188d16c9aSLewanczyk, Dawid /* 288d16c9aSLewanczyk, Dawid // Copyright (c) 2018 Intel Corporation 388d16c9aSLewanczyk, Dawid // 488d16c9aSLewanczyk, Dawid // Licensed under the Apache License, Version 2.0 (the "License"); 588d16c9aSLewanczyk, Dawid // you may not use this file except in compliance with the License. 688d16c9aSLewanczyk, Dawid // You may obtain a copy of the License at 788d16c9aSLewanczyk, Dawid // 888d16c9aSLewanczyk, Dawid // http://www.apache.org/licenses/LICENSE-2.0 988d16c9aSLewanczyk, Dawid // 1088d16c9aSLewanczyk, Dawid // Unless required by applicable law or agreed to in writing, software 1188d16c9aSLewanczyk, Dawid // distributed under the License is distributed on an "AS IS" BASIS, 1288d16c9aSLewanczyk, Dawid // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 1388d16c9aSLewanczyk, Dawid // See the License for the specific language governing permissions and 1488d16c9aSLewanczyk, Dawid // limitations under the License. 1588d16c9aSLewanczyk, Dawid */ 1688d16c9aSLewanczyk, Dawid #pragma once 1788d16c9aSLewanczyk, Dawid 183ccb3adbSEd Tanous #include "app.hpp" 193ccb3adbSEd Tanous #include "dbus_utility.hpp" 203ccb3adbSEd Tanous #include "error_messages.hpp" 210ec8b83dSEd Tanous #include "generated/enums/account_service.hpp" 223ccb3adbSEd Tanous #include "openbmc_dbus_rest.hpp" 233ccb3adbSEd Tanous #include "persistent_data.hpp" 243ccb3adbSEd Tanous #include "query.hpp" 250ec8b83dSEd Tanous #include "registries/privilege_registry.hpp" 263ccb3adbSEd Tanous #include "utils/dbus_utils.hpp" 273ccb3adbSEd Tanous #include "utils/json_utils.hpp" 280ec8b83dSEd Tanous 291e1e598dSJonathan Doman #include <sdbusplus/asio/property.hpp> 30d1bde9e5SKrzysztof Grobelny #include <sdbusplus/unpack_properties.hpp> 311214b7e7SGunnar Mills 322b73119cSGeorge Liu #include <array> 33c7229815SAbhishek Patel #include <optional> 34c7229815SAbhishek Patel #include <string> 352b73119cSGeorge Liu #include <string_view> 36c7229815SAbhishek Patel #include <vector> 37c7229815SAbhishek Patel 381abe55efSEd Tanous namespace redfish 391abe55efSEd Tanous { 4088d16c9aSLewanczyk, Dawid 4123a21a1cSEd Tanous constexpr const char* ldapConfigObjectName = 426973a582SRatan Gupta "/xyz/openbmc_project/user/ldap/openldap"; 432c70f800SEd Tanous constexpr const char* adConfigObject = 44ab828d7cSRatan Gupta "/xyz/openbmc_project/user/ldap/active_directory"; 45ab828d7cSRatan Gupta 46b477fd44SP Dheeraj Srujan Kumar constexpr const char* rootUserDbusPath = "/xyz/openbmc_project/user/"; 476973a582SRatan Gupta constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap"; 486973a582SRatan Gupta constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config"; 496973a582SRatan Gupta constexpr const char* ldapConfigInterface = 506973a582SRatan Gupta "xyz.openbmc_project.User.Ldap.Config"; 516973a582SRatan Gupta constexpr const char* ldapCreateInterface = 526973a582SRatan Gupta "xyz.openbmc_project.User.Ldap.Create"; 536973a582SRatan Gupta constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable"; 5406785244SRatan Gupta constexpr const char* ldapPrivMapperInterface = 5506785244SRatan Gupta "xyz.openbmc_project.User.PrivilegeMapper"; 566973a582SRatan Gupta constexpr const char* dbusObjManagerIntf = "org.freedesktop.DBus.ObjectManager"; 576973a582SRatan Gupta constexpr const char* propertyInterface = "org.freedesktop.DBus.Properties"; 586973a582SRatan Gupta 5954fc587aSNagaraju Goruganti struct LDAPRoleMapData 6054fc587aSNagaraju Goruganti { 6154fc587aSNagaraju Goruganti std::string groupName; 6254fc587aSNagaraju Goruganti std::string privilege; 6354fc587aSNagaraju Goruganti }; 6454fc587aSNagaraju Goruganti 656973a582SRatan Gupta struct LDAPConfigData 666973a582SRatan Gupta { 676973a582SRatan Gupta std::string uri{}; 686973a582SRatan Gupta std::string bindDN{}; 696973a582SRatan Gupta std::string baseDN{}; 706973a582SRatan Gupta std::string searchScope{}; 716973a582SRatan Gupta std::string serverType{}; 726973a582SRatan Gupta bool serviceEnabled = false; 736973a582SRatan Gupta std::string userNameAttribute{}; 746973a582SRatan Gupta std::string groupAttribute{}; 7554fc587aSNagaraju Goruganti std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList; 766973a582SRatan Gupta }; 776973a582SRatan Gupta 7854fc587aSNagaraju Goruganti inline std::string getRoleIdFromPrivilege(std::string_view role) 7984e12cb7SAppaRao Puli { 8084e12cb7SAppaRao Puli if (role == "priv-admin") 8184e12cb7SAppaRao Puli { 8284e12cb7SAppaRao Puli return "Administrator"; 8384e12cb7SAppaRao Puli } 843174e4dfSEd Tanous if (role == "priv-user") 8584e12cb7SAppaRao Puli { 86c80fee55SAppaRao Puli return "ReadOnly"; 8784e12cb7SAppaRao Puli } 883174e4dfSEd Tanous if (role == "priv-operator") 8984e12cb7SAppaRao Puli { 9084e12cb7SAppaRao Puli return "Operator"; 9184e12cb7SAppaRao Puli } 9284e12cb7SAppaRao Puli return ""; 9384e12cb7SAppaRao Puli } 9454fc587aSNagaraju Goruganti inline std::string getPrivilegeFromRoleId(std::string_view role) 9584e12cb7SAppaRao Puli { 9684e12cb7SAppaRao Puli if (role == "Administrator") 9784e12cb7SAppaRao Puli { 9884e12cb7SAppaRao Puli return "priv-admin"; 9984e12cb7SAppaRao Puli } 1003174e4dfSEd Tanous if (role == "ReadOnly") 10184e12cb7SAppaRao Puli { 10284e12cb7SAppaRao Puli return "priv-user"; 10384e12cb7SAppaRao Puli } 1043174e4dfSEd Tanous if (role == "Operator") 10584e12cb7SAppaRao Puli { 10684e12cb7SAppaRao Puli return "priv-operator"; 10784e12cb7SAppaRao Puli } 10884e12cb7SAppaRao Puli return ""; 10984e12cb7SAppaRao Puli } 110b9b2e0b2SEd Tanous 111c7229815SAbhishek Patel /** 112c7229815SAbhishek Patel * @brief Maps user group names retrieved from D-Bus object to 113c7229815SAbhishek Patel * Account Types. 114c7229815SAbhishek Patel * 115c7229815SAbhishek Patel * @param[in] userGroups List of User groups 116c7229815SAbhishek Patel * @param[out] res AccountTypes populated 117c7229815SAbhishek Patel * 118c7229815SAbhishek Patel * @return true in case of success, false if UserGroups contains 119c7229815SAbhishek Patel * invalid group name(s). 120c7229815SAbhishek Patel */ 121c7229815SAbhishek Patel inline bool translateUserGroup(const std::vector<std::string>& userGroups, 122c7229815SAbhishek Patel crow::Response& res) 123c7229815SAbhishek Patel { 124c7229815SAbhishek Patel std::vector<std::string> accountTypes; 125c7229815SAbhishek Patel for (const auto& userGroup : userGroups) 126c7229815SAbhishek Patel { 127c7229815SAbhishek Patel if (userGroup == "redfish") 128c7229815SAbhishek Patel { 129c7229815SAbhishek Patel accountTypes.emplace_back("Redfish"); 130c7229815SAbhishek Patel accountTypes.emplace_back("WebUI"); 131c7229815SAbhishek Patel } 132c7229815SAbhishek Patel else if (userGroup == "ipmi") 133c7229815SAbhishek Patel { 134c7229815SAbhishek Patel accountTypes.emplace_back("IPMI"); 135c7229815SAbhishek Patel } 136c7229815SAbhishek Patel else if (userGroup == "ssh") 137c7229815SAbhishek Patel { 138c7229815SAbhishek Patel accountTypes.emplace_back("ManagerConsole"); 139c7229815SAbhishek Patel } 1403e72c202SNinad Palsule else if (userGroup == "hostconsole") 1413e72c202SNinad Palsule { 1423e72c202SNinad Palsule // The hostconsole group controls who can access the host console 1433e72c202SNinad Palsule // port via ssh and websocket. 1443e72c202SNinad Palsule accountTypes.emplace_back("HostConsole"); 1453e72c202SNinad Palsule } 146c7229815SAbhishek Patel else if (userGroup == "web") 147c7229815SAbhishek Patel { 148c7229815SAbhishek Patel // 'web' is one of the valid groups in the UserGroups property of 149c7229815SAbhishek Patel // the user account in the D-Bus object. This group is currently not 150c7229815SAbhishek Patel // doing anything, and is considered to be equivalent to 'redfish'. 151c7229815SAbhishek Patel // 'redfish' user group is mapped to 'Redfish'and 'WebUI' 152c7229815SAbhishek Patel // AccountTypes, so do nothing here... 153c7229815SAbhishek Patel } 154c7229815SAbhishek Patel else 155c7229815SAbhishek Patel { 156c7229815SAbhishek Patel // Invalid user group name. Caller throws an excption. 157c7229815SAbhishek Patel return false; 158c7229815SAbhishek Patel } 159c7229815SAbhishek Patel } 160c7229815SAbhishek Patel 161c7229815SAbhishek Patel res.jsonValue["AccountTypes"] = std::move(accountTypes); 162c7229815SAbhishek Patel return true; 163c7229815SAbhishek Patel } 164c7229815SAbhishek Patel 16558345856SAbhishek Patel /** 16658345856SAbhishek Patel * @brief Builds User Groups from the Account Types 16758345856SAbhishek Patel * 16858345856SAbhishek Patel * @param[in] asyncResp Async Response 16958345856SAbhishek Patel * @param[in] accountTypes List of Account Types 17058345856SAbhishek Patel * @param[out] userGroups List of User Groups mapped from Account Types 17158345856SAbhishek Patel * 17258345856SAbhishek Patel * @return true if Account Types mapped to User Groups, false otherwise. 17358345856SAbhishek Patel */ 17458345856SAbhishek Patel inline bool 17558345856SAbhishek Patel getUserGroupFromAccountType(crow::Response& res, 17658345856SAbhishek Patel const std::vector<std::string>& accountTypes, 17758345856SAbhishek Patel std::vector<std::string>& userGroups) 17858345856SAbhishek Patel { 17958345856SAbhishek Patel // Need both Redfish and WebUI Account Types to map to 'redfish' User Group 18058345856SAbhishek Patel bool redfishType = false; 18158345856SAbhishek Patel bool webUIType = false; 18258345856SAbhishek Patel 18358345856SAbhishek Patel for (const auto& accountType : accountTypes) 18458345856SAbhishek Patel { 18558345856SAbhishek Patel if (accountType == "Redfish") 18658345856SAbhishek Patel { 18758345856SAbhishek Patel redfishType = true; 18858345856SAbhishek Patel } 18958345856SAbhishek Patel else if (accountType == "WebUI") 19058345856SAbhishek Patel { 19158345856SAbhishek Patel webUIType = true; 19258345856SAbhishek Patel } 19358345856SAbhishek Patel else if (accountType == "IPMI") 19458345856SAbhishek Patel { 19558345856SAbhishek Patel userGroups.emplace_back("ipmi"); 19658345856SAbhishek Patel } 19758345856SAbhishek Patel else if (accountType == "HostConsole") 19858345856SAbhishek Patel { 19958345856SAbhishek Patel userGroups.emplace_back("hostconsole"); 20058345856SAbhishek Patel } 20158345856SAbhishek Patel else if (accountType == "ManagerConsole") 20258345856SAbhishek Patel { 20358345856SAbhishek Patel userGroups.emplace_back("ssh"); 20458345856SAbhishek Patel } 20558345856SAbhishek Patel else 20658345856SAbhishek Patel { 20758345856SAbhishek Patel // Invalid Account Type 20858345856SAbhishek Patel messages::propertyValueNotInList(res, "AccountTypes", accountType); 20958345856SAbhishek Patel return false; 21058345856SAbhishek Patel } 21158345856SAbhishek Patel } 21258345856SAbhishek Patel 21358345856SAbhishek Patel // Both Redfish and WebUI Account Types are needed to PATCH 21458345856SAbhishek Patel if (redfishType ^ webUIType) 21558345856SAbhishek Patel { 21658345856SAbhishek Patel BMCWEB_LOG_ERROR 21758345856SAbhishek Patel << "Missing Redfish or WebUI Account Type to set redfish User Group"; 21858345856SAbhishek Patel messages::strictAccountTypes(res, "AccountTypes"); 21958345856SAbhishek Patel return false; 22058345856SAbhishek Patel } 22158345856SAbhishek Patel 22258345856SAbhishek Patel if (redfishType && webUIType) 22358345856SAbhishek Patel { 22458345856SAbhishek Patel userGroups.emplace_back("redfish"); 22558345856SAbhishek Patel } 22658345856SAbhishek Patel 22758345856SAbhishek Patel return true; 22858345856SAbhishek Patel } 22958345856SAbhishek Patel 23058345856SAbhishek Patel /** 23158345856SAbhishek Patel * @brief Sets UserGroups property of the user based on the Account Types 23258345856SAbhishek Patel * 23358345856SAbhishek Patel * @param[in] accountTypes List of User Account Types 23458345856SAbhishek Patel * @param[in] asyncResp Async Response 23558345856SAbhishek Patel * @param[in] dbusObjectPath D-Bus Object Path 23658345856SAbhishek Patel * @param[in] userSelf true if User is updating OWN Account Types 23758345856SAbhishek Patel */ 23858345856SAbhishek Patel inline void 23958345856SAbhishek Patel patchAccountTypes(const std::vector<std::string>& accountTypes, 24058345856SAbhishek Patel const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 24158345856SAbhishek Patel const std::string& dbusObjectPath, bool userSelf) 24258345856SAbhishek Patel { 24358345856SAbhishek Patel // Check if User is disabling own Redfish Account Type 24458345856SAbhishek Patel if (userSelf && 24558345856SAbhishek Patel (accountTypes.cend() == 24658345856SAbhishek Patel std::find(accountTypes.cbegin(), accountTypes.cend(), "Redfish"))) 24758345856SAbhishek Patel { 24858345856SAbhishek Patel BMCWEB_LOG_ERROR 24958345856SAbhishek Patel << "User disabling OWN Redfish Account Type is not allowed"; 25058345856SAbhishek Patel messages::strictAccountTypes(asyncResp->res, "AccountTypes"); 25158345856SAbhishek Patel return; 25258345856SAbhishek Patel } 25358345856SAbhishek Patel 25458345856SAbhishek Patel std::vector<std::string> updatedUserGroups; 25558345856SAbhishek Patel if (!getUserGroupFromAccountType(asyncResp->res, accountTypes, 25658345856SAbhishek Patel updatedUserGroups)) 25758345856SAbhishek Patel { 25858345856SAbhishek Patel // Problem in mapping Account Types to User Groups, Error already 25958345856SAbhishek Patel // logged. 26058345856SAbhishek Patel return; 26158345856SAbhishek Patel } 26258345856SAbhishek Patel 26358345856SAbhishek Patel crow::connections::systemBus->async_method_call( 26458345856SAbhishek Patel [asyncResp](const boost::system::error_code ec) { 26558345856SAbhishek Patel if (ec) 26658345856SAbhishek Patel { 26758345856SAbhishek Patel BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec; 26858345856SAbhishek Patel messages::internalError(asyncResp->res); 26958345856SAbhishek Patel return; 27058345856SAbhishek Patel } 27158345856SAbhishek Patel messages::success(asyncResp->res); 27258345856SAbhishek Patel }, 27358345856SAbhishek Patel "xyz.openbmc_project.User.Manager", dbusObjectPath, 27458345856SAbhishek Patel "org.freedesktop.DBus.Properties", "Set", 27558345856SAbhishek Patel "xyz.openbmc_project.User.Attributes", "UserGroups", 27658345856SAbhishek Patel dbus::utility::DbusVariantType{updatedUserGroups}); 27758345856SAbhishek Patel } 27858345856SAbhishek Patel 2798d1b46d7Szhanghch05 inline void userErrorMessageHandler( 2808d1b46d7Szhanghch05 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 2818d1b46d7Szhanghch05 const std::string& newUser, const std::string& username) 28266b5ca76Sjayaprakash Mutyala { 28366b5ca76Sjayaprakash Mutyala if (e == nullptr) 28466b5ca76Sjayaprakash Mutyala { 28566b5ca76Sjayaprakash Mutyala messages::internalError(asyncResp->res); 28666b5ca76Sjayaprakash Mutyala return; 28766b5ca76Sjayaprakash Mutyala } 28866b5ca76Sjayaprakash Mutyala 289055806b3SManojkiran Eda const char* errorMessage = e->name; 29066b5ca76Sjayaprakash Mutyala if (strcmp(errorMessage, 29166b5ca76Sjayaprakash Mutyala "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0) 29266b5ca76Sjayaprakash Mutyala { 293d8a5d5d8SJiaqing Zhao messages::resourceAlreadyExists(asyncResp->res, "ManagerAccount", 29466b5ca76Sjayaprakash Mutyala "UserName", newUser); 29566b5ca76Sjayaprakash Mutyala } 29666b5ca76Sjayaprakash Mutyala else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error." 29766b5ca76Sjayaprakash Mutyala "UserNameDoesNotExist") == 0) 29866b5ca76Sjayaprakash Mutyala { 299d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", username); 30066b5ca76Sjayaprakash Mutyala } 301d4d25793SEd Tanous else if ((strcmp(errorMessage, 302d4d25793SEd Tanous "xyz.openbmc_project.Common.Error.InvalidArgument") == 303d4d25793SEd Tanous 0) || 3040fda0f12SGeorge Liu (strcmp( 3050fda0f12SGeorge Liu errorMessage, 3060fda0f12SGeorge Liu "xyz.openbmc_project.User.Common.Error.UserNameGroupFail") == 3070fda0f12SGeorge Liu 0)) 30866b5ca76Sjayaprakash Mutyala { 30966b5ca76Sjayaprakash Mutyala messages::propertyValueFormatError(asyncResp->res, newUser, "UserName"); 31066b5ca76Sjayaprakash Mutyala } 31166b5ca76Sjayaprakash Mutyala else if (strcmp(errorMessage, 31266b5ca76Sjayaprakash Mutyala "xyz.openbmc_project.User.Common.Error.NoResource") == 0) 31366b5ca76Sjayaprakash Mutyala { 31466b5ca76Sjayaprakash Mutyala messages::createLimitReachedForResource(asyncResp->res); 31566b5ca76Sjayaprakash Mutyala } 31666b5ca76Sjayaprakash Mutyala else 31766b5ca76Sjayaprakash Mutyala { 31866b5ca76Sjayaprakash Mutyala messages::internalError(asyncResp->res); 31966b5ca76Sjayaprakash Mutyala } 32066b5ca76Sjayaprakash Mutyala } 32166b5ca76Sjayaprakash Mutyala 32281ce609eSEd Tanous inline void parseLDAPConfigData(nlohmann::json& jsonResponse, 323ab828d7cSRatan Gupta const LDAPConfigData& confData, 324ab828d7cSRatan Gupta const std::string& ldapType) 3256973a582SRatan Gupta { 32689492a15SPatrick Williams std::string service = (ldapType == "LDAP") ? "LDAPService" 32789492a15SPatrick Williams : "ActiveDirectoryService"; 32854fc587aSNagaraju Goruganti 3291476687dSEd Tanous nlohmann::json& ldap = jsonResponse[ldapType]; 33054fc587aSNagaraju Goruganti 3311476687dSEd Tanous ldap["ServiceEnabled"] = confData.serviceEnabled; 3321476687dSEd Tanous ldap["ServiceAddresses"] = nlohmann::json::array({confData.uri}); 3330ec8b83dSEd Tanous ldap["Authentication"]["AuthenticationType"] = 3340ec8b83dSEd Tanous account_service::AuthenticationTypes::UsernameAndPassword; 3351476687dSEd Tanous ldap["Authentication"]["Username"] = confData.bindDN; 3361476687dSEd Tanous ldap["Authentication"]["Password"] = nullptr; 3371476687dSEd Tanous 3381476687dSEd Tanous ldap["LDAPService"]["SearchSettings"]["BaseDistinguishedNames"] = 3391476687dSEd Tanous nlohmann::json::array({confData.baseDN}); 3401476687dSEd Tanous ldap["LDAPService"]["SearchSettings"]["UsernameAttribute"] = 3411476687dSEd Tanous confData.userNameAttribute; 3421476687dSEd Tanous ldap["LDAPService"]["SearchSettings"]["GroupsAttribute"] = 3431476687dSEd Tanous confData.groupAttribute; 3441476687dSEd Tanous 3451476687dSEd Tanous nlohmann::json& roleMapArray = ldap["RemoteRoleMapping"]; 34654fc587aSNagaraju Goruganti roleMapArray = nlohmann::json::array(); 3479eb808c1SEd Tanous for (const auto& obj : confData.groupRoleList) 34854fc587aSNagaraju Goruganti { 34954fc587aSNagaraju Goruganti BMCWEB_LOG_DEBUG << "Pushing the data groupName=" 35054fc587aSNagaraju Goruganti << obj.second.groupName << "\n"; 351613dabeaSEd Tanous 352613dabeaSEd Tanous nlohmann::json::object_t remoteGroup; 353613dabeaSEd Tanous remoteGroup["RemoteGroup"] = obj.second.groupName; 354329f0348SJorge Cisneros remoteGroup["LocalRole"] = getRoleIdFromPrivilege(obj.second.privilege); 355329f0348SJorge Cisneros roleMapArray.emplace_back(std::move(remoteGroup)); 35654fc587aSNagaraju Goruganti } 3576973a582SRatan Gupta } 3586973a582SRatan Gupta 3596973a582SRatan Gupta /** 36006785244SRatan Gupta * @brief validates given JSON input and then calls appropriate method to 36106785244SRatan Gupta * create, to delete or to set Rolemapping object based on the given input. 36206785244SRatan Gupta * 36306785244SRatan Gupta */ 36423a21a1cSEd Tanous inline void handleRoleMapPatch( 3658d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 36606785244SRatan Gupta const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData, 367f23b7296SEd Tanous const std::string& serverType, const std::vector<nlohmann::json>& input) 36806785244SRatan Gupta { 36906785244SRatan Gupta for (size_t index = 0; index < input.size(); index++) 37006785244SRatan Gupta { 371f23b7296SEd Tanous const nlohmann::json& thisJson = input[index]; 37206785244SRatan Gupta 37306785244SRatan Gupta if (thisJson.is_null()) 37406785244SRatan Gupta { 37506785244SRatan Gupta // delete the existing object 37606785244SRatan Gupta if (index < roleMapObjData.size()) 37706785244SRatan Gupta { 37806785244SRatan Gupta crow::connections::systemBus->async_method_call( 37906785244SRatan Gupta [asyncResp, roleMapObjData, serverType, 3805e7e2dc5SEd Tanous index](const boost::system::error_code& ec) { 38106785244SRatan Gupta if (ec) 38206785244SRatan Gupta { 38306785244SRatan Gupta BMCWEB_LOG_ERROR << "DBUS response error: " << ec; 38406785244SRatan Gupta messages::internalError(asyncResp->res); 38506785244SRatan Gupta return; 38606785244SRatan Gupta } 38789492a15SPatrick Williams asyncResp->res.jsonValue[serverType]["RemoteRoleMapping"] 38889492a15SPatrick Williams [index] = nullptr; 38906785244SRatan Gupta }, 39006785244SRatan Gupta ldapDbusService, roleMapObjData[index].first, 39106785244SRatan Gupta "xyz.openbmc_project.Object.Delete", "Delete"); 39206785244SRatan Gupta } 39306785244SRatan Gupta else 39406785244SRatan Gupta { 39506785244SRatan Gupta BMCWEB_LOG_ERROR << "Can't delete the object"; 39606785244SRatan Gupta messages::propertyValueTypeError( 39771f52d96SEd Tanous asyncResp->res, 39871f52d96SEd Tanous thisJson.dump(2, ' ', true, 39971f52d96SEd Tanous nlohmann::json::error_handler_t::replace), 40006785244SRatan Gupta "RemoteRoleMapping/" + std::to_string(index)); 40106785244SRatan Gupta return; 40206785244SRatan Gupta } 40306785244SRatan Gupta } 40406785244SRatan Gupta else if (thisJson.empty()) 40506785244SRatan Gupta { 40606785244SRatan Gupta // Don't do anything for the empty objects,parse next json 40706785244SRatan Gupta // eg {"RemoteRoleMapping",[{}]} 40806785244SRatan Gupta } 40906785244SRatan Gupta else 41006785244SRatan Gupta { 41106785244SRatan Gupta // update/create the object 41206785244SRatan Gupta std::optional<std::string> remoteGroup; 41306785244SRatan Gupta std::optional<std::string> localRole; 41406785244SRatan Gupta 415f23b7296SEd Tanous // This is a copy, but it's required in this case because of how 416f23b7296SEd Tanous // readJson is structured 417f23b7296SEd Tanous nlohmann::json thisJsonCopy = thisJson; 418f23b7296SEd Tanous if (!json_util::readJson(thisJsonCopy, asyncResp->res, 419f23b7296SEd Tanous "RemoteGroup", remoteGroup, "LocalRole", 420f23b7296SEd Tanous localRole)) 42106785244SRatan Gupta { 42206785244SRatan Gupta continue; 42306785244SRatan Gupta } 42406785244SRatan Gupta 42506785244SRatan Gupta // Update existing RoleMapping Object 42606785244SRatan Gupta if (index < roleMapObjData.size()) 42706785244SRatan Gupta { 42806785244SRatan Gupta BMCWEB_LOG_DEBUG << "Update Role Map Object"; 42906785244SRatan Gupta // If "RemoteGroup" info is provided 43006785244SRatan Gupta if (remoteGroup) 43106785244SRatan Gupta { 43206785244SRatan Gupta crow::connections::systemBus->async_method_call( 43306785244SRatan Gupta [asyncResp, roleMapObjData, serverType, index, 43425e055a3SRavi Teja remoteGroup](const boost::system::error_code& ec, 43525e055a3SRavi Teja const sdbusplus::message::message& msg) { 43606785244SRatan Gupta if (ec) 43706785244SRatan Gupta { 43825e055a3SRavi Teja const sd_bus_error* dbusError = msg.get_error(); 43925e055a3SRavi Teja if ((dbusError != nullptr) && 44025e055a3SRavi Teja (dbusError->name == 44125e055a3SRavi Teja std::string_view( 44225e055a3SRavi Teja "xyz.openbmc_project.Common.Error.InvalidArgument"))) 44325e055a3SRavi Teja { 44425e055a3SRavi Teja BMCWEB_LOG_WARNING << "DBUS response error: " 44525e055a3SRavi Teja << ec; 44625e055a3SRavi Teja messages::propertyValueIncorrect(asyncResp->res, 44725e055a3SRavi Teja "RemoteGroup", 44825e055a3SRavi Teja *remoteGroup); 44925e055a3SRavi Teja return; 45025e055a3SRavi Teja } 45106785244SRatan Gupta messages::internalError(asyncResp->res); 45206785244SRatan Gupta return; 45306785244SRatan Gupta } 45406785244SRatan Gupta asyncResp->res 455002d39b4SEd Tanous .jsonValue[serverType]["RemoteRoleMapping"][index] 456002d39b4SEd Tanous ["RemoteGroup"] = *remoteGroup; 45706785244SRatan Gupta }, 45806785244SRatan Gupta ldapDbusService, roleMapObjData[index].first, 45906785244SRatan Gupta propertyInterface, "Set", 46006785244SRatan Gupta "xyz.openbmc_project.User.PrivilegeMapperEntry", 46106785244SRatan Gupta "GroupName", 462168e20c1SEd Tanous dbus::utility::DbusVariantType( 463168e20c1SEd Tanous std::move(*remoteGroup))); 46406785244SRatan Gupta } 46506785244SRatan Gupta 46606785244SRatan Gupta // If "LocalRole" info is provided 46706785244SRatan Gupta if (localRole) 46806785244SRatan Gupta { 46906785244SRatan Gupta crow::connections::systemBus->async_method_call( 47006785244SRatan Gupta [asyncResp, roleMapObjData, serverType, index, 47125e055a3SRavi Teja localRole](const boost::system::error_code& ec, 47225e055a3SRavi Teja const sdbusplus::message::message& msg) { 47306785244SRatan Gupta if (ec) 47406785244SRatan Gupta { 47525e055a3SRavi Teja const sd_bus_error* dbusError = msg.get_error(); 47625e055a3SRavi Teja if ((dbusError != nullptr) && 47725e055a3SRavi Teja (dbusError->name == 47825e055a3SRavi Teja std::string_view( 47925e055a3SRavi Teja "xyz.openbmc_project.Common.Error.InvalidArgument"))) 48025e055a3SRavi Teja { 48125e055a3SRavi Teja BMCWEB_LOG_WARNING << "DBUS response error: " 48225e055a3SRavi Teja << ec; 48325e055a3SRavi Teja messages::propertyValueIncorrect( 48425e055a3SRavi Teja asyncResp->res, "LocalRole", *localRole); 48525e055a3SRavi Teja return; 48625e055a3SRavi Teja } 48706785244SRatan Gupta messages::internalError(asyncResp->res); 48806785244SRatan Gupta return; 48906785244SRatan Gupta } 49006785244SRatan Gupta asyncResp->res 491002d39b4SEd Tanous .jsonValue[serverType]["RemoteRoleMapping"][index] 492002d39b4SEd Tanous ["LocalRole"] = *localRole; 49306785244SRatan Gupta }, 49406785244SRatan Gupta ldapDbusService, roleMapObjData[index].first, 49506785244SRatan Gupta propertyInterface, "Set", 49606785244SRatan Gupta "xyz.openbmc_project.User.PrivilegeMapperEntry", 49706785244SRatan Gupta "Privilege", 498168e20c1SEd Tanous dbus::utility::DbusVariantType( 49906785244SRatan Gupta getPrivilegeFromRoleId(std::move(*localRole)))); 50006785244SRatan Gupta } 50106785244SRatan Gupta } 50206785244SRatan Gupta // Create a new RoleMapping Object. 50306785244SRatan Gupta else 50406785244SRatan Gupta { 50506785244SRatan Gupta BMCWEB_LOG_DEBUG 50606785244SRatan Gupta << "setRoleMappingProperties: Creating new Object"; 50789492a15SPatrick Williams std::string pathString = "RemoteRoleMapping/" + 50889492a15SPatrick Williams std::to_string(index); 50906785244SRatan Gupta 51006785244SRatan Gupta if (!localRole) 51106785244SRatan Gupta { 51206785244SRatan Gupta messages::propertyMissing(asyncResp->res, 51306785244SRatan Gupta pathString + "/LocalRole"); 51406785244SRatan Gupta continue; 51506785244SRatan Gupta } 51606785244SRatan Gupta if (!remoteGroup) 51706785244SRatan Gupta { 51806785244SRatan Gupta messages::propertyMissing(asyncResp->res, 51906785244SRatan Gupta pathString + "/RemoteGroup"); 52006785244SRatan Gupta continue; 52106785244SRatan Gupta } 52206785244SRatan Gupta 52306785244SRatan Gupta std::string dbusObjectPath; 52406785244SRatan Gupta if (serverType == "ActiveDirectory") 52506785244SRatan Gupta { 5262c70f800SEd Tanous dbusObjectPath = adConfigObject; 52706785244SRatan Gupta } 52806785244SRatan Gupta else if (serverType == "LDAP") 52906785244SRatan Gupta { 53023a21a1cSEd Tanous dbusObjectPath = ldapConfigObjectName; 53106785244SRatan Gupta } 53206785244SRatan Gupta 53306785244SRatan Gupta BMCWEB_LOG_DEBUG << "Remote Group=" << *remoteGroup 53406785244SRatan Gupta << ",LocalRole=" << *localRole; 53506785244SRatan Gupta 53606785244SRatan Gupta crow::connections::systemBus->async_method_call( 537271584abSEd Tanous [asyncResp, serverType, localRole, 5385e7e2dc5SEd Tanous remoteGroup](const boost::system::error_code& ec) { 53906785244SRatan Gupta if (ec) 54006785244SRatan Gupta { 54106785244SRatan Gupta BMCWEB_LOG_ERROR << "DBUS response error: " << ec; 54206785244SRatan Gupta messages::internalError(asyncResp->res); 54306785244SRatan Gupta return; 54406785244SRatan Gupta } 54506785244SRatan Gupta nlohmann::json& remoteRoleJson = 54606785244SRatan Gupta asyncResp->res 54706785244SRatan Gupta .jsonValue[serverType]["RemoteRoleMapping"]; 5481476687dSEd Tanous nlohmann::json::object_t roleMapEntry; 5491476687dSEd Tanous roleMapEntry["LocalRole"] = *localRole; 5501476687dSEd Tanous roleMapEntry["RemoteGroup"] = *remoteGroup; 551b2ba3072SPatrick Williams remoteRoleJson.emplace_back(std::move(roleMapEntry)); 55206785244SRatan Gupta }, 55306785244SRatan Gupta ldapDbusService, dbusObjectPath, ldapPrivMapperInterface, 5543174e4dfSEd Tanous "Create", *remoteGroup, 55506785244SRatan Gupta getPrivilegeFromRoleId(std::move(*localRole))); 55606785244SRatan Gupta } 55706785244SRatan Gupta } 55806785244SRatan Gupta } 55906785244SRatan Gupta } 56006785244SRatan Gupta 56106785244SRatan Gupta /** 5626973a582SRatan Gupta * Function that retrieves all properties for LDAP config object 5636973a582SRatan Gupta * into JSON 5646973a582SRatan Gupta */ 5656973a582SRatan Gupta template <typename CallbackFunc> 5666973a582SRatan Gupta inline void getLDAPConfigData(const std::string& ldapType, 5676973a582SRatan Gupta CallbackFunc&& callback) 5686973a582SRatan Gupta { 5692b73119cSGeorge Liu constexpr std::array<std::string_view, 2> interfaces = { 5702b73119cSGeorge Liu ldapEnableInterface, ldapConfigInterface}; 57154fc587aSNagaraju Goruganti 5722b73119cSGeorge Liu dbus::utility::getDbusObject( 5732b73119cSGeorge Liu ldapConfigObjectName, interfaces, 5742b73119cSGeorge Liu [callback, ldapType](const boost::system::error_code& ec, 575b9d36b47SEd Tanous const dbus::utility::MapperGetObject& resp) { 57654fc587aSNagaraju Goruganti if (ec || resp.empty()) 57754fc587aSNagaraju Goruganti { 5780fda0f12SGeorge Liu BMCWEB_LOG_ERROR 579002d39b4SEd Tanous << "DBUS response error during getting of service name: " << ec; 58023a21a1cSEd Tanous LDAPConfigData empty{}; 58123a21a1cSEd Tanous callback(false, empty, ldapType); 58254fc587aSNagaraju Goruganti return; 58354fc587aSNagaraju Goruganti } 58454fc587aSNagaraju Goruganti std::string service = resp.begin()->first; 58554fc587aSNagaraju Goruganti crow::connections::systemBus->async_method_call( 586002d39b4SEd Tanous [callback, 5875e7e2dc5SEd Tanous ldapType](const boost::system::error_code& errorCode, 588711ac7a9SEd Tanous const dbus::utility::ManagedObjectType& ldapObjects) { 5896973a582SRatan Gupta LDAPConfigData confData{}; 59081ce609eSEd Tanous if (errorCode) 5916973a582SRatan Gupta { 592ab828d7cSRatan Gupta callback(false, confData, ldapType); 593002d39b4SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << errorCode; 5946973a582SRatan Gupta return; 5956973a582SRatan Gupta } 596ab828d7cSRatan Gupta 597ab828d7cSRatan Gupta std::string ldapDbusType; 59854fc587aSNagaraju Goruganti std::string searchString; 59954fc587aSNagaraju Goruganti 600ab828d7cSRatan Gupta if (ldapType == "LDAP") 601ab828d7cSRatan Gupta { 6020fda0f12SGeorge Liu ldapDbusType = 6030fda0f12SGeorge Liu "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap"; 60454fc587aSNagaraju Goruganti searchString = "openldap"; 605ab828d7cSRatan Gupta } 606ab828d7cSRatan Gupta else if (ldapType == "ActiveDirectory") 607ab828d7cSRatan Gupta { 60854fc587aSNagaraju Goruganti ldapDbusType = 6090fda0f12SGeorge Liu "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory"; 61054fc587aSNagaraju Goruganti searchString = "active_directory"; 611ab828d7cSRatan Gupta } 612ab828d7cSRatan Gupta else 613ab828d7cSRatan Gupta { 614002d39b4SEd Tanous BMCWEB_LOG_ERROR << "Can't get the DbusType for the given type=" 615ab828d7cSRatan Gupta << ldapType; 616ab828d7cSRatan Gupta callback(false, confData, ldapType); 617ab828d7cSRatan Gupta return; 618ab828d7cSRatan Gupta } 619ab828d7cSRatan Gupta 620ab828d7cSRatan Gupta std::string ldapEnableInterfaceStr = ldapEnableInterface; 621ab828d7cSRatan Gupta std::string ldapConfigInterfaceStr = ldapConfigInterface; 622ab828d7cSRatan Gupta 6236973a582SRatan Gupta for (const auto& object : ldapObjects) 6246973a582SRatan Gupta { 62554fc587aSNagaraju Goruganti // let's find the object whose ldap type is equal to the 62654fc587aSNagaraju Goruganti // given type 627002d39b4SEd Tanous if (object.first.str.find(searchString) == std::string::npos) 6286973a582SRatan Gupta { 629ab828d7cSRatan Gupta continue; 630ab828d7cSRatan Gupta } 631ab828d7cSRatan Gupta 6326973a582SRatan Gupta for (const auto& interface : object.second) 6336973a582SRatan Gupta { 6346973a582SRatan Gupta if (interface.first == ldapEnableInterfaceStr) 6356973a582SRatan Gupta { 6366973a582SRatan Gupta // rest of the properties are string. 6376973a582SRatan Gupta for (const auto& property : interface.second) 6386973a582SRatan Gupta { 6396973a582SRatan Gupta if (property.first == "Enabled") 6406973a582SRatan Gupta { 6416973a582SRatan Gupta const bool* value = 6426973a582SRatan Gupta std::get_if<bool>(&property.second); 6436973a582SRatan Gupta if (value == nullptr) 6446973a582SRatan Gupta { 6456973a582SRatan Gupta continue; 6466973a582SRatan Gupta } 6476973a582SRatan Gupta confData.serviceEnabled = *value; 6486973a582SRatan Gupta break; 6496973a582SRatan Gupta } 6506973a582SRatan Gupta } 6516973a582SRatan Gupta } 6526973a582SRatan Gupta else if (interface.first == ldapConfigInterfaceStr) 6536973a582SRatan Gupta { 6546973a582SRatan Gupta for (const auto& property : interface.second) 6556973a582SRatan Gupta { 656271584abSEd Tanous const std::string* strValue = 657002d39b4SEd Tanous std::get_if<std::string>(&property.second); 658271584abSEd Tanous if (strValue == nullptr) 6596973a582SRatan Gupta { 6606973a582SRatan Gupta continue; 6616973a582SRatan Gupta } 6626973a582SRatan Gupta if (property.first == "LDAPServerURI") 6636973a582SRatan Gupta { 664271584abSEd Tanous confData.uri = *strValue; 6656973a582SRatan Gupta } 6666973a582SRatan Gupta else if (property.first == "LDAPBindDN") 6676973a582SRatan Gupta { 668271584abSEd Tanous confData.bindDN = *strValue; 6696973a582SRatan Gupta } 6706973a582SRatan Gupta else if (property.first == "LDAPBaseDN") 6716973a582SRatan Gupta { 672271584abSEd Tanous confData.baseDN = *strValue; 6736973a582SRatan Gupta } 674002d39b4SEd Tanous else if (property.first == "LDAPSearchScope") 6756973a582SRatan Gupta { 676271584abSEd Tanous confData.searchScope = *strValue; 6776973a582SRatan Gupta } 678002d39b4SEd Tanous else if (property.first == "GroupNameAttribute") 6796973a582SRatan Gupta { 680271584abSEd Tanous confData.groupAttribute = *strValue; 6816973a582SRatan Gupta } 682002d39b4SEd Tanous else if (property.first == "UserNameAttribute") 6836973a582SRatan Gupta { 684271584abSEd Tanous confData.userNameAttribute = *strValue; 6856973a582SRatan Gupta } 68654fc587aSNagaraju Goruganti else if (property.first == "LDAPType") 687ab828d7cSRatan Gupta { 688271584abSEd Tanous confData.serverType = *strValue; 68954fc587aSNagaraju Goruganti } 69054fc587aSNagaraju Goruganti } 69154fc587aSNagaraju Goruganti } 692002d39b4SEd Tanous else if (interface.first == 6930fda0f12SGeorge Liu "xyz.openbmc_project.User.PrivilegeMapperEntry") 69454fc587aSNagaraju Goruganti { 69554fc587aSNagaraju Goruganti LDAPRoleMapData roleMapData{}; 69654fc587aSNagaraju Goruganti for (const auto& property : interface.second) 69754fc587aSNagaraju Goruganti { 698271584abSEd Tanous const std::string* strValue = 699002d39b4SEd Tanous std::get_if<std::string>(&property.second); 70054fc587aSNagaraju Goruganti 701271584abSEd Tanous if (strValue == nullptr) 70254fc587aSNagaraju Goruganti { 70354fc587aSNagaraju Goruganti continue; 70454fc587aSNagaraju Goruganti } 70554fc587aSNagaraju Goruganti 70654fc587aSNagaraju Goruganti if (property.first == "GroupName") 70754fc587aSNagaraju Goruganti { 708271584abSEd Tanous roleMapData.groupName = *strValue; 70954fc587aSNagaraju Goruganti } 71054fc587aSNagaraju Goruganti else if (property.first == "Privilege") 71154fc587aSNagaraju Goruganti { 712271584abSEd Tanous roleMapData.privilege = *strValue; 71354fc587aSNagaraju Goruganti } 71454fc587aSNagaraju Goruganti } 71554fc587aSNagaraju Goruganti 716002d39b4SEd Tanous confData.groupRoleList.emplace_back(object.first.str, 717002d39b4SEd Tanous roleMapData); 71854fc587aSNagaraju Goruganti } 71954fc587aSNagaraju Goruganti } 72054fc587aSNagaraju Goruganti } 721ab828d7cSRatan Gupta callback(true, confData, ldapType); 72254fc587aSNagaraju Goruganti }, 723002d39b4SEd Tanous service, ldapRootObject, dbusObjManagerIntf, "GetManagedObjects"); 7242b73119cSGeorge Liu }); 7256973a582SRatan Gupta } 7266973a582SRatan Gupta 7278a07d286SRatan Gupta /** 7288a07d286SRatan Gupta * @brief parses the authentication section under the LDAP 7298a07d286SRatan Gupta * @param input JSON data 7308a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7318a07d286SRatan Gupta * @param userName userName to be filled from the given JSON. 7328a07d286SRatan Gupta * @param password password to be filled from the given JSON. 7338a07d286SRatan Gupta */ 7344f48d5f6SEd Tanous inline void parseLDAPAuthenticationJson( 7356c51eab1SEd Tanous nlohmann::json input, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7366c51eab1SEd Tanous std::optional<std::string>& username, std::optional<std::string>& password) 7378a07d286SRatan Gupta { 7388a07d286SRatan Gupta std::optional<std::string> authType; 7398a07d286SRatan Gupta 7408a07d286SRatan Gupta if (!json_util::readJson(input, asyncResp->res, "AuthenticationType", 7418a07d286SRatan Gupta authType, "Username", username, "Password", 7428a07d286SRatan Gupta password)) 7438a07d286SRatan Gupta { 7448a07d286SRatan Gupta return; 7458a07d286SRatan Gupta } 7468a07d286SRatan Gupta if (!authType) 7478a07d286SRatan Gupta { 7488a07d286SRatan Gupta return; 7498a07d286SRatan Gupta } 7508a07d286SRatan Gupta if (*authType != "UsernameAndPassword") 7518a07d286SRatan Gupta { 7528a07d286SRatan Gupta messages::propertyValueNotInList(asyncResp->res, *authType, 7538a07d286SRatan Gupta "AuthenticationType"); 7548a07d286SRatan Gupta return; 7558a07d286SRatan Gupta } 7568a07d286SRatan Gupta } 7578a07d286SRatan Gupta /** 7588a07d286SRatan Gupta * @brief parses the LDAPService section under the LDAP 7598a07d286SRatan Gupta * @param input JSON data 7608a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7618a07d286SRatan Gupta * @param baseDNList baseDN to be filled from the given JSON. 7628a07d286SRatan Gupta * @param userNameAttribute userName to be filled from the given JSON. 7638a07d286SRatan Gupta * @param groupaAttribute password to be filled from the given JSON. 7648a07d286SRatan Gupta */ 7658a07d286SRatan Gupta 7664f48d5f6SEd Tanous inline void 7674f48d5f6SEd Tanous parseLDAPServiceJson(nlohmann::json input, 7688d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7698a07d286SRatan Gupta std::optional<std::vector<std::string>>& baseDNList, 7708a07d286SRatan Gupta std::optional<std::string>& userNameAttribute, 7718a07d286SRatan Gupta std::optional<std::string>& groupsAttribute) 7728a07d286SRatan Gupta { 7738a07d286SRatan Gupta std::optional<nlohmann::json> searchSettings; 7748a07d286SRatan Gupta 7758a07d286SRatan Gupta if (!json_util::readJson(input, asyncResp->res, "SearchSettings", 7768a07d286SRatan Gupta searchSettings)) 7778a07d286SRatan Gupta { 7788a07d286SRatan Gupta return; 7798a07d286SRatan Gupta } 7808a07d286SRatan Gupta if (!searchSettings) 7818a07d286SRatan Gupta { 7828a07d286SRatan Gupta return; 7838a07d286SRatan Gupta } 7848a07d286SRatan Gupta if (!json_util::readJson(*searchSettings, asyncResp->res, 7858a07d286SRatan Gupta "BaseDistinguishedNames", baseDNList, 7868a07d286SRatan Gupta "UsernameAttribute", userNameAttribute, 7878a07d286SRatan Gupta "GroupsAttribute", groupsAttribute)) 7888a07d286SRatan Gupta { 7898a07d286SRatan Gupta return; 7908a07d286SRatan Gupta } 7918a07d286SRatan Gupta } 7928a07d286SRatan Gupta /** 7938a07d286SRatan Gupta * @brief updates the LDAP server address and updates the 7948a07d286SRatan Gupta json response with the new value. 7958a07d286SRatan Gupta * @param serviceAddressList address to be updated. 7968a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7978a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7988a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7998a07d286SRatan Gupta */ 8008a07d286SRatan Gupta 8014f48d5f6SEd Tanous inline void handleServiceAddressPatch( 8028a07d286SRatan Gupta const std::vector<std::string>& serviceAddressList, 8038d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 8048a07d286SRatan Gupta const std::string& ldapServerElementName, 8058a07d286SRatan Gupta const std::string& ldapConfigObject) 8068a07d286SRatan Gupta { 8078a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 8088a07d286SRatan Gupta [asyncResp, ldapServerElementName, 80925e055a3SRavi Teja serviceAddressList](const boost::system::error_code& ec, 81025e055a3SRavi Teja sdbusplus::message::message& msg) { 8118a07d286SRatan Gupta if (ec) 8128a07d286SRatan Gupta { 81325e055a3SRavi Teja const sd_bus_error* dbusError = msg.get_error(); 81425e055a3SRavi Teja if ((dbusError != nullptr) && 81525e055a3SRavi Teja (dbusError->name == 81625e055a3SRavi Teja std::string_view( 81725e055a3SRavi Teja "xyz.openbmc_project.Common.Error.InvalidArgument"))) 81825e055a3SRavi Teja { 81925e055a3SRavi Teja BMCWEB_LOG_WARNING 820c61704abSGunnar Mills << "Error Occurred in updating the service address"; 82125e055a3SRavi Teja messages::propertyValueIncorrect(asyncResp->res, 82225e055a3SRavi Teja "ServiceAddresses", 82325e055a3SRavi Teja serviceAddressList.front()); 82425e055a3SRavi Teja return; 82525e055a3SRavi Teja } 8268a07d286SRatan Gupta messages::internalError(asyncResp->res); 8278a07d286SRatan Gupta return; 8288a07d286SRatan Gupta } 8298a07d286SRatan Gupta std::vector<std::string> modifiedserviceAddressList = { 8308a07d286SRatan Gupta serviceAddressList.front()}; 831002d39b4SEd Tanous asyncResp->res.jsonValue[ldapServerElementName]["ServiceAddresses"] = 8328a07d286SRatan Gupta modifiedserviceAddressList; 8338a07d286SRatan Gupta if ((serviceAddressList).size() > 1) 8348a07d286SRatan Gupta { 835002d39b4SEd Tanous messages::propertyValueModified(asyncResp->res, "ServiceAddresses", 8368a07d286SRatan Gupta serviceAddressList.front()); 8378a07d286SRatan Gupta } 8388a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the service address"; 8398a07d286SRatan Gupta }, 8408a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 8418a07d286SRatan Gupta ldapConfigInterface, "LDAPServerURI", 842168e20c1SEd Tanous dbus::utility::DbusVariantType(serviceAddressList.front())); 8438a07d286SRatan Gupta } 8448a07d286SRatan Gupta /** 8458a07d286SRatan Gupta * @brief updates the LDAP Bind DN and updates the 8468a07d286SRatan Gupta json response with the new value. 8478a07d286SRatan Gupta * @param username name of the user which needs to be updated. 8488a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 8498a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 8508a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 8518a07d286SRatan Gupta */ 8528a07d286SRatan Gupta 8534f48d5f6SEd Tanous inline void 8544f48d5f6SEd Tanous handleUserNamePatch(const std::string& username, 8558d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 8568a07d286SRatan Gupta const std::string& ldapServerElementName, 8578a07d286SRatan Gupta const std::string& ldapConfigObject) 8588a07d286SRatan Gupta { 8598a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 8608a07d286SRatan Gupta [asyncResp, username, 8615e7e2dc5SEd Tanous ldapServerElementName](const boost::system::error_code& ec) { 8628a07d286SRatan Gupta if (ec) 8638a07d286SRatan Gupta { 8646c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Error occurred in updating the username"; 8658a07d286SRatan Gupta messages::internalError(asyncResp->res); 8668a07d286SRatan Gupta return; 8678a07d286SRatan Gupta } 86889492a15SPatrick Williams asyncResp->res.jsonValue[ldapServerElementName]["Authentication"] 86989492a15SPatrick Williams ["Username"] = username; 8708a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the username"; 8718a07d286SRatan Gupta }, 8728a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 873168e20c1SEd Tanous ldapConfigInterface, "LDAPBindDN", 874168e20c1SEd Tanous dbus::utility::DbusVariantType(username)); 8758a07d286SRatan Gupta } 8768a07d286SRatan Gupta 8778a07d286SRatan Gupta /** 8788a07d286SRatan Gupta * @brief updates the LDAP password 8798a07d286SRatan Gupta * @param password : ldap password which needs to be updated. 8808a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 8818a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 8828a07d286SRatan Gupta * server(openLDAP/ActiveDirectory) 8838a07d286SRatan Gupta */ 8848a07d286SRatan Gupta 8854f48d5f6SEd Tanous inline void 8864f48d5f6SEd Tanous handlePasswordPatch(const std::string& password, 8878d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 8888a07d286SRatan Gupta const std::string& ldapServerElementName, 8898a07d286SRatan Gupta const std::string& ldapConfigObject) 8908a07d286SRatan Gupta { 8918a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 8928a07d286SRatan Gupta [asyncResp, password, 8935e7e2dc5SEd Tanous ldapServerElementName](const boost::system::error_code& ec) { 8948a07d286SRatan Gupta if (ec) 8958a07d286SRatan Gupta { 8966c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Error occurred in updating the password"; 8978a07d286SRatan Gupta messages::internalError(asyncResp->res); 8988a07d286SRatan Gupta return; 8998a07d286SRatan Gupta } 90089492a15SPatrick Williams asyncResp->res.jsonValue[ldapServerElementName]["Authentication"] 90189492a15SPatrick Williams ["Password"] = ""; 9028a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the password"; 9038a07d286SRatan Gupta }, 9048a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 9058a07d286SRatan Gupta ldapConfigInterface, "LDAPBindDNPassword", 906168e20c1SEd Tanous dbus::utility::DbusVariantType(password)); 9078a07d286SRatan Gupta } 9088a07d286SRatan Gupta 9098a07d286SRatan Gupta /** 9108a07d286SRatan Gupta * @brief updates the LDAP BaseDN and updates the 9118a07d286SRatan Gupta json response with the new value. 9128a07d286SRatan Gupta * @param baseDNList baseDN list which needs to be updated. 9138a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 9148a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 9158a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 9168a07d286SRatan Gupta */ 9178a07d286SRatan Gupta 9184f48d5f6SEd Tanous inline void 9194f48d5f6SEd Tanous handleBaseDNPatch(const std::vector<std::string>& baseDNList, 9208d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 9218a07d286SRatan Gupta const std::string& ldapServerElementName, 9228a07d286SRatan Gupta const std::string& ldapConfigObject) 9238a07d286SRatan Gupta { 9248a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 9258a07d286SRatan Gupta [asyncResp, baseDNList, 92625e055a3SRavi Teja ldapServerElementName](const boost::system::error_code& ec, 92725e055a3SRavi Teja const sdbusplus::message::message& msg) { 9288a07d286SRatan Gupta if (ec) 9298a07d286SRatan Gupta { 9306c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Error Occurred in Updating the base DN"; 93125e055a3SRavi Teja const sd_bus_error* dbusError = msg.get_error(); 93225e055a3SRavi Teja if ((dbusError != nullptr) && 93325e055a3SRavi Teja (dbusError->name == 93425e055a3SRavi Teja std::string_view( 93525e055a3SRavi Teja "xyz.openbmc_project.Common.Error.InvalidArgument"))) 93625e055a3SRavi Teja { 93725e055a3SRavi Teja messages::propertyValueIncorrect(asyncResp->res, 93825e055a3SRavi Teja "BaseDistinguishedNames", 93925e055a3SRavi Teja baseDNList.front()); 94025e055a3SRavi Teja return; 94125e055a3SRavi Teja } 9428a07d286SRatan Gupta messages::internalError(asyncResp->res); 9438a07d286SRatan Gupta return; 9448a07d286SRatan Gupta } 945002d39b4SEd Tanous auto& serverTypeJson = asyncResp->res.jsonValue[ldapServerElementName]; 9468a07d286SRatan Gupta auto& searchSettingsJson = 9478a07d286SRatan Gupta serverTypeJson["LDAPService"]["SearchSettings"]; 9486c51eab1SEd Tanous std::vector<std::string> modifiedBaseDNList = {baseDNList.front()}; 9496c51eab1SEd Tanous searchSettingsJson["BaseDistinguishedNames"] = modifiedBaseDNList; 9508a07d286SRatan Gupta if (baseDNList.size() > 1) 9518a07d286SRatan Gupta { 952002d39b4SEd Tanous messages::propertyValueModified( 953002d39b4SEd Tanous asyncResp->res, "BaseDistinguishedNames", baseDNList.front()); 9548a07d286SRatan Gupta } 9558a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the base DN"; 9568a07d286SRatan Gupta }, 9578a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 9588a07d286SRatan Gupta ldapConfigInterface, "LDAPBaseDN", 959168e20c1SEd Tanous dbus::utility::DbusVariantType(baseDNList.front())); 9608a07d286SRatan Gupta } 9618a07d286SRatan Gupta /** 9628a07d286SRatan Gupta * @brief updates the LDAP user name attribute and updates the 9638a07d286SRatan Gupta json response with the new value. 9648a07d286SRatan Gupta * @param userNameAttribute attribute to be updated. 9658a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 9668a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 9678a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 9688a07d286SRatan Gupta */ 9698a07d286SRatan Gupta 9704f48d5f6SEd Tanous inline void 9714f48d5f6SEd Tanous handleUserNameAttrPatch(const std::string& userNameAttribute, 9728d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 9738a07d286SRatan Gupta const std::string& ldapServerElementName, 9748a07d286SRatan Gupta const std::string& ldapConfigObject) 9758a07d286SRatan Gupta { 9768a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 9778a07d286SRatan Gupta [asyncResp, userNameAttribute, 9785e7e2dc5SEd Tanous ldapServerElementName](const boost::system::error_code& ec) { 9798a07d286SRatan Gupta if (ec) 9808a07d286SRatan Gupta { 981c61704abSGunnar Mills BMCWEB_LOG_DEBUG << "Error Occurred in Updating the " 9828a07d286SRatan Gupta "username attribute"; 9838a07d286SRatan Gupta messages::internalError(asyncResp->res); 9848a07d286SRatan Gupta return; 9858a07d286SRatan Gupta } 986002d39b4SEd Tanous auto& serverTypeJson = asyncResp->res.jsonValue[ldapServerElementName]; 9878a07d286SRatan Gupta auto& searchSettingsJson = 9888a07d286SRatan Gupta serverTypeJson["LDAPService"]["SearchSettings"]; 9898a07d286SRatan Gupta searchSettingsJson["UsernameAttribute"] = userNameAttribute; 9908a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the user name attr."; 9918a07d286SRatan Gupta }, 9928a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 9938a07d286SRatan Gupta ldapConfigInterface, "UserNameAttribute", 994168e20c1SEd Tanous dbus::utility::DbusVariantType(userNameAttribute)); 9958a07d286SRatan Gupta } 9968a07d286SRatan Gupta /** 9978a07d286SRatan Gupta * @brief updates the LDAP group attribute and updates the 9988a07d286SRatan Gupta json response with the new value. 9998a07d286SRatan Gupta * @param groupsAttribute attribute to be updated. 10008a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 10018a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 10028a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 10038a07d286SRatan Gupta */ 10048a07d286SRatan Gupta 10054f48d5f6SEd Tanous inline void handleGroupNameAttrPatch( 10068d1b46d7Szhanghch05 const std::string& groupsAttribute, 10078d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 10088a07d286SRatan Gupta const std::string& ldapServerElementName, 10098a07d286SRatan Gupta const std::string& ldapConfigObject) 10108a07d286SRatan Gupta { 10118a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 10128a07d286SRatan Gupta [asyncResp, groupsAttribute, 10135e7e2dc5SEd Tanous ldapServerElementName](const boost::system::error_code& ec) { 10148a07d286SRatan Gupta if (ec) 10158a07d286SRatan Gupta { 1016c61704abSGunnar Mills BMCWEB_LOG_DEBUG << "Error Occurred in Updating the " 10178a07d286SRatan Gupta "groupname attribute"; 10188a07d286SRatan Gupta messages::internalError(asyncResp->res); 10198a07d286SRatan Gupta return; 10208a07d286SRatan Gupta } 1021002d39b4SEd Tanous auto& serverTypeJson = asyncResp->res.jsonValue[ldapServerElementName]; 10228a07d286SRatan Gupta auto& searchSettingsJson = 10238a07d286SRatan Gupta serverTypeJson["LDAPService"]["SearchSettings"]; 10248a07d286SRatan Gupta searchSettingsJson["GroupsAttribute"] = groupsAttribute; 10258a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the groupname attr"; 10268a07d286SRatan Gupta }, 10278a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 10288a07d286SRatan Gupta ldapConfigInterface, "GroupNameAttribute", 1029168e20c1SEd Tanous dbus::utility::DbusVariantType(groupsAttribute)); 10308a07d286SRatan Gupta } 10318a07d286SRatan Gupta /** 10328a07d286SRatan Gupta * @brief updates the LDAP service enable and updates the 10338a07d286SRatan Gupta json response with the new value. 10348a07d286SRatan Gupta * @param input JSON data. 10358a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 10368a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 10378a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 10388a07d286SRatan Gupta */ 10398a07d286SRatan Gupta 10404f48d5f6SEd Tanous inline void handleServiceEnablePatch( 10416c51eab1SEd Tanous bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 10428a07d286SRatan Gupta const std::string& ldapServerElementName, 10438a07d286SRatan Gupta const std::string& ldapConfigObject) 10448a07d286SRatan Gupta { 10458a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 10468a07d286SRatan Gupta [asyncResp, serviceEnabled, 10475e7e2dc5SEd Tanous ldapServerElementName](const boost::system::error_code& ec) { 10488a07d286SRatan Gupta if (ec) 10498a07d286SRatan Gupta { 1050002d39b4SEd Tanous BMCWEB_LOG_DEBUG << "Error Occurred in Updating the service enable"; 10518a07d286SRatan Gupta messages::internalError(asyncResp->res); 10528a07d286SRatan Gupta return; 10538a07d286SRatan Gupta } 10546c51eab1SEd Tanous asyncResp->res.jsonValue[ldapServerElementName]["ServiceEnabled"] = 10558a07d286SRatan Gupta serviceEnabled; 10566c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Updated Service enable = " << serviceEnabled; 10578a07d286SRatan Gupta }, 10588a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 1059168e20c1SEd Tanous ldapEnableInterface, "Enabled", 1060168e20c1SEd Tanous dbus::utility::DbusVariantType(serviceEnabled)); 10618a07d286SRatan Gupta } 10628a07d286SRatan Gupta 10634f48d5f6SEd Tanous inline void 10644f48d5f6SEd Tanous handleAuthMethodsPatch(nlohmann::json& input, 10658d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 106678158631SZbigniew Kurzynski { 106778158631SZbigniew Kurzynski std::optional<bool> basicAuth; 106878158631SZbigniew Kurzynski std::optional<bool> cookie; 106978158631SZbigniew Kurzynski std::optional<bool> sessionToken; 107078158631SZbigniew Kurzynski std::optional<bool> xToken; 1071501f1e58SZbigniew Kurzynski std::optional<bool> tls; 107278158631SZbigniew Kurzynski 107378158631SZbigniew Kurzynski if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth, 107478158631SZbigniew Kurzynski "Cookie", cookie, "SessionToken", sessionToken, 1075501f1e58SZbigniew Kurzynski "XToken", xToken, "TLS", tls)) 107678158631SZbigniew Kurzynski { 107778158631SZbigniew Kurzynski BMCWEB_LOG_ERROR << "Cannot read values from AuthMethod tag"; 107878158631SZbigniew Kurzynski return; 107978158631SZbigniew Kurzynski } 108078158631SZbigniew Kurzynski 108178158631SZbigniew Kurzynski // Make a copy of methods configuration 108252cc112dSEd Tanous persistent_data::AuthConfigMethods authMethodsConfig = 108352cc112dSEd Tanous persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 108478158631SZbigniew Kurzynski 108578158631SZbigniew Kurzynski if (basicAuth) 108678158631SZbigniew Kurzynski { 1087f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_BASIC_AUTHENTICATION 1088f16f6263SAlan Kuo messages::actionNotSupported( 10890fda0f12SGeorge Liu asyncResp->res, 10900fda0f12SGeorge Liu "Setting BasicAuth when basic-auth feature is disabled"); 1091f16f6263SAlan Kuo return; 1092f16f6263SAlan Kuo #endif 109378158631SZbigniew Kurzynski authMethodsConfig.basic = *basicAuth; 109478158631SZbigniew Kurzynski } 109578158631SZbigniew Kurzynski 109678158631SZbigniew Kurzynski if (cookie) 109778158631SZbigniew Kurzynski { 1098f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_COOKIE_AUTHENTICATION 10990fda0f12SGeorge Liu messages::actionNotSupported( 11000fda0f12SGeorge Liu asyncResp->res, 11010fda0f12SGeorge Liu "Setting Cookie when cookie-auth feature is disabled"); 1102f16f6263SAlan Kuo return; 1103f16f6263SAlan Kuo #endif 110478158631SZbigniew Kurzynski authMethodsConfig.cookie = *cookie; 110578158631SZbigniew Kurzynski } 110678158631SZbigniew Kurzynski 110778158631SZbigniew Kurzynski if (sessionToken) 110878158631SZbigniew Kurzynski { 1109f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_SESSION_AUTHENTICATION 1110f16f6263SAlan Kuo messages::actionNotSupported( 11110fda0f12SGeorge Liu asyncResp->res, 11120fda0f12SGeorge Liu "Setting SessionToken when session-auth feature is disabled"); 1113f16f6263SAlan Kuo return; 1114f16f6263SAlan Kuo #endif 111578158631SZbigniew Kurzynski authMethodsConfig.sessionToken = *sessionToken; 111678158631SZbigniew Kurzynski } 111778158631SZbigniew Kurzynski 111878158631SZbigniew Kurzynski if (xToken) 111978158631SZbigniew Kurzynski { 1120f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION 11210fda0f12SGeorge Liu messages::actionNotSupported( 11220fda0f12SGeorge Liu asyncResp->res, 11230fda0f12SGeorge Liu "Setting XToken when xtoken-auth feature is disabled"); 1124f16f6263SAlan Kuo return; 1125f16f6263SAlan Kuo #endif 112678158631SZbigniew Kurzynski authMethodsConfig.xtoken = *xToken; 112778158631SZbigniew Kurzynski } 112878158631SZbigniew Kurzynski 1129501f1e58SZbigniew Kurzynski if (tls) 1130501f1e58SZbigniew Kurzynski { 1131f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION 11320fda0f12SGeorge Liu messages::actionNotSupported( 11330fda0f12SGeorge Liu asyncResp->res, 11340fda0f12SGeorge Liu "Setting TLS when mutual-tls-auth feature is disabled"); 1135f16f6263SAlan Kuo return; 1136f16f6263SAlan Kuo #endif 1137501f1e58SZbigniew Kurzynski authMethodsConfig.tls = *tls; 1138501f1e58SZbigniew Kurzynski } 1139501f1e58SZbigniew Kurzynski 114078158631SZbigniew Kurzynski if (!authMethodsConfig.basic && !authMethodsConfig.cookie && 1141501f1e58SZbigniew Kurzynski !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken && 1142501f1e58SZbigniew Kurzynski !authMethodsConfig.tls) 114378158631SZbigniew Kurzynski { 114478158631SZbigniew Kurzynski // Do not allow user to disable everything 114578158631SZbigniew Kurzynski messages::actionNotSupported(asyncResp->res, 114678158631SZbigniew Kurzynski "of disabling all available methods"); 114778158631SZbigniew Kurzynski return; 114878158631SZbigniew Kurzynski } 114978158631SZbigniew Kurzynski 115052cc112dSEd Tanous persistent_data::SessionStore::getInstance().updateAuthMethodsConfig( 115152cc112dSEd Tanous authMethodsConfig); 115278158631SZbigniew Kurzynski // Save configuration immediately 115352cc112dSEd Tanous persistent_data::getConfig().writeData(); 115478158631SZbigniew Kurzynski 115578158631SZbigniew Kurzynski messages::success(asyncResp->res); 115678158631SZbigniew Kurzynski } 115778158631SZbigniew Kurzynski 11588a07d286SRatan Gupta /** 11598a07d286SRatan Gupta * @brief Get the required values from the given JSON, validates the 11608a07d286SRatan Gupta * value and create the LDAP config object. 11618a07d286SRatan Gupta * @param input JSON data 11628a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 11638a07d286SRatan Gupta * @param serverType Type of LDAP server(openLDAP/ActiveDirectory) 11648a07d286SRatan Gupta */ 11658a07d286SRatan Gupta 11666c51eab1SEd Tanous inline void handleLDAPPatch(nlohmann::json& input, 11678d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 11688a07d286SRatan Gupta const std::string& serverType) 11698a07d286SRatan Gupta { 1170eb2bbe56SRatan Gupta std::string dbusObjectPath; 1171eb2bbe56SRatan Gupta if (serverType == "ActiveDirectory") 1172eb2bbe56SRatan Gupta { 11732c70f800SEd Tanous dbusObjectPath = adConfigObject; 1174eb2bbe56SRatan Gupta } 1175eb2bbe56SRatan Gupta else if (serverType == "LDAP") 1176eb2bbe56SRatan Gupta { 117723a21a1cSEd Tanous dbusObjectPath = ldapConfigObjectName; 1178eb2bbe56SRatan Gupta } 1179cb13a392SEd Tanous else 1180cb13a392SEd Tanous { 1181cb13a392SEd Tanous return; 1182cb13a392SEd Tanous } 1183eb2bbe56SRatan Gupta 11848a07d286SRatan Gupta std::optional<nlohmann::json> authentication; 11858a07d286SRatan Gupta std::optional<nlohmann::json> ldapService; 11868a07d286SRatan Gupta std::optional<std::vector<std::string>> serviceAddressList; 11878a07d286SRatan Gupta std::optional<bool> serviceEnabled; 11888a07d286SRatan Gupta std::optional<std::vector<std::string>> baseDNList; 11898a07d286SRatan Gupta std::optional<std::string> userNameAttribute; 11908a07d286SRatan Gupta std::optional<std::string> groupsAttribute; 11918a07d286SRatan Gupta std::optional<std::string> userName; 11928a07d286SRatan Gupta std::optional<std::string> password; 119306785244SRatan Gupta std::optional<std::vector<nlohmann::json>> remoteRoleMapData; 11948a07d286SRatan Gupta 11958a07d286SRatan Gupta if (!json_util::readJson(input, asyncResp->res, "Authentication", 11968a07d286SRatan Gupta authentication, "LDAPService", ldapService, 11978a07d286SRatan Gupta "ServiceAddresses", serviceAddressList, 119806785244SRatan Gupta "ServiceEnabled", serviceEnabled, 119906785244SRatan Gupta "RemoteRoleMapping", remoteRoleMapData)) 12008a07d286SRatan Gupta { 12018a07d286SRatan Gupta return; 12028a07d286SRatan Gupta } 12038a07d286SRatan Gupta 12048a07d286SRatan Gupta if (authentication) 12058a07d286SRatan Gupta { 12068a07d286SRatan Gupta parseLDAPAuthenticationJson(*authentication, asyncResp, userName, 12078a07d286SRatan Gupta password); 12088a07d286SRatan Gupta } 12098a07d286SRatan Gupta if (ldapService) 12108a07d286SRatan Gupta { 12118a07d286SRatan Gupta parseLDAPServiceJson(*ldapService, asyncResp, baseDNList, 12128a07d286SRatan Gupta userNameAttribute, groupsAttribute); 12138a07d286SRatan Gupta } 12148a07d286SRatan Gupta if (serviceAddressList) 12158a07d286SRatan Gupta { 121626f6976fSEd Tanous if (serviceAddressList->empty()) 12178a07d286SRatan Gupta { 12188a07d286SRatan Gupta messages::propertyValueNotInList(asyncResp->res, "[]", 12198a07d286SRatan Gupta "ServiceAddress"); 12208a07d286SRatan Gupta return; 12218a07d286SRatan Gupta } 12228a07d286SRatan Gupta } 12238a07d286SRatan Gupta if (baseDNList) 12248a07d286SRatan Gupta { 122526f6976fSEd Tanous if (baseDNList->empty()) 12268a07d286SRatan Gupta { 12278a07d286SRatan Gupta messages::propertyValueNotInList(asyncResp->res, "[]", 12288a07d286SRatan Gupta "BaseDistinguishedNames"); 12298a07d286SRatan Gupta return; 12308a07d286SRatan Gupta } 12318a07d286SRatan Gupta } 12328a07d286SRatan Gupta 12338a07d286SRatan Gupta // nothing to update, then return 12348a07d286SRatan Gupta if (!userName && !password && !serviceAddressList && !baseDNList && 123506785244SRatan Gupta !userNameAttribute && !groupsAttribute && !serviceEnabled && 123606785244SRatan Gupta !remoteRoleMapData) 12378a07d286SRatan Gupta { 12388a07d286SRatan Gupta return; 12398a07d286SRatan Gupta } 12408a07d286SRatan Gupta 12418a07d286SRatan Gupta // Get the existing resource first then keep modifying 12428a07d286SRatan Gupta // whenever any property gets updated. 1243002d39b4SEd Tanous getLDAPConfigData( 1244002d39b4SEd Tanous serverType, 1245002d39b4SEd Tanous [asyncResp, userName, password, baseDNList, userNameAttribute, 1246002d39b4SEd Tanous groupsAttribute, serviceAddressList, serviceEnabled, dbusObjectPath, 1247002d39b4SEd Tanous remoteRoleMapData](bool success, const LDAPConfigData& confData, 124823a21a1cSEd Tanous const std::string& serverT) { 12498a07d286SRatan Gupta if (!success) 12508a07d286SRatan Gupta { 12518a07d286SRatan Gupta messages::internalError(asyncResp->res); 12528a07d286SRatan Gupta return; 12538a07d286SRatan Gupta } 12546c51eab1SEd Tanous parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT); 12558a07d286SRatan Gupta if (confData.serviceEnabled) 12568a07d286SRatan Gupta { 12578a07d286SRatan Gupta // Disable the service first and update the rest of 12588a07d286SRatan Gupta // the properties. 12596c51eab1SEd Tanous handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath); 12608a07d286SRatan Gupta } 12618a07d286SRatan Gupta 12628a07d286SRatan Gupta if (serviceAddressList) 12638a07d286SRatan Gupta { 12646c51eab1SEd Tanous handleServiceAddressPatch(*serviceAddressList, asyncResp, serverT, 12656c51eab1SEd Tanous dbusObjectPath); 12668a07d286SRatan Gupta } 12678a07d286SRatan Gupta if (userName) 12688a07d286SRatan Gupta { 12696c51eab1SEd Tanous handleUserNamePatch(*userName, asyncResp, serverT, dbusObjectPath); 12708a07d286SRatan Gupta } 12718a07d286SRatan Gupta if (password) 12728a07d286SRatan Gupta { 12736c51eab1SEd Tanous handlePasswordPatch(*password, asyncResp, serverT, dbusObjectPath); 12748a07d286SRatan Gupta } 12758a07d286SRatan Gupta 12768a07d286SRatan Gupta if (baseDNList) 12778a07d286SRatan Gupta { 12786c51eab1SEd Tanous handleBaseDNPatch(*baseDNList, asyncResp, serverT, dbusObjectPath); 12798a07d286SRatan Gupta } 12808a07d286SRatan Gupta if (userNameAttribute) 12818a07d286SRatan Gupta { 12826c51eab1SEd Tanous handleUserNameAttrPatch(*userNameAttribute, asyncResp, serverT, 12836c51eab1SEd Tanous dbusObjectPath); 12848a07d286SRatan Gupta } 12858a07d286SRatan Gupta if (groupsAttribute) 12868a07d286SRatan Gupta { 12876c51eab1SEd Tanous handleGroupNameAttrPatch(*groupsAttribute, asyncResp, serverT, 12886c51eab1SEd Tanous dbusObjectPath); 12898a07d286SRatan Gupta } 12908a07d286SRatan Gupta if (serviceEnabled) 12918a07d286SRatan Gupta { 12928a07d286SRatan Gupta // if user has given the value as true then enable 12938a07d286SRatan Gupta // the service. if user has given false then no-op 12948a07d286SRatan Gupta // as service is already stopped. 12958a07d286SRatan Gupta if (*serviceEnabled) 12968a07d286SRatan Gupta { 12976c51eab1SEd Tanous handleServiceEnablePatch(*serviceEnabled, asyncResp, serverT, 12986c51eab1SEd Tanous dbusObjectPath); 12998a07d286SRatan Gupta } 13008a07d286SRatan Gupta } 13018a07d286SRatan Gupta else 13028a07d286SRatan Gupta { 13038a07d286SRatan Gupta // if user has not given the service enabled value 13048a07d286SRatan Gupta // then revert it to the same state as it was 13058a07d286SRatan Gupta // before. 13068a07d286SRatan Gupta handleServiceEnablePatch(confData.serviceEnabled, asyncResp, 130723a21a1cSEd Tanous serverT, dbusObjectPath); 13088a07d286SRatan Gupta } 130906785244SRatan Gupta 131006785244SRatan Gupta if (remoteRoleMapData) 131106785244SRatan Gupta { 13126c51eab1SEd Tanous handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT, 13136c51eab1SEd Tanous *remoteRoleMapData); 131406785244SRatan Gupta } 13158a07d286SRatan Gupta }); 13168a07d286SRatan Gupta } 1317d4b5443fSEd Tanous 131858345856SAbhishek Patel inline void updateUserProperties( 131958345856SAbhishek Patel std::shared_ptr<bmcweb::AsyncResp> asyncResp, const std::string& username, 1320618c14b4SEd Tanous const std::optional<std::string>& password, 1321618c14b4SEd Tanous const std::optional<bool>& enabled, 132258345856SAbhishek Patel const std::optional<std::string>& roleId, const std::optional<bool>& locked, 132358345856SAbhishek Patel std::optional<std::vector<std::string>> accountTypes, bool userSelf) 13241abe55efSEd Tanous { 1325b477fd44SP Dheeraj Srujan Kumar sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 1326b477fd44SP Dheeraj Srujan Kumar tempObjPath /= username; 1327b477fd44SP Dheeraj Srujan Kumar std::string dbusObjectPath(tempObjPath); 13286c51eab1SEd Tanous 13296c51eab1SEd Tanous dbus::utility::checkDbusPathExists( 1330618c14b4SEd Tanous dbusObjectPath, [dbusObjectPath, username, password, roleId, enabled, 133158345856SAbhishek Patel locked, accountTypes(std::move(accountTypes)), 133258345856SAbhishek Patel userSelf, asyncResp{std::move(asyncResp)}](int rc) { 1333e662eae8SEd Tanous if (rc <= 0) 13346c51eab1SEd Tanous { 1335d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", 13366c51eab1SEd Tanous username); 13376c51eab1SEd Tanous return; 13386c51eab1SEd Tanous } 13396c51eab1SEd Tanous 13406c51eab1SEd Tanous if (password) 13416c51eab1SEd Tanous { 13426c51eab1SEd Tanous int retval = pamUpdatePassword(username, *password); 13436c51eab1SEd Tanous 13446c51eab1SEd Tanous if (retval == PAM_USER_UNKNOWN) 13456c51eab1SEd Tanous { 1346d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", 13476c51eab1SEd Tanous username); 13486c51eab1SEd Tanous } 13496c51eab1SEd Tanous else if (retval == PAM_AUTHTOK_ERR) 13506c51eab1SEd Tanous { 13516c51eab1SEd Tanous // If password is invalid 1352618c14b4SEd Tanous messages::propertyValueFormatError(asyncResp->res, 1353618c14b4SEd Tanous *password, "Password"); 13546c51eab1SEd Tanous BMCWEB_LOG_ERROR << "pamUpdatePassword Failed"; 13556c51eab1SEd Tanous } 13566c51eab1SEd Tanous else if (retval != PAM_SUCCESS) 13576c51eab1SEd Tanous { 13586c51eab1SEd Tanous messages::internalError(asyncResp->res); 13596c51eab1SEd Tanous return; 13606c51eab1SEd Tanous } 1361e7b1b62bSEd Tanous else 1362e7b1b62bSEd Tanous { 1363e7b1b62bSEd Tanous messages::success(asyncResp->res); 1364e7b1b62bSEd Tanous } 13656c51eab1SEd Tanous } 13666c51eab1SEd Tanous 13676c51eab1SEd Tanous if (enabled) 13686c51eab1SEd Tanous { 13696c51eab1SEd Tanous crow::connections::systemBus->async_method_call( 13705e7e2dc5SEd Tanous [asyncResp](const boost::system::error_code& ec) { 13716c51eab1SEd Tanous if (ec) 13726c51eab1SEd Tanous { 13736c51eab1SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec; 13746c51eab1SEd Tanous messages::internalError(asyncResp->res); 13756c51eab1SEd Tanous return; 13766c51eab1SEd Tanous } 13776c51eab1SEd Tanous messages::success(asyncResp->res); 13786c51eab1SEd Tanous return; 13796c51eab1SEd Tanous }, 1380e05aec50SEd Tanous "xyz.openbmc_project.User.Manager", dbusObjectPath, 13816c51eab1SEd Tanous "org.freedesktop.DBus.Properties", "Set", 13826c51eab1SEd Tanous "xyz.openbmc_project.User.Attributes", "UserEnabled", 1383168e20c1SEd Tanous dbus::utility::DbusVariantType{*enabled}); 13846c51eab1SEd Tanous } 13856c51eab1SEd Tanous 13866c51eab1SEd Tanous if (roleId) 13876c51eab1SEd Tanous { 13886c51eab1SEd Tanous std::string priv = getPrivilegeFromRoleId(*roleId); 13896c51eab1SEd Tanous if (priv.empty()) 13906c51eab1SEd Tanous { 13916c51eab1SEd Tanous messages::propertyValueNotInList(asyncResp->res, *roleId, 13926c51eab1SEd Tanous "RoleId"); 13936c51eab1SEd Tanous return; 13946c51eab1SEd Tanous } 13956c51eab1SEd Tanous 13966c51eab1SEd Tanous crow::connections::systemBus->async_method_call( 13975e7e2dc5SEd Tanous [asyncResp](const boost::system::error_code& ec) { 13986c51eab1SEd Tanous if (ec) 13996c51eab1SEd Tanous { 14006c51eab1SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec; 14016c51eab1SEd Tanous messages::internalError(asyncResp->res); 14026c51eab1SEd Tanous return; 14036c51eab1SEd Tanous } 14046c51eab1SEd Tanous messages::success(asyncResp->res); 14056c51eab1SEd Tanous }, 1406e05aec50SEd Tanous "xyz.openbmc_project.User.Manager", dbusObjectPath, 14076c51eab1SEd Tanous "org.freedesktop.DBus.Properties", "Set", 14086c51eab1SEd Tanous "xyz.openbmc_project.User.Attributes", "UserPrivilege", 1409168e20c1SEd Tanous dbus::utility::DbusVariantType{priv}); 14106c51eab1SEd Tanous } 14116c51eab1SEd Tanous 14126c51eab1SEd Tanous if (locked) 14136c51eab1SEd Tanous { 14146c51eab1SEd Tanous // admin can unlock the account which is locked by 14156c51eab1SEd Tanous // successive authentication failures but admin should 14166c51eab1SEd Tanous // not be allowed to lock an account. 14176c51eab1SEd Tanous if (*locked) 14186c51eab1SEd Tanous { 14196c51eab1SEd Tanous messages::propertyValueNotInList(asyncResp->res, "true", 14206c51eab1SEd Tanous "Locked"); 14216c51eab1SEd Tanous return; 14226c51eab1SEd Tanous } 14236c51eab1SEd Tanous 14246c51eab1SEd Tanous crow::connections::systemBus->async_method_call( 14255e7e2dc5SEd Tanous [asyncResp](const boost::system::error_code& ec) { 14266c51eab1SEd Tanous if (ec) 14276c51eab1SEd Tanous { 14286c51eab1SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec; 14296c51eab1SEd Tanous messages::internalError(asyncResp->res); 14306c51eab1SEd Tanous return; 14316c51eab1SEd Tanous } 14326c51eab1SEd Tanous messages::success(asyncResp->res); 14336c51eab1SEd Tanous return; 14346c51eab1SEd Tanous }, 1435e05aec50SEd Tanous "xyz.openbmc_project.User.Manager", dbusObjectPath, 14366c51eab1SEd Tanous "org.freedesktop.DBus.Properties", "Set", 14376c51eab1SEd Tanous "xyz.openbmc_project.User.Attributes", 1438168e20c1SEd Tanous "UserLockedForFailedAttempt", 1439168e20c1SEd Tanous dbus::utility::DbusVariantType{*locked}); 14406c51eab1SEd Tanous } 144158345856SAbhishek Patel 144258345856SAbhishek Patel if (accountTypes) 144358345856SAbhishek Patel { 144458345856SAbhishek Patel patchAccountTypes(*accountTypes, asyncResp, dbusObjectPath, 144558345856SAbhishek Patel userSelf); 144658345856SAbhishek Patel } 14476c51eab1SEd Tanous }); 14486c51eab1SEd Tanous } 14496c51eab1SEd Tanous 14504c7d4d33SEd Tanous inline void handleAccountServiceHead( 14514c7d4d33SEd Tanous App& app, const crow::Request& req, 14521ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 14536c51eab1SEd Tanous { 14543ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 145545ca1b86SEd Tanous { 145645ca1b86SEd Tanous return; 145745ca1b86SEd Tanous } 14584c7d4d33SEd Tanous asyncResp->res.addHeader( 14594c7d4d33SEd Tanous boost::beast::http::field::link, 14604c7d4d33SEd Tanous "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby"); 14614c7d4d33SEd Tanous } 14624c7d4d33SEd Tanous 14634c7d4d33SEd Tanous inline void 14644c7d4d33SEd Tanous handleAccountServiceGet(App& app, const crow::Request& req, 14654c7d4d33SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 14664c7d4d33SEd Tanous { 1467afd369c6SJiaqing Zhao if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1468afd369c6SJiaqing Zhao { 1469afd369c6SJiaqing Zhao return; 1470afd369c6SJiaqing Zhao } 14713e72c202SNinad Palsule 14723e72c202SNinad Palsule if (req.session == nullptr) 14733e72c202SNinad Palsule { 14743e72c202SNinad Palsule messages::internalError(asyncResp->res); 14753e72c202SNinad Palsule return; 14763e72c202SNinad Palsule } 14773e72c202SNinad Palsule 1478afd369c6SJiaqing Zhao asyncResp->res.addHeader( 1479afd369c6SJiaqing Zhao boost::beast::http::field::link, 1480afd369c6SJiaqing Zhao "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby"); 1481afd369c6SJiaqing Zhao 148252cc112dSEd Tanous const persistent_data::AuthConfigMethods& authMethodsConfig = 14831ef4c342SEd Tanous persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 148478158631SZbigniew Kurzynski 14851476687dSEd Tanous nlohmann::json& json = asyncResp->res.jsonValue; 14861476687dSEd Tanous json["@odata.id"] = "/redfish/v1/AccountService"; 14871476687dSEd Tanous json["@odata.type"] = "#AccountService." 14881476687dSEd Tanous "v1_10_0.AccountService"; 14891476687dSEd Tanous json["Id"] = "AccountService"; 14901476687dSEd Tanous json["Name"] = "Account Service"; 14911476687dSEd Tanous json["Description"] = "Account Service"; 14921476687dSEd Tanous json["ServiceEnabled"] = true; 14931476687dSEd Tanous json["MaxPasswordLength"] = 20; 14941ef4c342SEd Tanous json["Accounts"]["@odata.id"] = "/redfish/v1/AccountService/Accounts"; 14951476687dSEd Tanous json["Roles"]["@odata.id"] = "/redfish/v1/AccountService/Roles"; 14961476687dSEd Tanous json["Oem"]["OpenBMC"]["@odata.type"] = 14975b5574acSEd Tanous "#OpenBMCAccountService.v1_0_0.AccountService"; 14981476687dSEd Tanous json["Oem"]["OpenBMC"]["@odata.id"] = 14991476687dSEd Tanous "/redfish/v1/AccountService#/Oem/OpenBMC"; 15001476687dSEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["BasicAuth"] = 15011476687dSEd Tanous authMethodsConfig.basic; 15021476687dSEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["SessionToken"] = 15031476687dSEd Tanous authMethodsConfig.sessionToken; 15041ef4c342SEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["XToken"] = authMethodsConfig.xtoken; 15051ef4c342SEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["Cookie"] = authMethodsConfig.cookie; 15061ef4c342SEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["TLS"] = authMethodsConfig.tls; 15071476687dSEd Tanous 15081ef4c342SEd Tanous // /redfish/v1/AccountService/LDAP/Certificates is something only 15091ef4c342SEd Tanous // ConfigureManager can access then only display when the user has 15101ef4c342SEd Tanous // permissions ConfigureManager 151172048780SAbhishek Patel Privileges effectiveUserPrivileges = 15123e72c202SNinad Palsule redfish::getUserPrivileges(*req.session); 151372048780SAbhishek Patel 151472048780SAbhishek Patel if (isOperationAllowedWithPrivileges({{"ConfigureManager"}}, 151572048780SAbhishek Patel effectiveUserPrivileges)) 151672048780SAbhishek Patel { 15171ef4c342SEd Tanous asyncResp->res.jsonValue["LDAP"]["Certificates"]["@odata.id"] = 15181476687dSEd Tanous "/redfish/v1/AccountService/LDAP/Certificates"; 151972048780SAbhishek Patel } 1520d1bde9e5SKrzysztof Grobelny sdbusplus::asio::getAllProperties( 1521d1bde9e5SKrzysztof Grobelny *crow::connections::systemBus, "xyz.openbmc_project.User.Manager", 1522d1bde9e5SKrzysztof Grobelny "/xyz/openbmc_project/user", "xyz.openbmc_project.User.AccountPolicy", 15235e7e2dc5SEd Tanous [asyncResp](const boost::system::error_code& ec, 15241ef4c342SEd Tanous const dbus::utility::DBusPropertiesMap& propertiesList) { 15253d958bbcSAppaRao Puli if (ec) 15263d958bbcSAppaRao Puli { 15273d958bbcSAppaRao Puli messages::internalError(asyncResp->res); 15283d958bbcSAppaRao Puli return; 15293d958bbcSAppaRao Puli } 1530d1bde9e5SKrzysztof Grobelny 15313d958bbcSAppaRao Puli BMCWEB_LOG_DEBUG << "Got " << propertiesList.size() 15323d958bbcSAppaRao Puli << "properties for AccountService"; 1533d1bde9e5SKrzysztof Grobelny 1534d1bde9e5SKrzysztof Grobelny const uint8_t* minPasswordLength = nullptr; 1535d1bde9e5SKrzysztof Grobelny const uint32_t* accountUnlockTimeout = nullptr; 1536d1bde9e5SKrzysztof Grobelny const uint16_t* maxLoginAttemptBeforeLockout = nullptr; 1537d1bde9e5SKrzysztof Grobelny 1538d1bde9e5SKrzysztof Grobelny const bool success = sdbusplus::unpackPropertiesNoThrow( 1539d1bde9e5SKrzysztof Grobelny dbus_utils::UnpackErrorPrinter(), propertiesList, 1540d1bde9e5SKrzysztof Grobelny "MinPasswordLength", minPasswordLength, "AccountUnlockTimeout", 1541d1bde9e5SKrzysztof Grobelny accountUnlockTimeout, "MaxLoginAttemptBeforeLockout", 1542d1bde9e5SKrzysztof Grobelny maxLoginAttemptBeforeLockout); 1543d1bde9e5SKrzysztof Grobelny 1544d1bde9e5SKrzysztof Grobelny if (!success) 15453d958bbcSAppaRao Puli { 1546d1bde9e5SKrzysztof Grobelny messages::internalError(asyncResp->res); 1547d1bde9e5SKrzysztof Grobelny return; 15483d958bbcSAppaRao Puli } 1549d1bde9e5SKrzysztof Grobelny 1550d1bde9e5SKrzysztof Grobelny if (minPasswordLength != nullptr) 15513d958bbcSAppaRao Puli { 1552d1bde9e5SKrzysztof Grobelny asyncResp->res.jsonValue["MinPasswordLength"] = *minPasswordLength; 15533d958bbcSAppaRao Puli } 1554d1bde9e5SKrzysztof Grobelny 1555d1bde9e5SKrzysztof Grobelny if (accountUnlockTimeout != nullptr) 15563d958bbcSAppaRao Puli { 1557d1bde9e5SKrzysztof Grobelny asyncResp->res.jsonValue["AccountLockoutDuration"] = 1558d1bde9e5SKrzysztof Grobelny *accountUnlockTimeout; 1559d1bde9e5SKrzysztof Grobelny } 1560d1bde9e5SKrzysztof Grobelny 1561d1bde9e5SKrzysztof Grobelny if (maxLoginAttemptBeforeLockout != nullptr) 15623d958bbcSAppaRao Puli { 1563002d39b4SEd Tanous asyncResp->res.jsonValue["AccountLockoutThreshold"] = 1564d1bde9e5SKrzysztof Grobelny *maxLoginAttemptBeforeLockout; 15653d958bbcSAppaRao Puli } 1566d1bde9e5SKrzysztof Grobelny }); 15676973a582SRatan Gupta 156802cad96eSEd Tanous auto callback = [asyncResp](bool success, const LDAPConfigData& confData, 1569ab828d7cSRatan Gupta const std::string& ldapType) { 1570cb13a392SEd Tanous if (!success) 1571cb13a392SEd Tanous { 1572cb13a392SEd Tanous return; 1573cb13a392SEd Tanous } 1574002d39b4SEd Tanous parseLDAPConfigData(asyncResp->res.jsonValue, confData, ldapType); 1575ab828d7cSRatan Gupta }; 1576ab828d7cSRatan Gupta 1577ab828d7cSRatan Gupta getLDAPConfigData("LDAP", callback); 1578ab828d7cSRatan Gupta getLDAPConfigData("ActiveDirectory", callback); 15791ef4c342SEd Tanous } 15806973a582SRatan Gupta 15811ef4c342SEd Tanous inline void handleAccountServicePatch( 15821ef4c342SEd Tanous App& app, const crow::Request& req, 15831ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 15841ef4c342SEd Tanous { 15853ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 158645ca1b86SEd Tanous { 158745ca1b86SEd Tanous return; 158845ca1b86SEd Tanous } 1589f5ffd806SEd Tanous std::optional<uint32_t> unlockTimeout; 1590f5ffd806SEd Tanous std::optional<uint16_t> lockoutThreshold; 1591ef73ad0dSPaul Fertser std::optional<uint8_t> minPasswordLength; 1592f5ffd806SEd Tanous std::optional<uint16_t> maxPasswordLength; 1593f5ffd806SEd Tanous std::optional<nlohmann::json> ldapObject; 1594f5ffd806SEd Tanous std::optional<nlohmann::json> activeDirectoryObject; 1595f5ffd806SEd Tanous std::optional<nlohmann::json> oemObject; 1596f5ffd806SEd Tanous 159715ed6780SWilly Tu if (!json_util::readJsonPatch( 15981ef4c342SEd Tanous req, asyncResp->res, "AccountLockoutDuration", unlockTimeout, 15991ef4c342SEd Tanous "AccountLockoutThreshold", lockoutThreshold, "MaxPasswordLength", 16001ef4c342SEd Tanous maxPasswordLength, "MinPasswordLength", minPasswordLength, "LDAP", 16011ef4c342SEd Tanous ldapObject, "ActiveDirectory", activeDirectoryObject, "Oem", 1602f5ffd806SEd Tanous oemObject)) 1603f5ffd806SEd Tanous { 1604f5ffd806SEd Tanous return; 1605f5ffd806SEd Tanous } 1606f5ffd806SEd Tanous 1607f5ffd806SEd Tanous if (minPasswordLength) 1608f5ffd806SEd Tanous { 1609ef73ad0dSPaul Fertser crow::connections::systemBus->async_method_call( 16105e7e2dc5SEd Tanous [asyncResp](const boost::system::error_code& ec) { 1611ef73ad0dSPaul Fertser if (ec) 1612ef73ad0dSPaul Fertser { 1613ef73ad0dSPaul Fertser messages::internalError(asyncResp->res); 1614ef73ad0dSPaul Fertser return; 1615ef73ad0dSPaul Fertser } 1616ef73ad0dSPaul Fertser messages::success(asyncResp->res); 1617ef73ad0dSPaul Fertser }, 16181ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1619ef73ad0dSPaul Fertser "org.freedesktop.DBus.Properties", "Set", 16201ef4c342SEd Tanous "xyz.openbmc_project.User.AccountPolicy", "MinPasswordLength", 1621ef73ad0dSPaul Fertser dbus::utility::DbusVariantType(*minPasswordLength)); 1622f5ffd806SEd Tanous } 1623f5ffd806SEd Tanous 1624f5ffd806SEd Tanous if (maxPasswordLength) 1625f5ffd806SEd Tanous { 16261ef4c342SEd Tanous messages::propertyNotWritable(asyncResp->res, "MaxPasswordLength"); 1627f5ffd806SEd Tanous } 1628f5ffd806SEd Tanous 1629f5ffd806SEd Tanous if (ldapObject) 1630f5ffd806SEd Tanous { 1631f5ffd806SEd Tanous handleLDAPPatch(*ldapObject, asyncResp, "LDAP"); 1632f5ffd806SEd Tanous } 1633f5ffd806SEd Tanous 1634f5ffd806SEd Tanous if (std::optional<nlohmann::json> oemOpenBMCObject; 16351ef4c342SEd Tanous oemObject && json_util::readJson(*oemObject, asyncResp->res, "OpenBMC", 1636f5ffd806SEd Tanous oemOpenBMCObject)) 1637f5ffd806SEd Tanous { 1638f5ffd806SEd Tanous if (std::optional<nlohmann::json> authMethodsObject; 1639f5ffd806SEd Tanous oemOpenBMCObject && 1640f5ffd806SEd Tanous json_util::readJson(*oemOpenBMCObject, asyncResp->res, 1641f5ffd806SEd Tanous "AuthMethods", authMethodsObject)) 1642f5ffd806SEd Tanous { 1643f5ffd806SEd Tanous if (authMethodsObject) 1644f5ffd806SEd Tanous { 16451ef4c342SEd Tanous handleAuthMethodsPatch(*authMethodsObject, asyncResp); 1646f5ffd806SEd Tanous } 1647f5ffd806SEd Tanous } 1648f5ffd806SEd Tanous } 1649f5ffd806SEd Tanous 1650f5ffd806SEd Tanous if (activeDirectoryObject) 1651f5ffd806SEd Tanous { 16521ef4c342SEd Tanous handleLDAPPatch(*activeDirectoryObject, asyncResp, "ActiveDirectory"); 1653f5ffd806SEd Tanous } 1654f5ffd806SEd Tanous 1655f5ffd806SEd Tanous if (unlockTimeout) 1656f5ffd806SEd Tanous { 1657f5ffd806SEd Tanous crow::connections::systemBus->async_method_call( 16585e7e2dc5SEd Tanous [asyncResp](const boost::system::error_code& ec) { 1659f5ffd806SEd Tanous if (ec) 1660f5ffd806SEd Tanous { 1661f5ffd806SEd Tanous messages::internalError(asyncResp->res); 1662f5ffd806SEd Tanous return; 1663f5ffd806SEd Tanous } 1664f5ffd806SEd Tanous messages::success(asyncResp->res); 1665f5ffd806SEd Tanous }, 16661ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1667f5ffd806SEd Tanous "org.freedesktop.DBus.Properties", "Set", 16681ef4c342SEd Tanous "xyz.openbmc_project.User.AccountPolicy", "AccountUnlockTimeout", 1669168e20c1SEd Tanous dbus::utility::DbusVariantType(*unlockTimeout)); 1670f5ffd806SEd Tanous } 1671f5ffd806SEd Tanous if (lockoutThreshold) 1672f5ffd806SEd Tanous { 1673f5ffd806SEd Tanous crow::connections::systemBus->async_method_call( 16745e7e2dc5SEd Tanous [asyncResp](const boost::system::error_code& ec) { 1675f5ffd806SEd Tanous if (ec) 1676f5ffd806SEd Tanous { 1677f5ffd806SEd Tanous messages::internalError(asyncResp->res); 1678f5ffd806SEd Tanous return; 1679f5ffd806SEd Tanous } 1680f5ffd806SEd Tanous messages::success(asyncResp->res); 1681f5ffd806SEd Tanous }, 16821ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1683f5ffd806SEd Tanous "org.freedesktop.DBus.Properties", "Set", 1684f5ffd806SEd Tanous "xyz.openbmc_project.User.AccountPolicy", 1685f5ffd806SEd Tanous "MaxLoginAttemptBeforeLockout", 1686168e20c1SEd Tanous dbus::utility::DbusVariantType(*lockoutThreshold)); 1687f5ffd806SEd Tanous } 16881ef4c342SEd Tanous } 1689f5ffd806SEd Tanous 16904c7d4d33SEd Tanous inline void handleAccountCollectionHead( 16911ef4c342SEd Tanous App& app, const crow::Request& req, 16921ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 16931ef4c342SEd Tanous { 16943ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 169545ca1b86SEd Tanous { 169645ca1b86SEd Tanous return; 169745ca1b86SEd Tanous } 16984c7d4d33SEd Tanous asyncResp->res.addHeader( 16994c7d4d33SEd Tanous boost::beast::http::field::link, 17004c7d4d33SEd Tanous "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby"); 17014c7d4d33SEd Tanous } 17024c7d4d33SEd Tanous 17034c7d4d33SEd Tanous inline void handleAccountCollectionGet( 17044c7d4d33SEd Tanous App& app, const crow::Request& req, 17054c7d4d33SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 17064c7d4d33SEd Tanous { 1707afd369c6SJiaqing Zhao if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1708afd369c6SJiaqing Zhao { 1709afd369c6SJiaqing Zhao return; 1710afd369c6SJiaqing Zhao } 17113e72c202SNinad Palsule 17123e72c202SNinad Palsule if (req.session == nullptr) 17133e72c202SNinad Palsule { 17143e72c202SNinad Palsule messages::internalError(asyncResp->res); 17153e72c202SNinad Palsule return; 17163e72c202SNinad Palsule } 17173e72c202SNinad Palsule 1718afd369c6SJiaqing Zhao asyncResp->res.addHeader( 1719afd369c6SJiaqing Zhao boost::beast::http::field::link, 1720afd369c6SJiaqing Zhao "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby"); 17211476687dSEd Tanous 17221476687dSEd Tanous asyncResp->res.jsonValue["@odata.id"] = 17231476687dSEd Tanous "/redfish/v1/AccountService/Accounts"; 17241ef4c342SEd Tanous asyncResp->res.jsonValue["@odata.type"] = "#ManagerAccountCollection." 17251476687dSEd Tanous "ManagerAccountCollection"; 17261476687dSEd Tanous asyncResp->res.jsonValue["Name"] = "Accounts Collection"; 17271476687dSEd Tanous asyncResp->res.jsonValue["Description"] = "BMC User Accounts"; 17280f74e643SEd Tanous 17296c51eab1SEd Tanous Privileges effectiveUserPrivileges = 17303e72c202SNinad Palsule redfish::getUserPrivileges(*req.session); 17316c51eab1SEd Tanous 1732f5e29f33SJunLin Chen std::string thisUser; 1733f5e29f33SJunLin Chen if (req.session) 1734f5e29f33SJunLin Chen { 1735f5e29f33SJunLin Chen thisUser = req.session->username; 1736f5e29f33SJunLin Chen } 1737b9b2e0b2SEd Tanous crow::connections::systemBus->async_method_call( 1738cef1ddfbSEd Tanous [asyncResp, thisUser, effectiveUserPrivileges]( 17395e7e2dc5SEd Tanous const boost::system::error_code& ec, 1740711ac7a9SEd Tanous const dbus::utility::ManagedObjectType& users) { 1741b9b2e0b2SEd Tanous if (ec) 1742b9b2e0b2SEd Tanous { 1743f12894f8SJason M. Bills messages::internalError(asyncResp->res); 1744b9b2e0b2SEd Tanous return; 1745b9b2e0b2SEd Tanous } 1746b9b2e0b2SEd Tanous 1747cef1ddfbSEd Tanous bool userCanSeeAllAccounts = 1748002d39b4SEd Tanous effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"}); 1749cef1ddfbSEd Tanous 1750cef1ddfbSEd Tanous bool userCanSeeSelf = 1751002d39b4SEd Tanous effectiveUserPrivileges.isSupersetOf({"ConfigureSelf"}); 1752cef1ddfbSEd Tanous 1753002d39b4SEd Tanous nlohmann::json& memberArray = asyncResp->res.jsonValue["Members"]; 1754b9b2e0b2SEd Tanous memberArray = nlohmann::json::array(); 1755b9b2e0b2SEd Tanous 17569eb808c1SEd Tanous for (const auto& userpath : users) 1757b9b2e0b2SEd Tanous { 17582dfd18efSEd Tanous std::string user = userpath.first.filename(); 17592dfd18efSEd Tanous if (user.empty()) 1760b9b2e0b2SEd Tanous { 17612dfd18efSEd Tanous messages::internalError(asyncResp->res); 17622dfd18efSEd Tanous BMCWEB_LOG_ERROR << "Invalid firmware ID"; 17632dfd18efSEd Tanous 17642dfd18efSEd Tanous return; 1765b9b2e0b2SEd Tanous } 1766f365910cSGunnar Mills 1767f365910cSGunnar Mills // As clarified by Redfish here: 1768f365910cSGunnar Mills // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration 17696c51eab1SEd Tanous // Users without ConfigureUsers, only see their own 17706c51eab1SEd Tanous // account. Users with ConfigureUsers, see all 17716c51eab1SEd Tanous // accounts. 17721ef4c342SEd Tanous if (userCanSeeAllAccounts || (thisUser == user && userCanSeeSelf)) 1773f365910cSGunnar Mills { 17741476687dSEd Tanous nlohmann::json::object_t member; 177589492a15SPatrick Williams member["@odata.id"] = "/redfish/v1/AccountService/Accounts/" + 177689492a15SPatrick Williams user; 1777b2ba3072SPatrick Williams memberArray.emplace_back(std::move(member)); 1778b9b2e0b2SEd Tanous } 1779f365910cSGunnar Mills } 17801ef4c342SEd Tanous asyncResp->res.jsonValue["Members@odata.count"] = memberArray.size(); 1781b9b2e0b2SEd Tanous }, 17821ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1783b9b2e0b2SEd Tanous "org.freedesktop.DBus.ObjectManager", "GetManagedObjects"); 17841ef4c342SEd Tanous } 17856c51eab1SEd Tanous 178697e90da3SNinad Palsule inline void processAfterCreateUser( 178797e90da3SNinad Palsule const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 178897e90da3SNinad Palsule const std::string& username, const std::string& password, 178997e90da3SNinad Palsule const boost::system::error_code& ec, sdbusplus::message_t& m) 179097e90da3SNinad Palsule { 179197e90da3SNinad Palsule if (ec) 179297e90da3SNinad Palsule { 179397e90da3SNinad Palsule userErrorMessageHandler(m.get_error(), asyncResp, username, ""); 179497e90da3SNinad Palsule return; 179597e90da3SNinad Palsule } 179697e90da3SNinad Palsule 179797e90da3SNinad Palsule if (pamUpdatePassword(username, password) != PAM_SUCCESS) 179897e90da3SNinad Palsule { 179997e90da3SNinad Palsule // At this point we have a user that's been 180097e90da3SNinad Palsule // created, but the password set 180197e90da3SNinad Palsule // failed.Something is wrong, so delete the user 180297e90da3SNinad Palsule // that we've already created 180397e90da3SNinad Palsule sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 180497e90da3SNinad Palsule tempObjPath /= username; 180597e90da3SNinad Palsule const std::string userPath(tempObjPath); 180697e90da3SNinad Palsule 180797e90da3SNinad Palsule crow::connections::systemBus->async_method_call( 180897e90da3SNinad Palsule [asyncResp, password](const boost::system::error_code& ec3) { 180997e90da3SNinad Palsule if (ec3) 181097e90da3SNinad Palsule { 181197e90da3SNinad Palsule messages::internalError(asyncResp->res); 181297e90da3SNinad Palsule return; 181397e90da3SNinad Palsule } 181497e90da3SNinad Palsule 181597e90da3SNinad Palsule // If password is invalid 181697e90da3SNinad Palsule messages::propertyValueFormatError(asyncResp->res, password, 181797e90da3SNinad Palsule "Password"); 181897e90da3SNinad Palsule }, 181997e90da3SNinad Palsule "xyz.openbmc_project.User.Manager", userPath, 182097e90da3SNinad Palsule "xyz.openbmc_project.Object.Delete", "Delete"); 182197e90da3SNinad Palsule 182297e90da3SNinad Palsule BMCWEB_LOG_ERROR << "pamUpdatePassword Failed"; 182397e90da3SNinad Palsule return; 182497e90da3SNinad Palsule } 182597e90da3SNinad Palsule 182697e90da3SNinad Palsule messages::created(asyncResp->res); 182797e90da3SNinad Palsule asyncResp->res.addHeader("Location", 182897e90da3SNinad Palsule "/redfish/v1/AccountService/Accounts/" + username); 182997e90da3SNinad Palsule } 183097e90da3SNinad Palsule 183197e90da3SNinad Palsule inline void processAfterGetAllGroups( 183297e90da3SNinad Palsule const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 183397e90da3SNinad Palsule const std::string& username, const std::string& password, 183497e90da3SNinad Palsule const std::optional<std::string>& roleId, std::optional<bool> enabled, 1835*9ba73934SNinad Palsule std::optional<std::vector<std::string>> accountTypes, 183697e90da3SNinad Palsule const std::vector<std::string>& allGroupsList) 183797e90da3SNinad Palsule { 18383e72c202SNinad Palsule std::vector<std::string> userGroups; 1839*9ba73934SNinad Palsule std::vector<std::string> accountTypeUserGroups; 1840*9ba73934SNinad Palsule 1841*9ba73934SNinad Palsule // If user specified account types then convert them to unix user groups 1842*9ba73934SNinad Palsule if (accountTypes) 1843*9ba73934SNinad Palsule { 1844*9ba73934SNinad Palsule if (!getUserGroupFromAccountType(asyncResp->res, *accountTypes, 1845*9ba73934SNinad Palsule accountTypeUserGroups)) 1846*9ba73934SNinad Palsule { 1847*9ba73934SNinad Palsule // Problem in mapping Account Types to User Groups, Error already 1848*9ba73934SNinad Palsule // logged. 1849*9ba73934SNinad Palsule return; 1850*9ba73934SNinad Palsule } 1851*9ba73934SNinad Palsule } 1852*9ba73934SNinad Palsule 18533e72c202SNinad Palsule for (const auto& grp : allGroupsList) 18543e72c202SNinad Palsule { 1855*9ba73934SNinad Palsule // If user specified the account type then only accept groups which are 1856*9ba73934SNinad Palsule // in the account types group list. 1857*9ba73934SNinad Palsule if (!accountTypeUserGroups.empty()) 1858*9ba73934SNinad Palsule { 1859*9ba73934SNinad Palsule bool found = false; 1860*9ba73934SNinad Palsule for (const auto& grp1 : accountTypeUserGroups) 1861*9ba73934SNinad Palsule { 1862*9ba73934SNinad Palsule if (grp == grp1) 1863*9ba73934SNinad Palsule { 1864*9ba73934SNinad Palsule found = true; 1865*9ba73934SNinad Palsule break; 1866*9ba73934SNinad Palsule } 1867*9ba73934SNinad Palsule } 1868*9ba73934SNinad Palsule if (!found) 1869*9ba73934SNinad Palsule { 1870*9ba73934SNinad Palsule continue; 1871*9ba73934SNinad Palsule } 1872*9ba73934SNinad Palsule } 1873*9ba73934SNinad Palsule 18743e72c202SNinad Palsule // Console access is provided to the user who is a member of 18753e72c202SNinad Palsule // hostconsole group and has a administrator role. So, set 18763e72c202SNinad Palsule // hostconsole group only for the administrator. 1877*9ba73934SNinad Palsule if ((grp == "hostconsole") && (roleId != "priv-admin")) 18783e72c202SNinad Palsule { 1879*9ba73934SNinad Palsule if (!accountTypeUserGroups.empty()) 1880*9ba73934SNinad Palsule { 1881*9ba73934SNinad Palsule BMCWEB_LOG_ERROR 1882*9ba73934SNinad Palsule << "Only administrator can get HostConsole access"; 1883*9ba73934SNinad Palsule asyncResp->res.result(boost::beast::http::status::bad_request); 1884*9ba73934SNinad Palsule return; 1885*9ba73934SNinad Palsule } 1886*9ba73934SNinad Palsule continue; 1887*9ba73934SNinad Palsule } 18883e72c202SNinad Palsule userGroups.emplace_back(grp); 18893e72c202SNinad Palsule } 1890*9ba73934SNinad Palsule 1891*9ba73934SNinad Palsule // Make sure user specified groups are valid. This is internal error because 1892*9ba73934SNinad Palsule // it some inconsistencies between user manager and bmcweb. 1893*9ba73934SNinad Palsule if (!accountTypeUserGroups.empty() && 1894*9ba73934SNinad Palsule accountTypeUserGroups.size() != userGroups.size()) 1895*9ba73934SNinad Palsule { 1896*9ba73934SNinad Palsule messages::internalError(asyncResp->res); 1897*9ba73934SNinad Palsule return; 18983e72c202SNinad Palsule } 18993e72c202SNinad Palsule 190097e90da3SNinad Palsule crow::connections::systemBus->async_method_call( 190197e90da3SNinad Palsule [asyncResp, username, password](const boost::system::error_code& ec2, 190297e90da3SNinad Palsule sdbusplus::message_t& m) { 190397e90da3SNinad Palsule processAfterCreateUser(asyncResp, username, password, ec2, m); 190497e90da3SNinad Palsule }, 190597e90da3SNinad Palsule "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 19063e72c202SNinad Palsule "xyz.openbmc_project.User.Manager", "CreateUser", username, userGroups, 19073e72c202SNinad Palsule *roleId, *enabled); 190897e90da3SNinad Palsule } 190997e90da3SNinad Palsule 19101ef4c342SEd Tanous inline void handleAccountCollectionPost( 19111ef4c342SEd Tanous App& app, const crow::Request& req, 19121ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 19131ef4c342SEd Tanous { 19143ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 191545ca1b86SEd Tanous { 191645ca1b86SEd Tanous return; 191745ca1b86SEd Tanous } 19189712f8acSEd Tanous std::string username; 19199712f8acSEd Tanous std::string password; 1920a24526dcSEd Tanous std::optional<std::string> roleId("User"); 1921a24526dcSEd Tanous std::optional<bool> enabled = true; 1922*9ba73934SNinad Palsule std::optional<std::vector<std::string>> accountTypes; 1923*9ba73934SNinad Palsule if (!json_util::readJsonPatch( 1924*9ba73934SNinad Palsule req, asyncResp->res, "UserName", username, "Password", password, 1925*9ba73934SNinad Palsule "RoleId", roleId, "Enabled", enabled, "AccountTypes", accountTypes)) 192604ae99ecSEd Tanous { 192704ae99ecSEd Tanous return; 192804ae99ecSEd Tanous } 192904ae99ecSEd Tanous 193054fc587aSNagaraju Goruganti std::string priv = getPrivilegeFromRoleId(*roleId); 193184e12cb7SAppaRao Puli if (priv.empty()) 193204ae99ecSEd Tanous { 19331ef4c342SEd Tanous messages::propertyValueNotInList(asyncResp->res, *roleId, "RoleId"); 193404ae99ecSEd Tanous return; 193504ae99ecSEd Tanous } 19369712f8acSEd Tanous roleId = priv; 193704ae99ecSEd Tanous 1938599c71d8SAyushi Smriti // Reading AllGroups property 19391e1e598dSJonathan Doman sdbusplus::asio::getProperty<std::vector<std::string>>( 19401ef4c342SEd Tanous *crow::connections::systemBus, "xyz.openbmc_project.User.Manager", 19411ef4c342SEd Tanous "/xyz/openbmc_project/user", "xyz.openbmc_project.User.Manager", 19421ef4c342SEd Tanous "AllGroups", 1943*9ba73934SNinad Palsule [asyncResp, username, password{std::move(password)}, roleId, enabled, 1944*9ba73934SNinad Palsule accountTypes](const boost::system::error_code& ec, 19451e1e598dSJonathan Doman const std::vector<std::string>& allGroupsList) { 1946599c71d8SAyushi Smriti if (ec) 1947599c71d8SAyushi Smriti { 1948599c71d8SAyushi Smriti BMCWEB_LOG_DEBUG << "ERROR with async_method_call"; 1949599c71d8SAyushi Smriti messages::internalError(asyncResp->res); 1950599c71d8SAyushi Smriti return; 1951599c71d8SAyushi Smriti } 1952599c71d8SAyushi Smriti 19531e1e598dSJonathan Doman if (allGroupsList.empty()) 1954599c71d8SAyushi Smriti { 1955599c71d8SAyushi Smriti messages::internalError(asyncResp->res); 1956599c71d8SAyushi Smriti return; 1957599c71d8SAyushi Smriti } 1958599c71d8SAyushi Smriti 195997e90da3SNinad Palsule processAfterGetAllGroups(asyncResp, username, password, roleId, enabled, 1960*9ba73934SNinad Palsule accountTypes, allGroupsList); 19611e1e598dSJonathan Doman }); 19621ef4c342SEd Tanous } 1963b9b2e0b2SEd Tanous 19641ef4c342SEd Tanous inline void 19654c7d4d33SEd Tanous handleAccountHead(App& app, const crow::Request& req, 19666c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 19674c7d4d33SEd Tanous const std::string& /*accountName*/) 19681ef4c342SEd Tanous { 19693ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 197045ca1b86SEd Tanous { 197145ca1b86SEd Tanous return; 197245ca1b86SEd Tanous } 19734c7d4d33SEd Tanous asyncResp->res.addHeader( 19744c7d4d33SEd Tanous boost::beast::http::field::link, 19754c7d4d33SEd Tanous "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby"); 19764c7d4d33SEd Tanous } 1977afd369c6SJiaqing Zhao 19784c7d4d33SEd Tanous inline void 19794c7d4d33SEd Tanous handleAccountGet(App& app, const crow::Request& req, 19804c7d4d33SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 19814c7d4d33SEd Tanous const std::string& accountName) 19824c7d4d33SEd Tanous { 1983afd369c6SJiaqing Zhao if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1984afd369c6SJiaqing Zhao { 1985afd369c6SJiaqing Zhao return; 1986afd369c6SJiaqing Zhao } 1987afd369c6SJiaqing Zhao asyncResp->res.addHeader( 1988afd369c6SJiaqing Zhao boost::beast::http::field::link, 1989afd369c6SJiaqing Zhao "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby"); 1990afd369c6SJiaqing Zhao 19911ef4c342SEd Tanous #ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION 1992031514fbSJunLin Chen // If authentication is disabled, there are no user accounts 1993d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", accountName); 1994031514fbSJunLin Chen return; 19951ef4c342SEd Tanous #endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION 1996afd369c6SJiaqing Zhao 1997031514fbSJunLin Chen if (req.session == nullptr) 1998031514fbSJunLin Chen { 1999031514fbSJunLin Chen messages::internalError(asyncResp->res); 2000031514fbSJunLin Chen return; 2001031514fbSJunLin Chen } 20026c51eab1SEd Tanous if (req.session->username != accountName) 2003b9b2e0b2SEd Tanous { 20046c51eab1SEd Tanous // At this point we've determined that the user is trying to 20051ef4c342SEd Tanous // modify a user that isn't them. We need to verify that they 20061ef4c342SEd Tanous // have permissions to modify other users, so re-run the auth 20071ef4c342SEd Tanous // check with the same permissions, minus ConfigureSelf. 20086c51eab1SEd Tanous Privileges effectiveUserPrivileges = 20093e72c202SNinad Palsule redfish::getUserPrivileges(*req.session); 20101ef4c342SEd Tanous Privileges requiredPermissionsToChangeNonSelf = {"ConfigureUsers", 20111ef4c342SEd Tanous "ConfigureManager"}; 20126c51eab1SEd Tanous if (!effectiveUserPrivileges.isSupersetOf( 20136c51eab1SEd Tanous requiredPermissionsToChangeNonSelf)) 2014900f9497SJoseph Reynolds { 2015900f9497SJoseph Reynolds BMCWEB_LOG_DEBUG << "GET Account denied access"; 2016900f9497SJoseph Reynolds messages::insufficientPrivilege(asyncResp->res); 2017900f9497SJoseph Reynolds return; 2018900f9497SJoseph Reynolds } 2019900f9497SJoseph Reynolds } 2020900f9497SJoseph Reynolds 2021b9b2e0b2SEd Tanous crow::connections::systemBus->async_method_call( 20221ef4c342SEd Tanous [asyncResp, 20235e7e2dc5SEd Tanous accountName](const boost::system::error_code& ec, 2024711ac7a9SEd Tanous const dbus::utility::ManagedObjectType& users) { 2025b9b2e0b2SEd Tanous if (ec) 2026b9b2e0b2SEd Tanous { 2027f12894f8SJason M. Bills messages::internalError(asyncResp->res); 2028b9b2e0b2SEd Tanous return; 2029b9b2e0b2SEd Tanous } 2030711ac7a9SEd Tanous const auto userIt = std::find_if( 2031b477fd44SP Dheeraj Srujan Kumar users.begin(), users.end(), 2032b477fd44SP Dheeraj Srujan Kumar [accountName]( 2033b477fd44SP Dheeraj Srujan Kumar const std::pair<sdbusplus::message::object_path, 2034002d39b4SEd Tanous dbus::utility::DBusInteracesMap>& user) { 203555f79e6fSEd Tanous return accountName == user.first.filename(); 2036b477fd44SP Dheeraj Srujan Kumar }); 2037b9b2e0b2SEd Tanous 203884e12cb7SAppaRao Puli if (userIt == users.end()) 2039b9b2e0b2SEd Tanous { 2040002d39b4SEd Tanous messages::resourceNotFound(asyncResp->res, "ManagerAccount", 2041002d39b4SEd Tanous accountName); 204284e12cb7SAppaRao Puli return; 204384e12cb7SAppaRao Puli } 20444e68c45bSAyushi Smriti 20451476687dSEd Tanous asyncResp->res.jsonValue["@odata.type"] = 204658345856SAbhishek Patel "#ManagerAccount.v1_7_0.ManagerAccount"; 20471476687dSEd Tanous asyncResp->res.jsonValue["Name"] = "User Account"; 20481476687dSEd Tanous asyncResp->res.jsonValue["Description"] = "User Account"; 20491476687dSEd Tanous asyncResp->res.jsonValue["Password"] = nullptr; 205058345856SAbhishek Patel asyncResp->res.jsonValue["StrictAccountTypes"] = true; 20514e68c45bSAyushi Smriti 205284e12cb7SAppaRao Puli for (const auto& interface : userIt->second) 205365b0dc32SEd Tanous { 2054002d39b4SEd Tanous if (interface.first == "xyz.openbmc_project.User.Attributes") 205565b0dc32SEd Tanous { 205665b0dc32SEd Tanous for (const auto& property : interface.second) 205765b0dc32SEd Tanous { 205865b0dc32SEd Tanous if (property.first == "UserEnabled") 205965b0dc32SEd Tanous { 206065b0dc32SEd Tanous const bool* userEnabled = 2061abf2add6SEd Tanous std::get_if<bool>(&property.second); 206265b0dc32SEd Tanous if (userEnabled == nullptr) 206365b0dc32SEd Tanous { 2064002d39b4SEd Tanous BMCWEB_LOG_ERROR << "UserEnabled wasn't a bool"; 206584e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 206684e12cb7SAppaRao Puli return; 206765b0dc32SEd Tanous } 2068002d39b4SEd Tanous asyncResp->res.jsonValue["Enabled"] = *userEnabled; 206965b0dc32SEd Tanous } 2070002d39b4SEd Tanous else if (property.first == "UserLockedForFailedAttempt") 207165b0dc32SEd Tanous { 207265b0dc32SEd Tanous const bool* userLocked = 2073abf2add6SEd Tanous std::get_if<bool>(&property.second); 207465b0dc32SEd Tanous if (userLocked == nullptr) 207565b0dc32SEd Tanous { 207684e12cb7SAppaRao Puli BMCWEB_LOG_ERROR << "UserLockedForF" 207784e12cb7SAppaRao Puli "ailedAttempt " 207884e12cb7SAppaRao Puli "wasn't a bool"; 207984e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 208084e12cb7SAppaRao Puli return; 208165b0dc32SEd Tanous } 2082002d39b4SEd Tanous asyncResp->res.jsonValue["Locked"] = *userLocked; 2083002d39b4SEd Tanous asyncResp->res 2084002d39b4SEd Tanous .jsonValue["Locked@Redfish.AllowableValues"] = { 20853bf4e632SJoseph Reynolds "false"}; // can only unlock accounts 208665b0dc32SEd Tanous } 208784e12cb7SAppaRao Puli else if (property.first == "UserPrivilege") 208884e12cb7SAppaRao Puli { 208954fc587aSNagaraju Goruganti const std::string* userPrivPtr = 2090002d39b4SEd Tanous std::get_if<std::string>(&property.second); 209154fc587aSNagaraju Goruganti if (userPrivPtr == nullptr) 209284e12cb7SAppaRao Puli { 2093002d39b4SEd Tanous BMCWEB_LOG_ERROR << "UserPrivilege wasn't a " 209484e12cb7SAppaRao Puli "string"; 209584e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 209684e12cb7SAppaRao Puli return; 209784e12cb7SAppaRao Puli } 20981ef4c342SEd Tanous std::string role = getRoleIdFromPrivilege(*userPrivPtr); 209954fc587aSNagaraju Goruganti if (role.empty()) 210084e12cb7SAppaRao Puli { 210184e12cb7SAppaRao Puli BMCWEB_LOG_ERROR << "Invalid user role"; 210284e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 210384e12cb7SAppaRao Puli return; 210484e12cb7SAppaRao Puli } 210554fc587aSNagaraju Goruganti asyncResp->res.jsonValue["RoleId"] = role; 210684e12cb7SAppaRao Puli 21071476687dSEd Tanous nlohmann::json& roleEntry = 2108002d39b4SEd Tanous asyncResp->res.jsonValue["Links"]["Role"]; 21091476687dSEd Tanous roleEntry["@odata.id"] = 2110002d39b4SEd Tanous "/redfish/v1/AccountService/Roles/" + role; 211184e12cb7SAppaRao Puli } 2112002d39b4SEd Tanous else if (property.first == "UserPasswordExpired") 21133bf4e632SJoseph Reynolds { 21143bf4e632SJoseph Reynolds const bool* userPasswordExpired = 21153bf4e632SJoseph Reynolds std::get_if<bool>(&property.second); 21163bf4e632SJoseph Reynolds if (userPasswordExpired == nullptr) 21173bf4e632SJoseph Reynolds { 21180fda0f12SGeorge Liu BMCWEB_LOG_ERROR 21190fda0f12SGeorge Liu << "UserPasswordExpired wasn't a bool"; 21203bf4e632SJoseph Reynolds messages::internalError(asyncResp->res); 21213bf4e632SJoseph Reynolds return; 21223bf4e632SJoseph Reynolds } 2123002d39b4SEd Tanous asyncResp->res.jsonValue["PasswordChangeRequired"] = 21243bf4e632SJoseph Reynolds *userPasswordExpired; 21253bf4e632SJoseph Reynolds } 2126c7229815SAbhishek Patel else if (property.first == "UserGroups") 2127c7229815SAbhishek Patel { 2128c7229815SAbhishek Patel const std::vector<std::string>* userGroups = 2129c7229815SAbhishek Patel std::get_if<std::vector<std::string>>( 2130c7229815SAbhishek Patel &property.second); 2131c7229815SAbhishek Patel if (userGroups == nullptr) 2132c7229815SAbhishek Patel { 2133c7229815SAbhishek Patel BMCWEB_LOG_ERROR 2134c7229815SAbhishek Patel << "userGroups wasn't a string vector"; 2135c7229815SAbhishek Patel messages::internalError(asyncResp->res); 2136c7229815SAbhishek Patel return; 2137c7229815SAbhishek Patel } 2138c7229815SAbhishek Patel if (!translateUserGroup(*userGroups, asyncResp->res)) 2139c7229815SAbhishek Patel { 2140c7229815SAbhishek Patel BMCWEB_LOG_ERROR << "userGroups mapping failed"; 2141c7229815SAbhishek Patel messages::internalError(asyncResp->res); 2142c7229815SAbhishek Patel return; 2143c7229815SAbhishek Patel } 2144c7229815SAbhishek Patel } 214565b0dc32SEd Tanous } 214665b0dc32SEd Tanous } 214765b0dc32SEd Tanous } 214865b0dc32SEd Tanous 2149b9b2e0b2SEd Tanous asyncResp->res.jsonValue["@odata.id"] = 215084e12cb7SAppaRao Puli "/redfish/v1/AccountService/Accounts/" + accountName; 2151b9b2e0b2SEd Tanous asyncResp->res.jsonValue["Id"] = accountName; 2152b9b2e0b2SEd Tanous asyncResp->res.jsonValue["UserName"] = accountName; 2153b9b2e0b2SEd Tanous }, 21541ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 2155b9b2e0b2SEd Tanous "org.freedesktop.DBus.ObjectManager", "GetManagedObjects"); 21561ef4c342SEd Tanous } 2157a840879dSEd Tanous 21581ef4c342SEd Tanous inline void 215920fc307fSGunnar Mills handleAccountDelete(App& app, const crow::Request& req, 21606c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 21611ef4c342SEd Tanous const std::string& username) 21621ef4c342SEd Tanous { 21633ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 216445ca1b86SEd Tanous { 216545ca1b86SEd Tanous return; 216645ca1b86SEd Tanous } 21671ef4c342SEd Tanous 21681ef4c342SEd Tanous #ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION 2169031514fbSJunLin Chen // If authentication is disabled, there are no user accounts 2170d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", username); 2171031514fbSJunLin Chen return; 2172031514fbSJunLin Chen 21731ef4c342SEd Tanous #endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION 21741ef4c342SEd Tanous sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 21751ef4c342SEd Tanous tempObjPath /= username; 21761ef4c342SEd Tanous const std::string userPath(tempObjPath); 21771ef4c342SEd Tanous 21781ef4c342SEd Tanous crow::connections::systemBus->async_method_call( 21795e7e2dc5SEd Tanous [asyncResp, username](const boost::system::error_code& ec) { 21801ef4c342SEd Tanous if (ec) 21811ef4c342SEd Tanous { 2182d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", 21831ef4c342SEd Tanous username); 21841ef4c342SEd Tanous return; 21851ef4c342SEd Tanous } 21861ef4c342SEd Tanous 21871ef4c342SEd Tanous messages::accountRemoved(asyncResp->res); 21881ef4c342SEd Tanous }, 21891ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", userPath, 21901ef4c342SEd Tanous "xyz.openbmc_project.Object.Delete", "Delete"); 21911ef4c342SEd Tanous } 21921ef4c342SEd Tanous 21931ef4c342SEd Tanous inline void 21941ef4c342SEd Tanous handleAccountPatch(App& app, const crow::Request& req, 21951ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 21961ef4c342SEd Tanous const std::string& username) 21971ef4c342SEd Tanous { 21981ef4c342SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 21991ef4c342SEd Tanous { 22001ef4c342SEd Tanous return; 22011ef4c342SEd Tanous } 22021ef4c342SEd Tanous #ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION 22031ef4c342SEd Tanous // If authentication is disabled, there are no user accounts 2204d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", username); 22051ef4c342SEd Tanous return; 22061ef4c342SEd Tanous 22071ef4c342SEd Tanous #endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION 2208a24526dcSEd Tanous std::optional<std::string> newUserName; 2209a24526dcSEd Tanous std::optional<std::string> password; 2210a24526dcSEd Tanous std::optional<bool> enabled; 2211a24526dcSEd Tanous std::optional<std::string> roleId; 221224c8542dSRatan Gupta std::optional<bool> locked; 221358345856SAbhishek Patel std::optional<std::vector<std::string>> accountTypes; 221458345856SAbhishek Patel 221558345856SAbhishek Patel bool userSelf = (username == req.session->username); 2216e9cc5172SEd Tanous 2217031514fbSJunLin Chen if (req.session == nullptr) 2218031514fbSJunLin Chen { 2219031514fbSJunLin Chen messages::internalError(asyncResp->res); 2220031514fbSJunLin Chen return; 2221031514fbSJunLin Chen } 2222031514fbSJunLin Chen 2223e9cc5172SEd Tanous Privileges effectiveUserPrivileges = 22243e72c202SNinad Palsule redfish::getUserPrivileges(*req.session); 2225e9cc5172SEd Tanous Privileges configureUsers = {"ConfigureUsers"}; 2226e9cc5172SEd Tanous bool userHasConfigureUsers = 2227e9cc5172SEd Tanous effectiveUserPrivileges.isSupersetOf(configureUsers); 2228e9cc5172SEd Tanous if (userHasConfigureUsers) 2229e9cc5172SEd Tanous { 2230e9cc5172SEd Tanous // Users with ConfigureUsers can modify for all users 223158345856SAbhishek Patel if (!json_util::readJsonPatch( 223258345856SAbhishek Patel req, asyncResp->res, "UserName", newUserName, "Password", 223358345856SAbhishek Patel password, "RoleId", roleId, "Enabled", enabled, "Locked", 223458345856SAbhishek Patel locked, "AccountTypes", accountTypes)) 2235a840879dSEd Tanous { 2236a840879dSEd Tanous return; 2237a840879dSEd Tanous } 2238e9cc5172SEd Tanous } 2239e9cc5172SEd Tanous else 2240900f9497SJoseph Reynolds { 2241e9cc5172SEd Tanous // ConfigureSelf accounts can only modify their own account 224258345856SAbhishek Patel if (!userSelf) 2243900f9497SJoseph Reynolds { 2244900f9497SJoseph Reynolds messages::insufficientPrivilege(asyncResp->res); 2245900f9497SJoseph Reynolds return; 2246900f9497SJoseph Reynolds } 2247031514fbSJunLin Chen 2248e9cc5172SEd Tanous // ConfigureSelf accounts can only modify their password 22491ef4c342SEd Tanous if (!json_util::readJsonPatch(req, asyncResp->res, "Password", 22501ef4c342SEd Tanous password)) 2251e9cc5172SEd Tanous { 2252e9cc5172SEd Tanous return; 2253e9cc5172SEd Tanous } 2254900f9497SJoseph Reynolds } 2255900f9497SJoseph Reynolds 225666b5ca76Sjayaprakash Mutyala // if user name is not provided in the patch method or if it 22576c51eab1SEd Tanous // matches the user name in the URI, then we are treating it as 22586c51eab1SEd Tanous // updating user properties other then username. If username 22596c51eab1SEd Tanous // provided doesn't match the URI, then we are treating this as 22606c51eab1SEd Tanous // user rename request. 226166b5ca76Sjayaprakash Mutyala if (!newUserName || (newUserName.value() == username)) 2262a840879dSEd Tanous { 22631ef4c342SEd Tanous updateUserProperties(asyncResp, username, password, enabled, roleId, 226458345856SAbhishek Patel locked, accountTypes, userSelf); 226584e12cb7SAppaRao Puli return; 226684e12cb7SAppaRao Puli } 226784e12cb7SAppaRao Puli crow::connections::systemBus->async_method_call( 22686c51eab1SEd Tanous [asyncResp, username, password(std::move(password)), 22691ef4c342SEd Tanous roleId(std::move(roleId)), enabled, newUser{std::string(*newUserName)}, 227058345856SAbhishek Patel locked, userSelf, accountTypes(std::move(accountTypes))]( 227158345856SAbhishek Patel const boost::system::error_code ec, sdbusplus::message_t& m) { 227284e12cb7SAppaRao Puli if (ec) 227384e12cb7SAppaRao Puli { 2274002d39b4SEd Tanous userErrorMessageHandler(m.get_error(), asyncResp, newUser, 2275002d39b4SEd Tanous username); 2276a840879dSEd Tanous return; 2277a840879dSEd Tanous } 2278a840879dSEd Tanous 2279002d39b4SEd Tanous updateUserProperties(asyncResp, newUser, password, enabled, roleId, 228058345856SAbhishek Patel locked, accountTypes, userSelf); 228184e12cb7SAppaRao Puli }, 22821ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 228384e12cb7SAppaRao Puli "xyz.openbmc_project.User.Manager", "RenameUser", username, 228484e12cb7SAppaRao Puli *newUserName); 22851ef4c342SEd Tanous } 22861ef4c342SEd Tanous 22871ef4c342SEd Tanous inline void requestAccountServiceRoutes(App& app) 22881ef4c342SEd Tanous { 22891ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 22904c7d4d33SEd Tanous .privileges(redfish::privileges::headAccountService) 22914c7d4d33SEd Tanous .methods(boost::beast::http::verb::head)( 22924c7d4d33SEd Tanous std::bind_front(handleAccountServiceHead, std::ref(app))); 22934c7d4d33SEd Tanous 22944c7d4d33SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 22951ef4c342SEd Tanous .privileges(redfish::privileges::getAccountService) 22961ef4c342SEd Tanous .methods(boost::beast::http::verb::get)( 22971ef4c342SEd Tanous std::bind_front(handleAccountServiceGet, std::ref(app))); 22981ef4c342SEd Tanous 22991ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 23001ef4c342SEd Tanous .privileges(redfish::privileges::patchAccountService) 23011ef4c342SEd Tanous .methods(boost::beast::http::verb::patch)( 23021ef4c342SEd Tanous std::bind_front(handleAccountServicePatch, std::ref(app))); 23031ef4c342SEd Tanous 23041ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 23054c7d4d33SEd Tanous .privileges(redfish::privileges::headManagerAccountCollection) 23064c7d4d33SEd Tanous .methods(boost::beast::http::verb::head)( 23074c7d4d33SEd Tanous std::bind_front(handleAccountCollectionHead, std::ref(app))); 23084c7d4d33SEd Tanous 23094c7d4d33SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 23101ef4c342SEd Tanous .privileges(redfish::privileges::getManagerAccountCollection) 23111ef4c342SEd Tanous .methods(boost::beast::http::verb::get)( 23121ef4c342SEd Tanous std::bind_front(handleAccountCollectionGet, std::ref(app))); 23131ef4c342SEd Tanous 23141ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 23151ef4c342SEd Tanous .privileges(redfish::privileges::postManagerAccountCollection) 23161ef4c342SEd Tanous .methods(boost::beast::http::verb::post)( 23171ef4c342SEd Tanous std::bind_front(handleAccountCollectionPost, std::ref(app))); 23181ef4c342SEd Tanous 23191ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 23204c7d4d33SEd Tanous .privileges(redfish::privileges::headManagerAccount) 23214c7d4d33SEd Tanous .methods(boost::beast::http::verb::head)( 23224c7d4d33SEd Tanous std::bind_front(handleAccountHead, std::ref(app))); 23234c7d4d33SEd Tanous 23244c7d4d33SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 23251ef4c342SEd Tanous .privileges(redfish::privileges::getManagerAccount) 23261ef4c342SEd Tanous .methods(boost::beast::http::verb::get)( 23271ef4c342SEd Tanous std::bind_front(handleAccountGet, std::ref(app))); 23281ef4c342SEd Tanous 23291ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 23301ef4c342SEd Tanous // TODO this privilege should be using the generated endpoints, but 23311ef4c342SEd Tanous // because of the special handling of ConfigureSelf, it's not able to 23321ef4c342SEd Tanous // yet 23331ef4c342SEd Tanous .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}}) 23341ef4c342SEd Tanous .methods(boost::beast::http::verb::patch)( 23351ef4c342SEd Tanous std::bind_front(handleAccountPatch, std::ref(app))); 233684e12cb7SAppaRao Puli 23376c51eab1SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 2338ed398213SEd Tanous .privileges(redfish::privileges::deleteManagerAccount) 23396c51eab1SEd Tanous .methods(boost::beast::http::verb::delete_)( 234020fc307fSGunnar Mills std::bind_front(handleAccountDelete, std::ref(app))); 234106e086d9SEd Tanous } 234288d16c9aSLewanczyk, Dawid 234388d16c9aSLewanczyk, Dawid } // namespace redfish 2344