188d16c9aSLewanczyk, Dawid /* 288d16c9aSLewanczyk, Dawid // Copyright (c) 2018 Intel Corporation 388d16c9aSLewanczyk, Dawid // 488d16c9aSLewanczyk, Dawid // Licensed under the Apache License, Version 2.0 (the "License"); 588d16c9aSLewanczyk, Dawid // you may not use this file except in compliance with the License. 688d16c9aSLewanczyk, Dawid // You may obtain a copy of the License at 788d16c9aSLewanczyk, Dawid // 888d16c9aSLewanczyk, Dawid // http://www.apache.org/licenses/LICENSE-2.0 988d16c9aSLewanczyk, Dawid // 1088d16c9aSLewanczyk, Dawid // Unless required by applicable law or agreed to in writing, software 1188d16c9aSLewanczyk, Dawid // distributed under the License is distributed on an "AS IS" BASIS, 1288d16c9aSLewanczyk, Dawid // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 1388d16c9aSLewanczyk, Dawid // See the License for the specific language governing permissions and 1488d16c9aSLewanczyk, Dawid // limitations under the License. 1588d16c9aSLewanczyk, Dawid */ 1688d16c9aSLewanczyk, Dawid #pragma once 1788d16c9aSLewanczyk, Dawid #include "node.hpp" 1888d16c9aSLewanczyk, Dawid 197e860f15SJohn Edward Broadbent #include <app.hpp> 2024c8542dSRatan Gupta #include <dbus_utility.hpp> 2165b0dc32SEd Tanous #include <error_messages.hpp> 22b9b2e0b2SEd Tanous #include <openbmc_dbus_rest.hpp> 2352cc112dSEd Tanous #include <persistent_data.hpp> 24a840879dSEd Tanous #include <utils/json_utils.hpp> 251214b7e7SGunnar Mills 26abf2add6SEd Tanous #include <variant> 27b9b2e0b2SEd Tanous 281abe55efSEd Tanous namespace redfish 291abe55efSEd Tanous { 3088d16c9aSLewanczyk, Dawid 3123a21a1cSEd Tanous constexpr const char* ldapConfigObjectName = 326973a582SRatan Gupta "/xyz/openbmc_project/user/ldap/openldap"; 332c70f800SEd Tanous constexpr const char* adConfigObject = 34ab828d7cSRatan Gupta "/xyz/openbmc_project/user/ldap/active_directory"; 35ab828d7cSRatan Gupta 366973a582SRatan Gupta constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap"; 376973a582SRatan Gupta constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config"; 386973a582SRatan Gupta constexpr const char* ldapConfigInterface = 396973a582SRatan Gupta "xyz.openbmc_project.User.Ldap.Config"; 406973a582SRatan Gupta constexpr const char* ldapCreateInterface = 416973a582SRatan Gupta "xyz.openbmc_project.User.Ldap.Create"; 426973a582SRatan Gupta constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable"; 4306785244SRatan Gupta constexpr const char* ldapPrivMapperInterface = 4406785244SRatan Gupta "xyz.openbmc_project.User.PrivilegeMapper"; 456973a582SRatan Gupta constexpr const char* dbusObjManagerIntf = "org.freedesktop.DBus.ObjectManager"; 466973a582SRatan Gupta constexpr const char* propertyInterface = "org.freedesktop.DBus.Properties"; 476973a582SRatan Gupta constexpr const char* mapperBusName = "xyz.openbmc_project.ObjectMapper"; 486973a582SRatan Gupta constexpr const char* mapperObjectPath = "/xyz/openbmc_project/object_mapper"; 496973a582SRatan Gupta constexpr const char* mapperIntf = "xyz.openbmc_project.ObjectMapper"; 506973a582SRatan Gupta 5154fc587aSNagaraju Goruganti struct LDAPRoleMapData 5254fc587aSNagaraju Goruganti { 5354fc587aSNagaraju Goruganti std::string groupName; 5454fc587aSNagaraju Goruganti std::string privilege; 5554fc587aSNagaraju Goruganti }; 5654fc587aSNagaraju Goruganti 576973a582SRatan Gupta struct LDAPConfigData 586973a582SRatan Gupta { 596973a582SRatan Gupta std::string uri{}; 606973a582SRatan Gupta std::string bindDN{}; 616973a582SRatan Gupta std::string baseDN{}; 626973a582SRatan Gupta std::string searchScope{}; 636973a582SRatan Gupta std::string serverType{}; 646973a582SRatan Gupta bool serviceEnabled = false; 656973a582SRatan Gupta std::string userNameAttribute{}; 666973a582SRatan Gupta std::string groupAttribute{}; 6754fc587aSNagaraju Goruganti std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList; 686973a582SRatan Gupta }; 696973a582SRatan Gupta 7019bd78d9SPatrick Williams using DbusVariantType = std::variant<bool, int32_t, std::string>; 71107077deSPrzemyslaw Czarnowski 72107077deSPrzemyslaw Czarnowski using DbusInterfaceType = boost::container::flat_map< 73107077deSPrzemyslaw Czarnowski std::string, boost::container::flat_map<std::string, DbusVariantType>>; 74107077deSPrzemyslaw Czarnowski 75107077deSPrzemyslaw Czarnowski using ManagedObjectType = 76107077deSPrzemyslaw Czarnowski std::vector<std::pair<sdbusplus::message::object_path, DbusInterfaceType>>; 77107077deSPrzemyslaw Czarnowski 786973a582SRatan Gupta using GetObjectType = 796973a582SRatan Gupta std::vector<std::pair<std::string, std::vector<std::string>>>; 8084e12cb7SAppaRao Puli 8154fc587aSNagaraju Goruganti inline std::string getRoleIdFromPrivilege(std::string_view role) 8284e12cb7SAppaRao Puli { 8384e12cb7SAppaRao Puli if (role == "priv-admin") 8484e12cb7SAppaRao Puli { 8584e12cb7SAppaRao Puli return "Administrator"; 8684e12cb7SAppaRao Puli } 873174e4dfSEd Tanous if (role == "priv-user") 8884e12cb7SAppaRao Puli { 89c80fee55SAppaRao Puli return "ReadOnly"; 9084e12cb7SAppaRao Puli } 913174e4dfSEd Tanous if (role == "priv-operator") 9284e12cb7SAppaRao Puli { 9384e12cb7SAppaRao Puli return "Operator"; 9484e12cb7SAppaRao Puli } 953174e4dfSEd Tanous if ((role == "") || (role == "priv-noaccess")) 96e9e6d240Sjayaprakash Mutyala { 97e9e6d240Sjayaprakash Mutyala return "NoAccess"; 98e9e6d240Sjayaprakash Mutyala } 9984e12cb7SAppaRao Puli return ""; 10084e12cb7SAppaRao Puli } 10154fc587aSNagaraju Goruganti inline std::string getPrivilegeFromRoleId(std::string_view role) 10284e12cb7SAppaRao Puli { 10384e12cb7SAppaRao Puli if (role == "Administrator") 10484e12cb7SAppaRao Puli { 10584e12cb7SAppaRao Puli return "priv-admin"; 10684e12cb7SAppaRao Puli } 1073174e4dfSEd Tanous if (role == "ReadOnly") 10884e12cb7SAppaRao Puli { 10984e12cb7SAppaRao Puli return "priv-user"; 11084e12cb7SAppaRao Puli } 1113174e4dfSEd Tanous if (role == "Operator") 11284e12cb7SAppaRao Puli { 11384e12cb7SAppaRao Puli return "priv-operator"; 11484e12cb7SAppaRao Puli } 1153174e4dfSEd Tanous if ((role == "NoAccess") || (role == "")) 116e9e6d240Sjayaprakash Mutyala { 117e9e6d240Sjayaprakash Mutyala return "priv-noaccess"; 118e9e6d240Sjayaprakash Mutyala } 11984e12cb7SAppaRao Puli return ""; 12084e12cb7SAppaRao Puli } 121b9b2e0b2SEd Tanous 1228d1b46d7Szhanghch05 inline void userErrorMessageHandler( 1238d1b46d7Szhanghch05 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 1248d1b46d7Szhanghch05 const std::string& newUser, const std::string& username) 12566b5ca76Sjayaprakash Mutyala { 12666b5ca76Sjayaprakash Mutyala if (e == nullptr) 12766b5ca76Sjayaprakash Mutyala { 12866b5ca76Sjayaprakash Mutyala messages::internalError(asyncResp->res); 12966b5ca76Sjayaprakash Mutyala return; 13066b5ca76Sjayaprakash Mutyala } 13166b5ca76Sjayaprakash Mutyala 132055806b3SManojkiran Eda const char* errorMessage = e->name; 13366b5ca76Sjayaprakash Mutyala if (strcmp(errorMessage, 13466b5ca76Sjayaprakash Mutyala "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0) 13566b5ca76Sjayaprakash Mutyala { 13666b5ca76Sjayaprakash Mutyala messages::resourceAlreadyExists(asyncResp->res, 1378114bd4dSGunnar Mills "#ManagerAccount.v1_4_0.ManagerAccount", 13866b5ca76Sjayaprakash Mutyala "UserName", newUser); 13966b5ca76Sjayaprakash Mutyala } 14066b5ca76Sjayaprakash Mutyala else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error." 14166b5ca76Sjayaprakash Mutyala "UserNameDoesNotExist") == 0) 14266b5ca76Sjayaprakash Mutyala { 14366b5ca76Sjayaprakash Mutyala messages::resourceNotFound( 1448114bd4dSGunnar Mills asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", username); 14566b5ca76Sjayaprakash Mutyala } 146d4d25793SEd Tanous else if ((strcmp(errorMessage, 147d4d25793SEd Tanous "xyz.openbmc_project.Common.Error.InvalidArgument") == 148d4d25793SEd Tanous 0) || 149d4d25793SEd Tanous (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error." 150d4d25793SEd Tanous "UserNameGroupFail") == 0)) 15166b5ca76Sjayaprakash Mutyala { 15266b5ca76Sjayaprakash Mutyala messages::propertyValueFormatError(asyncResp->res, newUser, "UserName"); 15366b5ca76Sjayaprakash Mutyala } 15466b5ca76Sjayaprakash Mutyala else if (strcmp(errorMessage, 15566b5ca76Sjayaprakash Mutyala "xyz.openbmc_project.User.Common.Error.NoResource") == 0) 15666b5ca76Sjayaprakash Mutyala { 15766b5ca76Sjayaprakash Mutyala messages::createLimitReachedForResource(asyncResp->res); 15866b5ca76Sjayaprakash Mutyala } 15966b5ca76Sjayaprakash Mutyala else 16066b5ca76Sjayaprakash Mutyala { 16166b5ca76Sjayaprakash Mutyala messages::internalError(asyncResp->res); 16266b5ca76Sjayaprakash Mutyala } 16366b5ca76Sjayaprakash Mutyala 16466b5ca76Sjayaprakash Mutyala return; 16566b5ca76Sjayaprakash Mutyala } 16666b5ca76Sjayaprakash Mutyala 16781ce609eSEd Tanous inline void parseLDAPConfigData(nlohmann::json& jsonResponse, 168ab828d7cSRatan Gupta const LDAPConfigData& confData, 169ab828d7cSRatan Gupta const std::string& ldapType) 1706973a582SRatan Gupta { 171ab828d7cSRatan Gupta std::string service = 172ab828d7cSRatan Gupta (ldapType == "LDAP") ? "LDAPService" : "ActiveDirectoryService"; 17337cce918SMarri Devender Rao nlohmann::json ldap = { 1746973a582SRatan Gupta {"ServiceEnabled", confData.serviceEnabled}, 1756973a582SRatan Gupta {"ServiceAddresses", nlohmann::json::array({confData.uri})}, 1766973a582SRatan Gupta {"Authentication", 1776973a582SRatan Gupta {{"AuthenticationType", "UsernameAndPassword"}, 1786973a582SRatan Gupta {"Username", confData.bindDN}, 1796973a582SRatan Gupta {"Password", nullptr}}}, 1806973a582SRatan Gupta {"LDAPService", 1816973a582SRatan Gupta {{"SearchSettings", 1826973a582SRatan Gupta {{"BaseDistinguishedNames", 1836973a582SRatan Gupta nlohmann::json::array({confData.baseDN})}, 1846973a582SRatan Gupta {"UsernameAttribute", confData.userNameAttribute}, 1856973a582SRatan Gupta {"GroupsAttribute", confData.groupAttribute}}}}}, 1866973a582SRatan Gupta }; 18754fc587aSNagaraju Goruganti 18881ce609eSEd Tanous jsonResponse[ldapType].update(ldap); 18954fc587aSNagaraju Goruganti 19081ce609eSEd Tanous nlohmann::json& roleMapArray = jsonResponse[ldapType]["RemoteRoleMapping"]; 19154fc587aSNagaraju Goruganti roleMapArray = nlohmann::json::array(); 19254fc587aSNagaraju Goruganti for (auto& obj : confData.groupRoleList) 19354fc587aSNagaraju Goruganti { 19454fc587aSNagaraju Goruganti BMCWEB_LOG_DEBUG << "Pushing the data groupName=" 19554fc587aSNagaraju Goruganti << obj.second.groupName << "\n"; 19654fc587aSNagaraju Goruganti roleMapArray.push_back( 19754fc587aSNagaraju Goruganti {nlohmann::json::array({"RemoteGroup", obj.second.groupName}), 19854fc587aSNagaraju Goruganti nlohmann::json::array( 19954fc587aSNagaraju Goruganti {"LocalRole", getRoleIdFromPrivilege(obj.second.privilege)})}); 20054fc587aSNagaraju Goruganti } 2016973a582SRatan Gupta } 2026973a582SRatan Gupta 2036973a582SRatan Gupta /** 20406785244SRatan Gupta * @brief validates given JSON input and then calls appropriate method to 20506785244SRatan Gupta * create, to delete or to set Rolemapping object based on the given input. 20606785244SRatan Gupta * 20706785244SRatan Gupta */ 20823a21a1cSEd Tanous inline void handleRoleMapPatch( 2098d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 21006785244SRatan Gupta const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData, 211f23b7296SEd Tanous const std::string& serverType, const std::vector<nlohmann::json>& input) 21206785244SRatan Gupta { 21306785244SRatan Gupta for (size_t index = 0; index < input.size(); index++) 21406785244SRatan Gupta { 215f23b7296SEd Tanous const nlohmann::json& thisJson = input[index]; 21606785244SRatan Gupta 21706785244SRatan Gupta if (thisJson.is_null()) 21806785244SRatan Gupta { 21906785244SRatan Gupta // delete the existing object 22006785244SRatan Gupta if (index < roleMapObjData.size()) 22106785244SRatan Gupta { 22206785244SRatan Gupta crow::connections::systemBus->async_method_call( 22306785244SRatan Gupta [asyncResp, roleMapObjData, serverType, 22406785244SRatan Gupta index](const boost::system::error_code ec) { 22506785244SRatan Gupta if (ec) 22606785244SRatan Gupta { 22706785244SRatan Gupta BMCWEB_LOG_ERROR << "DBUS response error: " << ec; 22806785244SRatan Gupta messages::internalError(asyncResp->res); 22906785244SRatan Gupta return; 23006785244SRatan Gupta } 23106785244SRatan Gupta asyncResp->res 23206785244SRatan Gupta .jsonValue[serverType]["RemoteRoleMapping"][index] = 23306785244SRatan Gupta nullptr; 23406785244SRatan Gupta }, 23506785244SRatan Gupta ldapDbusService, roleMapObjData[index].first, 23606785244SRatan Gupta "xyz.openbmc_project.Object.Delete", "Delete"); 23706785244SRatan Gupta } 23806785244SRatan Gupta else 23906785244SRatan Gupta { 24006785244SRatan Gupta BMCWEB_LOG_ERROR << "Can't delete the object"; 24106785244SRatan Gupta messages::propertyValueTypeError( 24271f52d96SEd Tanous asyncResp->res, 24371f52d96SEd Tanous thisJson.dump(2, ' ', true, 24471f52d96SEd Tanous nlohmann::json::error_handler_t::replace), 24506785244SRatan Gupta "RemoteRoleMapping/" + std::to_string(index)); 24606785244SRatan Gupta return; 24706785244SRatan Gupta } 24806785244SRatan Gupta } 24906785244SRatan Gupta else if (thisJson.empty()) 25006785244SRatan Gupta { 25106785244SRatan Gupta // Don't do anything for the empty objects,parse next json 25206785244SRatan Gupta // eg {"RemoteRoleMapping",[{}]} 25306785244SRatan Gupta } 25406785244SRatan Gupta else 25506785244SRatan Gupta { 25606785244SRatan Gupta // update/create the object 25706785244SRatan Gupta std::optional<std::string> remoteGroup; 25806785244SRatan Gupta std::optional<std::string> localRole; 25906785244SRatan Gupta 260f23b7296SEd Tanous // This is a copy, but it's required in this case because of how 261f23b7296SEd Tanous // readJson is structured 262f23b7296SEd Tanous nlohmann::json thisJsonCopy = thisJson; 263f23b7296SEd Tanous if (!json_util::readJson(thisJsonCopy, asyncResp->res, 264f23b7296SEd Tanous "RemoteGroup", remoteGroup, "LocalRole", 265f23b7296SEd Tanous localRole)) 26606785244SRatan Gupta { 26706785244SRatan Gupta continue; 26806785244SRatan Gupta } 26906785244SRatan Gupta 27006785244SRatan Gupta // Update existing RoleMapping Object 27106785244SRatan Gupta if (index < roleMapObjData.size()) 27206785244SRatan Gupta { 27306785244SRatan Gupta BMCWEB_LOG_DEBUG << "Update Role Map Object"; 27406785244SRatan Gupta // If "RemoteGroup" info is provided 27506785244SRatan Gupta if (remoteGroup) 27606785244SRatan Gupta { 27706785244SRatan Gupta crow::connections::systemBus->async_method_call( 27806785244SRatan Gupta [asyncResp, roleMapObjData, serverType, index, 27906785244SRatan Gupta remoteGroup](const boost::system::error_code ec) { 28006785244SRatan Gupta if (ec) 28106785244SRatan Gupta { 28206785244SRatan Gupta BMCWEB_LOG_ERROR << "DBUS response error: " 28306785244SRatan Gupta << ec; 28406785244SRatan Gupta messages::internalError(asyncResp->res); 28506785244SRatan Gupta return; 28606785244SRatan Gupta } 28706785244SRatan Gupta asyncResp->res 28806785244SRatan Gupta .jsonValue[serverType]["RemoteRoleMapping"] 28906785244SRatan Gupta [index]["RemoteGroup"] = *remoteGroup; 29006785244SRatan Gupta }, 29106785244SRatan Gupta ldapDbusService, roleMapObjData[index].first, 29206785244SRatan Gupta propertyInterface, "Set", 29306785244SRatan Gupta "xyz.openbmc_project.User.PrivilegeMapperEntry", 29406785244SRatan Gupta "GroupName", 29506785244SRatan Gupta std::variant<std::string>(std::move(*remoteGroup))); 29606785244SRatan Gupta } 29706785244SRatan Gupta 29806785244SRatan Gupta // If "LocalRole" info is provided 29906785244SRatan Gupta if (localRole) 30006785244SRatan Gupta { 30106785244SRatan Gupta crow::connections::systemBus->async_method_call( 30206785244SRatan Gupta [asyncResp, roleMapObjData, serverType, index, 30306785244SRatan Gupta localRole](const boost::system::error_code ec) { 30406785244SRatan Gupta if (ec) 30506785244SRatan Gupta { 30606785244SRatan Gupta BMCWEB_LOG_ERROR << "DBUS response error: " 30706785244SRatan Gupta << ec; 30806785244SRatan Gupta messages::internalError(asyncResp->res); 30906785244SRatan Gupta return; 31006785244SRatan Gupta } 31106785244SRatan Gupta asyncResp->res 31206785244SRatan Gupta .jsonValue[serverType]["RemoteRoleMapping"] 31306785244SRatan Gupta [index]["LocalRole"] = *localRole; 31406785244SRatan Gupta }, 31506785244SRatan Gupta ldapDbusService, roleMapObjData[index].first, 31606785244SRatan Gupta propertyInterface, "Set", 31706785244SRatan Gupta "xyz.openbmc_project.User.PrivilegeMapperEntry", 31806785244SRatan Gupta "Privilege", 31906785244SRatan Gupta std::variant<std::string>( 32006785244SRatan Gupta getPrivilegeFromRoleId(std::move(*localRole)))); 32106785244SRatan Gupta } 32206785244SRatan Gupta } 32306785244SRatan Gupta // Create a new RoleMapping Object. 32406785244SRatan Gupta else 32506785244SRatan Gupta { 32606785244SRatan Gupta BMCWEB_LOG_DEBUG 32706785244SRatan Gupta << "setRoleMappingProperties: Creating new Object"; 32806785244SRatan Gupta std::string pathString = 32906785244SRatan Gupta "RemoteRoleMapping/" + std::to_string(index); 33006785244SRatan Gupta 33106785244SRatan Gupta if (!localRole) 33206785244SRatan Gupta { 33306785244SRatan Gupta messages::propertyMissing(asyncResp->res, 33406785244SRatan Gupta pathString + "/LocalRole"); 33506785244SRatan Gupta continue; 33606785244SRatan Gupta } 33706785244SRatan Gupta if (!remoteGroup) 33806785244SRatan Gupta { 33906785244SRatan Gupta messages::propertyMissing(asyncResp->res, 34006785244SRatan Gupta pathString + "/RemoteGroup"); 34106785244SRatan Gupta continue; 34206785244SRatan Gupta } 34306785244SRatan Gupta 34406785244SRatan Gupta std::string dbusObjectPath; 34506785244SRatan Gupta if (serverType == "ActiveDirectory") 34606785244SRatan Gupta { 3472c70f800SEd Tanous dbusObjectPath = adConfigObject; 34806785244SRatan Gupta } 34906785244SRatan Gupta else if (serverType == "LDAP") 35006785244SRatan Gupta { 35123a21a1cSEd Tanous dbusObjectPath = ldapConfigObjectName; 35206785244SRatan Gupta } 35306785244SRatan Gupta 35406785244SRatan Gupta BMCWEB_LOG_DEBUG << "Remote Group=" << *remoteGroup 35506785244SRatan Gupta << ",LocalRole=" << *localRole; 35606785244SRatan Gupta 35706785244SRatan Gupta crow::connections::systemBus->async_method_call( 358271584abSEd Tanous [asyncResp, serverType, localRole, 35906785244SRatan Gupta remoteGroup](const boost::system::error_code ec) { 36006785244SRatan Gupta if (ec) 36106785244SRatan Gupta { 36206785244SRatan Gupta BMCWEB_LOG_ERROR << "DBUS response error: " << ec; 36306785244SRatan Gupta messages::internalError(asyncResp->res); 36406785244SRatan Gupta return; 36506785244SRatan Gupta } 36606785244SRatan Gupta nlohmann::json& remoteRoleJson = 36706785244SRatan Gupta asyncResp->res 36806785244SRatan Gupta .jsonValue[serverType]["RemoteRoleMapping"]; 36906785244SRatan Gupta remoteRoleJson.push_back( 37006785244SRatan Gupta {{"LocalRole", *localRole}, 37106785244SRatan Gupta {"RemoteGroup", *remoteGroup}}); 37206785244SRatan Gupta }, 37306785244SRatan Gupta ldapDbusService, dbusObjectPath, ldapPrivMapperInterface, 3743174e4dfSEd Tanous "Create", *remoteGroup, 37506785244SRatan Gupta getPrivilegeFromRoleId(std::move(*localRole))); 37606785244SRatan Gupta } 37706785244SRatan Gupta } 37806785244SRatan Gupta } 37906785244SRatan Gupta } 38006785244SRatan Gupta 38106785244SRatan Gupta /** 3826973a582SRatan Gupta * Function that retrieves all properties for LDAP config object 3836973a582SRatan Gupta * into JSON 3846973a582SRatan Gupta */ 3856973a582SRatan Gupta template <typename CallbackFunc> 3866973a582SRatan Gupta inline void getLDAPConfigData(const std::string& ldapType, 3876973a582SRatan Gupta CallbackFunc&& callback) 3886973a582SRatan Gupta { 38954fc587aSNagaraju Goruganti 39054fc587aSNagaraju Goruganti const std::array<const char*, 2> interfaces = {ldapEnableInterface, 39154fc587aSNagaraju Goruganti ldapConfigInterface}; 39254fc587aSNagaraju Goruganti 39354fc587aSNagaraju Goruganti crow::connections::systemBus->async_method_call( 39454fc587aSNagaraju Goruganti [callback, ldapType](const boost::system::error_code ec, 39554fc587aSNagaraju Goruganti const GetObjectType& resp) { 39654fc587aSNagaraju Goruganti if (ec || resp.empty()) 39754fc587aSNagaraju Goruganti { 39854fc587aSNagaraju Goruganti BMCWEB_LOG_ERROR << "DBUS response error during getting of " 39954fc587aSNagaraju Goruganti "service name: " 40054fc587aSNagaraju Goruganti << ec; 40123a21a1cSEd Tanous LDAPConfigData empty{}; 40223a21a1cSEd Tanous callback(false, empty, ldapType); 40354fc587aSNagaraju Goruganti return; 40454fc587aSNagaraju Goruganti } 40554fc587aSNagaraju Goruganti std::string service = resp.begin()->first; 40654fc587aSNagaraju Goruganti crow::connections::systemBus->async_method_call( 40781ce609eSEd Tanous [callback, ldapType](const boost::system::error_code errorCode, 4086973a582SRatan Gupta const ManagedObjectType& ldapObjects) { 4096973a582SRatan Gupta LDAPConfigData confData{}; 41081ce609eSEd Tanous if (errorCode) 4116973a582SRatan Gupta { 412ab828d7cSRatan Gupta callback(false, confData, ldapType); 41354fc587aSNagaraju Goruganti BMCWEB_LOG_ERROR << "D-Bus responses error: " 41481ce609eSEd Tanous << errorCode; 4156973a582SRatan Gupta return; 4166973a582SRatan Gupta } 417ab828d7cSRatan Gupta 418ab828d7cSRatan Gupta std::string ldapDbusType; 41954fc587aSNagaraju Goruganti std::string searchString; 42054fc587aSNagaraju Goruganti 421ab828d7cSRatan Gupta if (ldapType == "LDAP") 422ab828d7cSRatan Gupta { 42354fc587aSNagaraju Goruganti ldapDbusType = "xyz.openbmc_project.User.Ldap.Config." 42454fc587aSNagaraju Goruganti "Type.OpenLdap"; 42554fc587aSNagaraju Goruganti searchString = "openldap"; 426ab828d7cSRatan Gupta } 427ab828d7cSRatan Gupta else if (ldapType == "ActiveDirectory") 428ab828d7cSRatan Gupta { 42954fc587aSNagaraju Goruganti ldapDbusType = 43054fc587aSNagaraju Goruganti "xyz.openbmc_project.User.Ldap.Config.Type." 431ab828d7cSRatan Gupta "ActiveDirectory"; 43254fc587aSNagaraju Goruganti searchString = "active_directory"; 433ab828d7cSRatan Gupta } 434ab828d7cSRatan Gupta else 435ab828d7cSRatan Gupta { 43654fc587aSNagaraju Goruganti BMCWEB_LOG_ERROR 43754fc587aSNagaraju Goruganti << "Can't get the DbusType for the given type=" 438ab828d7cSRatan Gupta << ldapType; 439ab828d7cSRatan Gupta callback(false, confData, ldapType); 440ab828d7cSRatan Gupta return; 441ab828d7cSRatan Gupta } 442ab828d7cSRatan Gupta 443ab828d7cSRatan Gupta std::string ldapEnableInterfaceStr = ldapEnableInterface; 444ab828d7cSRatan Gupta std::string ldapConfigInterfaceStr = ldapConfigInterface; 445ab828d7cSRatan Gupta 4466973a582SRatan Gupta for (const auto& object : ldapObjects) 4476973a582SRatan Gupta { 44854fc587aSNagaraju Goruganti // let's find the object whose ldap type is equal to the 44954fc587aSNagaraju Goruganti // given type 45054fc587aSNagaraju Goruganti if (object.first.str.find(searchString) == 45154fc587aSNagaraju Goruganti std::string::npos) 4526973a582SRatan Gupta { 453ab828d7cSRatan Gupta continue; 454ab828d7cSRatan Gupta } 455ab828d7cSRatan Gupta 4566973a582SRatan Gupta for (const auto& interface : object.second) 4576973a582SRatan Gupta { 4586973a582SRatan Gupta if (interface.first == ldapEnableInterfaceStr) 4596973a582SRatan Gupta { 4606973a582SRatan Gupta // rest of the properties are string. 4616973a582SRatan Gupta for (const auto& property : interface.second) 4626973a582SRatan Gupta { 4636973a582SRatan Gupta if (property.first == "Enabled") 4646973a582SRatan Gupta { 4656973a582SRatan Gupta const bool* value = 4666973a582SRatan Gupta std::get_if<bool>(&property.second); 4676973a582SRatan Gupta if (value == nullptr) 4686973a582SRatan Gupta { 4696973a582SRatan Gupta continue; 4706973a582SRatan Gupta } 4716973a582SRatan Gupta confData.serviceEnabled = *value; 4726973a582SRatan Gupta break; 4736973a582SRatan Gupta } 4746973a582SRatan Gupta } 4756973a582SRatan Gupta } 4766973a582SRatan Gupta else if (interface.first == ldapConfigInterfaceStr) 4776973a582SRatan Gupta { 4786973a582SRatan Gupta 4796973a582SRatan Gupta for (const auto& property : interface.second) 4806973a582SRatan Gupta { 481271584abSEd Tanous const std::string* strValue = 48254fc587aSNagaraju Goruganti std::get_if<std::string>( 48354fc587aSNagaraju Goruganti &property.second); 484271584abSEd Tanous if (strValue == nullptr) 4856973a582SRatan Gupta { 4866973a582SRatan Gupta continue; 4876973a582SRatan Gupta } 4886973a582SRatan Gupta if (property.first == "LDAPServerURI") 4896973a582SRatan Gupta { 490271584abSEd Tanous confData.uri = *strValue; 4916973a582SRatan Gupta } 4926973a582SRatan Gupta else if (property.first == "LDAPBindDN") 4936973a582SRatan Gupta { 494271584abSEd Tanous confData.bindDN = *strValue; 4956973a582SRatan Gupta } 4966973a582SRatan Gupta else if (property.first == "LDAPBaseDN") 4976973a582SRatan Gupta { 498271584abSEd Tanous confData.baseDN = *strValue; 4996973a582SRatan Gupta } 50054fc587aSNagaraju Goruganti else if (property.first == 50154fc587aSNagaraju Goruganti "LDAPSearchScope") 5026973a582SRatan Gupta { 503271584abSEd Tanous confData.searchScope = *strValue; 5046973a582SRatan Gupta } 50554fc587aSNagaraju Goruganti else if (property.first == 50654fc587aSNagaraju Goruganti "GroupNameAttribute") 5076973a582SRatan Gupta { 508271584abSEd Tanous confData.groupAttribute = *strValue; 5096973a582SRatan Gupta } 51054fc587aSNagaraju Goruganti else if (property.first == 51154fc587aSNagaraju Goruganti "UserNameAttribute") 5126973a582SRatan Gupta { 513271584abSEd Tanous confData.userNameAttribute = *strValue; 5146973a582SRatan Gupta } 51554fc587aSNagaraju Goruganti else if (property.first == "LDAPType") 516ab828d7cSRatan Gupta { 517271584abSEd Tanous confData.serverType = *strValue; 51854fc587aSNagaraju Goruganti } 51954fc587aSNagaraju Goruganti } 52054fc587aSNagaraju Goruganti } 52154fc587aSNagaraju Goruganti else if (interface.first == 52254fc587aSNagaraju Goruganti "xyz.openbmc_project.User." 52354fc587aSNagaraju Goruganti "PrivilegeMapperEntry") 52454fc587aSNagaraju Goruganti { 52554fc587aSNagaraju Goruganti LDAPRoleMapData roleMapData{}; 52654fc587aSNagaraju Goruganti for (const auto& property : interface.second) 52754fc587aSNagaraju Goruganti { 528271584abSEd Tanous const std::string* strValue = 52954fc587aSNagaraju Goruganti std::get_if<std::string>( 53054fc587aSNagaraju Goruganti &property.second); 53154fc587aSNagaraju Goruganti 532271584abSEd Tanous if (strValue == nullptr) 53354fc587aSNagaraju Goruganti { 53454fc587aSNagaraju Goruganti continue; 53554fc587aSNagaraju Goruganti } 53654fc587aSNagaraju Goruganti 53754fc587aSNagaraju Goruganti if (property.first == "GroupName") 53854fc587aSNagaraju Goruganti { 539271584abSEd Tanous roleMapData.groupName = *strValue; 54054fc587aSNagaraju Goruganti } 54154fc587aSNagaraju Goruganti else if (property.first == "Privilege") 54254fc587aSNagaraju Goruganti { 543271584abSEd Tanous roleMapData.privilege = *strValue; 54454fc587aSNagaraju Goruganti } 54554fc587aSNagaraju Goruganti } 54654fc587aSNagaraju Goruganti 5470f0353b6SEd Tanous confData.groupRoleList.emplace_back( 5480f0353b6SEd Tanous object.first.str, roleMapData); 54954fc587aSNagaraju Goruganti } 55054fc587aSNagaraju Goruganti } 55154fc587aSNagaraju Goruganti } 552ab828d7cSRatan Gupta callback(true, confData, ldapType); 55354fc587aSNagaraju Goruganti }, 55454fc587aSNagaraju Goruganti service, ldapRootObject, dbusObjManagerIntf, 5556973a582SRatan Gupta "GetManagedObjects"); 55654fc587aSNagaraju Goruganti }, 55754fc587aSNagaraju Goruganti mapperBusName, mapperObjectPath, mapperIntf, "GetObject", 55823a21a1cSEd Tanous ldapConfigObjectName, interfaces); 5596973a582SRatan Gupta } 5606973a582SRatan Gupta 5618a07d286SRatan Gupta /** 5628a07d286SRatan Gupta * @brief parses the authentication section under the LDAP 5638a07d286SRatan Gupta * @param input JSON data 5648a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 5658a07d286SRatan Gupta * @param userName userName to be filled from the given JSON. 5668a07d286SRatan Gupta * @param password password to be filled from the given JSON. 5678a07d286SRatan Gupta */ 5688d1b46d7Szhanghch05 void parseLDAPAuthenticationJson( 569*6c51eab1SEd Tanous nlohmann::json input, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 570*6c51eab1SEd Tanous std::optional<std::string>& username, std::optional<std::string>& password) 5718a07d286SRatan Gupta { 5728a07d286SRatan Gupta std::optional<std::string> authType; 5738a07d286SRatan Gupta 5748a07d286SRatan Gupta if (!json_util::readJson(input, asyncResp->res, "AuthenticationType", 5758a07d286SRatan Gupta authType, "Username", username, "Password", 5768a07d286SRatan Gupta password)) 5778a07d286SRatan Gupta { 5788a07d286SRatan Gupta return; 5798a07d286SRatan Gupta } 5808a07d286SRatan Gupta if (!authType) 5818a07d286SRatan Gupta { 5828a07d286SRatan Gupta return; 5838a07d286SRatan Gupta } 5848a07d286SRatan Gupta if (*authType != "UsernameAndPassword") 5858a07d286SRatan Gupta { 5868a07d286SRatan Gupta messages::propertyValueNotInList(asyncResp->res, *authType, 5878a07d286SRatan Gupta "AuthenticationType"); 5888a07d286SRatan Gupta return; 5898a07d286SRatan Gupta } 5908a07d286SRatan Gupta } 5918a07d286SRatan Gupta /** 5928a07d286SRatan Gupta * @brief parses the LDAPService section under the LDAP 5938a07d286SRatan Gupta * @param input JSON data 5948a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 5958a07d286SRatan Gupta * @param baseDNList baseDN to be filled from the given JSON. 5968a07d286SRatan Gupta * @param userNameAttribute userName to be filled from the given JSON. 5978a07d286SRatan Gupta * @param groupaAttribute password to be filled from the given JSON. 5988a07d286SRatan Gupta */ 5998a07d286SRatan Gupta 600*6c51eab1SEd Tanous void parseLDAPServiceJson(nlohmann::json input, 6018d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 6028a07d286SRatan Gupta std::optional<std::vector<std::string>>& baseDNList, 6038a07d286SRatan Gupta std::optional<std::string>& userNameAttribute, 6048a07d286SRatan Gupta std::optional<std::string>& groupsAttribute) 6058a07d286SRatan Gupta { 6068a07d286SRatan Gupta std::optional<nlohmann::json> searchSettings; 6078a07d286SRatan Gupta 6088a07d286SRatan Gupta if (!json_util::readJson(input, asyncResp->res, "SearchSettings", 6098a07d286SRatan Gupta searchSettings)) 6108a07d286SRatan Gupta { 6118a07d286SRatan Gupta return; 6128a07d286SRatan Gupta } 6138a07d286SRatan Gupta if (!searchSettings) 6148a07d286SRatan Gupta { 6158a07d286SRatan Gupta return; 6168a07d286SRatan Gupta } 6178a07d286SRatan Gupta if (!json_util::readJson(*searchSettings, asyncResp->res, 6188a07d286SRatan Gupta "BaseDistinguishedNames", baseDNList, 6198a07d286SRatan Gupta "UsernameAttribute", userNameAttribute, 6208a07d286SRatan Gupta "GroupsAttribute", groupsAttribute)) 6218a07d286SRatan Gupta { 6228a07d286SRatan Gupta return; 6238a07d286SRatan Gupta } 6248a07d286SRatan Gupta } 6258a07d286SRatan Gupta /** 6268a07d286SRatan Gupta * @brief updates the LDAP server address and updates the 6278a07d286SRatan Gupta json response with the new value. 6288a07d286SRatan Gupta * @param serviceAddressList address to be updated. 6298a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 6308a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 6318a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 6328a07d286SRatan Gupta */ 6338a07d286SRatan Gupta 6348a07d286SRatan Gupta void handleServiceAddressPatch( 6358a07d286SRatan Gupta const std::vector<std::string>& serviceAddressList, 6368d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 6378a07d286SRatan Gupta const std::string& ldapServerElementName, 6388a07d286SRatan Gupta const std::string& ldapConfigObject) 6398a07d286SRatan Gupta { 6408a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 6418a07d286SRatan Gupta [asyncResp, ldapServerElementName, 6428a07d286SRatan Gupta serviceAddressList](const boost::system::error_code ec) { 6438a07d286SRatan Gupta if (ec) 6448a07d286SRatan Gupta { 6458a07d286SRatan Gupta BMCWEB_LOG_DEBUG 646c61704abSGunnar Mills << "Error Occurred in updating the service address"; 6478a07d286SRatan Gupta messages::internalError(asyncResp->res); 6488a07d286SRatan Gupta return; 6498a07d286SRatan Gupta } 6508a07d286SRatan Gupta std::vector<std::string> modifiedserviceAddressList = { 6518a07d286SRatan Gupta serviceAddressList.front()}; 6528a07d286SRatan Gupta asyncResp->res 6538a07d286SRatan Gupta .jsonValue[ldapServerElementName]["ServiceAddresses"] = 6548a07d286SRatan Gupta modifiedserviceAddressList; 6558a07d286SRatan Gupta if ((serviceAddressList).size() > 1) 6568a07d286SRatan Gupta { 6578a07d286SRatan Gupta messages::propertyValueModified(asyncResp->res, 6588a07d286SRatan Gupta "ServiceAddresses", 6598a07d286SRatan Gupta serviceAddressList.front()); 6608a07d286SRatan Gupta } 6618a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the service address"; 6628a07d286SRatan Gupta }, 6638a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 6648a07d286SRatan Gupta ldapConfigInterface, "LDAPServerURI", 6658a07d286SRatan Gupta std::variant<std::string>(serviceAddressList.front())); 6668a07d286SRatan Gupta } 6678a07d286SRatan Gupta /** 6688a07d286SRatan Gupta * @brief updates the LDAP Bind DN and updates the 6698a07d286SRatan Gupta json response with the new value. 6708a07d286SRatan Gupta * @param username name of the user which needs to be updated. 6718a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 6728a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 6738a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 6748a07d286SRatan Gupta */ 6758a07d286SRatan Gupta 676*6c51eab1SEd Tanous void handleUserNamePatch(const std::string& username, 6778d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 6788a07d286SRatan Gupta const std::string& ldapServerElementName, 6798a07d286SRatan Gupta const std::string& ldapConfigObject) 6808a07d286SRatan Gupta { 6818a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 6828a07d286SRatan Gupta [asyncResp, username, 6838a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 6848a07d286SRatan Gupta if (ec) 6858a07d286SRatan Gupta { 686*6c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Error occurred in updating the username"; 6878a07d286SRatan Gupta messages::internalError(asyncResp->res); 6888a07d286SRatan Gupta return; 6898a07d286SRatan Gupta } 690*6c51eab1SEd Tanous asyncResp->res.jsonValue[ldapServerElementName]["Authentication"] 691*6c51eab1SEd Tanous ["Username"] = username; 6928a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the username"; 6938a07d286SRatan Gupta }, 6948a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 695*6c51eab1SEd Tanous ldapConfigInterface, "LDAPBindDN", std::variant<std::string>(username)); 6968a07d286SRatan Gupta } 6978a07d286SRatan Gupta 6988a07d286SRatan Gupta /** 6998a07d286SRatan Gupta * @brief updates the LDAP password 7008a07d286SRatan Gupta * @param password : ldap password which needs to be updated. 7018a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7028a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7038a07d286SRatan Gupta * server(openLDAP/ActiveDirectory) 7048a07d286SRatan Gupta */ 7058a07d286SRatan Gupta 706*6c51eab1SEd Tanous void handlePasswordPatch(const std::string& password, 7078d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7088a07d286SRatan Gupta const std::string& ldapServerElementName, 7098a07d286SRatan Gupta const std::string& ldapConfigObject) 7108a07d286SRatan Gupta { 7118a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 7128a07d286SRatan Gupta [asyncResp, password, 7138a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 7148a07d286SRatan Gupta if (ec) 7158a07d286SRatan Gupta { 716*6c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Error occurred in updating the password"; 7178a07d286SRatan Gupta messages::internalError(asyncResp->res); 7188a07d286SRatan Gupta return; 7198a07d286SRatan Gupta } 720*6c51eab1SEd Tanous asyncResp->res.jsonValue[ldapServerElementName]["Authentication"] 721*6c51eab1SEd Tanous ["Password"] = ""; 7228a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the password"; 7238a07d286SRatan Gupta }, 7248a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 7258a07d286SRatan Gupta ldapConfigInterface, "LDAPBindDNPassword", 7268a07d286SRatan Gupta std::variant<std::string>(password)); 7278a07d286SRatan Gupta } 7288a07d286SRatan Gupta 7298a07d286SRatan Gupta /** 7308a07d286SRatan Gupta * @brief updates the LDAP BaseDN and updates the 7318a07d286SRatan Gupta json response with the new value. 7328a07d286SRatan Gupta * @param baseDNList baseDN list which needs to be updated. 7338a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7348a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7358a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7368a07d286SRatan Gupta */ 7378a07d286SRatan Gupta 7388a07d286SRatan Gupta void handleBaseDNPatch(const std::vector<std::string>& baseDNList, 7398d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7408a07d286SRatan Gupta const std::string& ldapServerElementName, 7418a07d286SRatan Gupta const std::string& ldapConfigObject) 7428a07d286SRatan Gupta { 7438a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 7448a07d286SRatan Gupta [asyncResp, baseDNList, 7458a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 7468a07d286SRatan Gupta if (ec) 7478a07d286SRatan Gupta { 748*6c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Error Occurred in Updating the base DN"; 7498a07d286SRatan Gupta messages::internalError(asyncResp->res); 7508a07d286SRatan Gupta return; 7518a07d286SRatan Gupta } 7528a07d286SRatan Gupta auto& serverTypeJson = 7538a07d286SRatan Gupta asyncResp->res.jsonValue[ldapServerElementName]; 7548a07d286SRatan Gupta auto& searchSettingsJson = 7558a07d286SRatan Gupta serverTypeJson["LDAPService"]["SearchSettings"]; 756*6c51eab1SEd Tanous std::vector<std::string> modifiedBaseDNList = {baseDNList.front()}; 757*6c51eab1SEd Tanous searchSettingsJson["BaseDistinguishedNames"] = modifiedBaseDNList; 7588a07d286SRatan Gupta if (baseDNList.size() > 1) 7598a07d286SRatan Gupta { 7608a07d286SRatan Gupta messages::propertyValueModified(asyncResp->res, 7618a07d286SRatan Gupta "BaseDistinguishedNames", 7628a07d286SRatan Gupta baseDNList.front()); 7638a07d286SRatan Gupta } 7648a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the base DN"; 7658a07d286SRatan Gupta }, 7668a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 7678a07d286SRatan Gupta ldapConfigInterface, "LDAPBaseDN", 7688a07d286SRatan Gupta std::variant<std::string>(baseDNList.front())); 7698a07d286SRatan Gupta } 7708a07d286SRatan Gupta /** 7718a07d286SRatan Gupta * @brief updates the LDAP user name attribute and updates the 7728a07d286SRatan Gupta json response with the new value. 7738a07d286SRatan Gupta * @param userNameAttribute attribute to be updated. 7748a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7758a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7768a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7778a07d286SRatan Gupta */ 7788a07d286SRatan Gupta 7798d1b46d7Szhanghch05 void handleUserNameAttrPatch( 7808d1b46d7Szhanghch05 const std::string& userNameAttribute, 7818d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7828a07d286SRatan Gupta const std::string& ldapServerElementName, 7838a07d286SRatan Gupta const std::string& ldapConfigObject) 7848a07d286SRatan Gupta { 7858a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 7868a07d286SRatan Gupta [asyncResp, userNameAttribute, 7878a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 7888a07d286SRatan Gupta if (ec) 7898a07d286SRatan Gupta { 790c61704abSGunnar Mills BMCWEB_LOG_DEBUG << "Error Occurred in Updating the " 7918a07d286SRatan Gupta "username attribute"; 7928a07d286SRatan Gupta messages::internalError(asyncResp->res); 7938a07d286SRatan Gupta return; 7948a07d286SRatan Gupta } 7958a07d286SRatan Gupta auto& serverTypeJson = 7968a07d286SRatan Gupta asyncResp->res.jsonValue[ldapServerElementName]; 7978a07d286SRatan Gupta auto& searchSettingsJson = 7988a07d286SRatan Gupta serverTypeJson["LDAPService"]["SearchSettings"]; 7998a07d286SRatan Gupta searchSettingsJson["UsernameAttribute"] = userNameAttribute; 8008a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the user name attr."; 8018a07d286SRatan Gupta }, 8028a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 8038a07d286SRatan Gupta ldapConfigInterface, "UserNameAttribute", 8048a07d286SRatan Gupta std::variant<std::string>(userNameAttribute)); 8058a07d286SRatan Gupta } 8068a07d286SRatan Gupta /** 8078a07d286SRatan Gupta * @brief updates the LDAP group attribute and updates the 8088a07d286SRatan Gupta json response with the new value. 8098a07d286SRatan Gupta * @param groupsAttribute attribute to be updated. 8108a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 8118a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 8128a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 8138a07d286SRatan Gupta */ 8148a07d286SRatan Gupta 8158d1b46d7Szhanghch05 void handleGroupNameAttrPatch( 8168d1b46d7Szhanghch05 const std::string& groupsAttribute, 8178d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 8188a07d286SRatan Gupta const std::string& ldapServerElementName, 8198a07d286SRatan Gupta const std::string& ldapConfigObject) 8208a07d286SRatan Gupta { 8218a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 8228a07d286SRatan Gupta [asyncResp, groupsAttribute, 8238a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 8248a07d286SRatan Gupta if (ec) 8258a07d286SRatan Gupta { 826c61704abSGunnar Mills BMCWEB_LOG_DEBUG << "Error Occurred in Updating the " 8278a07d286SRatan Gupta "groupname attribute"; 8288a07d286SRatan Gupta messages::internalError(asyncResp->res); 8298a07d286SRatan Gupta return; 8308a07d286SRatan Gupta } 8318a07d286SRatan Gupta auto& serverTypeJson = 8328a07d286SRatan Gupta asyncResp->res.jsonValue[ldapServerElementName]; 8338a07d286SRatan Gupta auto& searchSettingsJson = 8348a07d286SRatan Gupta serverTypeJson["LDAPService"]["SearchSettings"]; 8358a07d286SRatan Gupta searchSettingsJson["GroupsAttribute"] = groupsAttribute; 8368a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the groupname attr"; 8378a07d286SRatan Gupta }, 8388a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 8398a07d286SRatan Gupta ldapConfigInterface, "GroupNameAttribute", 8408a07d286SRatan Gupta std::variant<std::string>(groupsAttribute)); 8418a07d286SRatan Gupta } 8428a07d286SRatan Gupta /** 8438a07d286SRatan Gupta * @brief updates the LDAP service enable and updates the 8448a07d286SRatan Gupta json response with the new value. 8458a07d286SRatan Gupta * @param input JSON data. 8468a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 8478a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 8488a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 8498a07d286SRatan Gupta */ 8508a07d286SRatan Gupta 8518d1b46d7Szhanghch05 void handleServiceEnablePatch( 852*6c51eab1SEd Tanous bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 8538a07d286SRatan Gupta const std::string& ldapServerElementName, 8548a07d286SRatan Gupta const std::string& ldapConfigObject) 8558a07d286SRatan Gupta { 8568a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 8578a07d286SRatan Gupta [asyncResp, serviceEnabled, 8588a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 8598a07d286SRatan Gupta if (ec) 8608a07d286SRatan Gupta { 8618a07d286SRatan Gupta BMCWEB_LOG_DEBUG 862c61704abSGunnar Mills << "Error Occurred in Updating the service enable"; 8638a07d286SRatan Gupta messages::internalError(asyncResp->res); 8648a07d286SRatan Gupta return; 8658a07d286SRatan Gupta } 866*6c51eab1SEd Tanous asyncResp->res.jsonValue[ldapServerElementName]["ServiceEnabled"] = 8678a07d286SRatan Gupta serviceEnabled; 868*6c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Updated Service enable = " << serviceEnabled; 8698a07d286SRatan Gupta }, 8708a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 8718a07d286SRatan Gupta ldapEnableInterface, "Enabled", std::variant<bool>(serviceEnabled)); 8728a07d286SRatan Gupta } 8738a07d286SRatan Gupta 874*6c51eab1SEd Tanous void handleAuthMethodsPatch(nlohmann::json& input, 8758d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 87678158631SZbigniew Kurzynski { 87778158631SZbigniew Kurzynski std::optional<bool> basicAuth; 87878158631SZbigniew Kurzynski std::optional<bool> cookie; 87978158631SZbigniew Kurzynski std::optional<bool> sessionToken; 88078158631SZbigniew Kurzynski std::optional<bool> xToken; 881501f1e58SZbigniew Kurzynski std::optional<bool> tls; 88278158631SZbigniew Kurzynski 88378158631SZbigniew Kurzynski if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth, 88478158631SZbigniew Kurzynski "Cookie", cookie, "SessionToken", sessionToken, 885501f1e58SZbigniew Kurzynski "XToken", xToken, "TLS", tls)) 88678158631SZbigniew Kurzynski { 88778158631SZbigniew Kurzynski BMCWEB_LOG_ERROR << "Cannot read values from AuthMethod tag"; 88878158631SZbigniew Kurzynski return; 88978158631SZbigniew Kurzynski } 89078158631SZbigniew Kurzynski 89178158631SZbigniew Kurzynski // Make a copy of methods configuration 89252cc112dSEd Tanous persistent_data::AuthConfigMethods authMethodsConfig = 89352cc112dSEd Tanous persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 89478158631SZbigniew Kurzynski 89578158631SZbigniew Kurzynski if (basicAuth) 89678158631SZbigniew Kurzynski { 897f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_BASIC_AUTHENTICATION 898f16f6263SAlan Kuo messages::actionNotSupported( 899f16f6263SAlan Kuo asyncResp->res, "Setting BasicAuth when basic-auth feature " 900f16f6263SAlan Kuo "is disabled"); 901f16f6263SAlan Kuo return; 902f16f6263SAlan Kuo #endif 90378158631SZbigniew Kurzynski authMethodsConfig.basic = *basicAuth; 90478158631SZbigniew Kurzynski } 90578158631SZbigniew Kurzynski 90678158631SZbigniew Kurzynski if (cookie) 90778158631SZbigniew Kurzynski { 908f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_COOKIE_AUTHENTICATION 909*6c51eab1SEd Tanous messages::actionNotSupported(asyncResp->res, 910*6c51eab1SEd Tanous "Setting Cookie when cookie-auth feature " 911f16f6263SAlan Kuo "is disabled"); 912f16f6263SAlan Kuo return; 913f16f6263SAlan Kuo #endif 91478158631SZbigniew Kurzynski authMethodsConfig.cookie = *cookie; 91578158631SZbigniew Kurzynski } 91678158631SZbigniew Kurzynski 91778158631SZbigniew Kurzynski if (sessionToken) 91878158631SZbigniew Kurzynski { 919f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_SESSION_AUTHENTICATION 920f16f6263SAlan Kuo messages::actionNotSupported( 921*6c51eab1SEd Tanous asyncResp->res, "Setting SessionToken when session-auth feature " 922f16f6263SAlan Kuo "is disabled"); 923f16f6263SAlan Kuo return; 924f16f6263SAlan Kuo #endif 92578158631SZbigniew Kurzynski authMethodsConfig.sessionToken = *sessionToken; 92678158631SZbigniew Kurzynski } 92778158631SZbigniew Kurzynski 92878158631SZbigniew Kurzynski if (xToken) 92978158631SZbigniew Kurzynski { 930f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION 931*6c51eab1SEd Tanous messages::actionNotSupported(asyncResp->res, 932*6c51eab1SEd Tanous "Setting XToken when xtoken-auth feature " 933f16f6263SAlan Kuo "is disabled"); 934f16f6263SAlan Kuo return; 935f16f6263SAlan Kuo #endif 93678158631SZbigniew Kurzynski authMethodsConfig.xtoken = *xToken; 93778158631SZbigniew Kurzynski } 93878158631SZbigniew Kurzynski 939501f1e58SZbigniew Kurzynski if (tls) 940501f1e58SZbigniew Kurzynski { 941f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION 942*6c51eab1SEd Tanous messages::actionNotSupported(asyncResp->res, 943*6c51eab1SEd Tanous "Setting TLS when mutual-tls-auth feature " 944f16f6263SAlan Kuo "is disabled"); 945f16f6263SAlan Kuo return; 946f16f6263SAlan Kuo #endif 947501f1e58SZbigniew Kurzynski authMethodsConfig.tls = *tls; 948501f1e58SZbigniew Kurzynski } 949501f1e58SZbigniew Kurzynski 95078158631SZbigniew Kurzynski if (!authMethodsConfig.basic && !authMethodsConfig.cookie && 951501f1e58SZbigniew Kurzynski !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken && 952501f1e58SZbigniew Kurzynski !authMethodsConfig.tls) 95378158631SZbigniew Kurzynski { 95478158631SZbigniew Kurzynski // Do not allow user to disable everything 95578158631SZbigniew Kurzynski messages::actionNotSupported(asyncResp->res, 95678158631SZbigniew Kurzynski "of disabling all available methods"); 95778158631SZbigniew Kurzynski return; 95878158631SZbigniew Kurzynski } 95978158631SZbigniew Kurzynski 96052cc112dSEd Tanous persistent_data::SessionStore::getInstance().updateAuthMethodsConfig( 96152cc112dSEd Tanous authMethodsConfig); 96278158631SZbigniew Kurzynski // Save configuration immediately 96352cc112dSEd Tanous persistent_data::getConfig().writeData(); 96478158631SZbigniew Kurzynski 96578158631SZbigniew Kurzynski messages::success(asyncResp->res); 96678158631SZbigniew Kurzynski } 96778158631SZbigniew Kurzynski 9688a07d286SRatan Gupta /** 9698a07d286SRatan Gupta * @brief Get the required values from the given JSON, validates the 9708a07d286SRatan Gupta * value and create the LDAP config object. 9718a07d286SRatan Gupta * @param input JSON data 9728a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 9738a07d286SRatan Gupta * @param serverType Type of LDAP server(openLDAP/ActiveDirectory) 9748a07d286SRatan Gupta */ 9758a07d286SRatan Gupta 976*6c51eab1SEd Tanous inline void handleLDAPPatch(nlohmann::json& input, 9778d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 9788a07d286SRatan Gupta const std::string& serverType) 9798a07d286SRatan Gupta { 980eb2bbe56SRatan Gupta std::string dbusObjectPath; 981eb2bbe56SRatan Gupta if (serverType == "ActiveDirectory") 982eb2bbe56SRatan Gupta { 9832c70f800SEd Tanous dbusObjectPath = adConfigObject; 984eb2bbe56SRatan Gupta } 985eb2bbe56SRatan Gupta else if (serverType == "LDAP") 986eb2bbe56SRatan Gupta { 98723a21a1cSEd Tanous dbusObjectPath = ldapConfigObjectName; 988eb2bbe56SRatan Gupta } 989cb13a392SEd Tanous else 990cb13a392SEd Tanous { 991cb13a392SEd Tanous return; 992cb13a392SEd Tanous } 993eb2bbe56SRatan Gupta 9948a07d286SRatan Gupta std::optional<nlohmann::json> authentication; 9958a07d286SRatan Gupta std::optional<nlohmann::json> ldapService; 9968a07d286SRatan Gupta std::optional<std::vector<std::string>> serviceAddressList; 9978a07d286SRatan Gupta std::optional<bool> serviceEnabled; 9988a07d286SRatan Gupta std::optional<std::vector<std::string>> baseDNList; 9998a07d286SRatan Gupta std::optional<std::string> userNameAttribute; 10008a07d286SRatan Gupta std::optional<std::string> groupsAttribute; 10018a07d286SRatan Gupta std::optional<std::string> userName; 10028a07d286SRatan Gupta std::optional<std::string> password; 100306785244SRatan Gupta std::optional<std::vector<nlohmann::json>> remoteRoleMapData; 10048a07d286SRatan Gupta 10058a07d286SRatan Gupta if (!json_util::readJson(input, asyncResp->res, "Authentication", 10068a07d286SRatan Gupta authentication, "LDAPService", ldapService, 10078a07d286SRatan Gupta "ServiceAddresses", serviceAddressList, 100806785244SRatan Gupta "ServiceEnabled", serviceEnabled, 100906785244SRatan Gupta "RemoteRoleMapping", remoteRoleMapData)) 10108a07d286SRatan Gupta { 10118a07d286SRatan Gupta return; 10128a07d286SRatan Gupta } 10138a07d286SRatan Gupta 10148a07d286SRatan Gupta if (authentication) 10158a07d286SRatan Gupta { 10168a07d286SRatan Gupta parseLDAPAuthenticationJson(*authentication, asyncResp, userName, 10178a07d286SRatan Gupta password); 10188a07d286SRatan Gupta } 10198a07d286SRatan Gupta if (ldapService) 10208a07d286SRatan Gupta { 10218a07d286SRatan Gupta parseLDAPServiceJson(*ldapService, asyncResp, baseDNList, 10228a07d286SRatan Gupta userNameAttribute, groupsAttribute); 10238a07d286SRatan Gupta } 10248a07d286SRatan Gupta if (serviceAddressList) 10258a07d286SRatan Gupta { 10268a07d286SRatan Gupta if ((*serviceAddressList).size() == 0) 10278a07d286SRatan Gupta { 10288a07d286SRatan Gupta messages::propertyValueNotInList(asyncResp->res, "[]", 10298a07d286SRatan Gupta "ServiceAddress"); 10308a07d286SRatan Gupta return; 10318a07d286SRatan Gupta } 10328a07d286SRatan Gupta } 10338a07d286SRatan Gupta if (baseDNList) 10348a07d286SRatan Gupta { 10358a07d286SRatan Gupta if ((*baseDNList).size() == 0) 10368a07d286SRatan Gupta { 10378a07d286SRatan Gupta messages::propertyValueNotInList(asyncResp->res, "[]", 10388a07d286SRatan Gupta "BaseDistinguishedNames"); 10398a07d286SRatan Gupta return; 10408a07d286SRatan Gupta } 10418a07d286SRatan Gupta } 10428a07d286SRatan Gupta 10438a07d286SRatan Gupta // nothing to update, then return 10448a07d286SRatan Gupta if (!userName && !password && !serviceAddressList && !baseDNList && 104506785244SRatan Gupta !userNameAttribute && !groupsAttribute && !serviceEnabled && 104606785244SRatan Gupta !remoteRoleMapData) 10478a07d286SRatan Gupta { 10488a07d286SRatan Gupta return; 10498a07d286SRatan Gupta } 10508a07d286SRatan Gupta 10518a07d286SRatan Gupta // Get the existing resource first then keep modifying 10528a07d286SRatan Gupta // whenever any property gets updated. 1053*6c51eab1SEd Tanous getLDAPConfigData(serverType, [asyncResp, userName, password, baseDNList, 1054*6c51eab1SEd Tanous userNameAttribute, groupsAttribute, 1055*6c51eab1SEd Tanous serviceAddressList, serviceEnabled, 1056*6c51eab1SEd Tanous dbusObjectPath, remoteRoleMapData]( 1057*6c51eab1SEd Tanous bool success, 1058*6c51eab1SEd Tanous const LDAPConfigData& confData, 105923a21a1cSEd Tanous const std::string& serverT) { 10608a07d286SRatan Gupta if (!success) 10618a07d286SRatan Gupta { 10628a07d286SRatan Gupta messages::internalError(asyncResp->res); 10638a07d286SRatan Gupta return; 10648a07d286SRatan Gupta } 1065*6c51eab1SEd Tanous parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT); 10668a07d286SRatan Gupta if (confData.serviceEnabled) 10678a07d286SRatan Gupta { 10688a07d286SRatan Gupta // Disable the service first and update the rest of 10698a07d286SRatan Gupta // the properties. 1070*6c51eab1SEd Tanous handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath); 10718a07d286SRatan Gupta } 10728a07d286SRatan Gupta 10738a07d286SRatan Gupta if (serviceAddressList) 10748a07d286SRatan Gupta { 1075*6c51eab1SEd Tanous handleServiceAddressPatch(*serviceAddressList, asyncResp, serverT, 1076*6c51eab1SEd Tanous dbusObjectPath); 10778a07d286SRatan Gupta } 10788a07d286SRatan Gupta if (userName) 10798a07d286SRatan Gupta { 1080*6c51eab1SEd Tanous handleUserNamePatch(*userName, asyncResp, serverT, dbusObjectPath); 10818a07d286SRatan Gupta } 10828a07d286SRatan Gupta if (password) 10838a07d286SRatan Gupta { 1084*6c51eab1SEd Tanous handlePasswordPatch(*password, asyncResp, serverT, dbusObjectPath); 10858a07d286SRatan Gupta } 10868a07d286SRatan Gupta 10878a07d286SRatan Gupta if (baseDNList) 10888a07d286SRatan Gupta { 1089*6c51eab1SEd Tanous handleBaseDNPatch(*baseDNList, asyncResp, serverT, dbusObjectPath); 10908a07d286SRatan Gupta } 10918a07d286SRatan Gupta if (userNameAttribute) 10928a07d286SRatan Gupta { 1093*6c51eab1SEd Tanous handleUserNameAttrPatch(*userNameAttribute, asyncResp, serverT, 1094*6c51eab1SEd Tanous dbusObjectPath); 10958a07d286SRatan Gupta } 10968a07d286SRatan Gupta if (groupsAttribute) 10978a07d286SRatan Gupta { 1098*6c51eab1SEd Tanous handleGroupNameAttrPatch(*groupsAttribute, asyncResp, serverT, 1099*6c51eab1SEd Tanous dbusObjectPath); 11008a07d286SRatan Gupta } 11018a07d286SRatan Gupta if (serviceEnabled) 11028a07d286SRatan Gupta { 11038a07d286SRatan Gupta // if user has given the value as true then enable 11048a07d286SRatan Gupta // the service. if user has given false then no-op 11058a07d286SRatan Gupta // as service is already stopped. 11068a07d286SRatan Gupta if (*serviceEnabled) 11078a07d286SRatan Gupta { 1108*6c51eab1SEd Tanous handleServiceEnablePatch(*serviceEnabled, asyncResp, serverT, 1109*6c51eab1SEd Tanous dbusObjectPath); 11108a07d286SRatan Gupta } 11118a07d286SRatan Gupta } 11128a07d286SRatan Gupta else 11138a07d286SRatan Gupta { 11148a07d286SRatan Gupta // if user has not given the service enabled value 11158a07d286SRatan Gupta // then revert it to the same state as it was 11168a07d286SRatan Gupta // before. 11178a07d286SRatan Gupta handleServiceEnablePatch(confData.serviceEnabled, asyncResp, 111823a21a1cSEd Tanous serverT, dbusObjectPath); 11198a07d286SRatan Gupta } 112006785244SRatan Gupta 112106785244SRatan Gupta if (remoteRoleMapData) 112206785244SRatan Gupta { 1123*6c51eab1SEd Tanous handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT, 1124*6c51eab1SEd Tanous *remoteRoleMapData); 112506785244SRatan Gupta } 11268a07d286SRatan Gupta }); 11278a07d286SRatan Gupta } 1128d4b5443fSEd Tanous 1129*6c51eab1SEd Tanous inline void updateUserProperties(std::shared_ptr<bmcweb::AsyncResp> asyncResp, 1130*6c51eab1SEd Tanous const std::string& username, 1131*6c51eab1SEd Tanous std::optional<std::string> password, 1132*6c51eab1SEd Tanous std::optional<bool> enabled, 1133*6c51eab1SEd Tanous std::optional<std::string> roleId, 1134*6c51eab1SEd Tanous std::optional<bool> locked) 11351abe55efSEd Tanous { 1136*6c51eab1SEd Tanous std::string dbusObjectPath = "/xyz/openbmc_project/user/" + username; 1137*6c51eab1SEd Tanous dbus::utility::escapePathForDbus(dbusObjectPath); 1138*6c51eab1SEd Tanous 1139*6c51eab1SEd Tanous dbus::utility::checkDbusPathExists( 1140*6c51eab1SEd Tanous dbusObjectPath, 1141*6c51eab1SEd Tanous [dbusObjectPath(std::move(dbusObjectPath)), username, 1142*6c51eab1SEd Tanous password(std::move(password)), roleId(std::move(roleId)), enabled, 1143*6c51eab1SEd Tanous locked, asyncResp{std::move(asyncResp)}](int rc) { 1144*6c51eab1SEd Tanous if (!rc) 1145*6c51eab1SEd Tanous { 1146*6c51eab1SEd Tanous messages::resourceNotFound( 1147*6c51eab1SEd Tanous asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", 1148*6c51eab1SEd Tanous username); 1149*6c51eab1SEd Tanous return; 1150*6c51eab1SEd Tanous } 1151*6c51eab1SEd Tanous 1152*6c51eab1SEd Tanous if (password) 1153*6c51eab1SEd Tanous { 1154*6c51eab1SEd Tanous int retval = pamUpdatePassword(username, *password); 1155*6c51eab1SEd Tanous 1156*6c51eab1SEd Tanous if (retval == PAM_USER_UNKNOWN) 1157*6c51eab1SEd Tanous { 1158*6c51eab1SEd Tanous messages::resourceNotFound( 1159*6c51eab1SEd Tanous asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount", 1160*6c51eab1SEd Tanous username); 1161*6c51eab1SEd Tanous } 1162*6c51eab1SEd Tanous else if (retval == PAM_AUTHTOK_ERR) 1163*6c51eab1SEd Tanous { 1164*6c51eab1SEd Tanous // If password is invalid 1165*6c51eab1SEd Tanous messages::propertyValueFormatError(asyncResp->res, 1166*6c51eab1SEd Tanous *password, "Password"); 1167*6c51eab1SEd Tanous BMCWEB_LOG_ERROR << "pamUpdatePassword Failed"; 1168*6c51eab1SEd Tanous } 1169*6c51eab1SEd Tanous else if (retval != PAM_SUCCESS) 1170*6c51eab1SEd Tanous { 1171*6c51eab1SEd Tanous messages::internalError(asyncResp->res); 1172*6c51eab1SEd Tanous return; 1173*6c51eab1SEd Tanous } 1174*6c51eab1SEd Tanous } 1175*6c51eab1SEd Tanous 1176*6c51eab1SEd Tanous if (enabled) 1177*6c51eab1SEd Tanous { 1178*6c51eab1SEd Tanous crow::connections::systemBus->async_method_call( 1179*6c51eab1SEd Tanous [asyncResp](const boost::system::error_code ec) { 1180*6c51eab1SEd Tanous if (ec) 1181*6c51eab1SEd Tanous { 1182*6c51eab1SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec; 1183*6c51eab1SEd Tanous messages::internalError(asyncResp->res); 1184*6c51eab1SEd Tanous return; 1185*6c51eab1SEd Tanous } 1186*6c51eab1SEd Tanous messages::success(asyncResp->res); 1187*6c51eab1SEd Tanous return; 1188*6c51eab1SEd Tanous }, 1189*6c51eab1SEd Tanous "xyz.openbmc_project.User.Manager", dbusObjectPath.c_str(), 1190*6c51eab1SEd Tanous "org.freedesktop.DBus.Properties", "Set", 1191*6c51eab1SEd Tanous "xyz.openbmc_project.User.Attributes", "UserEnabled", 1192*6c51eab1SEd Tanous std::variant<bool>{*enabled}); 1193*6c51eab1SEd Tanous } 1194*6c51eab1SEd Tanous 1195*6c51eab1SEd Tanous if (roleId) 1196*6c51eab1SEd Tanous { 1197*6c51eab1SEd Tanous std::string priv = getPrivilegeFromRoleId(*roleId); 1198*6c51eab1SEd Tanous if (priv.empty()) 1199*6c51eab1SEd Tanous { 1200*6c51eab1SEd Tanous messages::propertyValueNotInList(asyncResp->res, *roleId, 1201*6c51eab1SEd Tanous "RoleId"); 1202*6c51eab1SEd Tanous return; 1203*6c51eab1SEd Tanous } 1204*6c51eab1SEd Tanous if (priv == "priv-noaccess") 1205*6c51eab1SEd Tanous { 1206*6c51eab1SEd Tanous priv = ""; 1207*6c51eab1SEd Tanous } 1208*6c51eab1SEd Tanous 1209*6c51eab1SEd Tanous crow::connections::systemBus->async_method_call( 1210*6c51eab1SEd Tanous [asyncResp](const boost::system::error_code ec) { 1211*6c51eab1SEd Tanous if (ec) 1212*6c51eab1SEd Tanous { 1213*6c51eab1SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec; 1214*6c51eab1SEd Tanous messages::internalError(asyncResp->res); 1215*6c51eab1SEd Tanous return; 1216*6c51eab1SEd Tanous } 1217*6c51eab1SEd Tanous messages::success(asyncResp->res); 1218*6c51eab1SEd Tanous }, 1219*6c51eab1SEd Tanous "xyz.openbmc_project.User.Manager", dbusObjectPath.c_str(), 1220*6c51eab1SEd Tanous "org.freedesktop.DBus.Properties", "Set", 1221*6c51eab1SEd Tanous "xyz.openbmc_project.User.Attributes", "UserPrivilege", 1222*6c51eab1SEd Tanous std::variant<std::string>{priv}); 1223*6c51eab1SEd Tanous } 1224*6c51eab1SEd Tanous 1225*6c51eab1SEd Tanous if (locked) 1226*6c51eab1SEd Tanous { 1227*6c51eab1SEd Tanous // admin can unlock the account which is locked by 1228*6c51eab1SEd Tanous // successive authentication failures but admin should 1229*6c51eab1SEd Tanous // not be allowed to lock an account. 1230*6c51eab1SEd Tanous if (*locked) 1231*6c51eab1SEd Tanous { 1232*6c51eab1SEd Tanous messages::propertyValueNotInList(asyncResp->res, "true", 1233*6c51eab1SEd Tanous "Locked"); 1234*6c51eab1SEd Tanous return; 1235*6c51eab1SEd Tanous } 1236*6c51eab1SEd Tanous 1237*6c51eab1SEd Tanous crow::connections::systemBus->async_method_call( 1238*6c51eab1SEd Tanous [asyncResp](const boost::system::error_code ec) { 1239*6c51eab1SEd Tanous if (ec) 1240*6c51eab1SEd Tanous { 1241*6c51eab1SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec; 1242*6c51eab1SEd Tanous messages::internalError(asyncResp->res); 1243*6c51eab1SEd Tanous return; 1244*6c51eab1SEd Tanous } 1245*6c51eab1SEd Tanous messages::success(asyncResp->res); 1246*6c51eab1SEd Tanous return; 1247*6c51eab1SEd Tanous }, 1248*6c51eab1SEd Tanous "xyz.openbmc_project.User.Manager", dbusObjectPath.c_str(), 1249*6c51eab1SEd Tanous "org.freedesktop.DBus.Properties", "Set", 1250*6c51eab1SEd Tanous "xyz.openbmc_project.User.Attributes", 1251*6c51eab1SEd Tanous "UserLockedForFailedAttempt", std::variant<bool>{*locked}); 1252*6c51eab1SEd Tanous } 1253*6c51eab1SEd Tanous }); 1254*6c51eab1SEd Tanous } 1255*6c51eab1SEd Tanous 1256*6c51eab1SEd Tanous inline void requestAccountServiceRoutes(App& app) 1257*6c51eab1SEd Tanous { 1258*6c51eab1SEd Tanous 1259*6c51eab1SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 1260*6c51eab1SEd Tanous .privileges({{"Login"}}) 1261*6c51eab1SEd Tanous .methods( 1262*6c51eab1SEd Tanous boost::beast::http::verb::get)([](const crow::Request& /* req */, 1263*6c51eab1SEd Tanous const std::shared_ptr< 1264*6c51eab1SEd Tanous bmcweb::AsyncResp>& asyncResp) 1265*6c51eab1SEd Tanous -> void { 126652cc112dSEd Tanous const persistent_data::AuthConfigMethods& authMethodsConfig = 1267*6c51eab1SEd Tanous persistent_data::SessionStore::getInstance() 1268*6c51eab1SEd Tanous .getAuthMethodsConfig(); 126978158631SZbigniew Kurzynski 12708d1b46d7Szhanghch05 asyncResp->res.jsonValue = { 12713d958bbcSAppaRao Puli {"@odata.id", "/redfish/v1/AccountService"}, 12723d958bbcSAppaRao Puli {"@odata.type", "#AccountService." 1273ba9dd4a8SGunnar Mills "v1_5_0.AccountService"}, 12743d958bbcSAppaRao Puli {"Id", "AccountService"}, 12753d958bbcSAppaRao Puli {"Name", "Account Service"}, 12763d958bbcSAppaRao Puli {"Description", "Account Service"}, 12773d958bbcSAppaRao Puli {"ServiceEnabled", true}, 1278343ff2e1SAppaRao Puli {"MaxPasswordLength", 20}, 12793d958bbcSAppaRao Puli {"Accounts", 12803d958bbcSAppaRao Puli {{"@odata.id", "/redfish/v1/AccountService/Accounts"}}}, 128137cce918SMarri Devender Rao {"Roles", {{"@odata.id", "/redfish/v1/AccountService/Roles"}}}, 128278158631SZbigniew Kurzynski {"Oem", 128378158631SZbigniew Kurzynski {{"OpenBMC", 128478158631SZbigniew Kurzynski {{"@odata.type", "#OemAccountService.v1_0_0.AccountService"}, 128578158631SZbigniew Kurzynski {"AuthMethods", 128678158631SZbigniew Kurzynski { 128778158631SZbigniew Kurzynski {"BasicAuth", authMethodsConfig.basic}, 128878158631SZbigniew Kurzynski {"SessionToken", authMethodsConfig.sessionToken}, 128978158631SZbigniew Kurzynski {"XToken", authMethodsConfig.xtoken}, 129078158631SZbigniew Kurzynski {"Cookie", authMethodsConfig.cookie}, 1291501f1e58SZbigniew Kurzynski {"TLS", authMethodsConfig.tls}, 129278158631SZbigniew Kurzynski }}}}}}, 129337cce918SMarri Devender Rao {"LDAP", 129437cce918SMarri Devender Rao {{"Certificates", 129537cce918SMarri Devender Rao {{"@odata.id", 129637cce918SMarri Devender Rao "/redfish/v1/AccountService/LDAP/Certificates"}}}}}}; 12973d958bbcSAppaRao Puli crow::connections::systemBus->async_method_call( 12983d958bbcSAppaRao Puli [asyncResp]( 12993d958bbcSAppaRao Puli const boost::system::error_code ec, 1300*6c51eab1SEd Tanous const std::vector< 1301*6c51eab1SEd Tanous std::pair<std::string, 1302*6c51eab1SEd Tanous std::variant<uint32_t, uint16_t, uint8_t>>>& 13033d958bbcSAppaRao Puli propertiesList) { 13043d958bbcSAppaRao Puli if (ec) 13053d958bbcSAppaRao Puli { 13063d958bbcSAppaRao Puli messages::internalError(asyncResp->res); 13073d958bbcSAppaRao Puli return; 13083d958bbcSAppaRao Puli } 13093d958bbcSAppaRao Puli BMCWEB_LOG_DEBUG << "Got " << propertiesList.size() 13103d958bbcSAppaRao Puli << "properties for AccountService"; 13113d958bbcSAppaRao Puli for (const std::pair<std::string, 1312*6c51eab1SEd Tanous std::variant<uint32_t, uint16_t, 1313*6c51eab1SEd Tanous uint8_t>>& property : 1314*6c51eab1SEd Tanous propertiesList) 13153d958bbcSAppaRao Puli { 13163d958bbcSAppaRao Puli if (property.first == "MinPasswordLength") 13173d958bbcSAppaRao Puli { 13183d958bbcSAppaRao Puli const uint8_t* value = 1319abf2add6SEd Tanous std::get_if<uint8_t>(&property.second); 13203d958bbcSAppaRao Puli if (value != nullptr) 13213d958bbcSAppaRao Puli { 13223d958bbcSAppaRao Puli asyncResp->res.jsonValue["MinPasswordLength"] = 13233d958bbcSAppaRao Puli *value; 13243d958bbcSAppaRao Puli } 13253d958bbcSAppaRao Puli } 13263d958bbcSAppaRao Puli if (property.first == "AccountUnlockTimeout") 13273d958bbcSAppaRao Puli { 13283d958bbcSAppaRao Puli const uint32_t* value = 1329abf2add6SEd Tanous std::get_if<uint32_t>(&property.second); 13303d958bbcSAppaRao Puli if (value != nullptr) 13313d958bbcSAppaRao Puli { 1332*6c51eab1SEd Tanous asyncResp->res 1333*6c51eab1SEd Tanous .jsonValue["AccountLockoutDuration"] = 13343d958bbcSAppaRao Puli *value; 13353d958bbcSAppaRao Puli } 13363d958bbcSAppaRao Puli } 13373d958bbcSAppaRao Puli if (property.first == "MaxLoginAttemptBeforeLockout") 13383d958bbcSAppaRao Puli { 13393d958bbcSAppaRao Puli const uint16_t* value = 1340abf2add6SEd Tanous std::get_if<uint16_t>(&property.second); 13413d958bbcSAppaRao Puli if (value != nullptr) 13423d958bbcSAppaRao Puli { 13433d958bbcSAppaRao Puli asyncResp->res 1344*6c51eab1SEd Tanous .jsonValue["AccountLockoutThreshold"] = 1345*6c51eab1SEd Tanous *value; 13463d958bbcSAppaRao Puli } 13473d958bbcSAppaRao Puli } 13483d958bbcSAppaRao Puli } 13493d958bbcSAppaRao Puli }, 13503d958bbcSAppaRao Puli "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 13513d958bbcSAppaRao Puli "org.freedesktop.DBus.Properties", "GetAll", 13523d958bbcSAppaRao Puli "xyz.openbmc_project.User.AccountPolicy"); 13536973a582SRatan Gupta 1354ab828d7cSRatan Gupta auto callback = [asyncResp](bool success, LDAPConfigData& confData, 1355ab828d7cSRatan Gupta const std::string& ldapType) { 1356cb13a392SEd Tanous if (!success) 1357cb13a392SEd Tanous { 1358cb13a392SEd Tanous return; 1359cb13a392SEd Tanous } 1360*6c51eab1SEd Tanous parseLDAPConfigData(asyncResp->res.jsonValue, confData, 1361*6c51eab1SEd Tanous ldapType); 1362ab828d7cSRatan Gupta }; 1363ab828d7cSRatan Gupta 1364ab828d7cSRatan Gupta getLDAPConfigData("LDAP", callback); 1365ab828d7cSRatan Gupta getLDAPConfigData("ActiveDirectory", callback); 1366*6c51eab1SEd Tanous }); 13676973a582SRatan Gupta 1368*6c51eab1SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 1369f365910cSGunnar Mills // According to the PrivilegeRegistry, GET should actually be 1370f365910cSGunnar Mills // "Login". A "Login" only privilege would return an empty "Members" 1371f365910cSGunnar Mills // list. Not going to worry about this since none of the defined 1372f365910cSGunnar Mills // roles are just "Login". E.g. Readonly is {"Login", 1373f365910cSGunnar Mills // "ConfigureSelf"}. In the rare event anyone defines a role that 1374f365910cSGunnar Mills // has Login but not ConfigureSelf, implement this. 1375*6c51eab1SEd Tanous .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}}) 1376*6c51eab1SEd Tanous .methods(boost::beast::http::verb::get)( 1377*6c51eab1SEd Tanous [](const crow::Request& req, 1378*6c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) -> void { 13798d1b46d7Szhanghch05 asyncResp->res.jsonValue = { 13808d1b46d7Szhanghch05 {"@odata.id", "/redfish/v1/AccountService/Accounts"}, 13810f74e643SEd Tanous {"@odata.type", "#ManagerAccountCollection." 13820f74e643SEd Tanous "ManagerAccountCollection"}, 13830f74e643SEd Tanous {"Name", "Accounts Collection"}, 13840f74e643SEd Tanous {"Description", "BMC User Accounts"}}; 13850f74e643SEd Tanous 1386*6c51eab1SEd Tanous Privileges requiredPermissionsToSeeNonSelf = { 1387*6c51eab1SEd Tanous {"ConfigureUsers"}}; 1388*6c51eab1SEd Tanous Privileges effectiveUserPrivileges = 1389*6c51eab1SEd Tanous redfish::getUserPrivileges(req.userRole); 1390*6c51eab1SEd Tanous bool userCanSeeAllAccounts = 1391*6c51eab1SEd Tanous effectiveUserPrivileges.isSupersetOf( 1392*6c51eab1SEd Tanous requiredPermissionsToSeeNonSelf); 1393*6c51eab1SEd Tanous 1394*6c51eab1SEd Tanous std::string thisUser = req.session->username; 1395*6c51eab1SEd Tanous 1396b9b2e0b2SEd Tanous crow::connections::systemBus->async_method_call( 1397*6c51eab1SEd Tanous [asyncResp, userCanSeeAllAccounts, 1398*6c51eab1SEd Tanous thisUser](const boost::system::error_code ec, 1399b9b2e0b2SEd Tanous const ManagedObjectType& users) { 1400b9b2e0b2SEd Tanous if (ec) 1401b9b2e0b2SEd Tanous { 1402f12894f8SJason M. Bills messages::internalError(asyncResp->res); 1403b9b2e0b2SEd Tanous return; 1404b9b2e0b2SEd Tanous } 1405b9b2e0b2SEd Tanous 1406b9b2e0b2SEd Tanous nlohmann::json& memberArray = 1407b9b2e0b2SEd Tanous asyncResp->res.jsonValue["Members"]; 1408b9b2e0b2SEd Tanous memberArray = nlohmann::json::array(); 1409b9b2e0b2SEd Tanous 14102dfd18efSEd Tanous for (auto& userpath : users) 1411b9b2e0b2SEd Tanous { 14122dfd18efSEd Tanous std::string user = userpath.first.filename(); 14132dfd18efSEd Tanous if (user.empty()) 1414b9b2e0b2SEd Tanous { 14152dfd18efSEd Tanous messages::internalError(asyncResp->res); 14162dfd18efSEd Tanous BMCWEB_LOG_ERROR << "Invalid firmware ID"; 14172dfd18efSEd Tanous 14182dfd18efSEd Tanous return; 1419b9b2e0b2SEd Tanous } 1420f365910cSGunnar Mills 1421f365910cSGunnar Mills // As clarified by Redfish here: 1422f365910cSGunnar Mills // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration 1423*6c51eab1SEd Tanous // Users without ConfigureUsers, only see their own 1424*6c51eab1SEd Tanous // account. Users with ConfigureUsers, see all 1425*6c51eab1SEd Tanous // accounts. 1426*6c51eab1SEd Tanous if (thisUser == user || userCanSeeAllAccounts) 1427f365910cSGunnar Mills { 1428b9b2e0b2SEd Tanous memberArray.push_back( 1429f365910cSGunnar Mills {{"@odata.id", 1430*6c51eab1SEd Tanous "/redfish/v1/AccountService/Accounts/" + 1431*6c51eab1SEd Tanous user}}); 1432b9b2e0b2SEd Tanous } 1433f365910cSGunnar Mills } 1434f365910cSGunnar Mills asyncResp->res.jsonValue["Members@odata.count"] = 1435f365910cSGunnar Mills memberArray.size(); 1436b9b2e0b2SEd Tanous }, 1437*6c51eab1SEd Tanous "xyz.openbmc_project.User.Manager", 1438*6c51eab1SEd Tanous "/xyz/openbmc_project/user", 1439b9b2e0b2SEd Tanous "org.freedesktop.DBus.ObjectManager", "GetManagedObjects"); 1440*6c51eab1SEd Tanous }); 1441*6c51eab1SEd Tanous 1442*6c51eab1SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 1443*6c51eab1SEd Tanous .privileges({{"ConfigureUsers"}}) 1444*6c51eab1SEd Tanous .methods(boost::beast::http::verb::post)([](const crow::Request& req, 1445*6c51eab1SEd Tanous const std::shared_ptr< 1446*6c51eab1SEd Tanous bmcweb::AsyncResp>& 1447*6c51eab1SEd Tanous asyncResp) -> void { 14489712f8acSEd Tanous std::string username; 14499712f8acSEd Tanous std::string password; 1450a24526dcSEd Tanous std::optional<std::string> roleId("User"); 1451a24526dcSEd Tanous std::optional<bool> enabled = true; 14528d1b46d7Szhanghch05 if (!json_util::readJson(req, asyncResp->res, "UserName", username, 14538d1b46d7Szhanghch05 "Password", password, "RoleId", roleId, 14548d1b46d7Szhanghch05 "Enabled", enabled)) 145504ae99ecSEd Tanous { 145604ae99ecSEd Tanous return; 145704ae99ecSEd Tanous } 145804ae99ecSEd Tanous 145954fc587aSNagaraju Goruganti std::string priv = getPrivilegeFromRoleId(*roleId); 146084e12cb7SAppaRao Puli if (priv.empty()) 146104ae99ecSEd Tanous { 1462*6c51eab1SEd Tanous messages::propertyValueNotInList(asyncResp->res, *roleId, 1463*6c51eab1SEd Tanous "RoleId"); 146404ae99ecSEd Tanous return; 146504ae99ecSEd Tanous } 146696200606Sjayaprakash Mutyala // TODO: Following override will be reverted once support in 1467*6c51eab1SEd Tanous // phosphor-user-manager is added. In order to avoid dependency 1468*6c51eab1SEd Tanous // issues, this is added in bmcweb, which will removed, once 146996200606Sjayaprakash Mutyala // phosphor-user-manager supports priv-noaccess. 147096200606Sjayaprakash Mutyala if (priv == "priv-noaccess") 147196200606Sjayaprakash Mutyala { 147296200606Sjayaprakash Mutyala roleId = ""; 147396200606Sjayaprakash Mutyala } 147496200606Sjayaprakash Mutyala else 147596200606Sjayaprakash Mutyala { 14769712f8acSEd Tanous roleId = priv; 147796200606Sjayaprakash Mutyala } 147804ae99ecSEd Tanous 1479599c71d8SAyushi Smriti // Reading AllGroups property 1480599c71d8SAyushi Smriti crow::connections::systemBus->async_method_call( 1481599c71d8SAyushi Smriti [asyncResp, username, password{std::move(password)}, roleId, 1482*6c51eab1SEd Tanous enabled]( 1483*6c51eab1SEd Tanous const boost::system::error_code ec, 1484599c71d8SAyushi Smriti const std::variant<std::vector<std::string>>& allGroups) { 1485599c71d8SAyushi Smriti if (ec) 1486599c71d8SAyushi Smriti { 1487599c71d8SAyushi Smriti BMCWEB_LOG_DEBUG << "ERROR with async_method_call"; 1488599c71d8SAyushi Smriti messages::internalError(asyncResp->res); 1489599c71d8SAyushi Smriti return; 1490599c71d8SAyushi Smriti } 1491599c71d8SAyushi Smriti 1492599c71d8SAyushi Smriti const std::vector<std::string>* allGroupsList = 1493599c71d8SAyushi Smriti std::get_if<std::vector<std::string>>(&allGroups); 1494599c71d8SAyushi Smriti 1495599c71d8SAyushi Smriti if (allGroupsList == nullptr || allGroupsList->empty()) 1496599c71d8SAyushi Smriti { 1497599c71d8SAyushi Smriti messages::internalError(asyncResp->res); 1498599c71d8SAyushi Smriti return; 1499599c71d8SAyushi Smriti } 1500599c71d8SAyushi Smriti 150104ae99ecSEd Tanous crow::connections::systemBus->async_method_call( 1502f23b7296SEd Tanous [asyncResp, username, 1503f23b7296SEd Tanous password](const boost::system::error_code ec2, 15040d4197e0Sanil kumar appana sdbusplus::message::message& m) { 150523a21a1cSEd Tanous if (ec2) 150604ae99ecSEd Tanous { 1507*6c51eab1SEd Tanous userErrorMessageHandler( 1508*6c51eab1SEd Tanous m.get_error(), asyncResp, username, ""); 150904ae99ecSEd Tanous return; 151004ae99ecSEd Tanous } 151104ae99ecSEd Tanous 151266b5ca76Sjayaprakash Mutyala if (pamUpdatePassword(username, password) != 151366b5ca76Sjayaprakash Mutyala PAM_SUCCESS) 151404ae99ecSEd Tanous { 1515*6c51eab1SEd Tanous // At this point we have a user that's been 1516*6c51eab1SEd Tanous // created, but the password set 1517*6c51eab1SEd Tanous // failed.Something is wrong, so delete the user 1518*6c51eab1SEd Tanous // that we've already created 151904ae99ecSEd Tanous crow::connections::systemBus->async_method_call( 152023a21a1cSEd Tanous [asyncResp, password]( 152123a21a1cSEd Tanous const boost::system::error_code ec3) { 152223a21a1cSEd Tanous if (ec3) 152304ae99ecSEd Tanous { 1524*6c51eab1SEd Tanous messages::internalError( 1525*6c51eab1SEd Tanous asyncResp->res); 152604ae99ecSEd Tanous return; 152704ae99ecSEd Tanous } 152804ae99ecSEd Tanous 15290d4197e0Sanil kumar appana // If password is invalid 15300d4197e0Sanil kumar appana messages::propertyValueFormatError( 1531*6c51eab1SEd Tanous asyncResp->res, password, 1532*6c51eab1SEd Tanous "Password"); 153304ae99ecSEd Tanous }, 153404ae99ecSEd Tanous "xyz.openbmc_project.User.Manager", 153504ae99ecSEd Tanous "/xyz/openbmc_project/user/" + username, 1536*6c51eab1SEd Tanous "xyz.openbmc_project.Object.Delete", 1537*6c51eab1SEd Tanous "Delete"); 153804ae99ecSEd Tanous 153904ae99ecSEd Tanous BMCWEB_LOG_ERROR << "pamUpdatePassword Failed"; 154004ae99ecSEd Tanous return; 154104ae99ecSEd Tanous } 154204ae99ecSEd Tanous 1543f12894f8SJason M. Bills messages::created(asyncResp->res); 154404ae99ecSEd Tanous asyncResp->res.addHeader( 154504ae99ecSEd Tanous "Location", 1546*6c51eab1SEd Tanous "/redfish/v1/AccountService/Accounts/" + 1547*6c51eab1SEd Tanous username); 154804ae99ecSEd Tanous }, 1549599c71d8SAyushi Smriti "xyz.openbmc_project.User.Manager", 1550599c71d8SAyushi Smriti "/xyz/openbmc_project/user", 1551*6c51eab1SEd Tanous "xyz.openbmc_project.User.Manager", "CreateUser", 1552*6c51eab1SEd Tanous username, *allGroupsList, *roleId, *enabled); 1553599c71d8SAyushi Smriti }, 1554599c71d8SAyushi Smriti "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1555599c71d8SAyushi Smriti "org.freedesktop.DBus.Properties", "Get", 1556599c71d8SAyushi Smriti "xyz.openbmc_project.User.Manager", "AllGroups"); 1557*6c51eab1SEd Tanous }); 1558b9b2e0b2SEd Tanous 1559*6c51eab1SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 1560*6c51eab1SEd Tanous .privileges( 1561*6c51eab1SEd Tanous {{"ConfigureUsers"}, {"ConfigureManager"}, {"ConfigureSelf"}}) 1562*6c51eab1SEd Tanous .methods( 1563*6c51eab1SEd Tanous boost::beast::http::verb:: 1564*6c51eab1SEd Tanous get)([](const crow::Request& req, 1565*6c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 1566*6c51eab1SEd Tanous const std::string& accountName) -> void { 1567*6c51eab1SEd Tanous if (req.session->username != accountName) 1568b9b2e0b2SEd Tanous { 1569*6c51eab1SEd Tanous // At this point we've determined that the user is trying to 1570*6c51eab1SEd Tanous // modify a user that isn't them. We need to verify that they 1571*6c51eab1SEd Tanous // have permissions to modify other users, so re-run the auth 1572*6c51eab1SEd Tanous // check with the same permissions, minus ConfigureSelf. 1573*6c51eab1SEd Tanous Privileges effectiveUserPrivileges = 1574*6c51eab1SEd Tanous redfish::getUserPrivileges(req.userRole); 1575*6c51eab1SEd Tanous Privileges requiredPermissionsToChangeNonSelf = { 1576*6c51eab1SEd Tanous {"ConfigureUsers"}, {"ConfigureManager"}}; 1577*6c51eab1SEd Tanous if (!effectiveUserPrivileges.isSupersetOf( 1578*6c51eab1SEd Tanous requiredPermissionsToChangeNonSelf)) 1579900f9497SJoseph Reynolds { 1580900f9497SJoseph Reynolds BMCWEB_LOG_DEBUG << "GET Account denied access"; 1581900f9497SJoseph Reynolds messages::insufficientPrivilege(asyncResp->res); 1582900f9497SJoseph Reynolds return; 1583900f9497SJoseph Reynolds } 1584900f9497SJoseph Reynolds } 1585900f9497SJoseph Reynolds 1586b9b2e0b2SEd Tanous crow::connections::systemBus->async_method_call( 1587*6c51eab1SEd Tanous [asyncResp, accountName](const boost::system::error_code ec, 1588b9b2e0b2SEd Tanous const ManagedObjectType& users) { 1589b9b2e0b2SEd Tanous if (ec) 1590b9b2e0b2SEd Tanous { 1591f12894f8SJason M. Bills messages::internalError(asyncResp->res); 1592b9b2e0b2SEd Tanous return; 1593b9b2e0b2SEd Tanous } 159484e12cb7SAppaRao Puli auto userIt = users.begin(); 1595b9b2e0b2SEd Tanous 159684e12cb7SAppaRao Puli for (; userIt != users.end(); userIt++) 1597b9b2e0b2SEd Tanous { 1598*6c51eab1SEd Tanous if (boost::ends_with(userIt->first.str, 1599*6c51eab1SEd Tanous "/" + accountName)) 1600b9b2e0b2SEd Tanous { 160184e12cb7SAppaRao Puli break; 1602b9b2e0b2SEd Tanous } 1603b9b2e0b2SEd Tanous } 160484e12cb7SAppaRao Puli if (userIt == users.end()) 1605b9b2e0b2SEd Tanous { 1606*6c51eab1SEd Tanous messages::resourceNotFound( 1607*6c51eab1SEd Tanous asyncResp->res, "ManagerAccount", accountName); 160884e12cb7SAppaRao Puli return; 160984e12cb7SAppaRao Puli } 16104e68c45bSAyushi Smriti 16114e68c45bSAyushi Smriti asyncResp->res.jsonValue = { 1612*6c51eab1SEd Tanous {"@odata.type", 1613*6c51eab1SEd Tanous "#ManagerAccount.v1_4_0.ManagerAccount"}, 16144e68c45bSAyushi Smriti {"Name", "User Account"}, 16154e68c45bSAyushi Smriti {"Description", "User Account"}, 16168114bd4dSGunnar Mills {"Password", nullptr}, 16178114bd4dSGunnar Mills {"AccountTypes", {"Redfish"}}}; 16184e68c45bSAyushi Smriti 161984e12cb7SAppaRao Puli for (const auto& interface : userIt->second) 162065b0dc32SEd Tanous { 162165b0dc32SEd Tanous if (interface.first == 162265b0dc32SEd Tanous "xyz.openbmc_project.User.Attributes") 162365b0dc32SEd Tanous { 162465b0dc32SEd Tanous for (const auto& property : interface.second) 162565b0dc32SEd Tanous { 162665b0dc32SEd Tanous if (property.first == "UserEnabled") 162765b0dc32SEd Tanous { 162865b0dc32SEd Tanous const bool* userEnabled = 1629abf2add6SEd Tanous std::get_if<bool>(&property.second); 163065b0dc32SEd Tanous if (userEnabled == nullptr) 163165b0dc32SEd Tanous { 163265b0dc32SEd Tanous BMCWEB_LOG_ERROR 163365b0dc32SEd Tanous << "UserEnabled wasn't a bool"; 163484e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 163584e12cb7SAppaRao Puli return; 163665b0dc32SEd Tanous } 163765b0dc32SEd Tanous asyncResp->res.jsonValue["Enabled"] = 163865b0dc32SEd Tanous *userEnabled; 163965b0dc32SEd Tanous } 164065b0dc32SEd Tanous else if (property.first == 164165b0dc32SEd Tanous "UserLockedForFailedAttempt") 164265b0dc32SEd Tanous { 164365b0dc32SEd Tanous const bool* userLocked = 1644abf2add6SEd Tanous std::get_if<bool>(&property.second); 164565b0dc32SEd Tanous if (userLocked == nullptr) 164665b0dc32SEd Tanous { 164784e12cb7SAppaRao Puli BMCWEB_LOG_ERROR << "UserLockedForF" 164884e12cb7SAppaRao Puli "ailedAttempt " 164984e12cb7SAppaRao Puli "wasn't a bool"; 165084e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 165184e12cb7SAppaRao Puli return; 165265b0dc32SEd Tanous } 165365b0dc32SEd Tanous asyncResp->res.jsonValue["Locked"] = 165465b0dc32SEd Tanous *userLocked; 165524c8542dSRatan Gupta asyncResp->res.jsonValue 165624c8542dSRatan Gupta ["Locked@Redfish.AllowableValues"] = { 16573bf4e632SJoseph Reynolds "false"}; // can only unlock accounts 165865b0dc32SEd Tanous } 165984e12cb7SAppaRao Puli else if (property.first == "UserPrivilege") 166084e12cb7SAppaRao Puli { 166154fc587aSNagaraju Goruganti const std::string* userPrivPtr = 1662*6c51eab1SEd Tanous std::get_if<std::string>( 1663*6c51eab1SEd Tanous &property.second); 166454fc587aSNagaraju Goruganti if (userPrivPtr == nullptr) 166584e12cb7SAppaRao Puli { 166684e12cb7SAppaRao Puli BMCWEB_LOG_ERROR 166784e12cb7SAppaRao Puli << "UserPrivilege wasn't a " 166884e12cb7SAppaRao Puli "string"; 166984e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 167084e12cb7SAppaRao Puli return; 167184e12cb7SAppaRao Puli } 167254fc587aSNagaraju Goruganti std::string role = 167354fc587aSNagaraju Goruganti getRoleIdFromPrivilege(*userPrivPtr); 167454fc587aSNagaraju Goruganti if (role.empty()) 167584e12cb7SAppaRao Puli { 167684e12cb7SAppaRao Puli BMCWEB_LOG_ERROR << "Invalid user role"; 167784e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 167884e12cb7SAppaRao Puli return; 167984e12cb7SAppaRao Puli } 168054fc587aSNagaraju Goruganti asyncResp->res.jsonValue["RoleId"] = role; 168184e12cb7SAppaRao Puli 1682*6c51eab1SEd Tanous asyncResp->res.jsonValue["Links"]["Role"] = 1683*6c51eab1SEd Tanous {{"@odata.id", 1684*6c51eab1SEd Tanous "/redfish/v1/AccountService/" 168584e12cb7SAppaRao Puli "Roles/" + 168654fc587aSNagaraju Goruganti role}}; 168784e12cb7SAppaRao Puli } 1688*6c51eab1SEd Tanous else if (property.first == 1689*6c51eab1SEd Tanous "UserPasswordExpired") 16903bf4e632SJoseph Reynolds { 16913bf4e632SJoseph Reynolds const bool* userPasswordExpired = 16923bf4e632SJoseph Reynolds std::get_if<bool>(&property.second); 16933bf4e632SJoseph Reynolds if (userPasswordExpired == nullptr) 16943bf4e632SJoseph Reynolds { 16953bf4e632SJoseph Reynolds BMCWEB_LOG_ERROR << "UserPassword" 16963bf4e632SJoseph Reynolds "Expired " 16973bf4e632SJoseph Reynolds "wasn't a bool"; 16983bf4e632SJoseph Reynolds messages::internalError(asyncResp->res); 16993bf4e632SJoseph Reynolds return; 17003bf4e632SJoseph Reynolds } 17013bf4e632SJoseph Reynolds asyncResp->res 17023bf4e632SJoseph Reynolds .jsonValue["PasswordChangeRequired"] = 17033bf4e632SJoseph Reynolds *userPasswordExpired; 17043bf4e632SJoseph Reynolds } 170565b0dc32SEd Tanous } 170665b0dc32SEd Tanous } 170765b0dc32SEd Tanous } 170865b0dc32SEd Tanous 1709b9b2e0b2SEd Tanous asyncResp->res.jsonValue["@odata.id"] = 171084e12cb7SAppaRao Puli "/redfish/v1/AccountService/Accounts/" + accountName; 1711b9b2e0b2SEd Tanous asyncResp->res.jsonValue["Id"] = accountName; 1712b9b2e0b2SEd Tanous asyncResp->res.jsonValue["UserName"] = accountName; 1713b9b2e0b2SEd Tanous }, 1714b9b2e0b2SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1715b9b2e0b2SEd Tanous "org.freedesktop.DBus.ObjectManager", "GetManagedObjects"); 1716*6c51eab1SEd Tanous }); 1717a840879dSEd Tanous 1718*6c51eab1SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 1719*6c51eab1SEd Tanous .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}}) 1720*6c51eab1SEd Tanous .methods(boost::beast::http::verb::patch)( 1721*6c51eab1SEd Tanous [](const crow::Request& req, 1722*6c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 1723*6c51eab1SEd Tanous const std::string& username) -> void { 1724a24526dcSEd Tanous std::optional<std::string> newUserName; 1725a24526dcSEd Tanous std::optional<std::string> password; 1726a24526dcSEd Tanous std::optional<bool> enabled; 1727a24526dcSEd Tanous std::optional<std::string> roleId; 172824c8542dSRatan Gupta std::optional<bool> locked; 1729*6c51eab1SEd Tanous if (!json_util::readJson(req, asyncResp->res, "UserName", 1730*6c51eab1SEd Tanous newUserName, "Password", password, 1731*6c51eab1SEd Tanous "RoleId", roleId, "Enabled", enabled, 1732*6c51eab1SEd Tanous "Locked", locked)) 1733a840879dSEd Tanous { 1734a840879dSEd Tanous return; 1735a840879dSEd Tanous } 1736a840879dSEd Tanous 1737900f9497SJoseph Reynolds // Perform a proper ConfigureSelf authority check. If the 1738900f9497SJoseph Reynolds // session is being used to PATCH a property other than 1739900f9497SJoseph Reynolds // Password, then the ConfigureSelf privilege does not apply. 1740900f9497SJoseph Reynolds // If the user is operating on an account not their own, then 1741900f9497SJoseph Reynolds // their ConfigureSelf privilege does not apply. In either 1742900f9497SJoseph Reynolds // case, perform the authority check again without the user's 1743900f9497SJoseph Reynolds // ConfigureSelf privilege. 1744*6c51eab1SEd Tanous if ((username != req.session->username)) 1745900f9497SJoseph Reynolds { 1746*6c51eab1SEd Tanous Privileges requiredPermissionsToChangeNonSelf = { 1747*6c51eab1SEd Tanous {"ConfigureUsers"}}; 1748*6c51eab1SEd Tanous Privileges effectiveUserPrivileges = 1749*6c51eab1SEd Tanous redfish::getUserPrivileges(req.userRole); 1750*6c51eab1SEd Tanous 1751*6c51eab1SEd Tanous if (!effectiveUserPrivileges.isSupersetOf( 1752*6c51eab1SEd Tanous requiredPermissionsToChangeNonSelf)) 1753900f9497SJoseph Reynolds { 1754900f9497SJoseph Reynolds messages::insufficientPrivilege(asyncResp->res); 1755900f9497SJoseph Reynolds return; 1756900f9497SJoseph Reynolds } 1757900f9497SJoseph Reynolds } 1758900f9497SJoseph Reynolds 175966b5ca76Sjayaprakash Mutyala // if user name is not provided in the patch method or if it 1760*6c51eab1SEd Tanous // matches the user name in the URI, then we are treating it as 1761*6c51eab1SEd Tanous // updating user properties other then username. If username 1762*6c51eab1SEd Tanous // provided doesn't match the URI, then we are treating this as 1763*6c51eab1SEd Tanous // user rename request. 176466b5ca76Sjayaprakash Mutyala if (!newUserName || (newUserName.value() == username)) 1765a840879dSEd Tanous { 1766*6c51eab1SEd Tanous updateUserProperties(asyncResp, username, password, enabled, 1767*6c51eab1SEd Tanous roleId, locked); 176884e12cb7SAppaRao Puli return; 176984e12cb7SAppaRao Puli } 177084e12cb7SAppaRao Puli crow::connections::systemBus->async_method_call( 1771*6c51eab1SEd Tanous [asyncResp, username, password(std::move(password)), 1772f23b7296SEd Tanous roleId(std::move(roleId)), enabled, 177366b5ca76Sjayaprakash Mutyala newUser{std::string(*newUserName)}, 1774f23b7296SEd Tanous locked](const boost::system::error_code ec, 177566b5ca76Sjayaprakash Mutyala sdbusplus::message::message& m) { 177684e12cb7SAppaRao Puli if (ec) 177784e12cb7SAppaRao Puli { 1778*6c51eab1SEd Tanous userErrorMessageHandler(m.get_error(), asyncResp, 1779*6c51eab1SEd Tanous newUser, username); 1780a840879dSEd Tanous return; 1781a840879dSEd Tanous } 1782a840879dSEd Tanous 1783*6c51eab1SEd Tanous updateUserProperties(asyncResp, newUser, password, 1784*6c51eab1SEd Tanous enabled, roleId, locked); 178584e12cb7SAppaRao Puli }, 1786*6c51eab1SEd Tanous "xyz.openbmc_project.User.Manager", 1787*6c51eab1SEd Tanous "/xyz/openbmc_project/user", 178884e12cb7SAppaRao Puli "xyz.openbmc_project.User.Manager", "RenameUser", username, 178984e12cb7SAppaRao Puli *newUserName); 1790*6c51eab1SEd Tanous }); 179184e12cb7SAppaRao Puli 1792*6c51eab1SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 1793*6c51eab1SEd Tanous .privileges({{"ConfigureUsers"}}) 1794*6c51eab1SEd Tanous .methods(boost::beast::http::verb::delete_)( 1795*6c51eab1SEd Tanous [](const crow::Request& /*req*/, 1796*6c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 1797*6c51eab1SEd Tanous const std::string& username) -> void { 1798*6c51eab1SEd Tanous const std::string userPath = 1799*6c51eab1SEd Tanous "/xyz/openbmc_project/user/" + username; 180024c8542dSRatan Gupta 1801*6c51eab1SEd Tanous crow::connections::systemBus->async_method_call( 1802*6c51eab1SEd Tanous [asyncResp, username](const boost::system::error_code ec) { 1803*6c51eab1SEd Tanous if (ec) 180466b5ca76Sjayaprakash Mutyala { 180566b5ca76Sjayaprakash Mutyala messages::resourceNotFound( 180666b5ca76Sjayaprakash Mutyala asyncResp->res, 1807*6c51eab1SEd Tanous "#ManagerAccount.v1_4_0.ManagerAccount", 1808f12894f8SJason M. Bills username); 180906e086d9SEd Tanous return; 181006e086d9SEd Tanous } 181106e086d9SEd Tanous 1812f12894f8SJason M. Bills messages::accountRemoved(asyncResp->res); 181306e086d9SEd Tanous }, 181406e086d9SEd Tanous "xyz.openbmc_project.User.Manager", userPath, 181506e086d9SEd Tanous "xyz.openbmc_project.Object.Delete", "Delete"); 1816*6c51eab1SEd Tanous }); 181706e086d9SEd Tanous } 181888d16c9aSLewanczyk, Dawid 181988d16c9aSLewanczyk, Dawid } // namespace redfish 1820