd806SEd Tanous messages::internalError(asyncResp->res); 1436f5ffd806SEd Tanous return; 1437f5ffd806SEd Tanous } 1438f5ffd806SEd Tanous messages::success(asyncResp->res); 1439f5ffd806SEd Tanous }, 14401ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1441f5ffd806SEd Tanous "org.freedesktop.DBus.Properties", "Set", 14421ef4c342SEd Tanous "xyz.openbmc_project.User.AccountPolicy", "AccountUnlockTimeout", 1443168e20c1SEd Tanous dbus::utility::DbusVariantType(*unlockTimeout)); 1444f5ffd806SEd Tanous } 1445f5ffd806SEd Tanous if (lockoutThreshold) 1446f5ffd806SEd Tanous { 1447f5ffd806SEd Tanous crow::connections::systemBus->async_method_call( 1448f5ffd806SEd Tanous [asyncResp](const boost::system::error_code ec) { 1449f5ffd806SEd Tanous if (ec) 1450f5ffd806SEd Tanous { 1451f5ffd806SEd Tanous messages::internalError(asyncResp->res); 1452f5ffd806SEd Tanous return; 1453f5ffd806SEd Tanous } 1454f5ffd806SEd Tanous messages::success(asyncResp->res); 1455f5ffd806SEd Tanous }, 14561ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1457f5ffd806SEd Tanous "org.freedesktop.DBus.Properties", "Set", 1458f5ffd806SEd Tanous "xyz.openbmc_project.User.AccountPolicy", 1459f5ffd806SEd Tanous "MaxLoginAttemptBeforeLockout", 1460168e20c1SEd Tanous dbus::utility::DbusVariantType(*lockoutThreshold)); 1461f5ffd806SEd Tanous } 14621ef4c342SEd Tanous } 1463f5ffd806SEd Tanous 1464*4c7d4d33SEd Tanous inline void handleAccountCollectionHead( 14651ef4c342SEd Tanous App& app, const crow::Request& req, 14661ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 14671ef4c342SEd Tanous { 1468*4c7d4d33SEd Tanous 14693ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 147045ca1b86SEd Tanous { 147145ca1b86SEd Tanous return; 147245ca1b86SEd Tanous } 1473*4c7d4d33SEd Tanous asyncResp->res.addHeader( 1474*4c7d4d33SEd Tanous boost::beast::http::field::link, 1475*4c7d4d33SEd Tanous "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby"); 1476*4c7d4d33SEd Tanous } 1477*4c7d4d33SEd Tanous 1478*4c7d4d33SEd Tanous inline void handleAccountCollectionGet( 1479*4c7d4d33SEd Tanous App& app, const crow::Request& req, 1480*4c7d4d33SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 1481*4c7d4d33SEd Tanous { 1482*4c7d4d33SEd Tanous handleAccountCollectionHead(app, req, asyncResp); 14831476687dSEd Tanous 14841476687dSEd Tanous asyncResp->res.jsonValue["@odata.id"] = 14851476687dSEd Tanous "/redfish/v1/AccountService/Accounts"; 14861ef4c342SEd Tanous asyncResp->res.jsonValue["@odata.type"] = "#ManagerAccountCollection." 14871476687dSEd Tanous "ManagerAccountCollection"; 14881476687dSEd Tanous asyncResp->res.jsonValue["Name"] = "Accounts Collection"; 14891476687dSEd Tanous asyncResp->res.jsonValue["Description"] = "BMC User Accounts"; 14900f74e643SEd Tanous 14916c51eab1SEd Tanous Privileges effectiveUserPrivileges = 14926c51eab1SEd Tanous redfish::getUserPrivileges(req.userRole); 14936c51eab1SEd Tanous 1494f5e29f33SJunLin Chen std::string thisUser; 1495f5e29f33SJunLin Chen if (req.session) 1496f5e29f33SJunLin Chen { 1497f5e29f33SJunLin Chen thisUser = req.session->username; 1498f5e29f33SJunLin Chen } 1499b9b2e0b2SEd Tanous crow::connections::systemBus->async_method_call( 1500cef1ddfbSEd Tanous [asyncResp, thisUser, effectiveUserPrivileges]( 1501cef1ddfbSEd Tanous const boost::system::error_code ec, 1502711ac7a9SEd Tanous const dbus::utility::ManagedObjectType& users) { 1503b9b2e0b2SEd Tanous if (ec) 1504b9b2e0b2SEd Tanous { 1505f12894f8SJason M. Bills messages::internalError(asyncResp->res); 1506b9b2e0b2SEd Tanous return; 1507b9b2e0b2SEd Tanous } 1508b9b2e0b2SEd Tanous 1509cef1ddfbSEd Tanous bool userCanSeeAllAccounts = 1510002d39b4SEd Tanous effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"}); 1511cef1ddfbSEd Tanous 1512cef1ddfbSEd Tanous bool userCanSeeSelf = 1513002d39b4SEd Tanous effectiveUserPrivileges.isSupersetOf({"ConfigureSelf"}); 1514cef1ddfbSEd Tanous 1515002d39b4SEd Tanous nlohmann::json& memberArray = asyncResp->res.jsonValue["Members"]; 1516b9b2e0b2SEd Tanous memberArray = nlohmann::json::array(); 1517b9b2e0b2SEd Tanous 15189eb808c1SEd Tanous for (const auto& userpath : users) 1519b9b2e0b2SEd Tanous { 15202dfd18efSEd Tanous std::string user = userpath.first.filename(); 15212dfd18efSEd Tanous if (user.empty()) 1522b9b2e0b2SEd Tanous { 15232dfd18efSEd Tanous messages::internalError(asyncResp->res); 15242dfd18efSEd Tanous BMCWEB_LOG_ERROR << "Invalid firmware ID"; 15252dfd18efSEd Tanous 15262dfd18efSEd Tanous return; 1527b9b2e0b2SEd Tanous } 1528f365910cSGunnar Mills 1529f365910cSGunnar Mills // As clarified by Redfish here: 1530f365910cSGunnar Mills // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration 15316c51eab1SEd Tanous // Users without ConfigureUsers, only see their own 15326c51eab1SEd Tanous // account. Users with ConfigureUsers, see all 15336c51eab1SEd Tanous // accounts. 15341ef4c342SEd Tanous if (userCanSeeAllAccounts || (thisUser == user && userCanSeeSelf)) 1535f365910cSGunnar Mills { 15361476687dSEd Tanous nlohmann::json::object_t member; 15371476687dSEd Tanous member["@odata.id"] = 1538002d39b4SEd Tanous "/redfish/v1/AccountService/Accounts/" + user; 15391476687dSEd Tanous memberArray.push_back(std::move(member)); 1540b9b2e0b2SEd Tanous } 1541f365910cSGunnar Mills } 15421ef4c342SEd Tanous asyncResp->res.jsonValue["Members@odata.count"] = memberArray.size(); 1543b9b2e0b2SEd Tanous }, 15441ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1545b9b2e0b2SEd Tanous "org.freedesktop.DBus.ObjectManager", "GetManagedObjects"); 15461ef4c342SEd Tanous } 15476c51eab1SEd Tanous 15481ef4c342SEd Tanous inline void handleAccountCollectionPost( 15491ef4c342SEd Tanous App& app, const crow::Request& req, 15501ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 15511ef4c342SEd Tanous { 15523ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 155345ca1b86SEd Tanous { 155445ca1b86SEd Tanous return; 155545ca1b86SEd Tanous } 15569712f8acSEd Tanous std::string username; 15579712f8acSEd Tanous std::string password; 1558a24526dcSEd Tanous std::optional<std::string> roleId("User"); 1559a24526dcSEd Tanous std::optional<bool> enabled = true; 15601ef4c342SEd Tanous if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", username, 15611ef4c342SEd Tanous "Password", password, "RoleId", roleId, 15621ef4c342SEd Tanous "Enabled", enabled)) 156304ae99ecSEd Tanous { 156404ae99ecSEd Tanous return; 156504ae99ecSEd Tanous } 156604ae99ecSEd Tanous 156754fc587aSNagaraju Goruganti std::string priv = getPrivilegeFromRoleId(*roleId); 156884e12cb7SAppaRao Puli if (priv.empty()) 156904ae99ecSEd Tanous { 15701ef4c342SEd Tanous messages::propertyValueNotInList(asyncResp->res, *roleId, "RoleId"); 157104ae99ecSEd Tanous return; 157204ae99ecSEd Tanous } 157396200606Sjayaprakash Mutyala // TODO: Following override will be reverted once support in 15746c51eab1SEd Tanous // phosphor-user-manager is added. In order to avoid dependency 15756c51eab1SEd Tanous // issues, this is added in bmcweb, which will removed, once 157696200606Sjayaprakash Mutyala // phosphor-user-manager supports priv-noaccess. 157796200606Sjayaprakash Mutyala if (priv == "priv-noaccess") 157896200606Sjayaprakash Mutyala { 157996200606Sjayaprakash Mutyala roleId = ""; 158096200606Sjayaprakash Mutyala } 158196200606Sjayaprakash Mutyala else 158296200606Sjayaprakash Mutyala { 15839712f8acSEd Tanous roleId = priv; 158496200606Sjayaprakash Mutyala } 158504ae99ecSEd Tanous 1586599c71d8SAyushi Smriti // Reading AllGroups property 15871e1e598dSJonathan Doman sdbusplus::asio::getProperty<std::vector<std::string>>( 15881ef4c342SEd Tanous *crow::connections::systemBus, "xyz.openbmc_project.User.Manager", 15891ef4c342SEd Tanous "/xyz/openbmc_project/user", "xyz.openbmc_project.User.Manager", 15901ef4c342SEd Tanous "AllGroups", 1591599c71d8SAyushi Smriti [asyncResp, username, password{std::move(password)}, roleId, 1592168e20c1SEd Tanous enabled](const boost::system::error_code ec, 15931e1e598dSJonathan Doman const std::vector<std::string>& allGroupsList) { 1594599c71d8SAyushi Smriti if (ec) 1595599c71d8SAyushi Smriti { 1596599c71d8SAyushi Smriti BMCWEB_LOG_DEBUG << "ERROR with async_method_call"; 1597599c71d8SAyushi Smriti messages::internalError(asyncResp->res); 1598599c71d8SAyushi Smriti return; 1599599c71d8SAyushi Smriti } 1600599c71d8SAyushi Smriti 16011e1e598dSJonathan Doman if (allGroupsList.empty()) 1602599c71d8SAyushi Smriti { 1603599c71d8SAyushi Smriti messages::internalError(asyncResp->res); 1604599c71d8SAyushi Smriti return; 1605599c71d8SAyushi Smriti } 1606599c71d8SAyushi Smriti 160704ae99ecSEd Tanous crow::connections::systemBus->async_method_call( 16081ef4c342SEd Tanous [asyncResp, username, password](const boost::system::error_code ec2, 160959d494eeSPatrick Williams sdbusplus::message_t& m) { 161023a21a1cSEd Tanous if (ec2) 161104ae99ecSEd Tanous { 16121ef4c342SEd Tanous userErrorMessageHandler(m.get_error(), asyncResp, username, ""); 161304ae99ecSEd Tanous return; 161404ae99ecSEd Tanous } 161504ae99ecSEd Tanous 1616002d39b4SEd Tanous if (pamUpdatePassword(username, password) != PAM_SUCCESS) 161704ae99ecSEd Tanous { 16186c51eab1SEd Tanous // At this point we have a user that's been 16196c51eab1SEd Tanous // created, but the password set 16206c51eab1SEd Tanous // failed.Something is wrong, so delete the user 16216c51eab1SEd Tanous // that we've already created 16221ef4c342SEd Tanous sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 1623b477fd44SP Dheeraj Srujan Kumar tempObjPath /= username; 1624b477fd44SP Dheeraj Srujan Kumar const std::string userPath(tempObjPath); 1625b477fd44SP Dheeraj Srujan Kumar 162604ae99ecSEd Tanous crow::connections::systemBus->async_method_call( 16271ef4c342SEd Tanous [asyncResp, password](const boost::system::error_code ec3) { 162823a21a1cSEd Tanous if (ec3) 162904ae99ecSEd Tanous { 1630002d39b4SEd Tanous messages::internalError(asyncResp->res); 163104ae99ecSEd Tanous return; 163204ae99ecSEd Tanous } 163304ae99ecSEd Tanous 16340d4197e0Sanil kumar appana // If password is invalid 16351ef4c342SEd Tanous messages::propertyValueFormatError(asyncResp->res, password, 16361ef4c342SEd Tanous "Password"); 163704ae99ecSEd Tanous }, 1638002d39b4SEd Tanous "xyz.openbmc_project.User.Manager", userPath, 1639002d39b4SEd Tanous "xyz.openbmc_project.Object.Delete", "Delete"); 164004ae99ecSEd Tanous 164104ae99ecSEd Tanous BMCWEB_LOG_ERROR << "pamUpdatePassword Failed"; 164204ae99ecSEd Tanous return; 164304ae99ecSEd Tanous } 164404ae99ecSEd Tanous 1645f12894f8SJason M. Bills messages::created(asyncResp->res); 164604ae99ecSEd Tanous asyncResp->res.addHeader( 16471ef4c342SEd Tanous "Location", "/redfish/v1/AccountService/Accounts/" + username); 164804ae99ecSEd Tanous }, 1649002d39b4SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1650002d39b4SEd Tanous "xyz.openbmc_project.User.Manager", "CreateUser", username, 1651002d39b4SEd Tanous allGroupsList, *roleId, *enabled); 16521e1e598dSJonathan Doman }); 16531ef4c342SEd Tanous } 1654b9b2e0b2SEd Tanous 16551ef4c342SEd Tanous inline void 1656*4c7d4d33SEd Tanous handleAccountHead(App& app, const crow::Request& req, 16576c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 1658*4c7d4d33SEd Tanous const std::string& /*accountName*/) 16591ef4c342SEd Tanous { 1660*4c7d4d33SEd Tanous 16613ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 166245ca1b86SEd Tanous { 166345ca1b86SEd Tanous return; 166445ca1b86SEd Tanous } 1665*4c7d4d33SEd Tanous asyncResp->res.addHeader( 1666*4c7d4d33SEd Tanous boost::beast::http::field::link, 1667*4c7d4d33SEd Tanous "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby"); 1668*4c7d4d33SEd Tanous } 1669*4c7d4d33SEd Tanous inline void 1670*4c7d4d33SEd Tanous handleAccountGet(App& app, const crow::Request& req, 1671*4c7d4d33SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 1672*4c7d4d33SEd Tanous const std::string& accountName) 1673*4c7d4d33SEd Tanous { 1674*4c7d4d33SEd Tanous handleAccountHead(app, req, asyncResp, accountName); 16751ef4c342SEd Tanous #ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION 1676031514fbSJunLin Chen // If authentication is disabled, there are no user accounts 1677002d39b4SEd Tanous messages::resourceNotFound( 16781ef4c342SEd Tanous asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", accountName); 1679031514fbSJunLin Chen return; 1680031514fbSJunLin Chen 16811ef4c342SEd Tanous #endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION 1682031514fbSJunLin Chen if (req.session == nullptr) 1683031514fbSJunLin Chen { 1684031514fbSJunLin Chen messages::internalError(asyncResp->res); 1685031514fbSJunLin Chen return; 1686031514fbSJunLin Chen } 16876c51eab1SEd Tanous if (req.session->username != accountName) 1688b9b2e0b2SEd Tanous { 16896c51eab1SEd Tanous // At this point we've determined that the user is trying to 16901ef4c342SEd Tanous // modify a user that isn't them. We need to verify that they 16911ef4c342SEd Tanous // have permissions to modify other users, so re-run the auth 16921ef4c342SEd Tanous // check with the same permissions, minus ConfigureSelf. 16936c51eab1SEd Tanous Privileges effectiveUserPrivileges = 16946c51eab1SEd Tanous redfish::getUserPrivileges(req.userRole); 16951ef4c342SEd Tanous Privileges requiredPermissionsToChangeNonSelf = {"ConfigureUsers", 16961ef4c342SEd Tanous "ConfigureManager"}; 16976c51eab1SEd Tanous if (!effectiveUserPrivileges.isSupersetOf( 16986c51eab1SEd Tanous requiredPermissionsToChangeNonSelf)) 1699900f9497SJoseph Reynolds { 1700900f9497SJoseph Reynolds BMCWEB_LOG_DEBUG << "GET Account denied access"; 1701900f9497SJoseph Reynolds messages::insufficientPrivilege(asyncResp->res); 1702900f9497SJoseph Reynolds return; 1703900f9497SJoseph Reynolds } 1704900f9497SJoseph Reynolds } 1705900f9497SJoseph Reynolds 1706b9b2e0b2SEd Tanous crow::connections::systemBus->async_method_call( 17071ef4c342SEd Tanous [asyncResp, 17081ef4c342SEd Tanous accountName](const boost::system::error_code ec, 1709711ac7a9SEd Tanous const dbus::utility::ManagedObjectType& users) { 1710b9b2e0b2SEd Tanous if (ec) 1711b9b2e0b2SEd Tanous { 1712f12894f8SJason M. Bills messages::internalError(asyncResp->res); 1713b9b2e0b2SEd Tanous return; 1714b9b2e0b2SEd Tanous } 1715711ac7a9SEd Tanous const auto userIt = std::find_if( 1716b477fd44SP Dheeraj Srujan Kumar users.begin(), users.end(), 1717b477fd44SP Dheeraj Srujan Kumar [accountName]( 1718b477fd44SP Dheeraj Srujan Kumar const std::pair<sdbusplus::message::object_path, 1719002d39b4SEd Tanous dbus::utility::DBusInteracesMap>& user) { 172055f79e6fSEd Tanous return accountName == user.first.filename(); 1721b477fd44SP Dheeraj Srujan Kumar }); 1722b9b2e0b2SEd Tanous 172384e12cb7SAppaRao Puli if (userIt == users.end()) 1724b9b2e0b2SEd Tanous { 1725002d39b4SEd Tanous messages::resourceNotFound(asyncResp->res, "ManagerAccount", 1726002d39b4SEd Tanous accountName); 172784e12cb7SAppaRao Puli return; 172884e12cb7SAppaRao Puli } 17294e68c45bSAyushi Smriti 17301476687dSEd Tanous asyncResp->res.jsonValue["@odata.type"] = 17311476687dSEd Tanous "#ManagerAccount.v1_4_0.ManagerAccount"; 17321476687dSEd Tanous asyncResp->res.jsonValue["Name"] = "User Account"; 17331476687dSEd Tanous asyncResp->res.jsonValue["Description"] = "User Account"; 17341476687dSEd Tanous asyncResp->res.jsonValue["Password"] = nullptr; 17351476687dSEd Tanous asyncResp->res.jsonValue["AccountTypes"] = {"Redfish"}; 17364e68c45bSAyushi Smriti 173784e12cb7SAppaRao Puli for (const auto& interface : userIt->second) 173865b0dc32SEd Tanous { 1739002d39b4SEd Tanous if (interface.first == "xyz.openbmc_project.User.Attributes") 174065b0dc32SEd Tanous { 174165b0dc32SEd Tanous for (const auto& property : interface.second) 174265b0dc32SEd Tanous { 174365b0dc32SEd Tanous if (property.first == "UserEnabled") 174465b0dc32SEd Tanous { 174565b0dc32SEd Tanous const bool* userEnabled = 1746abf2add6SEd Tanous std::get_if<bool>(&property.second); 174765b0dc32SEd Tanous if (userEnabled == nullptr) 174865b0dc32SEd Tanous { 1749002d39b4SEd Tanous BMCWEB_LOG_ERROR << "UserEnabled wasn't a bool"; 175084e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 175184e12cb7SAppaRao Puli return; 175265b0dc32SEd Tanous } 1753002d39b4SEd Tanous asyncResp->res.jsonValue["Enabled"] = *userEnabled; 175465b0dc32SEd Tanous } 1755002d39b4SEd Tanous else if (property.first == "UserLockedForFailedAttempt") 175665b0dc32SEd Tanous { 175765b0dc32SEd Tanous const bool* userLocked = 1758abf2add6SEd Tanous std::get_if<bool>(&property.second); 175965b0dc32SEd Tanous if (userLocked == nullptr) 176065b0dc32SEd Tanous { 176184e12cb7SAppaRao Puli BMCWEB_LOG_ERROR << "UserLockedForF" 176284e12cb7SAppaRao Puli "ailedAttempt " 176384e12cb7SAppaRao Puli "wasn't a bool"; 176484e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 176584e12cb7SAppaRao Puli return; 176665b0dc32SEd Tanous } 1767002d39b4SEd Tanous asyncResp->res.jsonValue["Locked"] = *userLocked; 1768002d39b4SEd Tanous asyncResp->res 1769002d39b4SEd Tanous .jsonValue["Locked@Redfish.AllowableValues"] = { 17703bf4e632SJoseph Reynolds "false"}; // can only unlock accounts 177165b0dc32SEd Tanous } 177284e12cb7SAppaRao Puli else if (property.first == "UserPrivilege") 177384e12cb7SAppaRao Puli { 177454fc587aSNagaraju Goruganti const std::string* userPrivPtr = 1775002d39b4SEd Tanous std::get_if<std::string>(&property.second); 177654fc587aSNagaraju Goruganti if (userPrivPtr == nullptr) 177784e12cb7SAppaRao Puli { 1778002d39b4SEd Tanous BMCWEB_LOG_ERROR << "UserPrivilege wasn't a " 177984e12cb7SAppaRao Puli "string"; 178084e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 178184e12cb7SAppaRao Puli return; 178284e12cb7SAppaRao Puli } 17831ef4c342SEd Tanous std::string role = getRoleIdFromPrivilege(*userPrivPtr); 178454fc587aSNagaraju Goruganti if (role.empty()) 178584e12cb7SAppaRao Puli { 178684e12cb7SAppaRao Puli BMCWEB_LOG_ERROR << "Invalid user role"; 178784e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 178884e12cb7SAppaRao Puli return; 178984e12cb7SAppaRao Puli } 179054fc587aSNagaraju Goruganti asyncResp->res.jsonValue["RoleId"] = role; 179184e12cb7SAppaRao Puli 17921476687dSEd Tanous nlohmann::json& roleEntry = 1793002d39b4SEd Tanous asyncResp->res.jsonValue["Links"]["Role"]; 17941476687dSEd Tanous roleEntry["@odata.id"] = 1795002d39b4SEd Tanous "/redfish/v1/AccountService/Roles/" + role; 179684e12cb7SAppaRao Puli } 1797002d39b4SEd Tanous else if (property.first == "UserPasswordExpired") 17983bf4e632SJoseph Reynolds { 17993bf4e632SJoseph Reynolds const bool* userPasswordExpired = 18003bf4e632SJoseph Reynolds std::get_if<bool>(&property.second); 18013bf4e632SJoseph Reynolds if (userPasswordExpired == nullptr) 18023bf4e632SJoseph Reynolds { 18030fda0f12SGeorge Liu BMCWEB_LOG_ERROR 18040fda0f12SGeorge Liu << "UserPasswordExpired wasn't a bool"; 18053bf4e632SJoseph Reynolds messages::internalError(asyncResp->res); 18063bf4e632SJoseph Reynolds return; 18073bf4e632SJoseph Reynolds } 1808002d39b4SEd Tanous asyncResp->res.jsonValue["PasswordChangeRequired"] = 18093bf4e632SJoseph Reynolds *userPasswordExpired; 18103bf4e632SJoseph Reynolds } 181165b0dc32SEd Tanous } 181265b0dc32SEd Tanous } 181365b0dc32SEd Tanous } 181465b0dc32SEd Tanous 1815b9b2e0b2SEd Tanous asyncResp->res.jsonValue["@odata.id"] = 181684e12cb7SAppaRao Puli "/redfish/v1/AccountService/Accounts/" + accountName; 1817b9b2e0b2SEd Tanous asyncResp->res.jsonValue["Id"] = accountName; 1818b9b2e0b2SEd Tanous asyncResp->res.jsonValue["UserName"] = accountName; 1819b9b2e0b2SEd Tanous }, 18201ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1821b9b2e0b2SEd Tanous "org.freedesktop.DBus.ObjectManager", "GetManagedObjects"); 18221ef4c342SEd Tanous } 1823a840879dSEd Tanous 18241ef4c342SEd Tanous inline void 18251ef4c342SEd Tanous handleAccounttDelete(App& app, const crow::Request& req, 18266c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 18271ef4c342SEd Tanous const std::string& username) 18281ef4c342SEd Tanous { 18293ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 183045ca1b86SEd Tanous { 183145ca1b86SEd Tanous return; 183245ca1b86SEd Tanous } 18331ef4c342SEd Tanous 18341ef4c342SEd Tanous #ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION 1835031514fbSJunLin Chen // If authentication is disabled, there are no user accounts 1836031514fbSJunLin Chen messages::resourceNotFound( 18371ef4c342SEd Tanous asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", username); 1838031514fbSJunLin Chen return; 1839031514fbSJunLin Chen 18401ef4c342SEd Tanous #endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION 18411ef4c342SEd Tanous sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 18421ef4c342SEd Tanous tempObjPath /= username; 18431ef4c342SEd Tanous const std::string userPath(tempObjPath); 18441ef4c342SEd Tanous 18451ef4c342SEd Tanous crow::connections::systemBus->async_method_call( 18461ef4c342SEd Tanous [asyncResp, username](const boost::system::error_code ec) { 18471ef4c342SEd Tanous if (ec) 18481ef4c342SEd Tanous { 18491ef4c342SEd Tanous messages::resourceNotFound(asyncResp->res, 18501ef4c342SEd Tanous "#ManagerAccount.v1_4_0.ManagerAccount", 18511ef4c342SEd Tanous username); 18521ef4c342SEd Tanous return; 18531ef4c342SEd Tanous } 18541ef4c342SEd Tanous 18551ef4c342SEd Tanous messages::accountRemoved(asyncResp->res); 18561ef4c342SEd Tanous }, 18571ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", userPath, 18581ef4c342SEd Tanous "xyz.openbmc_project.Object.Delete", "Delete"); 18591ef4c342SEd Tanous } 18601ef4c342SEd Tanous 18611ef4c342SEd Tanous inline void 18621ef4c342SEd Tanous handleAccountPatch(App& app, const crow::Request& req, 18631ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 18641ef4c342SEd Tanous const std::string& username) 18651ef4c342SEd Tanous { 18661ef4c342SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 18671ef4c342SEd Tanous { 18681ef4c342SEd Tanous return; 18691ef4c342SEd Tanous } 18701ef4c342SEd Tanous #ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION 18711ef4c342SEd Tanous // If authentication is disabled, there are no user accounts 18721ef4c342SEd Tanous messages::resourceNotFound( 18731ef4c342SEd Tanous asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", username); 18741ef4c342SEd Tanous return; 18751ef4c342SEd Tanous 18761ef4c342SEd Tanous #endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION 1877a24526dcSEd Tanous std::optional<std::string> newUserName; 1878a24526dcSEd Tanous std::optional<std::string> password; 1879a24526dcSEd Tanous std::optional<bool> enabled; 1880a24526dcSEd Tanous std::optional<std::string> roleId; 188124c8542dSRatan Gupta std::optional<bool> locked; 1882e9cc5172SEd Tanous 1883031514fbSJunLin Chen if (req.session == nullptr) 1884031514fbSJunLin Chen { 1885031514fbSJunLin Chen messages::internalError(asyncResp->res); 1886031514fbSJunLin Chen return; 1887031514fbSJunLin Chen } 1888031514fbSJunLin Chen 1889e9cc5172SEd Tanous Privileges effectiveUserPrivileges = 1890e9cc5172SEd Tanous redfish::getUserPrivileges(req.userRole); 1891e9cc5172SEd Tanous Privileges configureUsers = {"ConfigureUsers"}; 1892e9cc5172SEd Tanous bool userHasConfigureUsers = 1893e9cc5172SEd Tanous effectiveUserPrivileges.isSupersetOf(configureUsers); 1894e9cc5172SEd Tanous if (userHasConfigureUsers) 1895e9cc5172SEd Tanous { 1896e9cc5172SEd Tanous // Users with ConfigureUsers can modify for all users 18971ef4c342SEd Tanous if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", 18981ef4c342SEd Tanous newUserName, "Password", password, 18991ef4c342SEd Tanous "RoleId", roleId, "Enabled", enabled, 19001ef4c342SEd Tanous "Locked", locked)) 1901a840879dSEd Tanous { 1902a840879dSEd Tanous return; 1903a840879dSEd Tanous } 1904e9cc5172SEd Tanous } 1905e9cc5172SEd Tanous else 1906900f9497SJoseph Reynolds { 1907e9cc5172SEd Tanous // ConfigureSelf accounts can only modify their own account 1908e9cc5172SEd Tanous if (username != req.session->username) 1909900f9497SJoseph Reynolds { 1910900f9497SJoseph Reynolds messages::insufficientPrivilege(asyncResp->res); 1911900f9497SJoseph Reynolds return; 1912900f9497SJoseph Reynolds } 1913031514fbSJunLin Chen 1914e9cc5172SEd Tanous // ConfigureSelf accounts can only modify their password 19151ef4c342SEd Tanous if (!json_util::readJsonPatch(req, asyncResp->res, "Password", 19161ef4c342SEd Tanous password)) 1917e9cc5172SEd Tanous { 1918e9cc5172SEd Tanous return; 1919e9cc5172SEd Tanous } 1920900f9497SJoseph Reynolds } 1921900f9497SJoseph Reynolds 192266b5ca76Sjayaprakash Mutyala // if user name is not provided in the patch method or if it 19236c51eab1SEd Tanous // matches the user name in the URI, then we are treating it as 19246c51eab1SEd Tanous // updating user properties other then username. If username 19256c51eab1SEd Tanous // provided doesn't match the URI, then we are treating this as 19266c51eab1SEd Tanous // user rename request. 192766b5ca76Sjayaprakash Mutyala if (!newUserName || (newUserName.value() == username)) 1928a840879dSEd Tanous { 19291ef4c342SEd Tanous updateUserProperties(asyncResp, username, password, enabled, roleId, 19301ef4c342SEd Tanous locked); 193184e12cb7SAppaRao Puli return; 193284e12cb7SAppaRao Puli } 193384e12cb7SAppaRao Puli crow::connections::systemBus->async_method_call( 19346c51eab1SEd Tanous [asyncResp, username, password(std::move(password)), 19351ef4c342SEd Tanous roleId(std::move(roleId)), enabled, newUser{std::string(*newUserName)}, 193659d494eeSPatrick Williams locked](const boost::system::error_code ec, sdbusplus::message_t& m) { 193784e12cb7SAppaRao Puli if (ec) 193884e12cb7SAppaRao Puli { 1939002d39b4SEd Tanous userErrorMessageHandler(m.get_error(), asyncResp, newUser, 1940002d39b4SEd Tanous username); 1941a840879dSEd Tanous return; 1942a840879dSEd Tanous } 1943a840879dSEd Tanous 1944002d39b4SEd Tanous updateUserProperties(asyncResp, newUser, password, enabled, roleId, 1945002d39b4SEd Tanous locked); 194684e12cb7SAppaRao Puli }, 19471ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 194884e12cb7SAppaRao Puli "xyz.openbmc_project.User.Manager", "RenameUser", username, 194984e12cb7SAppaRao Puli *newUserName); 19501ef4c342SEd Tanous } 19511ef4c342SEd Tanous 19521ef4c342SEd Tanous inline void requestAccountServiceRoutes(App& app) 19531ef4c342SEd Tanous { 19541ef4c342SEd Tanous 19551ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 1956*4c7d4d33SEd Tanous .privileges(redfish::privileges::headAccountService) 1957*4c7d4d33SEd Tanous .methods(boost::beast::http::verb::head)( 1958*4c7d4d33SEd Tanous std::bind_front(handleAccountServiceHead, std::ref(app))); 1959*4c7d4d33SEd Tanous 1960*4c7d4d33SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 19611ef4c342SEd Tanous .privileges(redfish::privileges::getAccountService) 19621ef4c342SEd Tanous .methods(boost::beast::http::verb::get)( 19631ef4c342SEd Tanous std::bind_front(handleAccountServiceGet, std::ref(app))); 19641ef4c342SEd Tanous 19651ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 19661ef4c342SEd Tanous .privileges(redfish::privileges::patchAccountService) 19671ef4c342SEd Tanous .methods(boost::beast::http::verb::patch)( 19681ef4c342SEd Tanous std::bind_front(handleAccountServicePatch, std::ref(app))); 19691ef4c342SEd Tanous 19701ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 1971*4c7d4d33SEd Tanous .privileges(redfish::privileges::headManagerAccountCollection) 1972*4c7d4d33SEd Tanous .methods(boost::beast::http::verb::head)( 1973*4c7d4d33SEd Tanous std::bind_front(handleAccountCollectionHead, std::ref(app))); 1974*4c7d4d33SEd Tanous 1975*4c7d4d33SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 19761ef4c342SEd Tanous .privileges(redfish::privileges::getManagerAccountCollection) 19771ef4c342SEd Tanous .methods(boost::beast::http::verb::get)( 19781ef4c342SEd Tanous std::bind_front(handleAccountCollectionGet, std::ref(app))); 19791ef4c342SEd Tanous 19801ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 19811ef4c342SEd Tanous .privileges(redfish::privileges::postManagerAccountCollection) 19821ef4c342SEd Tanous .methods(boost::beast::http::verb::post)( 19831ef4c342SEd Tanous std::bind_front(handleAccountCollectionPost, std::ref(app))); 19841ef4c342SEd Tanous 19851ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 1986*4c7d4d33SEd Tanous .privileges(redfish::privileges::headManagerAccount) 1987*4c7d4d33SEd Tanous .methods(boost::beast::http::verb::head)( 1988*4c7d4d33SEd Tanous std::bind_front(handleAccountHead, std::ref(app))); 1989*4c7d4d33SEd Tanous 1990*4c7d4d33SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 19911ef4c342SEd Tanous .privileges(redfish::privileges::getManagerAccount) 19921ef4c342SEd Tanous .methods(boost::beast::http::verb::get)( 19931ef4c342SEd Tanous std::bind_front(handleAccountGet, std::ref(app))); 19941ef4c342SEd Tanous 19951ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 19961ef4c342SEd Tanous // TODO this privilege should be using the generated endpoints, but 19971ef4c342SEd Tanous // because of the special handling of ConfigureSelf, it's not able to 19981ef4c342SEd Tanous // yet 19991ef4c342SEd Tanous .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}}) 20001ef4c342SEd Tanous .methods(boost::beast::http::verb::patch)( 20011ef4c342SEd Tanous std::bind_front(handleAccountPatch, std::ref(app))); 200284e12cb7SAppaRao Puli 20036c51eab1SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 2004ed398213SEd Tanous .privileges(redfish::privileges::deleteManagerAccount) 20056c51eab1SEd Tanous .methods(boost::beast::http::verb::delete_)( 20061ef4c342SEd Tanous std::bind_front(handleAccounttDelete, std::ref(app))); 200706e086d9SEd Tanous } 200888d16c9aSLewanczyk, Dawid 200988d16c9aSLewanczyk, Dawid } // namespace redfish 2010