188d16c9aSLewanczyk, Dawid /* 288d16c9aSLewanczyk, Dawid // Copyright (c) 2018 Intel Corporation 388d16c9aSLewanczyk, Dawid // 488d16c9aSLewanczyk, Dawid // Licensed under the Apache License, Version 2.0 (the "License"); 588d16c9aSLewanczyk, Dawid // you may not use this file except in compliance with the License. 688d16c9aSLewanczyk, Dawid // You may obtain a copy of the License at 788d16c9aSLewanczyk, Dawid // 888d16c9aSLewanczyk, Dawid // http://www.apache.org/licenses/LICENSE-2.0 988d16c9aSLewanczyk, Dawid // 1088d16c9aSLewanczyk, Dawid // Unless required by applicable law or agreed to in writing, software 1188d16c9aSLewanczyk, Dawid // distributed under the License is distributed on an "AS IS" BASIS, 1288d16c9aSLewanczyk, Dawid // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 1388d16c9aSLewanczyk, Dawid // See the License for the specific language governing permissions and 1488d16c9aSLewanczyk, Dawid // limitations under the License. 1588d16c9aSLewanczyk, Dawid */ 1688d16c9aSLewanczyk, Dawid #pragma once 1788d16c9aSLewanczyk, Dawid 187e860f15SJohn Edward Broadbent #include <app.hpp> 1924c8542dSRatan Gupta #include <dbus_utility.hpp> 2065b0dc32SEd Tanous #include <error_messages.hpp> 21b9b2e0b2SEd Tanous #include <openbmc_dbus_rest.hpp> 2252cc112dSEd Tanous #include <persistent_data.hpp> 2345ca1b86SEd Tanous #include <query.hpp> 24ed398213SEd Tanous #include <registries/privilege_registry.hpp> 251e1e598dSJonathan Doman #include <sdbusplus/asio/property.hpp> 26d1bde9e5SKrzysztof Grobelny #include <sdbusplus/unpack_properties.hpp> 27d1bde9e5SKrzysztof Grobelny #include <utils/dbus_utils.hpp> 28a840879dSEd Tanous #include <utils/json_utils.hpp> 291214b7e7SGunnar Mills 30*c7229815SAbhishek Patel #include <optional> 31*c7229815SAbhishek Patel #include <string> 32*c7229815SAbhishek Patel #include <vector> 33*c7229815SAbhishek Patel 341abe55efSEd Tanous namespace redfish 351abe55efSEd Tanous { 3688d16c9aSLewanczyk, Dawid 3723a21a1cSEd Tanous constexpr const char* ldapConfigObjectName = 386973a582SRatan Gupta "/xyz/openbmc_project/user/ldap/openldap"; 392c70f800SEd Tanous constexpr const char* adConfigObject = 40ab828d7cSRatan Gupta "/xyz/openbmc_project/user/ldap/active_directory"; 41ab828d7cSRatan Gupta 42b477fd44SP Dheeraj Srujan Kumar constexpr const char* rootUserDbusPath = "/xyz/openbmc_project/user/"; 436973a582SRatan Gupta constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap"; 446973a582SRatan Gupta constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config"; 456973a582SRatan Gupta constexpr const char* ldapConfigInterface = 466973a582SRatan Gupta "xyz.openbmc_project.User.Ldap.Config"; 476973a582SRatan Gupta constexpr const char* ldapCreateInterface = 486973a582SRatan Gupta "xyz.openbmc_project.User.Ldap.Create"; 496973a582SRatan Gupta constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable"; 5006785244SRatan Gupta constexpr const char* ldapPrivMapperInterface = 5106785244SRatan Gupta "xyz.openbmc_project.User.PrivilegeMapper"; 526973a582SRatan Gupta constexpr const char* dbusObjManagerIntf = "org.freedesktop.DBus.ObjectManager"; 536973a582SRatan Gupta constexpr const char* propertyInterface = "org.freedesktop.DBus.Properties"; 546973a582SRatan Gupta constexpr const char* mapperBusName = "xyz.openbmc_project.ObjectMapper"; 556973a582SRatan Gupta constexpr const char* mapperObjectPath = "/xyz/openbmc_project/object_mapper"; 566973a582SRatan Gupta constexpr const char* mapperIntf = "xyz.openbmc_project.ObjectMapper"; 576973a582SRatan Gupta 5854fc587aSNagaraju Goruganti struct LDAPRoleMapData 5954fc587aSNagaraju Goruganti { 6054fc587aSNagaraju Goruganti std::string groupName; 6154fc587aSNagaraju Goruganti std::string privilege; 6254fc587aSNagaraju Goruganti }; 6354fc587aSNagaraju Goruganti 646973a582SRatan Gupta struct LDAPConfigData 656973a582SRatan Gupta { 666973a582SRatan Gupta std::string uri{}; 676973a582SRatan Gupta std::string bindDN{}; 686973a582SRatan Gupta std::string baseDN{}; 696973a582SRatan Gupta std::string searchScope{}; 706973a582SRatan Gupta std::string serverType{}; 716973a582SRatan Gupta bool serviceEnabled = false; 726973a582SRatan Gupta std::string userNameAttribute{}; 736973a582SRatan Gupta std::string groupAttribute{}; 7454fc587aSNagaraju Goruganti std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList; 756973a582SRatan Gupta }; 766973a582SRatan Gupta 7754fc587aSNagaraju Goruganti inline std::string getRoleIdFromPrivilege(std::string_view role) 7884e12cb7SAppaRao Puli { 7984e12cb7SAppaRao Puli if (role == "priv-admin") 8084e12cb7SAppaRao Puli { 8184e12cb7SAppaRao Puli return "Administrator"; 8284e12cb7SAppaRao Puli } 833174e4dfSEd Tanous if (role == "priv-user") 8484e12cb7SAppaRao Puli { 85c80fee55SAppaRao Puli return "ReadOnly"; 8684e12cb7SAppaRao Puli } 873174e4dfSEd Tanous if (role == "priv-operator") 8884e12cb7SAppaRao Puli { 8984e12cb7SAppaRao Puli return "Operator"; 9084e12cb7SAppaRao Puli } 9126f6976fSEd Tanous if (role.empty() || (role == "priv-noaccess")) 92e9e6d240Sjayaprakash Mutyala { 93e9e6d240Sjayaprakash Mutyala return "NoAccess"; 94e9e6d240Sjayaprakash Mutyala } 9584e12cb7SAppaRao Puli return ""; 9684e12cb7SAppaRao Puli } 9754fc587aSNagaraju Goruganti inline std::string getPrivilegeFromRoleId(std::string_view role) 9884e12cb7SAppaRao Puli { 9984e12cb7SAppaRao Puli if (role == "Administrator") 10084e12cb7SAppaRao Puli { 10184e12cb7SAppaRao Puli return "priv-admin"; 10284e12cb7SAppaRao Puli } 1033174e4dfSEd Tanous if (role == "ReadOnly") 10484e12cb7SAppaRao Puli { 10584e12cb7SAppaRao Puli return "priv-user"; 10684e12cb7SAppaRao Puli } 1073174e4dfSEd Tanous if (role == "Operator") 10884e12cb7SAppaRao Puli { 10984e12cb7SAppaRao Puli return "priv-operator"; 11084e12cb7SAppaRao Puli } 11126f6976fSEd Tanous if ((role == "NoAccess") || (role.empty())) 112e9e6d240Sjayaprakash Mutyala { 113e9e6d240Sjayaprakash Mutyala return "priv-noaccess"; 114e9e6d240Sjayaprakash Mutyala } 11584e12cb7SAppaRao Puli return ""; 11684e12cb7SAppaRao Puli } 117b9b2e0b2SEd Tanous 118*c7229815SAbhishek Patel /** 119*c7229815SAbhishek Patel * @brief Maps user group names retrieved from D-Bus object to 120*c7229815SAbhishek Patel * Account Types. 121*c7229815SAbhishek Patel * 122*c7229815SAbhishek Patel * @param[in] userGroups List of User groups 123*c7229815SAbhishek Patel * @param[out] res AccountTypes populated 124*c7229815SAbhishek Patel * 125*c7229815SAbhishek Patel * @return true in case of success, false if UserGroups contains 126*c7229815SAbhishek Patel * invalid group name(s). 127*c7229815SAbhishek Patel */ 128*c7229815SAbhishek Patel inline bool translateUserGroup(const std::vector<std::string>& userGroups, 129*c7229815SAbhishek Patel crow::Response& res) 130*c7229815SAbhishek Patel { 131*c7229815SAbhishek Patel std::vector<std::string> accountTypes; 132*c7229815SAbhishek Patel for (const auto& userGroup : userGroups) 133*c7229815SAbhishek Patel { 134*c7229815SAbhishek Patel if (userGroup == "redfish") 135*c7229815SAbhishek Patel { 136*c7229815SAbhishek Patel accountTypes.emplace_back("Redfish"); 137*c7229815SAbhishek Patel accountTypes.emplace_back("WebUI"); 138*c7229815SAbhishek Patel } 139*c7229815SAbhishek Patel else if (userGroup == "ipmi") 140*c7229815SAbhishek Patel { 141*c7229815SAbhishek Patel accountTypes.emplace_back("IPMI"); 142*c7229815SAbhishek Patel } 143*c7229815SAbhishek Patel else if (userGroup == "ssh") 144*c7229815SAbhishek Patel { 145*c7229815SAbhishek Patel accountTypes.emplace_back("HostConsole"); 146*c7229815SAbhishek Patel accountTypes.emplace_back("ManagerConsole"); 147*c7229815SAbhishek Patel } 148*c7229815SAbhishek Patel else if (userGroup == "web") 149*c7229815SAbhishek Patel { 150*c7229815SAbhishek Patel // 'web' is one of the valid groups in the UserGroups property of 151*c7229815SAbhishek Patel // the user account in the D-Bus object. This group is currently not 152*c7229815SAbhishek Patel // doing anything, and is considered to be equivalent to 'redfish'. 153*c7229815SAbhishek Patel // 'redfish' user group is mapped to 'Redfish'and 'WebUI' 154*c7229815SAbhishek Patel // AccountTypes, so do nothing here... 155*c7229815SAbhishek Patel } 156*c7229815SAbhishek Patel else 157*c7229815SAbhishek Patel { 158*c7229815SAbhishek Patel // Invalid user group name. Caller throws an excption. 159*c7229815SAbhishek Patel return false; 160*c7229815SAbhishek Patel } 161*c7229815SAbhishek Patel } 162*c7229815SAbhishek Patel 163*c7229815SAbhishek Patel res.jsonValue["AccountTypes"] = std::move(accountTypes); 164*c7229815SAbhishek Patel return true; 165*c7229815SAbhishek Patel } 166*c7229815SAbhishek Patel 1678d1b46d7Szhanghch05 inline void userErrorMessageHandler( 1688d1b46d7Szhanghch05 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 1698d1b46d7Szhanghch05 const std::string& newUser, const std::string& username) 17066b5ca76Sjayaprakash Mutyala { 17166b5ca76Sjayaprakash Mutyala if (e == nullptr) 17266b5ca76Sjayaprakash Mutyala { 17366b5ca76Sjayaprakash Mutyala messages::internalError(asyncResp->res); 17466b5ca76Sjayaprakash Mutyala return; 17566b5ca76Sjayaprakash Mutyala } 17666b5ca76Sjayaprakash Mutyala 177055806b3SManojkiran Eda const char* errorMessage = e->name; 17866b5ca76Sjayaprakash Mutyala if (strcmp(errorMessage, 17966b5ca76Sjayaprakash Mutyala "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0) 18066b5ca76Sjayaprakash Mutyala { 181d8a5d5d8SJiaqing Zhao messages::resourceAlreadyExists(asyncResp->res, "ManagerAccount", 18266b5ca76Sjayaprakash Mutyala "UserName", newUser); 18366b5ca76Sjayaprakash Mutyala } 18466b5ca76Sjayaprakash Mutyala else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error." 18566b5ca76Sjayaprakash Mutyala "UserNameDoesNotExist") == 0) 18666b5ca76Sjayaprakash Mutyala { 187d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", username); 18866b5ca76Sjayaprakash Mutyala } 189d4d25793SEd Tanous else if ((strcmp(errorMessage, 190d4d25793SEd Tanous "xyz.openbmc_project.Common.Error.InvalidArgument") == 191d4d25793SEd Tanous 0) || 1920fda0f12SGeorge Liu (strcmp( 1930fda0f12SGeorge Liu errorMessage, 1940fda0f12SGeorge Liu "xyz.openbmc_project.User.Common.Error.UserNameGroupFail") == 1950fda0f12SGeorge Liu 0)) 19666b5ca76Sjayaprakash Mutyala { 19766b5ca76Sjayaprakash Mutyala messages::propertyValueFormatError(asyncResp->res, newUser, "UserName"); 19866b5ca76Sjayaprakash Mutyala } 19966b5ca76Sjayaprakash Mutyala else if (strcmp(errorMessage, 20066b5ca76Sjayaprakash Mutyala "xyz.openbmc_project.User.Common.Error.NoResource") == 0) 20166b5ca76Sjayaprakash Mutyala { 20266b5ca76Sjayaprakash Mutyala messages::createLimitReachedForResource(asyncResp->res); 20366b5ca76Sjayaprakash Mutyala } 20466b5ca76Sjayaprakash Mutyala else 20566b5ca76Sjayaprakash Mutyala { 20666b5ca76Sjayaprakash Mutyala messages::internalError(asyncResp->res); 20766b5ca76Sjayaprakash Mutyala } 20866b5ca76Sjayaprakash Mutyala } 20966b5ca76Sjayaprakash Mutyala 21081ce609eSEd Tanous inline void parseLDAPConfigData(nlohmann::json& jsonResponse, 211ab828d7cSRatan Gupta const LDAPConfigData& confData, 212ab828d7cSRatan Gupta const std::string& ldapType) 2136973a582SRatan Gupta { 214ab828d7cSRatan Gupta std::string service = 215ab828d7cSRatan Gupta (ldapType == "LDAP") ? "LDAPService" : "ActiveDirectoryService"; 21654fc587aSNagaraju Goruganti 2171476687dSEd Tanous nlohmann::json& ldap = jsonResponse[ldapType]; 21854fc587aSNagaraju Goruganti 2191476687dSEd Tanous ldap["ServiceEnabled"] = confData.serviceEnabled; 2201476687dSEd Tanous ldap["ServiceAddresses"] = nlohmann::json::array({confData.uri}); 2211476687dSEd Tanous ldap["Authentication"]["AuthenticationType"] = "UsernameAndPassword"; 2221476687dSEd Tanous ldap["Authentication"]["Username"] = confData.bindDN; 2231476687dSEd Tanous ldap["Authentication"]["Password"] = nullptr; 2241476687dSEd Tanous 2251476687dSEd Tanous ldap["LDAPService"]["SearchSettings"]["BaseDistinguishedNames"] = 2261476687dSEd Tanous nlohmann::json::array({confData.baseDN}); 2271476687dSEd Tanous ldap["LDAPService"]["SearchSettings"]["UsernameAttribute"] = 2281476687dSEd Tanous confData.userNameAttribute; 2291476687dSEd Tanous ldap["LDAPService"]["SearchSettings"]["GroupsAttribute"] = 2301476687dSEd Tanous confData.groupAttribute; 2311476687dSEd Tanous 2321476687dSEd Tanous nlohmann::json& roleMapArray = ldap["RemoteRoleMapping"]; 23354fc587aSNagaraju Goruganti roleMapArray = nlohmann::json::array(); 2349eb808c1SEd Tanous for (const auto& obj : confData.groupRoleList) 23554fc587aSNagaraju Goruganti { 23654fc587aSNagaraju Goruganti BMCWEB_LOG_DEBUG << "Pushing the data groupName=" 23754fc587aSNagaraju Goruganti << obj.second.groupName << "\n"; 238613dabeaSEd Tanous 239613dabeaSEd Tanous nlohmann::json::array_t remoteGroupArray; 240613dabeaSEd Tanous nlohmann::json::object_t remoteGroup; 241613dabeaSEd Tanous remoteGroup["RemoteGroup"] = obj.second.groupName; 242613dabeaSEd Tanous remoteGroupArray.emplace_back(std::move(remoteGroup)); 243613dabeaSEd Tanous roleMapArray.emplace_back(std::move(remoteGroupArray)); 244613dabeaSEd Tanous 245613dabeaSEd Tanous nlohmann::json::array_t localRoleArray; 246613dabeaSEd Tanous nlohmann::json::object_t localRole; 247613dabeaSEd Tanous localRole["LocalRole"] = getRoleIdFromPrivilege(obj.second.privilege); 248613dabeaSEd Tanous localRoleArray.emplace_back(std::move(localRole)); 249613dabeaSEd Tanous roleMapArray.emplace_back(std::move(localRoleArray)); 25054fc587aSNagaraju Goruganti } 2516973a582SRatan Gupta } 2526973a582SRatan Gupta 2536973a582SRatan Gupta /** 25406785244SRatan Gupta * @brief validates given JSON input and then calls appropriate method to 25506785244SRatan Gupta * create, to delete or to set Rolemapping object based on the given input. 25606785244SRatan Gupta * 25706785244SRatan Gupta */ 25823a21a1cSEd Tanous inline void handleRoleMapPatch( 2598d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 26006785244SRatan Gupta const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData, 261f23b7296SEd Tanous const std::string& serverType, const std::vector<nlohmann::json>& input) 26206785244SRatan Gupta { 26306785244SRatan Gupta for (size_t index = 0; index < input.size(); index++) 26406785244SRatan Gupta { 265f23b7296SEd Tanous const nlohmann::json& thisJson = input[index]; 26606785244SRatan Gupta 26706785244SRatan Gupta if (thisJson.is_null()) 26806785244SRatan Gupta { 26906785244SRatan Gupta // delete the existing object 27006785244SRatan Gupta if (index < roleMapObjData.size()) 27106785244SRatan Gupta { 27206785244SRatan Gupta crow::connections::systemBus->async_method_call( 27306785244SRatan Gupta [asyncResp, roleMapObjData, serverType, 27406785244SRatan Gupta index](const boost::system::error_code ec) { 27506785244SRatan Gupta if (ec) 27606785244SRatan Gupta { 27706785244SRatan Gupta BMCWEB_LOG_ERROR << "DBUS response error: " << ec; 27806785244SRatan Gupta messages::internalError(asyncResp->res); 27906785244SRatan Gupta return; 28006785244SRatan Gupta } 28106785244SRatan Gupta asyncResp->res 28206785244SRatan Gupta .jsonValue[serverType]["RemoteRoleMapping"][index] = 28306785244SRatan Gupta nullptr; 28406785244SRatan Gupta }, 28506785244SRatan Gupta ldapDbusService, roleMapObjData[index].first, 28606785244SRatan Gupta "xyz.openbmc_project.Object.Delete", "Delete"); 28706785244SRatan Gupta } 28806785244SRatan Gupta else 28906785244SRatan Gupta { 29006785244SRatan Gupta BMCWEB_LOG_ERROR << "Can't delete the object"; 29106785244SRatan Gupta messages::propertyValueTypeError( 29271f52d96SEd Tanous asyncResp->res, 29371f52d96SEd Tanous thisJson.dump(2, ' ', true, 29471f52d96SEd Tanous nlohmann::json::error_handler_t::replace), 29506785244SRatan Gupta "RemoteRoleMapping/" + std::to_string(index)); 29606785244SRatan Gupta return; 29706785244SRatan Gupta } 29806785244SRatan Gupta } 29906785244SRatan Gupta else if (thisJson.empty()) 30006785244SRatan Gupta { 30106785244SRatan Gupta // Don't do anything for the empty objects,parse next json 30206785244SRatan Gupta // eg {"RemoteRoleMapping",[{}]} 30306785244SRatan Gupta } 30406785244SRatan Gupta else 30506785244SRatan Gupta { 30606785244SRatan Gupta // update/create the object 30706785244SRatan Gupta std::optional<std::string> remoteGroup; 30806785244SRatan Gupta std::optional<std::string> localRole; 30906785244SRatan Gupta 310f23b7296SEd Tanous // This is a copy, but it's required in this case because of how 311f23b7296SEd Tanous // readJson is structured 312f23b7296SEd Tanous nlohmann::json thisJsonCopy = thisJson; 313f23b7296SEd Tanous if (!json_util::readJson(thisJsonCopy, asyncResp->res, 314f23b7296SEd Tanous "RemoteGroup", remoteGroup, "LocalRole", 315f23b7296SEd Tanous localRole)) 31606785244SRatan Gupta { 31706785244SRatan Gupta continue; 31806785244SRatan Gupta } 31906785244SRatan Gupta 32006785244SRatan Gupta // Update existing RoleMapping Object 32106785244SRatan Gupta if (index < roleMapObjData.size()) 32206785244SRatan Gupta { 32306785244SRatan Gupta BMCWEB_LOG_DEBUG << "Update Role Map Object"; 32406785244SRatan Gupta // If "RemoteGroup" info is provided 32506785244SRatan Gupta if (remoteGroup) 32606785244SRatan Gupta { 32706785244SRatan Gupta crow::connections::systemBus->async_method_call( 32806785244SRatan Gupta [asyncResp, roleMapObjData, serverType, index, 32906785244SRatan Gupta remoteGroup](const boost::system::error_code ec) { 33006785244SRatan Gupta if (ec) 33106785244SRatan Gupta { 332002d39b4SEd Tanous BMCWEB_LOG_ERROR << "DBUS response error: " << ec; 33306785244SRatan Gupta messages::internalError(asyncResp->res); 33406785244SRatan Gupta return; 33506785244SRatan Gupta } 33606785244SRatan Gupta asyncResp->res 337002d39b4SEd Tanous .jsonValue[serverType]["RemoteRoleMapping"][index] 338002d39b4SEd Tanous ["RemoteGroup"] = *remoteGroup; 33906785244SRatan Gupta }, 34006785244SRatan Gupta ldapDbusService, roleMapObjData[index].first, 34106785244SRatan Gupta propertyInterface, "Set", 34206785244SRatan Gupta "xyz.openbmc_project.User.PrivilegeMapperEntry", 34306785244SRatan Gupta "GroupName", 344168e20c1SEd Tanous dbus::utility::DbusVariantType( 345168e20c1SEd Tanous std::move(*remoteGroup))); 34606785244SRatan Gupta } 34706785244SRatan Gupta 34806785244SRatan Gupta // If "LocalRole" info is provided 34906785244SRatan Gupta if (localRole) 35006785244SRatan Gupta { 35106785244SRatan Gupta crow::connections::systemBus->async_method_call( 35206785244SRatan Gupta [asyncResp, roleMapObjData, serverType, index, 35306785244SRatan Gupta localRole](const boost::system::error_code ec) { 35406785244SRatan Gupta if (ec) 35506785244SRatan Gupta { 356002d39b4SEd Tanous BMCWEB_LOG_ERROR << "DBUS response error: " << ec; 35706785244SRatan Gupta messages::internalError(asyncResp->res); 35806785244SRatan Gupta return; 35906785244SRatan Gupta } 36006785244SRatan Gupta asyncResp->res 361002d39b4SEd Tanous .jsonValue[serverType]["RemoteRoleMapping"][index] 362002d39b4SEd Tanous ["LocalRole"] = *localRole; 36306785244SRatan Gupta }, 36406785244SRatan Gupta ldapDbusService, roleMapObjData[index].first, 36506785244SRatan Gupta propertyInterface, "Set", 36606785244SRatan Gupta "xyz.openbmc_project.User.PrivilegeMapperEntry", 36706785244SRatan Gupta "Privilege", 368168e20c1SEd Tanous dbus::utility::DbusVariantType( 36906785244SRatan Gupta getPrivilegeFromRoleId(std::move(*localRole)))); 37006785244SRatan Gupta } 37106785244SRatan Gupta } 37206785244SRatan Gupta // Create a new RoleMapping Object. 37306785244SRatan Gupta else 37406785244SRatan Gupta { 37506785244SRatan Gupta BMCWEB_LOG_DEBUG 37606785244SRatan Gupta << "setRoleMappingProperties: Creating new Object"; 37706785244SRatan Gupta std::string pathString = 37806785244SRatan Gupta "RemoteRoleMapping/" + std::to_string(index); 37906785244SRatan Gupta 38006785244SRatan Gupta if (!localRole) 38106785244SRatan Gupta { 38206785244SRatan Gupta messages::propertyMissing(asyncResp->res, 38306785244SRatan Gupta pathString + "/LocalRole"); 38406785244SRatan Gupta continue; 38506785244SRatan Gupta } 38606785244SRatan Gupta if (!remoteGroup) 38706785244SRatan Gupta { 38806785244SRatan Gupta messages::propertyMissing(asyncResp->res, 38906785244SRatan Gupta pathString + "/RemoteGroup"); 39006785244SRatan Gupta continue; 39106785244SRatan Gupta } 39206785244SRatan Gupta 39306785244SRatan Gupta std::string dbusObjectPath; 39406785244SRatan Gupta if (serverType == "ActiveDirectory") 39506785244SRatan Gupta { 3962c70f800SEd Tanous dbusObjectPath = adConfigObject; 39706785244SRatan Gupta } 39806785244SRatan Gupta else if (serverType == "LDAP") 39906785244SRatan Gupta { 40023a21a1cSEd Tanous dbusObjectPath = ldapConfigObjectName; 40106785244SRatan Gupta } 40206785244SRatan Gupta 40306785244SRatan Gupta BMCWEB_LOG_DEBUG << "Remote Group=" << *remoteGroup 40406785244SRatan Gupta << ",LocalRole=" << *localRole; 40506785244SRatan Gupta 40606785244SRatan Gupta crow::connections::systemBus->async_method_call( 407271584abSEd Tanous [asyncResp, serverType, localRole, 40806785244SRatan Gupta remoteGroup](const boost::system::error_code ec) { 40906785244SRatan Gupta if (ec) 41006785244SRatan Gupta { 41106785244SRatan Gupta BMCWEB_LOG_ERROR << "DBUS response error: " << ec; 41206785244SRatan Gupta messages::internalError(asyncResp->res); 41306785244SRatan Gupta return; 41406785244SRatan Gupta } 41506785244SRatan Gupta nlohmann::json& remoteRoleJson = 41606785244SRatan Gupta asyncResp->res 41706785244SRatan Gupta .jsonValue[serverType]["RemoteRoleMapping"]; 4181476687dSEd Tanous nlohmann::json::object_t roleMapEntry; 4191476687dSEd Tanous roleMapEntry["LocalRole"] = *localRole; 4201476687dSEd Tanous roleMapEntry["RemoteGroup"] = *remoteGroup; 4211476687dSEd Tanous remoteRoleJson.push_back(std::move(roleMapEntry)); 42206785244SRatan Gupta }, 42306785244SRatan Gupta ldapDbusService, dbusObjectPath, ldapPrivMapperInterface, 4243174e4dfSEd Tanous "Create", *remoteGroup, 42506785244SRatan Gupta getPrivilegeFromRoleId(std::move(*localRole))); 42606785244SRatan Gupta } 42706785244SRatan Gupta } 42806785244SRatan Gupta } 42906785244SRatan Gupta } 43006785244SRatan Gupta 43106785244SRatan Gupta /** 4326973a582SRatan Gupta * Function that retrieves all properties for LDAP config object 4336973a582SRatan Gupta * into JSON 4346973a582SRatan Gupta */ 4356973a582SRatan Gupta template <typename CallbackFunc> 4366973a582SRatan Gupta inline void getLDAPConfigData(const std::string& ldapType, 4376973a582SRatan Gupta CallbackFunc&& callback) 4386973a582SRatan Gupta { 43954fc587aSNagaraju Goruganti 44054fc587aSNagaraju Goruganti const std::array<const char*, 2> interfaces = {ldapEnableInterface, 44154fc587aSNagaraju Goruganti ldapConfigInterface}; 44254fc587aSNagaraju Goruganti 44354fc587aSNagaraju Goruganti crow::connections::systemBus->async_method_call( 44454fc587aSNagaraju Goruganti [callback, ldapType](const boost::system::error_code ec, 445b9d36b47SEd Tanous const dbus::utility::MapperGetObject& resp) { 44654fc587aSNagaraju Goruganti if (ec || resp.empty()) 44754fc587aSNagaraju Goruganti { 4480fda0f12SGeorge Liu BMCWEB_LOG_ERROR 449002d39b4SEd Tanous << "DBUS response error during getting of service name: " << ec; 45023a21a1cSEd Tanous LDAPConfigData empty{}; 45123a21a1cSEd Tanous callback(false, empty, ldapType); 45254fc587aSNagaraju Goruganti return; 45354fc587aSNagaraju Goruganti } 45454fc587aSNagaraju Goruganti std::string service = resp.begin()->first; 45554fc587aSNagaraju Goruganti crow::connections::systemBus->async_method_call( 456002d39b4SEd Tanous [callback, 457002d39b4SEd Tanous ldapType](const boost::system::error_code errorCode, 458711ac7a9SEd Tanous const dbus::utility::ManagedObjectType& ldapObjects) { 4596973a582SRatan Gupta LDAPConfigData confData{}; 46081ce609eSEd Tanous if (errorCode) 4616973a582SRatan Gupta { 462ab828d7cSRatan Gupta callback(false, confData, ldapType); 463002d39b4SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << errorCode; 4646973a582SRatan Gupta return; 4656973a582SRatan Gupta } 466ab828d7cSRatan Gupta 467ab828d7cSRatan Gupta std::string ldapDbusType; 46854fc587aSNagaraju Goruganti std::string searchString; 46954fc587aSNagaraju Goruganti 470ab828d7cSRatan Gupta if (ldapType == "LDAP") 471ab828d7cSRatan Gupta { 4720fda0f12SGeorge Liu ldapDbusType = 4730fda0f12SGeorge Liu "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap"; 47454fc587aSNagaraju Goruganti searchString = "openldap"; 475ab828d7cSRatan Gupta } 476ab828d7cSRatan Gupta else if (ldapType == "ActiveDirectory") 477ab828d7cSRatan Gupta { 47854fc587aSNagaraju Goruganti ldapDbusType = 4790fda0f12SGeorge Liu "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory"; 48054fc587aSNagaraju Goruganti searchString = "active_directory"; 481ab828d7cSRatan Gupta } 482ab828d7cSRatan Gupta else 483ab828d7cSRatan Gupta { 484002d39b4SEd Tanous BMCWEB_LOG_ERROR << "Can't get the DbusType for the given type=" 485ab828d7cSRatan Gupta << ldapType; 486ab828d7cSRatan Gupta callback(false, confData, ldapType); 487ab828d7cSRatan Gupta return; 488ab828d7cSRatan Gupta } 489ab828d7cSRatan Gupta 490ab828d7cSRatan Gupta std::string ldapEnableInterfaceStr = ldapEnableInterface; 491ab828d7cSRatan Gupta std::string ldapConfigInterfaceStr = ldapConfigInterface; 492ab828d7cSRatan Gupta 4936973a582SRatan Gupta for (const auto& object : ldapObjects) 4946973a582SRatan Gupta { 49554fc587aSNagaraju Goruganti // let's find the object whose ldap type is equal to the 49654fc587aSNagaraju Goruganti // given type 497002d39b4SEd Tanous if (object.first.str.find(searchString) == std::string::npos) 4986973a582SRatan Gupta { 499ab828d7cSRatan Gupta continue; 500ab828d7cSRatan Gupta } 501ab828d7cSRatan Gupta 5026973a582SRatan Gupta for (const auto& interface : object.second) 5036973a582SRatan Gupta { 5046973a582SRatan Gupta if (interface.first == ldapEnableInterfaceStr) 5056973a582SRatan Gupta { 5066973a582SRatan Gupta // rest of the properties are string. 5076973a582SRatan Gupta for (const auto& property : interface.second) 5086973a582SRatan Gupta { 5096973a582SRatan Gupta if (property.first == "Enabled") 5106973a582SRatan Gupta { 5116973a582SRatan Gupta const bool* value = 5126973a582SRatan Gupta std::get_if<bool>(&property.second); 5136973a582SRatan Gupta if (value == nullptr) 5146973a582SRatan Gupta { 5156973a582SRatan Gupta continue; 5166973a582SRatan Gupta } 5176973a582SRatan Gupta confData.serviceEnabled = *value; 5186973a582SRatan Gupta break; 5196973a582SRatan Gupta } 5206973a582SRatan Gupta } 5216973a582SRatan Gupta } 5226973a582SRatan Gupta else if (interface.first == ldapConfigInterfaceStr) 5236973a582SRatan Gupta { 5246973a582SRatan Gupta 5256973a582SRatan Gupta for (const auto& property : interface.second) 5266973a582SRatan Gupta { 527271584abSEd Tanous const std::string* strValue = 528002d39b4SEd Tanous std::get_if<std::string>(&property.second); 529271584abSEd Tanous if (strValue == nullptr) 5306973a582SRatan Gupta { 5316973a582SRatan Gupta continue; 5326973a582SRatan Gupta } 5336973a582SRatan Gupta if (property.first == "LDAPServerURI") 5346973a582SRatan Gupta { 535271584abSEd Tanous confData.uri = *strValue; 5366973a582SRatan Gupta } 5376973a582SRatan Gupta else if (property.first == "LDAPBindDN") 5386973a582SRatan Gupta { 539271584abSEd Tanous confData.bindDN = *strValue; 5406973a582SRatan Gupta } 5416973a582SRatan Gupta else if (property.first == "LDAPBaseDN") 5426973a582SRatan Gupta { 543271584abSEd Tanous confData.baseDN = *strValue; 5446973a582SRatan Gupta } 545002d39b4SEd Tanous else if (property.first == "LDAPSearchScope") 5466973a582SRatan Gupta { 547271584abSEd Tanous confData.searchScope = *strValue; 5486973a582SRatan Gupta } 549002d39b4SEd Tanous else if (property.first == "GroupNameAttribute") 5506973a582SRatan Gupta { 551271584abSEd Tanous confData.groupAttribute = *strValue; 5526973a582SRatan Gupta } 553002d39b4SEd Tanous else if (property.first == "UserNameAttribute") 5546973a582SRatan Gupta { 555271584abSEd Tanous confData.userNameAttribute = *strValue; 5566973a582SRatan Gupta } 55754fc587aSNagaraju Goruganti else if (property.first == "LDAPType") 558ab828d7cSRatan Gupta { 559271584abSEd Tanous confData.serverType = *strValue; 56054fc587aSNagaraju Goruganti } 56154fc587aSNagaraju Goruganti } 56254fc587aSNagaraju Goruganti } 563002d39b4SEd Tanous else if (interface.first == 5640fda0f12SGeorge Liu "xyz.openbmc_project.User.PrivilegeMapperEntry") 56554fc587aSNagaraju Goruganti { 56654fc587aSNagaraju Goruganti LDAPRoleMapData roleMapData{}; 56754fc587aSNagaraju Goruganti for (const auto& property : interface.second) 56854fc587aSNagaraju Goruganti { 569271584abSEd Tanous const std::string* strValue = 570002d39b4SEd Tanous std::get_if<std::string>(&property.second); 57154fc587aSNagaraju Goruganti 572271584abSEd Tanous if (strValue == nullptr) 57354fc587aSNagaraju Goruganti { 57454fc587aSNagaraju Goruganti continue; 57554fc587aSNagaraju Goruganti } 57654fc587aSNagaraju Goruganti 57754fc587aSNagaraju Goruganti if (property.first == "GroupName") 57854fc587aSNagaraju Goruganti { 579271584abSEd Tanous roleMapData.groupName = *strValue; 58054fc587aSNagaraju Goruganti } 58154fc587aSNagaraju Goruganti else if (property.first == "Privilege") 58254fc587aSNagaraju Goruganti { 583271584abSEd Tanous roleMapData.privilege = *strValue; 58454fc587aSNagaraju Goruganti } 58554fc587aSNagaraju Goruganti } 58654fc587aSNagaraju Goruganti 587002d39b4SEd Tanous confData.groupRoleList.emplace_back(object.first.str, 588002d39b4SEd Tanous roleMapData); 58954fc587aSNagaraju Goruganti } 59054fc587aSNagaraju Goruganti } 59154fc587aSNagaraju Goruganti } 592ab828d7cSRatan Gupta callback(true, confData, ldapType); 59354fc587aSNagaraju Goruganti }, 594002d39b4SEd Tanous service, ldapRootObject, dbusObjManagerIntf, "GetManagedObjects"); 59554fc587aSNagaraju Goruganti }, 59654fc587aSNagaraju Goruganti mapperBusName, mapperObjectPath, mapperIntf, "GetObject", 59723a21a1cSEd Tanous ldapConfigObjectName, interfaces); 5986973a582SRatan Gupta } 5996973a582SRatan Gupta 6008a07d286SRatan Gupta /** 6018a07d286SRatan Gupta * @brief parses the authentication section under the LDAP 6028a07d286SRatan Gupta * @param input JSON data 6038a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 6048a07d286SRatan Gupta * @param userName userName to be filled from the given JSON. 6058a07d286SRatan Gupta * @param password password to be filled from the given JSON. 6068a07d286SRatan Gupta */ 6074f48d5f6SEd Tanous inline void parseLDAPAuthenticationJson( 6086c51eab1SEd Tanous nlohmann::json input, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 6096c51eab1SEd Tanous std::optional<std::string>& username, std::optional<std::string>& password) 6108a07d286SRatan Gupta { 6118a07d286SRatan Gupta std::optional<std::string> authType; 6128a07d286SRatan Gupta 6138a07d286SRatan Gupta if (!json_util::readJson(input, asyncResp->res, "AuthenticationType", 6148a07d286SRatan Gupta authType, "Username", username, "Password", 6158a07d286SRatan Gupta password)) 6168a07d286SRatan Gupta { 6178a07d286SRatan Gupta return; 6188a07d286SRatan Gupta } 6198a07d286SRatan Gupta if (!authType) 6208a07d286SRatan Gupta { 6218a07d286SRatan Gupta return; 6228a07d286SRatan Gupta } 6238a07d286SRatan Gupta if (*authType != "UsernameAndPassword") 6248a07d286SRatan Gupta { 6258a07d286SRatan Gupta messages::propertyValueNotInList(asyncResp->res, *authType, 6268a07d286SRatan Gupta "AuthenticationType"); 6278a07d286SRatan Gupta return; 6288a07d286SRatan Gupta } 6298a07d286SRatan Gupta } 6308a07d286SRatan Gupta /** 6318a07d286SRatan Gupta * @brief parses the LDAPService section under the LDAP 6328a07d286SRatan Gupta * @param input JSON data 6338a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 6348a07d286SRatan Gupta * @param baseDNList baseDN to be filled from the given JSON. 6358a07d286SRatan Gupta * @param userNameAttribute userName to be filled from the given JSON. 6368a07d286SRatan Gupta * @param groupaAttribute password to be filled from the given JSON. 6378a07d286SRatan Gupta */ 6388a07d286SRatan Gupta 6394f48d5f6SEd Tanous inline void 6404f48d5f6SEd Tanous parseLDAPServiceJson(nlohmann::json input, 6418d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 6428a07d286SRatan Gupta std::optional<std::vector<std::string>>& baseDNList, 6438a07d286SRatan Gupta std::optional<std::string>& userNameAttribute, 6448a07d286SRatan Gupta std::optional<std::string>& groupsAttribute) 6458a07d286SRatan Gupta { 6468a07d286SRatan Gupta std::optional<nlohmann::json> searchSettings; 6478a07d286SRatan Gupta 6488a07d286SRatan Gupta if (!json_util::readJson(input, asyncResp->res, "SearchSettings", 6498a07d286SRatan Gupta searchSettings)) 6508a07d286SRatan Gupta { 6518a07d286SRatan Gupta return; 6528a07d286SRatan Gupta } 6538a07d286SRatan Gupta if (!searchSettings) 6548a07d286SRatan Gupta { 6558a07d286SRatan Gupta return; 6568a07d286SRatan Gupta } 6578a07d286SRatan Gupta if (!json_util::readJson(*searchSettings, asyncResp->res, 6588a07d286SRatan Gupta "BaseDistinguishedNames", baseDNList, 6598a07d286SRatan Gupta "UsernameAttribute", userNameAttribute, 6608a07d286SRatan Gupta "GroupsAttribute", groupsAttribute)) 6618a07d286SRatan Gupta { 6628a07d286SRatan Gupta return; 6638a07d286SRatan Gupta } 6648a07d286SRatan Gupta } 6658a07d286SRatan Gupta /** 6668a07d286SRatan Gupta * @brief updates the LDAP server address and updates the 6678a07d286SRatan Gupta json response with the new value. 6688a07d286SRatan Gupta * @param serviceAddressList address to be updated. 6698a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 6708a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 6718a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 6728a07d286SRatan Gupta */ 6738a07d286SRatan Gupta 6744f48d5f6SEd Tanous inline void handleServiceAddressPatch( 6758a07d286SRatan Gupta const std::vector<std::string>& serviceAddressList, 6768d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 6778a07d286SRatan Gupta const std::string& ldapServerElementName, 6788a07d286SRatan Gupta const std::string& ldapConfigObject) 6798a07d286SRatan Gupta { 6808a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 6818a07d286SRatan Gupta [asyncResp, ldapServerElementName, 6828a07d286SRatan Gupta serviceAddressList](const boost::system::error_code ec) { 6838a07d286SRatan Gupta if (ec) 6848a07d286SRatan Gupta { 6858a07d286SRatan Gupta BMCWEB_LOG_DEBUG 686c61704abSGunnar Mills << "Error Occurred in updating the service address"; 6878a07d286SRatan Gupta messages::internalError(asyncResp->res); 6888a07d286SRatan Gupta return; 6898a07d286SRatan Gupta } 6908a07d286SRatan Gupta std::vector<std::string> modifiedserviceAddressList = { 6918a07d286SRatan Gupta serviceAddressList.front()}; 692002d39b4SEd Tanous asyncResp->res.jsonValue[ldapServerElementName]["ServiceAddresses"] = 6938a07d286SRatan Gupta modifiedserviceAddressList; 6948a07d286SRatan Gupta if ((serviceAddressList).size() > 1) 6958a07d286SRatan Gupta { 696002d39b4SEd Tanous messages::propertyValueModified(asyncResp->res, "ServiceAddresses", 6978a07d286SRatan Gupta serviceAddressList.front()); 6988a07d286SRatan Gupta } 6998a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the service address"; 7008a07d286SRatan Gupta }, 7018a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 7028a07d286SRatan Gupta ldapConfigInterface, "LDAPServerURI", 703168e20c1SEd Tanous dbus::utility::DbusVariantType(serviceAddressList.front())); 7048a07d286SRatan Gupta } 7058a07d286SRatan Gupta /** 7068a07d286SRatan Gupta * @brief updates the LDAP Bind DN and updates the 7078a07d286SRatan Gupta json response with the new value. 7088a07d286SRatan Gupta * @param username name of the user which needs to be updated. 7098a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7108a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7118a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7128a07d286SRatan Gupta */ 7138a07d286SRatan Gupta 7144f48d5f6SEd Tanous inline void 7154f48d5f6SEd Tanous handleUserNamePatch(const std::string& username, 7168d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7178a07d286SRatan Gupta const std::string& ldapServerElementName, 7188a07d286SRatan Gupta const std::string& ldapConfigObject) 7198a07d286SRatan Gupta { 7208a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 7218a07d286SRatan Gupta [asyncResp, username, 7228a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 7238a07d286SRatan Gupta if (ec) 7248a07d286SRatan Gupta { 7256c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Error occurred in updating the username"; 7268a07d286SRatan Gupta messages::internalError(asyncResp->res); 7278a07d286SRatan Gupta return; 7288a07d286SRatan Gupta } 729002d39b4SEd Tanous asyncResp->res 730002d39b4SEd Tanous .jsonValue[ldapServerElementName]["Authentication"]["Username"] = 731002d39b4SEd Tanous username; 7328a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the username"; 7338a07d286SRatan Gupta }, 7348a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 735168e20c1SEd Tanous ldapConfigInterface, "LDAPBindDN", 736168e20c1SEd Tanous dbus::utility::DbusVariantType(username)); 7378a07d286SRatan Gupta } 7388a07d286SRatan Gupta 7398a07d286SRatan Gupta /** 7408a07d286SRatan Gupta * @brief updates the LDAP password 7418a07d286SRatan Gupta * @param password : ldap password which needs to be updated. 7428a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7438a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7448a07d286SRatan Gupta * server(openLDAP/ActiveDirectory) 7458a07d286SRatan Gupta */ 7468a07d286SRatan Gupta 7474f48d5f6SEd Tanous inline void 7484f48d5f6SEd Tanous handlePasswordPatch(const std::string& password, 7498d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7508a07d286SRatan Gupta const std::string& ldapServerElementName, 7518a07d286SRatan Gupta const std::string& ldapConfigObject) 7528a07d286SRatan Gupta { 7538a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 7548a07d286SRatan Gupta [asyncResp, password, 7558a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 7568a07d286SRatan Gupta if (ec) 7578a07d286SRatan Gupta { 7586c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Error occurred in updating the password"; 7598a07d286SRatan Gupta messages::internalError(asyncResp->res); 7608a07d286SRatan Gupta return; 7618a07d286SRatan Gupta } 762002d39b4SEd Tanous asyncResp->res 763002d39b4SEd Tanous .jsonValue[ldapServerElementName]["Authentication"]["Password"] = 764002d39b4SEd Tanous ""; 7658a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the password"; 7668a07d286SRatan Gupta }, 7678a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 7688a07d286SRatan Gupta ldapConfigInterface, "LDAPBindDNPassword", 769168e20c1SEd Tanous dbus::utility::DbusVariantType(password)); 7708a07d286SRatan Gupta } 7718a07d286SRatan Gupta 7728a07d286SRatan Gupta /** 7738a07d286SRatan Gupta * @brief updates the LDAP BaseDN and updates the 7748a07d286SRatan Gupta json response with the new value. 7758a07d286SRatan Gupta * @param baseDNList baseDN list which needs to be updated. 7768a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7778a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7788a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7798a07d286SRatan Gupta */ 7808a07d286SRatan Gupta 7814f48d5f6SEd Tanous inline void 7824f48d5f6SEd Tanous handleBaseDNPatch(const std::vector<std::string>& baseDNList, 7838d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7848a07d286SRatan Gupta const std::string& ldapServerElementName, 7858a07d286SRatan Gupta const std::string& ldapConfigObject) 7868a07d286SRatan Gupta { 7878a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 7888a07d286SRatan Gupta [asyncResp, baseDNList, 7898a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 7908a07d286SRatan Gupta if (ec) 7918a07d286SRatan Gupta { 7926c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Error Occurred in Updating the base DN"; 7938a07d286SRatan Gupta messages::internalError(asyncResp->res); 7948a07d286SRatan Gupta return; 7958a07d286SRatan Gupta } 796002d39b4SEd Tanous auto& serverTypeJson = asyncResp->res.jsonValue[ldapServerElementName]; 7978a07d286SRatan Gupta auto& searchSettingsJson = 7988a07d286SRatan Gupta serverTypeJson["LDAPService"]["SearchSettings"]; 7996c51eab1SEd Tanous std::vector<std::string> modifiedBaseDNList = {baseDNList.front()}; 8006c51eab1SEd Tanous searchSettingsJson["BaseDistinguishedNames"] = modifiedBaseDNList; 8018a07d286SRatan Gupta if (baseDNList.size() > 1) 8028a07d286SRatan Gupta { 803002d39b4SEd Tanous messages::propertyValueModified( 804002d39b4SEd Tanous asyncResp->res, "BaseDistinguishedNames", baseDNList.front()); 8058a07d286SRatan Gupta } 8068a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the base DN"; 8078a07d286SRatan Gupta }, 8088a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 8098a07d286SRatan Gupta ldapConfigInterface, "LDAPBaseDN", 810168e20c1SEd Tanous dbus::utility::DbusVariantType(baseDNList.front())); 8118a07d286SRatan Gupta } 8128a07d286SRatan Gupta /** 8138a07d286SRatan Gupta * @brief updates the LDAP user name attribute and updates the 8148a07d286SRatan Gupta json response with the new value. 8158a07d286SRatan Gupta * @param userNameAttribute attribute to be updated. 8168a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 8178a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 8188a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 8198a07d286SRatan Gupta */ 8208a07d286SRatan Gupta 8214f48d5f6SEd Tanous inline void 8224f48d5f6SEd Tanous handleUserNameAttrPatch(const std::string& userNameAttribute, 8238d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 8248a07d286SRatan Gupta const std::string& ldapServerElementName, 8258a07d286SRatan Gupta const std::string& ldapConfigObject) 8268a07d286SRatan Gupta { 8278a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 8288a07d286SRatan Gupta [asyncResp, userNameAttribute, 8298a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 8308a07d286SRatan Gupta if (ec) 8318a07d286SRatan Gupta { 832c61704abSGunnar Mills BMCWEB_LOG_DEBUG << "Error Occurred in Updating the " 8338a07d286SRatan Gupta "username attribute"; 8348a07d286SRatan Gupta messages::internalError(asyncResp->res); 8358a07d286SRatan Gupta return; 8368a07d286SRatan Gupta } 837002d39b4SEd Tanous auto& serverTypeJson = asyncResp->res.jsonValue[ldapServerElementName]; 8388a07d286SRatan Gupta auto& searchSettingsJson = 8398a07d286SRatan Gupta serverTypeJson["LDAPService"]["SearchSettings"]; 8408a07d286SRatan Gupta searchSettingsJson["UsernameAttribute"] = userNameAttribute; 8418a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the user name attr."; 8428a07d286SRatan Gupta }, 8438a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 8448a07d286SRatan Gupta ldapConfigInterface, "UserNameAttribute", 845168e20c1SEd Tanous dbus::utility::DbusVariantType(userNameAttribute)); 8468a07d286SRatan Gupta } 8478a07d286SRatan Gupta /** 8488a07d286SRatan Gupta * @brief updates the LDAP group attribute and updates the 8498a07d286SRatan Gupta json response with the new value. 8508a07d286SRatan Gupta * @param groupsAttribute attribute to be updated. 8518a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 8528a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 8538a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 8548a07d286SRatan Gupta */ 8558a07d286SRatan Gupta 8564f48d5f6SEd Tanous inline void handleGroupNameAttrPatch( 8578d1b46d7Szhanghch05 const std::string& groupsAttribute, 8588d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 8598a07d286SRatan Gupta const std::string& ldapServerElementName, 8608a07d286SRatan Gupta const std::string& ldapConfigObject) 8618a07d286SRatan Gupta { 8628a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 8638a07d286SRatan Gupta [asyncResp, groupsAttribute, 8648a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 8658a07d286SRatan Gupta if (ec) 8668a07d286SRatan Gupta { 867c61704abSGunnar Mills BMCWEB_LOG_DEBUG << "Error Occurred in Updating the " 8688a07d286SRatan Gupta "groupname attribute"; 8698a07d286SRatan Gupta messages::internalError(asyncResp->res); 8708a07d286SRatan Gupta return; 8718a07d286SRatan Gupta } 872002d39b4SEd Tanous auto& serverTypeJson = asyncResp->res.jsonValue[ldapServerElementName]; 8738a07d286SRatan Gupta auto& searchSettingsJson = 8748a07d286SRatan Gupta serverTypeJson["LDAPService"]["SearchSettings"]; 8758a07d286SRatan Gupta searchSettingsJson["GroupsAttribute"] = groupsAttribute; 8768a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the groupname attr"; 8778a07d286SRatan Gupta }, 8788a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 8798a07d286SRatan Gupta ldapConfigInterface, "GroupNameAttribute", 880168e20c1SEd Tanous dbus::utility::DbusVariantType(groupsAttribute)); 8818a07d286SRatan Gupta } 8828a07d286SRatan Gupta /** 8838a07d286SRatan Gupta * @brief updates the LDAP service enable and updates the 8848a07d286SRatan Gupta json response with the new value. 8858a07d286SRatan Gupta * @param input JSON data. 8868a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 8878a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 8888a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 8898a07d286SRatan Gupta */ 8908a07d286SRatan Gupta 8914f48d5f6SEd Tanous inline void handleServiceEnablePatch( 8926c51eab1SEd Tanous bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 8938a07d286SRatan Gupta const std::string& ldapServerElementName, 8948a07d286SRatan Gupta const std::string& ldapConfigObject) 8958a07d286SRatan Gupta { 8968a07d286SRatan Gupta crow::connections::systemBus->async_method_call( 8978a07d286SRatan Gupta [asyncResp, serviceEnabled, 8988a07d286SRatan Gupta ldapServerElementName](const boost::system::error_code ec) { 8998a07d286SRatan Gupta if (ec) 9008a07d286SRatan Gupta { 901002d39b4SEd Tanous BMCWEB_LOG_DEBUG << "Error Occurred in Updating the service enable"; 9028a07d286SRatan Gupta messages::internalError(asyncResp->res); 9038a07d286SRatan Gupta return; 9048a07d286SRatan Gupta } 9056c51eab1SEd Tanous asyncResp->res.jsonValue[ldapServerElementName]["ServiceEnabled"] = 9068a07d286SRatan Gupta serviceEnabled; 9076c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Updated Service enable = " << serviceEnabled; 9088a07d286SRatan Gupta }, 9098a07d286SRatan Gupta ldapDbusService, ldapConfigObject, propertyInterface, "Set", 910168e20c1SEd Tanous ldapEnableInterface, "Enabled", 911168e20c1SEd Tanous dbus::utility::DbusVariantType(serviceEnabled)); 9128a07d286SRatan Gupta } 9138a07d286SRatan Gupta 9144f48d5f6SEd Tanous inline void 9154f48d5f6SEd Tanous handleAuthMethodsPatch(nlohmann::json& input, 9168d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 91778158631SZbigniew Kurzynski { 91878158631SZbigniew Kurzynski std::optional<bool> basicAuth; 91978158631SZbigniew Kurzynski std::optional<bool> cookie; 92078158631SZbigniew Kurzynski std::optional<bool> sessionToken; 92178158631SZbigniew Kurzynski std::optional<bool> xToken; 922501f1e58SZbigniew Kurzynski std::optional<bool> tls; 92378158631SZbigniew Kurzynski 92478158631SZbigniew Kurzynski if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth, 92578158631SZbigniew Kurzynski "Cookie", cookie, "SessionToken", sessionToken, 926501f1e58SZbigniew Kurzynski "XToken", xToken, "TLS", tls)) 92778158631SZbigniew Kurzynski { 92878158631SZbigniew Kurzynski BMCWEB_LOG_ERROR << "Cannot read values from AuthMethod tag"; 92978158631SZbigniew Kurzynski return; 93078158631SZbigniew Kurzynski } 93178158631SZbigniew Kurzynski 93278158631SZbigniew Kurzynski // Make a copy of methods configuration 93352cc112dSEd Tanous persistent_data::AuthConfigMethods authMethodsConfig = 93452cc112dSEd Tanous persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 93578158631SZbigniew Kurzynski 93678158631SZbigniew Kurzynski if (basicAuth) 93778158631SZbigniew Kurzynski { 938f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_BASIC_AUTHENTICATION 939f16f6263SAlan Kuo messages::actionNotSupported( 9400fda0f12SGeorge Liu asyncResp->res, 9410fda0f12SGeorge Liu "Setting BasicAuth when basic-auth feature is disabled"); 942f16f6263SAlan Kuo return; 943f16f6263SAlan Kuo #endif 94478158631SZbigniew Kurzynski authMethodsConfig.basic = *basicAuth; 94578158631SZbigniew Kurzynski } 94678158631SZbigniew Kurzynski 94778158631SZbigniew Kurzynski if (cookie) 94878158631SZbigniew Kurzynski { 949f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_COOKIE_AUTHENTICATION 9500fda0f12SGeorge Liu messages::actionNotSupported( 9510fda0f12SGeorge Liu asyncResp->res, 9520fda0f12SGeorge Liu "Setting Cookie when cookie-auth feature is disabled"); 953f16f6263SAlan Kuo return; 954f16f6263SAlan Kuo #endif 95578158631SZbigniew Kurzynski authMethodsConfig.cookie = *cookie; 95678158631SZbigniew Kurzynski } 95778158631SZbigniew Kurzynski 95878158631SZbigniew Kurzynski if (sessionToken) 95978158631SZbigniew Kurzynski { 960f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_SESSION_AUTHENTICATION 961f16f6263SAlan Kuo messages::actionNotSupported( 9620fda0f12SGeorge Liu asyncResp->res, 9630fda0f12SGeorge Liu "Setting SessionToken when session-auth feature is disabled"); 964f16f6263SAlan Kuo return; 965f16f6263SAlan Kuo #endif 96678158631SZbigniew Kurzynski authMethodsConfig.sessionToken = *sessionToken; 96778158631SZbigniew Kurzynski } 96878158631SZbigniew Kurzynski 96978158631SZbigniew Kurzynski if (xToken) 97078158631SZbigniew Kurzynski { 971f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION 9720fda0f12SGeorge Liu messages::actionNotSupported( 9730fda0f12SGeorge Liu asyncResp->res, 9740fda0f12SGeorge Liu "Setting XToken when xtoken-auth feature is disabled"); 975f16f6263SAlan Kuo return; 976f16f6263SAlan Kuo #endif 97778158631SZbigniew Kurzynski authMethodsConfig.xtoken = *xToken; 97878158631SZbigniew Kurzynski } 97978158631SZbigniew Kurzynski 980501f1e58SZbigniew Kurzynski if (tls) 981501f1e58SZbigniew Kurzynski { 982f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION 9830fda0f12SGeorge Liu messages::actionNotSupported( 9840fda0f12SGeorge Liu asyncResp->res, 9850fda0f12SGeorge Liu "Setting TLS when mutual-tls-auth feature is disabled"); 986f16f6263SAlan Kuo return; 987f16f6263SAlan Kuo #endif 988501f1e58SZbigniew Kurzynski authMethodsConfig.tls = *tls; 989501f1e58SZbigniew Kurzynski } 990501f1e58SZbigniew Kurzynski 99178158631SZbigniew Kurzynski if (!authMethodsConfig.basic && !authMethodsConfig.cookie && 992501f1e58SZbigniew Kurzynski !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken && 993501f1e58SZbigniew Kurzynski !authMethodsConfig.tls) 99478158631SZbigniew Kurzynski { 99578158631SZbigniew Kurzynski // Do not allow user to disable everything 99678158631SZbigniew Kurzynski messages::actionNotSupported(asyncResp->res, 99778158631SZbigniew Kurzynski "of disabling all available methods"); 99878158631SZbigniew Kurzynski return; 99978158631SZbigniew Kurzynski } 100078158631SZbigniew Kurzynski 100152cc112dSEd Tanous persistent_data::SessionStore::getInstance().updateAuthMethodsConfig( 100252cc112dSEd Tanous authMethodsConfig); 100378158631SZbigniew Kurzynski // Save configuration immediately 100452cc112dSEd Tanous persistent_data::getConfig().writeData(); 100578158631SZbigniew Kurzynski 100678158631SZbigniew Kurzynski messages::success(asyncResp->res); 100778158631SZbigniew Kurzynski } 100878158631SZbigniew Kurzynski 10098a07d286SRatan Gupta /** 10108a07d286SRatan Gupta * @brief Get the required values from the given JSON, validates the 10118a07d286SRatan Gupta * value and create the LDAP config object. 10128a07d286SRatan Gupta * @param input JSON data 10138a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 10148a07d286SRatan Gupta * @param serverType Type of LDAP server(openLDAP/ActiveDirectory) 10158a07d286SRatan Gupta */ 10168a07d286SRatan Gupta 10176c51eab1SEd Tanous inline void handleLDAPPatch(nlohmann::json& input, 10188d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 10198a07d286SRatan Gupta const std::string& serverType) 10208a07d286SRatan Gupta { 1021eb2bbe56SRatan Gupta std::string dbusObjectPath; 1022eb2bbe56SRatan Gupta if (serverType == "ActiveDirectory") 1023eb2bbe56SRatan Gupta { 10242c70f800SEd Tanous dbusObjectPath = adConfigObject; 1025eb2bbe56SRatan Gupta } 1026eb2bbe56SRatan Gupta else if (serverType == "LDAP") 1027eb2bbe56SRatan Gupta { 102823a21a1cSEd Tanous dbusObjectPath = ldapConfigObjectName; 1029eb2bbe56SRatan Gupta } 1030cb13a392SEd Tanous else 1031cb13a392SEd Tanous { 1032cb13a392SEd Tanous return; 1033cb13a392SEd Tanous } 1034eb2bbe56SRatan Gupta 10358a07d286SRatan Gupta std::optional<nlohmann::json> authentication; 10368a07d286SRatan Gupta std::optional<nlohmann::json> ldapService; 10378a07d286SRatan Gupta std::optional<std::vector<std::string>> serviceAddressList; 10388a07d286SRatan Gupta std::optional<bool> serviceEnabled; 10398a07d286SRatan Gupta std::optional<std::vector<std::string>> baseDNList; 10408a07d286SRatan Gupta std::optional<std::string> userNameAttribute; 10418a07d286SRatan Gupta std::optional<std::string> groupsAttribute; 10428a07d286SRatan Gupta std::optional<std::string> userName; 10438a07d286SRatan Gupta std::optional<std::string> password; 104406785244SRatan Gupta std::optional<std::vector<nlohmann::json>> remoteRoleMapData; 10458a07d286SRatan Gupta 10468a07d286SRatan Gupta if (!json_util::readJson(input, asyncResp->res, "Authentication", 10478a07d286SRatan Gupta authentication, "LDAPService", ldapService, 10488a07d286SRatan Gupta "ServiceAddresses", serviceAddressList, 104906785244SRatan Gupta "ServiceEnabled", serviceEnabled, 105006785244SRatan Gupta "RemoteRoleMapping", remoteRoleMapData)) 10518a07d286SRatan Gupta { 10528a07d286SRatan Gupta return; 10538a07d286SRatan Gupta } 10548a07d286SRatan Gupta 10558a07d286SRatan Gupta if (authentication) 10568a07d286SRatan Gupta { 10578a07d286SRatan Gupta parseLDAPAuthenticationJson(*authentication, asyncResp, userName, 10588a07d286SRatan Gupta password); 10598a07d286SRatan Gupta } 10608a07d286SRatan Gupta if (ldapService) 10618a07d286SRatan Gupta { 10628a07d286SRatan Gupta parseLDAPServiceJson(*ldapService, asyncResp, baseDNList, 10638a07d286SRatan Gupta userNameAttribute, groupsAttribute); 10648a07d286SRatan Gupta } 10658a07d286SRatan Gupta if (serviceAddressList) 10668a07d286SRatan Gupta { 106726f6976fSEd Tanous if (serviceAddressList->empty()) 10688a07d286SRatan Gupta { 10698a07d286SRatan Gupta messages::propertyValueNotInList(asyncResp->res, "[]", 10708a07d286SRatan Gupta "ServiceAddress"); 10718a07d286SRatan Gupta return; 10728a07d286SRatan Gupta } 10738a07d286SRatan Gupta } 10748a07d286SRatan Gupta if (baseDNList) 10758a07d286SRatan Gupta { 107626f6976fSEd Tanous if (baseDNList->empty()) 10778a07d286SRatan Gupta { 10788a07d286SRatan Gupta messages::propertyValueNotInList(asyncResp->res, "[]", 10798a07d286SRatan Gupta "BaseDistinguishedNames"); 10808a07d286SRatan Gupta return; 10818a07d286SRatan Gupta } 10828a07d286SRatan Gupta } 10838a07d286SRatan Gupta 10848a07d286SRatan Gupta // nothing to update, then return 10858a07d286SRatan Gupta if (!userName && !password && !serviceAddressList && !baseDNList && 108606785244SRatan Gupta !userNameAttribute && !groupsAttribute && !serviceEnabled && 108706785244SRatan Gupta !remoteRoleMapData) 10888a07d286SRatan Gupta { 10898a07d286SRatan Gupta return; 10908a07d286SRatan Gupta } 10918a07d286SRatan Gupta 10928a07d286SRatan Gupta // Get the existing resource first then keep modifying 10938a07d286SRatan Gupta // whenever any property gets updated. 1094002d39b4SEd Tanous getLDAPConfigData( 1095002d39b4SEd Tanous serverType, 1096002d39b4SEd Tanous [asyncResp, userName, password, baseDNList, userNameAttribute, 1097002d39b4SEd Tanous groupsAttribute, serviceAddressList, serviceEnabled, dbusObjectPath, 1098002d39b4SEd Tanous remoteRoleMapData](bool success, const LDAPConfigData& confData, 109923a21a1cSEd Tanous const std::string& serverT) { 11008a07d286SRatan Gupta if (!success) 11018a07d286SRatan Gupta { 11028a07d286SRatan Gupta messages::internalError(asyncResp->res); 11038a07d286SRatan Gupta return; 11048a07d286SRatan Gupta } 11056c51eab1SEd Tanous parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT); 11068a07d286SRatan Gupta if (confData.serviceEnabled) 11078a07d286SRatan Gupta { 11088a07d286SRatan Gupta // Disable the service first and update the rest of 11098a07d286SRatan Gupta // the properties. 11106c51eab1SEd Tanous handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath); 11118a07d286SRatan Gupta } 11128a07d286SRatan Gupta 11138a07d286SRatan Gupta if (serviceAddressList) 11148a07d286SRatan Gupta { 11156c51eab1SEd Tanous handleServiceAddressPatch(*serviceAddressList, asyncResp, serverT, 11166c51eab1SEd Tanous dbusObjectPath); 11178a07d286SRatan Gupta } 11188a07d286SRatan Gupta if (userName) 11198a07d286SRatan Gupta { 11206c51eab1SEd Tanous handleUserNamePatch(*userName, asyncResp, serverT, dbusObjectPath); 11218a07d286SRatan Gupta } 11228a07d286SRatan Gupta if (password) 11238a07d286SRatan Gupta { 11246c51eab1SEd Tanous handlePasswordPatch(*password, asyncResp, serverT, dbusObjectPath); 11258a07d286SRatan Gupta } 11268a07d286SRatan Gupta 11278a07d286SRatan Gupta if (baseDNList) 11288a07d286SRatan Gupta { 11296c51eab1SEd Tanous handleBaseDNPatch(*baseDNList, asyncResp, serverT, dbusObjectPath); 11308a07d286SRatan Gupta } 11318a07d286SRatan Gupta if (userNameAttribute) 11328a07d286SRatan Gupta { 11336c51eab1SEd Tanous handleUserNameAttrPatch(*userNameAttribute, asyncResp, serverT, 11346c51eab1SEd Tanous dbusObjectPath); 11358a07d286SRatan Gupta } 11368a07d286SRatan Gupta if (groupsAttribute) 11378a07d286SRatan Gupta { 11386c51eab1SEd Tanous handleGroupNameAttrPatch(*groupsAttribute, asyncResp, serverT, 11396c51eab1SEd Tanous dbusObjectPath); 11408a07d286SRatan Gupta } 11418a07d286SRatan Gupta if (serviceEnabled) 11428a07d286SRatan Gupta { 11438a07d286SRatan Gupta // if user has given the value as true then enable 11448a07d286SRatan Gupta // the service. if user has given false then no-op 11458a07d286SRatan Gupta // as service is already stopped. 11468a07d286SRatan Gupta if (*serviceEnabled) 11478a07d286SRatan Gupta { 11486c51eab1SEd Tanous handleServiceEnablePatch(*serviceEnabled, asyncResp, serverT, 11496c51eab1SEd Tanous dbusObjectPath); 11508a07d286SRatan Gupta } 11518a07d286SRatan Gupta } 11528a07d286SRatan Gupta else 11538a07d286SRatan Gupta { 11548a07d286SRatan Gupta // if user has not given the service enabled value 11558a07d286SRatan Gupta // then revert it to the same state as it was 11568a07d286SRatan Gupta // before. 11578a07d286SRatan Gupta handleServiceEnablePatch(confData.serviceEnabled, asyncResp, 115823a21a1cSEd Tanous serverT, dbusObjectPath); 11598a07d286SRatan Gupta } 116006785244SRatan Gupta 116106785244SRatan Gupta if (remoteRoleMapData) 116206785244SRatan Gupta { 11636c51eab1SEd Tanous handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT, 11646c51eab1SEd Tanous *remoteRoleMapData); 116506785244SRatan Gupta } 11668a07d286SRatan Gupta }); 11678a07d286SRatan Gupta } 1168d4b5443fSEd Tanous 11696c51eab1SEd Tanous inline void updateUserProperties(std::shared_ptr<bmcweb::AsyncResp> asyncResp, 11706c51eab1SEd Tanous const std::string& username, 11716c51eab1SEd Tanous std::optional<std::string> password, 11726c51eab1SEd Tanous std::optional<bool> enabled, 11736c51eab1SEd Tanous std::optional<std::string> roleId, 11746c51eab1SEd Tanous std::optional<bool> locked) 11751abe55efSEd Tanous { 1176b477fd44SP Dheeraj Srujan Kumar sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 1177b477fd44SP Dheeraj Srujan Kumar tempObjPath /= username; 1178b477fd44SP Dheeraj Srujan Kumar std::string dbusObjectPath(tempObjPath); 11796c51eab1SEd Tanous 11806c51eab1SEd Tanous dbus::utility::checkDbusPathExists( 11816c51eab1SEd Tanous dbusObjectPath, 11821106333aSEd Tanous [dbusObjectPath, username, password(std::move(password)), 11831106333aSEd Tanous roleId(std::move(roleId)), enabled, locked, 11841106333aSEd Tanous asyncResp{std::move(asyncResp)}](int rc) { 1185e662eae8SEd Tanous if (rc <= 0) 11866c51eab1SEd Tanous { 1187d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", 11886c51eab1SEd Tanous username); 11896c51eab1SEd Tanous return; 11906c51eab1SEd Tanous } 11916c51eab1SEd Tanous 11926c51eab1SEd Tanous if (password) 11936c51eab1SEd Tanous { 11946c51eab1SEd Tanous int retval = pamUpdatePassword(username, *password); 11956c51eab1SEd Tanous 11966c51eab1SEd Tanous if (retval == PAM_USER_UNKNOWN) 11976c51eab1SEd Tanous { 1198d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", 11996c51eab1SEd Tanous username); 12006c51eab1SEd Tanous } 12016c51eab1SEd Tanous else if (retval == PAM_AUTHTOK_ERR) 12026c51eab1SEd Tanous { 12036c51eab1SEd Tanous // If password is invalid 1204002d39b4SEd Tanous messages::propertyValueFormatError(asyncResp->res, *password, 1205002d39b4SEd Tanous "Password"); 12066c51eab1SEd Tanous BMCWEB_LOG_ERROR << "pamUpdatePassword Failed"; 12076c51eab1SEd Tanous } 12086c51eab1SEd Tanous else if (retval != PAM_SUCCESS) 12096c51eab1SEd Tanous { 12106c51eab1SEd Tanous messages::internalError(asyncResp->res); 12116c51eab1SEd Tanous return; 12126c51eab1SEd Tanous } 1213e7b1b62bSEd Tanous else 1214e7b1b62bSEd Tanous { 1215e7b1b62bSEd Tanous messages::success(asyncResp->res); 1216e7b1b62bSEd Tanous } 12176c51eab1SEd Tanous } 12186c51eab1SEd Tanous 12196c51eab1SEd Tanous if (enabled) 12206c51eab1SEd Tanous { 12216c51eab1SEd Tanous crow::connections::systemBus->async_method_call( 12226c51eab1SEd Tanous [asyncResp](const boost::system::error_code ec) { 12236c51eab1SEd Tanous if (ec) 12246c51eab1SEd Tanous { 12256c51eab1SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec; 12266c51eab1SEd Tanous messages::internalError(asyncResp->res); 12276c51eab1SEd Tanous return; 12286c51eab1SEd Tanous } 12296c51eab1SEd Tanous messages::success(asyncResp->res); 12306c51eab1SEd Tanous return; 12316c51eab1SEd Tanous }, 1232e05aec50SEd Tanous "xyz.openbmc_project.User.Manager", dbusObjectPath, 12336c51eab1SEd Tanous "org.freedesktop.DBus.Properties", "Set", 12346c51eab1SEd Tanous "xyz.openbmc_project.User.Attributes", "UserEnabled", 1235168e20c1SEd Tanous dbus::utility::DbusVariantType{*enabled}); 12366c51eab1SEd Tanous } 12376c51eab1SEd Tanous 12386c51eab1SEd Tanous if (roleId) 12396c51eab1SEd Tanous { 12406c51eab1SEd Tanous std::string priv = getPrivilegeFromRoleId(*roleId); 12416c51eab1SEd Tanous if (priv.empty()) 12426c51eab1SEd Tanous { 12436c51eab1SEd Tanous messages::propertyValueNotInList(asyncResp->res, *roleId, 12446c51eab1SEd Tanous "RoleId"); 12456c51eab1SEd Tanous return; 12466c51eab1SEd Tanous } 12476c51eab1SEd Tanous if (priv == "priv-noaccess") 12486c51eab1SEd Tanous { 12496c51eab1SEd Tanous priv = ""; 12506c51eab1SEd Tanous } 12516c51eab1SEd Tanous 12526c51eab1SEd Tanous crow::connections::systemBus->async_method_call( 12536c51eab1SEd Tanous [asyncResp](const boost::system::error_code ec) { 12546c51eab1SEd Tanous if (ec) 12556c51eab1SEd Tanous { 12566c51eab1SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec; 12576c51eab1SEd Tanous messages::internalError(asyncResp->res); 12586c51eab1SEd Tanous return; 12596c51eab1SEd Tanous } 12606c51eab1SEd Tanous messages::success(asyncResp->res); 12616c51eab1SEd Tanous }, 1262e05aec50SEd Tanous "xyz.openbmc_project.User.Manager", dbusObjectPath, 12636c51eab1SEd Tanous "org.freedesktop.DBus.Properties", "Set", 12646c51eab1SEd Tanous "xyz.openbmc_project.User.Attributes", "UserPrivilege", 1265168e20c1SEd Tanous dbus::utility::DbusVariantType{priv}); 12666c51eab1SEd Tanous } 12676c51eab1SEd Tanous 12686c51eab1SEd Tanous if (locked) 12696c51eab1SEd Tanous { 12706c51eab1SEd Tanous // admin can unlock the account which is locked by 12716c51eab1SEd Tanous // successive authentication failures but admin should 12726c51eab1SEd Tanous // not be allowed to lock an account. 12736c51eab1SEd Tanous if (*locked) 12746c51eab1SEd Tanous { 12756c51eab1SEd Tanous messages::propertyValueNotInList(asyncResp->res, "true", 12766c51eab1SEd Tanous "Locked"); 12776c51eab1SEd Tanous return; 12786c51eab1SEd Tanous } 12796c51eab1SEd Tanous 12806c51eab1SEd Tanous crow::connections::systemBus->async_method_call( 12816c51eab1SEd Tanous [asyncResp](const boost::system::error_code ec) { 12826c51eab1SEd Tanous if (ec) 12836c51eab1SEd Tanous { 12846c51eab1SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec; 12856c51eab1SEd Tanous messages::internalError(asyncResp->res); 12866c51eab1SEd Tanous return; 12876c51eab1SEd Tanous } 12886c51eab1SEd Tanous messages::success(asyncResp->res); 12896c51eab1SEd Tanous return; 12906c51eab1SEd Tanous }, 1291e05aec50SEd Tanous "xyz.openbmc_project.User.Manager", dbusObjectPath, 12926c51eab1SEd Tanous "org.freedesktop.DBus.Properties", "Set", 12936c51eab1SEd Tanous "xyz.openbmc_project.User.Attributes", 1294168e20c1SEd Tanous "UserLockedForFailedAttempt", 1295168e20c1SEd Tanous dbus::utility::DbusVariantType{*locked}); 12966c51eab1SEd Tanous } 12976c51eab1SEd Tanous }); 12986c51eab1SEd Tanous } 12996c51eab1SEd Tanous 13004c7d4d33SEd Tanous inline void handleAccountServiceHead( 13014c7d4d33SEd Tanous App& app, const crow::Request& req, 13021ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 13036c51eab1SEd Tanous { 13044c7d4d33SEd Tanous 13053ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 130645ca1b86SEd Tanous { 130745ca1b86SEd Tanous return; 130845ca1b86SEd Tanous } 13094c7d4d33SEd Tanous asyncResp->res.addHeader( 13104c7d4d33SEd Tanous boost::beast::http::field::link, 13114c7d4d33SEd Tanous "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby"); 13124c7d4d33SEd Tanous } 13134c7d4d33SEd Tanous 13144c7d4d33SEd Tanous inline void 13154c7d4d33SEd Tanous handleAccountServiceGet(App& app, const crow::Request& req, 13164c7d4d33SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 13174c7d4d33SEd Tanous { 13184c7d4d33SEd Tanous handleAccountServiceHead(app, req, asyncResp); 131952cc112dSEd Tanous const persistent_data::AuthConfigMethods& authMethodsConfig = 13201ef4c342SEd Tanous persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 132178158631SZbigniew Kurzynski 13221476687dSEd Tanous nlohmann::json& json = asyncResp->res.jsonValue; 13231476687dSEd Tanous json["@odata.id"] = "/redfish/v1/AccountService"; 13241476687dSEd Tanous json["@odata.type"] = "#AccountService." 13251476687dSEd Tanous "v1_10_0.AccountService"; 13261476687dSEd Tanous json["Id"] = "AccountService"; 13271476687dSEd Tanous json["Name"] = "Account Service"; 13281476687dSEd Tanous json["Description"] = "Account Service"; 13291476687dSEd Tanous json["ServiceEnabled"] = true; 13301476687dSEd Tanous json["MaxPasswordLength"] = 20; 13311ef4c342SEd Tanous json["Accounts"]["@odata.id"] = "/redfish/v1/AccountService/Accounts"; 13321476687dSEd Tanous json["Roles"]["@odata.id"] = "/redfish/v1/AccountService/Roles"; 13331476687dSEd Tanous json["Oem"]["OpenBMC"]["@odata.type"] = 13341476687dSEd Tanous "#OemAccountService.v1_0_0.AccountService"; 13351476687dSEd Tanous json["Oem"]["OpenBMC"]["@odata.id"] = 13361476687dSEd Tanous "/redfish/v1/AccountService#/Oem/OpenBMC"; 13371476687dSEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["BasicAuth"] = 13381476687dSEd Tanous authMethodsConfig.basic; 13391476687dSEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["SessionToken"] = 13401476687dSEd Tanous authMethodsConfig.sessionToken; 13411ef4c342SEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["XToken"] = authMethodsConfig.xtoken; 13421ef4c342SEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["Cookie"] = authMethodsConfig.cookie; 13431ef4c342SEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["TLS"] = authMethodsConfig.tls; 13441476687dSEd Tanous 13451ef4c342SEd Tanous // /redfish/v1/AccountService/LDAP/Certificates is something only 13461ef4c342SEd Tanous // ConfigureManager can access then only display when the user has 13471ef4c342SEd Tanous // permissions ConfigureManager 134872048780SAbhishek Patel Privileges effectiveUserPrivileges = 134972048780SAbhishek Patel redfish::getUserPrivileges(req.userRole); 135072048780SAbhishek Patel 135172048780SAbhishek Patel if (isOperationAllowedWithPrivileges({{"ConfigureManager"}}, 135272048780SAbhishek Patel effectiveUserPrivileges)) 135372048780SAbhishek Patel { 13541ef4c342SEd Tanous asyncResp->res.jsonValue["LDAP"]["Certificates"]["@odata.id"] = 13551476687dSEd Tanous "/redfish/v1/AccountService/LDAP/Certificates"; 135672048780SAbhishek Patel } 1357d1bde9e5SKrzysztof Grobelny sdbusplus::asio::getAllProperties( 1358d1bde9e5SKrzysztof Grobelny *crow::connections::systemBus, "xyz.openbmc_project.User.Manager", 1359d1bde9e5SKrzysztof Grobelny "/xyz/openbmc_project/user", "xyz.openbmc_project.User.AccountPolicy", 1360002d39b4SEd Tanous [asyncResp](const boost::system::error_code ec, 13611ef4c342SEd Tanous const dbus::utility::DBusPropertiesMap& propertiesList) { 13623d958bbcSAppaRao Puli if (ec) 13633d958bbcSAppaRao Puli { 13643d958bbcSAppaRao Puli messages::internalError(asyncResp->res); 13653d958bbcSAppaRao Puli return; 13663d958bbcSAppaRao Puli } 1367d1bde9e5SKrzysztof Grobelny 13683d958bbcSAppaRao Puli BMCWEB_LOG_DEBUG << "Got " << propertiesList.size() 13693d958bbcSAppaRao Puli << "properties for AccountService"; 1370d1bde9e5SKrzysztof Grobelny 1371d1bde9e5SKrzysztof Grobelny const uint8_t* minPasswordLength = nullptr; 1372d1bde9e5SKrzysztof Grobelny const uint32_t* accountUnlockTimeout = nullptr; 1373d1bde9e5SKrzysztof Grobelny const uint16_t* maxLoginAttemptBeforeLockout = nullptr; 1374d1bde9e5SKrzysztof Grobelny 1375d1bde9e5SKrzysztof Grobelny const bool success = sdbusplus::unpackPropertiesNoThrow( 1376d1bde9e5SKrzysztof Grobelny dbus_utils::UnpackErrorPrinter(), propertiesList, 1377d1bde9e5SKrzysztof Grobelny "MinPasswordLength", minPasswordLength, "AccountUnlockTimeout", 1378d1bde9e5SKrzysztof Grobelny accountUnlockTimeout, "MaxLoginAttemptBeforeLockout", 1379d1bde9e5SKrzysztof Grobelny maxLoginAttemptBeforeLockout); 1380d1bde9e5SKrzysztof Grobelny 1381d1bde9e5SKrzysztof Grobelny if (!success) 13823d958bbcSAppaRao Puli { 1383d1bde9e5SKrzysztof Grobelny messages::internalError(asyncResp->res); 1384d1bde9e5SKrzysztof Grobelny return; 13853d958bbcSAppaRao Puli } 1386d1bde9e5SKrzysztof Grobelny 1387d1bde9e5SKrzysztof Grobelny if (minPasswordLength != nullptr) 13883d958bbcSAppaRao Puli { 1389d1bde9e5SKrzysztof Grobelny asyncResp->res.jsonValue["MinPasswordLength"] = *minPasswordLength; 13903d958bbcSAppaRao Puli } 1391d1bde9e5SKrzysztof Grobelny 1392d1bde9e5SKrzysztof Grobelny if (accountUnlockTimeout != nullptr) 13933d958bbcSAppaRao Puli { 1394d1bde9e5SKrzysztof Grobelny asyncResp->res.jsonValue["AccountLockoutDuration"] = 1395d1bde9e5SKrzysztof Grobelny *accountUnlockTimeout; 1396d1bde9e5SKrzysztof Grobelny } 1397d1bde9e5SKrzysztof Grobelny 1398d1bde9e5SKrzysztof Grobelny if (maxLoginAttemptBeforeLockout != nullptr) 13993d958bbcSAppaRao Puli { 1400002d39b4SEd Tanous asyncResp->res.jsonValue["AccountLockoutThreshold"] = 1401d1bde9e5SKrzysztof Grobelny *maxLoginAttemptBeforeLockout; 14023d958bbcSAppaRao Puli } 1403d1bde9e5SKrzysztof Grobelny }); 14046973a582SRatan Gupta 140502cad96eSEd Tanous auto callback = [asyncResp](bool success, const LDAPConfigData& confData, 1406ab828d7cSRatan Gupta const std::string& ldapType) { 1407cb13a392SEd Tanous if (!success) 1408cb13a392SEd Tanous { 1409cb13a392SEd Tanous return; 1410cb13a392SEd Tanous } 1411002d39b4SEd Tanous parseLDAPConfigData(asyncResp->res.jsonValue, confData, ldapType); 1412ab828d7cSRatan Gupta }; 1413ab828d7cSRatan Gupta 1414ab828d7cSRatan Gupta getLDAPConfigData("LDAP", callback); 1415ab828d7cSRatan Gupta getLDAPConfigData("ActiveDirectory", callback); 14161ef4c342SEd Tanous } 14176973a582SRatan Gupta 14181ef4c342SEd Tanous inline void handleAccountServicePatch( 14191ef4c342SEd Tanous App& app, const crow::Request& req, 14201ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 14211ef4c342SEd Tanous { 14223ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 142345ca1b86SEd Tanous { 142445ca1b86SEd Tanous return; 142545ca1b86SEd Tanous } 1426f5ffd806SEd Tanous std::optional<uint32_t> unlockTimeout; 1427f5ffd806SEd Tanous std::optional<uint16_t> lockoutThreshold; 1428ef73ad0dSPaul Fertser std::optional<uint8_t> minPasswordLength; 1429f5ffd806SEd Tanous std::optional<uint16_t> maxPasswordLength; 1430f5ffd806SEd Tanous std::optional<nlohmann::json> ldapObject; 1431f5ffd806SEd Tanous std::optional<nlohmann::json> activeDirectoryObject; 1432f5ffd806SEd Tanous std::optional<nlohmann::json> oemObject; 1433f5ffd806SEd Tanous 143415ed6780SWilly Tu if (!json_util::readJsonPatch( 14351ef4c342SEd Tanous req, asyncResp->res, "AccountLockoutDuration", unlockTimeout, 14361ef4c342SEd Tanous "AccountLockoutThreshold", lockoutThreshold, "MaxPasswordLength", 14371ef4c342SEd Tanous maxPasswordLength, "MinPasswordLength", minPasswordLength, "LDAP", 14381ef4c342SEd Tanous ldapObject, "ActiveDirectory", activeDirectoryObject, "Oem", 1439f5ffd806SEd Tanous oemObject)) 1440f5ffd806SEd Tanous { 1441f5ffd806SEd Tanous return; 1442f5ffd806SEd Tanous } 1443f5ffd806SEd Tanous 1444f5ffd806SEd Tanous if (minPasswordLength) 1445f5ffd806SEd Tanous { 1446ef73ad0dSPaul Fertser crow::connections::systemBus->async_method_call( 1447ef73ad0dSPaul Fertser [asyncResp](const boost::system::error_code ec) { 1448ef73ad0dSPaul Fertser if (ec) 1449ef73ad0dSPaul Fertser { 1450ef73ad0dSPaul Fertser messages::internalError(asyncResp->res); 1451ef73ad0dSPaul Fertser return; 1452ef73ad0dSPaul Fertser } 1453ef73ad0dSPaul Fertser messages::success(asyncResp->res); 1454ef73ad0dSPaul Fertser }, 14551ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1456ef73ad0dSPaul Fertser "org.freedesktop.DBus.Properties", "Set", 14571ef4c342SEd Tanous "xyz.openbmc_project.User.AccountPolicy", "MinPasswordLength", 1458ef73ad0dSPaul Fertser dbus::utility::DbusVariantType(*minPasswordLength)); 1459f5ffd806SEd Tanous } 1460f5ffd806SEd Tanous 1461f5ffd806SEd Tanous if (maxPasswordLength) 1462f5ffd806SEd Tanous { 14631ef4c342SEd Tanous messages::propertyNotWritable(asyncResp->res, "MaxPasswordLength"); 1464f5ffd806SEd Tanous } 1465f5ffd806SEd Tanous 1466f5ffd806SEd Tanous if (ldapObject) 1467f5ffd806SEd Tanous { 1468f5ffd806SEd Tanous handleLDAPPatch(*ldapObject, asyncResp, "LDAP"); 1469f5ffd806SEd Tanous } 1470f5ffd806SEd Tanous 1471f5ffd806SEd Tanous if (std::optional<nlohmann::json> oemOpenBMCObject; 14721ef4c342SEd Tanous oemObject && json_util::readJson(*oemObject, asyncResp->res, "OpenBMC", 1473f5ffd806SEd Tanous oemOpenBMCObject)) 1474f5ffd806SEd Tanous { 1475f5ffd806SEd Tanous if (std::optional<nlohmann::json> authMethodsObject; 1476f5ffd806SEd Tanous oemOpenBMCObject && 1477f5ffd806SEd Tanous json_util::readJson(*oemOpenBMCObject, asyncResp->res, 1478f5ffd806SEd Tanous "AuthMethods", authMethodsObject)) 1479f5ffd806SEd Tanous { 1480f5ffd806SEd Tanous if (authMethodsObject) 1481f5ffd806SEd Tanous { 14821ef4c342SEd Tanous handleAuthMethodsPatch(*authMethodsObject, asyncResp); 1483f5ffd806SEd Tanous } 1484f5ffd806SEd Tanous } 1485f5ffd806SEd Tanous } 1486f5ffd806SEd Tanous 1487f5ffd806SEd Tanous if (activeDirectoryObject) 1488f5ffd806SEd Tanous { 14891ef4c342SEd Tanous handleLDAPPatch(*activeDirectoryObject, asyncResp, "ActiveDirectory"); 1490f5ffd806SEd Tanous } 1491f5ffd806SEd Tanous 1492f5ffd806SEd Tanous if (unlockTimeout) 1493f5ffd806SEd Tanous { 1494f5ffd806SEd Tanous crow::connections::systemBus->async_method_call( 1495f5ffd806SEd Tanous [asyncResp](const boost::system::error_code ec) { 1496f5ffd806SEd Tanous if (ec) 1497f5ffd806SEd Tanous { 1498f5ffd806SEd Tanous messages::internalError(asyncResp->res); 1499f5ffd806SEd Tanous return; 1500f5ffd806SEd Tanous } 1501f5ffd806SEd Tanous messages::success(asyncResp->res); 1502f5ffd806SEd Tanous }, 15031ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1504f5ffd806SEd Tanous "org.freedesktop.DBus.Properties", "Set", 15051ef4c342SEd Tanous "xyz.openbmc_project.User.AccountPolicy", "AccountUnlockTimeout", 1506168e20c1SEd Tanous dbus::utility::DbusVariantType(*unlockTimeout)); 1507f5ffd806SEd Tanous } 1508f5ffd806SEd Tanous if (lockoutThreshold) 1509f5ffd806SEd Tanous { 1510f5ffd806SEd Tanous crow::connections::systemBus->async_method_call( 1511f5ffd806SEd Tanous [asyncResp](const boost::system::error_code ec) { 1512f5ffd806SEd Tanous if (ec) 1513f5ffd806SEd Tanous { 1514f5ffd806SEd Tanous messages::internalError(asyncResp->res); 1515f5ffd806SEd Tanous return; 1516f5ffd806SEd Tanous } 1517f5ffd806SEd Tanous messages::success(asyncResp->res); 1518f5ffd806SEd Tanous }, 15191ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1520f5ffd806SEd Tanous "org.freedesktop.DBus.Properties", "Set", 1521f5ffd806SEd Tanous "xyz.openbmc_project.User.AccountPolicy", 1522f5ffd806SEd Tanous "MaxLoginAttemptBeforeLockout", 1523168e20c1SEd Tanous dbus::utility::DbusVariantType(*lockoutThreshold)); 1524f5ffd806SEd Tanous } 15251ef4c342SEd Tanous } 1526f5ffd806SEd Tanous 15274c7d4d33SEd Tanous inline void handleAccountCollectionHead( 15281ef4c342SEd Tanous App& app, const crow::Request& req, 15291ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 15301ef4c342SEd Tanous { 15314c7d4d33SEd Tanous 15323ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 153345ca1b86SEd Tanous { 153445ca1b86SEd Tanous return; 153545ca1b86SEd Tanous } 15364c7d4d33SEd Tanous asyncResp->res.addHeader( 15374c7d4d33SEd Tanous boost::beast::http::field::link, 15384c7d4d33SEd Tanous "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby"); 15394c7d4d33SEd Tanous } 15404c7d4d33SEd Tanous 15414c7d4d33SEd Tanous inline void handleAccountCollectionGet( 15424c7d4d33SEd Tanous App& app, const crow::Request& req, 15434c7d4d33SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 15444c7d4d33SEd Tanous { 15454c7d4d33SEd Tanous handleAccountCollectionHead(app, req, asyncResp); 15461476687dSEd Tanous 15471476687dSEd Tanous asyncResp->res.jsonValue["@odata.id"] = 15481476687dSEd Tanous "/redfish/v1/AccountService/Accounts"; 15491ef4c342SEd Tanous asyncResp->res.jsonValue["@odata.type"] = "#ManagerAccountCollection." 15501476687dSEd Tanous "ManagerAccountCollection"; 15511476687dSEd Tanous asyncResp->res.jsonValue["Name"] = "Accounts Collection"; 15521476687dSEd Tanous asyncResp->res.jsonValue["Description"] = "BMC User Accounts"; 15530f74e643SEd Tanous 15546c51eab1SEd Tanous Privileges effectiveUserPrivileges = 15556c51eab1SEd Tanous redfish::getUserPrivileges(req.userRole); 15566c51eab1SEd Tanous 1557f5e29f33SJunLin Chen std::string thisUser; 1558f5e29f33SJunLin Chen if (req.session) 1559f5e29f33SJunLin Chen { 1560f5e29f33SJunLin Chen thisUser = req.session->username; 1561f5e29f33SJunLin Chen } 1562b9b2e0b2SEd Tanous crow::connections::systemBus->async_method_call( 1563cef1ddfbSEd Tanous [asyncResp, thisUser, effectiveUserPrivileges]( 1564cef1ddfbSEd Tanous const boost::system::error_code ec, 1565711ac7a9SEd Tanous const dbus::utility::ManagedObjectType& users) { 1566b9b2e0b2SEd Tanous if (ec) 1567b9b2e0b2SEd Tanous { 1568f12894f8SJason M. Bills messages::internalError(asyncResp->res); 1569b9b2e0b2SEd Tanous return; 1570b9b2e0b2SEd Tanous } 1571b9b2e0b2SEd Tanous 1572cef1ddfbSEd Tanous bool userCanSeeAllAccounts = 1573002d39b4SEd Tanous effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"}); 1574cef1ddfbSEd Tanous 1575cef1ddfbSEd Tanous bool userCanSeeSelf = 1576002d39b4SEd Tanous effectiveUserPrivileges.isSupersetOf({"ConfigureSelf"}); 1577cef1ddfbSEd Tanous 1578002d39b4SEd Tanous nlohmann::json& memberArray = asyncResp->res.jsonValue["Members"]; 1579b9b2e0b2SEd Tanous memberArray = nlohmann::json::array(); 1580b9b2e0b2SEd Tanous 15819eb808c1SEd Tanous for (const auto& userpath : users) 1582b9b2e0b2SEd Tanous { 15832dfd18efSEd Tanous std::string user = userpath.first.filename(); 15842dfd18efSEd Tanous if (user.empty()) 1585b9b2e0b2SEd Tanous { 15862dfd18efSEd Tanous messages::internalError(asyncResp->res); 15872dfd18efSEd Tanous BMCWEB_LOG_ERROR << "Invalid firmware ID"; 15882dfd18efSEd Tanous 15892dfd18efSEd Tanous return; 1590b9b2e0b2SEd Tanous } 1591f365910cSGunnar Mills 1592f365910cSGunnar Mills // As clarified by Redfish here: 1593f365910cSGunnar Mills // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration 15946c51eab1SEd Tanous // Users without ConfigureUsers, only see their own 15956c51eab1SEd Tanous // account. Users with ConfigureUsers, see all 15966c51eab1SEd Tanous // accounts. 15971ef4c342SEd Tanous if (userCanSeeAllAccounts || (thisUser == user && userCanSeeSelf)) 1598f365910cSGunnar Mills { 15991476687dSEd Tanous nlohmann::json::object_t member; 16001476687dSEd Tanous member["@odata.id"] = 1601002d39b4SEd Tanous "/redfish/v1/AccountService/Accounts/" + user; 16021476687dSEd Tanous memberArray.push_back(std::move(member)); 1603b9b2e0b2SEd Tanous } 1604f365910cSGunnar Mills } 16051ef4c342SEd Tanous asyncResp->res.jsonValue["Members@odata.count"] = memberArray.size(); 1606b9b2e0b2SEd Tanous }, 16071ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1608b9b2e0b2SEd Tanous "org.freedesktop.DBus.ObjectManager", "GetManagedObjects"); 16091ef4c342SEd Tanous } 16106c51eab1SEd Tanous 16111ef4c342SEd Tanous inline void handleAccountCollectionPost( 16121ef4c342SEd Tanous App& app, const crow::Request& req, 16131ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 16141ef4c342SEd Tanous { 16153ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 161645ca1b86SEd Tanous { 161745ca1b86SEd Tanous return; 161845ca1b86SEd Tanous } 16199712f8acSEd Tanous std::string username; 16209712f8acSEd Tanous std::string password; 1621a24526dcSEd Tanous std::optional<std::string> roleId("User"); 1622a24526dcSEd Tanous std::optional<bool> enabled = true; 16231ef4c342SEd Tanous if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", username, 16241ef4c342SEd Tanous "Password", password, "RoleId", roleId, 16251ef4c342SEd Tanous "Enabled", enabled)) 162604ae99ecSEd Tanous { 162704ae99ecSEd Tanous return; 162804ae99ecSEd Tanous } 162904ae99ecSEd Tanous 163054fc587aSNagaraju Goruganti std::string priv = getPrivilegeFromRoleId(*roleId); 163184e12cb7SAppaRao Puli if (priv.empty()) 163204ae99ecSEd Tanous { 16331ef4c342SEd Tanous messages::propertyValueNotInList(asyncResp->res, *roleId, "RoleId"); 163404ae99ecSEd Tanous return; 163504ae99ecSEd Tanous } 163696200606Sjayaprakash Mutyala // TODO: Following override will be reverted once support in 16376c51eab1SEd Tanous // phosphor-user-manager is added. In order to avoid dependency 16386c51eab1SEd Tanous // issues, this is added in bmcweb, which will removed, once 163996200606Sjayaprakash Mutyala // phosphor-user-manager supports priv-noaccess. 164096200606Sjayaprakash Mutyala if (priv == "priv-noaccess") 164196200606Sjayaprakash Mutyala { 164296200606Sjayaprakash Mutyala roleId = ""; 164396200606Sjayaprakash Mutyala } 164496200606Sjayaprakash Mutyala else 164596200606Sjayaprakash Mutyala { 16469712f8acSEd Tanous roleId = priv; 164796200606Sjayaprakash Mutyala } 164804ae99ecSEd Tanous 1649599c71d8SAyushi Smriti // Reading AllGroups property 16501e1e598dSJonathan Doman sdbusplus::asio::getProperty<std::vector<std::string>>( 16511ef4c342SEd Tanous *crow::connections::systemBus, "xyz.openbmc_project.User.Manager", 16521ef4c342SEd Tanous "/xyz/openbmc_project/user", "xyz.openbmc_project.User.Manager", 16531ef4c342SEd Tanous "AllGroups", 1654599c71d8SAyushi Smriti [asyncResp, username, password{std::move(password)}, roleId, 1655168e20c1SEd Tanous enabled](const boost::system::error_code ec, 16561e1e598dSJonathan Doman const std::vector<std::string>& allGroupsList) { 1657599c71d8SAyushi Smriti if (ec) 1658599c71d8SAyushi Smriti { 1659599c71d8SAyushi Smriti BMCWEB_LOG_DEBUG << "ERROR with async_method_call"; 1660599c71d8SAyushi Smriti messages::internalError(asyncResp->res); 1661599c71d8SAyushi Smriti return; 1662599c71d8SAyushi Smriti } 1663599c71d8SAyushi Smriti 16641e1e598dSJonathan Doman if (allGroupsList.empty()) 1665599c71d8SAyushi Smriti { 1666599c71d8SAyushi Smriti messages::internalError(asyncResp->res); 1667599c71d8SAyushi Smriti return; 1668599c71d8SAyushi Smriti } 1669599c71d8SAyushi Smriti 167004ae99ecSEd Tanous crow::connections::systemBus->async_method_call( 16711ef4c342SEd Tanous [asyncResp, username, password](const boost::system::error_code ec2, 167259d494eeSPatrick Williams sdbusplus::message_t& m) { 167323a21a1cSEd Tanous if (ec2) 167404ae99ecSEd Tanous { 16751ef4c342SEd Tanous userErrorMessageHandler(m.get_error(), asyncResp, username, ""); 167604ae99ecSEd Tanous return; 167704ae99ecSEd Tanous } 167804ae99ecSEd Tanous 1679002d39b4SEd Tanous if (pamUpdatePassword(username, password) != PAM_SUCCESS) 168004ae99ecSEd Tanous { 16816c51eab1SEd Tanous // At this point we have a user that's been 16826c51eab1SEd Tanous // created, but the password set 16836c51eab1SEd Tanous // failed.Something is wrong, so delete the user 16846c51eab1SEd Tanous // that we've already created 16851ef4c342SEd Tanous sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 1686b477fd44SP Dheeraj Srujan Kumar tempObjPath /= username; 1687b477fd44SP Dheeraj Srujan Kumar const std::string userPath(tempObjPath); 1688b477fd44SP Dheeraj Srujan Kumar 168904ae99ecSEd Tanous crow::connections::systemBus->async_method_call( 16901ef4c342SEd Tanous [asyncResp, password](const boost::system::error_code ec3) { 169123a21a1cSEd Tanous if (ec3) 169204ae99ecSEd Tanous { 1693002d39b4SEd Tanous messages::internalError(asyncResp->res); 169404ae99ecSEd Tanous return; 169504ae99ecSEd Tanous } 169604ae99ecSEd Tanous 16970d4197e0Sanil kumar appana // If password is invalid 16981ef4c342SEd Tanous messages::propertyValueFormatError(asyncResp->res, password, 16991ef4c342SEd Tanous "Password"); 170004ae99ecSEd Tanous }, 1701002d39b4SEd Tanous "xyz.openbmc_project.User.Manager", userPath, 1702002d39b4SEd Tanous "xyz.openbmc_project.Object.Delete", "Delete"); 170304ae99ecSEd Tanous 170404ae99ecSEd Tanous BMCWEB_LOG_ERROR << "pamUpdatePassword Failed"; 170504ae99ecSEd Tanous return; 170604ae99ecSEd Tanous } 170704ae99ecSEd Tanous 1708f12894f8SJason M. Bills messages::created(asyncResp->res); 170904ae99ecSEd Tanous asyncResp->res.addHeader( 17101ef4c342SEd Tanous "Location", "/redfish/v1/AccountService/Accounts/" + username); 171104ae99ecSEd Tanous }, 1712002d39b4SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1713002d39b4SEd Tanous "xyz.openbmc_project.User.Manager", "CreateUser", username, 1714002d39b4SEd Tanous allGroupsList, *roleId, *enabled); 17151e1e598dSJonathan Doman }); 17161ef4c342SEd Tanous } 1717b9b2e0b2SEd Tanous 17181ef4c342SEd Tanous inline void 17194c7d4d33SEd Tanous handleAccountHead(App& app, const crow::Request& req, 17206c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 17214c7d4d33SEd Tanous const std::string& /*accountName*/) 17221ef4c342SEd Tanous { 17234c7d4d33SEd Tanous 17243ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 172545ca1b86SEd Tanous { 172645ca1b86SEd Tanous return; 172745ca1b86SEd Tanous } 17284c7d4d33SEd Tanous asyncResp->res.addHeader( 17294c7d4d33SEd Tanous boost::beast::http::field::link, 17304c7d4d33SEd Tanous "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby"); 17314c7d4d33SEd Tanous } 17324c7d4d33SEd Tanous inline void 17334c7d4d33SEd Tanous handleAccountGet(App& app, const crow::Request& req, 17344c7d4d33SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 17354c7d4d33SEd Tanous const std::string& accountName) 17364c7d4d33SEd Tanous { 17374c7d4d33SEd Tanous handleAccountHead(app, req, asyncResp, accountName); 17381ef4c342SEd Tanous #ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION 1739031514fbSJunLin Chen // If authentication is disabled, there are no user accounts 1740d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", accountName); 1741031514fbSJunLin Chen return; 1742031514fbSJunLin Chen 17431ef4c342SEd Tanous #endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION 1744031514fbSJunLin Chen if (req.session == nullptr) 1745031514fbSJunLin Chen { 1746031514fbSJunLin Chen messages::internalError(asyncResp->res); 1747031514fbSJunLin Chen return; 1748031514fbSJunLin Chen } 17496c51eab1SEd Tanous if (req.session->username != accountName) 1750b9b2e0b2SEd Tanous { 17516c51eab1SEd Tanous // At this point we've determined that the user is trying to 17521ef4c342SEd Tanous // modify a user that isn't them. We need to verify that they 17531ef4c342SEd Tanous // have permissions to modify other users, so re-run the auth 17541ef4c342SEd Tanous // check with the same permissions, minus ConfigureSelf. 17556c51eab1SEd Tanous Privileges effectiveUserPrivileges = 17566c51eab1SEd Tanous redfish::getUserPrivileges(req.userRole); 17571ef4c342SEd Tanous Privileges requiredPermissionsToChangeNonSelf = {"ConfigureUsers", 17581ef4c342SEd Tanous "ConfigureManager"}; 17596c51eab1SEd Tanous if (!effectiveUserPrivileges.isSupersetOf( 17606c51eab1SEd Tanous requiredPermissionsToChangeNonSelf)) 1761900f9497SJoseph Reynolds { 1762900f9497SJoseph Reynolds BMCWEB_LOG_DEBUG << "GET Account denied access"; 1763900f9497SJoseph Reynolds messages::insufficientPrivilege(asyncResp->res); 1764900f9497SJoseph Reynolds return; 1765900f9497SJoseph Reynolds } 1766900f9497SJoseph Reynolds } 1767900f9497SJoseph Reynolds 1768b9b2e0b2SEd Tanous crow::connections::systemBus->async_method_call( 17691ef4c342SEd Tanous [asyncResp, 17701ef4c342SEd Tanous accountName](const boost::system::error_code ec, 1771711ac7a9SEd Tanous const dbus::utility::ManagedObjectType& users) { 1772b9b2e0b2SEd Tanous if (ec) 1773b9b2e0b2SEd Tanous { 1774f12894f8SJason M. Bills messages::internalError(asyncResp->res); 1775b9b2e0b2SEd Tanous return; 1776b9b2e0b2SEd Tanous } 1777711ac7a9SEd Tanous const auto userIt = std::find_if( 1778b477fd44SP Dheeraj Srujan Kumar users.begin(), users.end(), 1779b477fd44SP Dheeraj Srujan Kumar [accountName]( 1780b477fd44SP Dheeraj Srujan Kumar const std::pair<sdbusplus::message::object_path, 1781002d39b4SEd Tanous dbus::utility::DBusInteracesMap>& user) { 178255f79e6fSEd Tanous return accountName == user.first.filename(); 1783b477fd44SP Dheeraj Srujan Kumar }); 1784b9b2e0b2SEd Tanous 178584e12cb7SAppaRao Puli if (userIt == users.end()) 1786b9b2e0b2SEd Tanous { 1787002d39b4SEd Tanous messages::resourceNotFound(asyncResp->res, "ManagerAccount", 1788002d39b4SEd Tanous accountName); 178984e12cb7SAppaRao Puli return; 179084e12cb7SAppaRao Puli } 17914e68c45bSAyushi Smriti 17921476687dSEd Tanous asyncResp->res.jsonValue["@odata.type"] = 17931476687dSEd Tanous "#ManagerAccount.v1_4_0.ManagerAccount"; 17941476687dSEd Tanous asyncResp->res.jsonValue["Name"] = "User Account"; 17951476687dSEd Tanous asyncResp->res.jsonValue["Description"] = "User Account"; 17961476687dSEd Tanous asyncResp->res.jsonValue["Password"] = nullptr; 17974e68c45bSAyushi Smriti 179884e12cb7SAppaRao Puli for (const auto& interface : userIt->second) 179965b0dc32SEd Tanous { 1800002d39b4SEd Tanous if (interface.first == "xyz.openbmc_project.User.Attributes") 180165b0dc32SEd Tanous { 180265b0dc32SEd Tanous for (const auto& property : interface.second) 180365b0dc32SEd Tanous { 180465b0dc32SEd Tanous if (property.first == "UserEnabled") 180565b0dc32SEd Tanous { 180665b0dc32SEd Tanous const bool* userEnabled = 1807abf2add6SEd Tanous std::get_if<bool>(&property.second); 180865b0dc32SEd Tanous if (userEnabled == nullptr) 180965b0dc32SEd Tanous { 1810002d39b4SEd Tanous BMCWEB_LOG_ERROR << "UserEnabled wasn't a bool"; 181184e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 181284e12cb7SAppaRao Puli return; 181365b0dc32SEd Tanous } 1814002d39b4SEd Tanous asyncResp->res.jsonValue["Enabled"] = *userEnabled; 181565b0dc32SEd Tanous } 1816002d39b4SEd Tanous else if (property.first == "UserLockedForFailedAttempt") 181765b0dc32SEd Tanous { 181865b0dc32SEd Tanous const bool* userLocked = 1819abf2add6SEd Tanous std::get_if<bool>(&property.second); 182065b0dc32SEd Tanous if (userLocked == nullptr) 182165b0dc32SEd Tanous { 182284e12cb7SAppaRao Puli BMCWEB_LOG_ERROR << "UserLockedForF" 182384e12cb7SAppaRao Puli "ailedAttempt " 182484e12cb7SAppaRao Puli "wasn't a bool"; 182584e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 182684e12cb7SAppaRao Puli return; 182765b0dc32SEd Tanous } 1828002d39b4SEd Tanous asyncResp->res.jsonValue["Locked"] = *userLocked; 1829002d39b4SEd Tanous asyncResp->res 1830002d39b4SEd Tanous .jsonValue["Locked@Redfish.AllowableValues"] = { 18313bf4e632SJoseph Reynolds "false"}; // can only unlock accounts 183265b0dc32SEd Tanous } 183384e12cb7SAppaRao Puli else if (property.first == "UserPrivilege") 183484e12cb7SAppaRao Puli { 183554fc587aSNagaraju Goruganti const std::string* userPrivPtr = 1836002d39b4SEd Tanous std::get_if<std::string>(&property.second); 183754fc587aSNagaraju Goruganti if (userPrivPtr == nullptr) 183884e12cb7SAppaRao Puli { 1839002d39b4SEd Tanous BMCWEB_LOG_ERROR << "UserPrivilege wasn't a " 184084e12cb7SAppaRao Puli "string"; 184184e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 184284e12cb7SAppaRao Puli return; 184384e12cb7SAppaRao Puli } 18441ef4c342SEd Tanous std::string role = getRoleIdFromPrivilege(*userPrivPtr); 184554fc587aSNagaraju Goruganti if (role.empty()) 184684e12cb7SAppaRao Puli { 184784e12cb7SAppaRao Puli BMCWEB_LOG_ERROR << "Invalid user role"; 184884e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 184984e12cb7SAppaRao Puli return; 185084e12cb7SAppaRao Puli } 185154fc587aSNagaraju Goruganti asyncResp->res.jsonValue["RoleId"] = role; 185284e12cb7SAppaRao Puli 18531476687dSEd Tanous nlohmann::json& roleEntry = 1854002d39b4SEd Tanous asyncResp->res.jsonValue["Links"]["Role"]; 18551476687dSEd Tanous roleEntry["@odata.id"] = 1856002d39b4SEd Tanous "/redfish/v1/AccountService/Roles/" + role; 185784e12cb7SAppaRao Puli } 1858002d39b4SEd Tanous else if (property.first == "UserPasswordExpired") 18593bf4e632SJoseph Reynolds { 18603bf4e632SJoseph Reynolds const bool* userPasswordExpired = 18613bf4e632SJoseph Reynolds std::get_if<bool>(&property.second); 18623bf4e632SJoseph Reynolds if (userPasswordExpired == nullptr) 18633bf4e632SJoseph Reynolds { 18640fda0f12SGeorge Liu BMCWEB_LOG_ERROR 18650fda0f12SGeorge Liu << "UserPasswordExpired wasn't a bool"; 18663bf4e632SJoseph Reynolds messages::internalError(asyncResp->res); 18673bf4e632SJoseph Reynolds return; 18683bf4e632SJoseph Reynolds } 1869002d39b4SEd Tanous asyncResp->res.jsonValue["PasswordChangeRequired"] = 18703bf4e632SJoseph Reynolds *userPasswordExpired; 18713bf4e632SJoseph Reynolds } 1872*c7229815SAbhishek Patel else if (property.first == "UserGroups") 1873*c7229815SAbhishek Patel { 1874*c7229815SAbhishek Patel const std::vector<std::string>* userGroups = 1875*c7229815SAbhishek Patel std::get_if<std::vector<std::string>>( 1876*c7229815SAbhishek Patel &property.second); 1877*c7229815SAbhishek Patel if (userGroups == nullptr) 1878*c7229815SAbhishek Patel { 1879*c7229815SAbhishek Patel BMCWEB_LOG_ERROR 1880*c7229815SAbhishek Patel << "userGroups wasn't a string vector"; 1881*c7229815SAbhishek Patel messages::internalError(asyncResp->res); 1882*c7229815SAbhishek Patel return; 1883*c7229815SAbhishek Patel } 1884*c7229815SAbhishek Patel if (!translateUserGroup(*userGroups, asyncResp->res)) 1885*c7229815SAbhishek Patel { 1886*c7229815SAbhishek Patel BMCWEB_LOG_ERROR << "userGroups mapping failed"; 1887*c7229815SAbhishek Patel messages::internalError(asyncResp->res); 1888*c7229815SAbhishek Patel return; 1889*c7229815SAbhishek Patel } 1890*c7229815SAbhishek Patel } 189165b0dc32SEd Tanous } 189265b0dc32SEd Tanous } 189365b0dc32SEd Tanous } 189465b0dc32SEd Tanous 1895b9b2e0b2SEd Tanous asyncResp->res.jsonValue["@odata.id"] = 189684e12cb7SAppaRao Puli "/redfish/v1/AccountService/Accounts/" + accountName; 1897b9b2e0b2SEd Tanous asyncResp->res.jsonValue["Id"] = accountName; 1898b9b2e0b2SEd Tanous asyncResp->res.jsonValue["UserName"] = accountName; 1899b9b2e0b2SEd Tanous }, 19001ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 1901b9b2e0b2SEd Tanous "org.freedesktop.DBus.ObjectManager", "GetManagedObjects"); 19021ef4c342SEd Tanous } 1903a840879dSEd Tanous 19041ef4c342SEd Tanous inline void 19051ef4c342SEd Tanous handleAccounttDelete(App& app, const crow::Request& req, 19066c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 19071ef4c342SEd Tanous const std::string& username) 19081ef4c342SEd Tanous { 19093ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 191045ca1b86SEd Tanous { 191145ca1b86SEd Tanous return; 191245ca1b86SEd Tanous } 19131ef4c342SEd Tanous 19141ef4c342SEd Tanous #ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION 1915031514fbSJunLin Chen // If authentication is disabled, there are no user accounts 1916d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", username); 1917031514fbSJunLin Chen return; 1918031514fbSJunLin Chen 19191ef4c342SEd Tanous #endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION 19201ef4c342SEd Tanous sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 19211ef4c342SEd Tanous tempObjPath /= username; 19221ef4c342SEd Tanous const std::string userPath(tempObjPath); 19231ef4c342SEd Tanous 19241ef4c342SEd Tanous crow::connections::systemBus->async_method_call( 19251ef4c342SEd Tanous [asyncResp, username](const boost::system::error_code ec) { 19261ef4c342SEd Tanous if (ec) 19271ef4c342SEd Tanous { 1928d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", 19291ef4c342SEd Tanous username); 19301ef4c342SEd Tanous return; 19311ef4c342SEd Tanous } 19321ef4c342SEd Tanous 19331ef4c342SEd Tanous messages::accountRemoved(asyncResp->res); 19341ef4c342SEd Tanous }, 19351ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", userPath, 19361ef4c342SEd Tanous "xyz.openbmc_project.Object.Delete", "Delete"); 19371ef4c342SEd Tanous } 19381ef4c342SEd Tanous 19391ef4c342SEd Tanous inline void 19401ef4c342SEd Tanous handleAccountPatch(App& app, const crow::Request& req, 19411ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 19421ef4c342SEd Tanous const std::string& username) 19431ef4c342SEd Tanous { 19441ef4c342SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 19451ef4c342SEd Tanous { 19461ef4c342SEd Tanous return; 19471ef4c342SEd Tanous } 19481ef4c342SEd Tanous #ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION 19491ef4c342SEd Tanous // If authentication is disabled, there are no user accounts 1950d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", username); 19511ef4c342SEd Tanous return; 19521ef4c342SEd Tanous 19531ef4c342SEd Tanous #endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION 1954a24526dcSEd Tanous std::optional<std::string> newUserName; 1955a24526dcSEd Tanous std::optional<std::string> password; 1956a24526dcSEd Tanous std::optional<bool> enabled; 1957a24526dcSEd Tanous std::optional<std::string> roleId; 195824c8542dSRatan Gupta std::optional<bool> locked; 1959e9cc5172SEd Tanous 1960031514fbSJunLin Chen if (req.session == nullptr) 1961031514fbSJunLin Chen { 1962031514fbSJunLin Chen messages::internalError(asyncResp->res); 1963031514fbSJunLin Chen return; 1964031514fbSJunLin Chen } 1965031514fbSJunLin Chen 1966e9cc5172SEd Tanous Privileges effectiveUserPrivileges = 1967e9cc5172SEd Tanous redfish::getUserPrivileges(req.userRole); 1968e9cc5172SEd Tanous Privileges configureUsers = {"ConfigureUsers"}; 1969e9cc5172SEd Tanous bool userHasConfigureUsers = 1970e9cc5172SEd Tanous effectiveUserPrivileges.isSupersetOf(configureUsers); 1971e9cc5172SEd Tanous if (userHasConfigureUsers) 1972e9cc5172SEd Tanous { 1973e9cc5172SEd Tanous // Users with ConfigureUsers can modify for all users 19741ef4c342SEd Tanous if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", 19751ef4c342SEd Tanous newUserName, "Password", password, 19761ef4c342SEd Tanous "RoleId", roleId, "Enabled", enabled, 19771ef4c342SEd Tanous "Locked", locked)) 1978a840879dSEd Tanous { 1979a840879dSEd Tanous return; 1980a840879dSEd Tanous } 1981e9cc5172SEd Tanous } 1982e9cc5172SEd Tanous else 1983900f9497SJoseph Reynolds { 1984e9cc5172SEd Tanous // ConfigureSelf accounts can only modify their own account 1985e9cc5172SEd Tanous if (username != req.session->username) 1986900f9497SJoseph Reynolds { 1987900f9497SJoseph Reynolds messages::insufficientPrivilege(asyncResp->res); 1988900f9497SJoseph Reynolds return; 1989900f9497SJoseph Reynolds } 1990031514fbSJunLin Chen 1991e9cc5172SEd Tanous // ConfigureSelf accounts can only modify their password 19921ef4c342SEd Tanous if (!json_util::readJsonPatch(req, asyncResp->res, "Password", 19931ef4c342SEd Tanous password)) 1994e9cc5172SEd Tanous { 1995e9cc5172SEd Tanous return; 1996e9cc5172SEd Tanous } 1997900f9497SJoseph Reynolds } 1998900f9497SJoseph Reynolds 199966b5ca76Sjayaprakash Mutyala // if user name is not provided in the patch method or if it 20006c51eab1SEd Tanous // matches the user name in the URI, then we are treating it as 20016c51eab1SEd Tanous // updating user properties other then username. If username 20026c51eab1SEd Tanous // provided doesn't match the URI, then we are treating this as 20036c51eab1SEd Tanous // user rename request. 200466b5ca76Sjayaprakash Mutyala if (!newUserName || (newUserName.value() == username)) 2005a840879dSEd Tanous { 20061ef4c342SEd Tanous updateUserProperties(asyncResp, username, password, enabled, roleId, 20071ef4c342SEd Tanous locked); 200884e12cb7SAppaRao Puli return; 200984e12cb7SAppaRao Puli } 201084e12cb7SAppaRao Puli crow::connections::systemBus->async_method_call( 20116c51eab1SEd Tanous [asyncResp, username, password(std::move(password)), 20121ef4c342SEd Tanous roleId(std::move(roleId)), enabled, newUser{std::string(*newUserName)}, 201359d494eeSPatrick Williams locked](const boost::system::error_code ec, sdbusplus::message_t& m) { 201484e12cb7SAppaRao Puli if (ec) 201584e12cb7SAppaRao Puli { 2016002d39b4SEd Tanous userErrorMessageHandler(m.get_error(), asyncResp, newUser, 2017002d39b4SEd Tanous username); 2018a840879dSEd Tanous return; 2019a840879dSEd Tanous } 2020a840879dSEd Tanous 2021002d39b4SEd Tanous updateUserProperties(asyncResp, newUser, password, enabled, roleId, 2022002d39b4SEd Tanous locked); 202384e12cb7SAppaRao Puli }, 20241ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 202584e12cb7SAppaRao Puli "xyz.openbmc_project.User.Manager", "RenameUser", username, 202684e12cb7SAppaRao Puli *newUserName); 20271ef4c342SEd Tanous } 20281ef4c342SEd Tanous 20291ef4c342SEd Tanous inline void requestAccountServiceRoutes(App& app) 20301ef4c342SEd Tanous { 20311ef4c342SEd Tanous 20321ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 20334c7d4d33SEd Tanous .privileges(redfish::privileges::headAccountService) 20344c7d4d33SEd Tanous .methods(boost::beast::http::verb::head)( 20354c7d4d33SEd Tanous std::bind_front(handleAccountServiceHead, std::ref(app))); 20364c7d4d33SEd Tanous 20374c7d4d33SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 20381ef4c342SEd Tanous .privileges(redfish::privileges::getAccountService) 20391ef4c342SEd Tanous .methods(boost::beast::http::verb::get)( 20401ef4c342SEd Tanous std::bind_front(handleAccountServiceGet, std::ref(app))); 20411ef4c342SEd Tanous 20421ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 20431ef4c342SEd Tanous .privileges(redfish::privileges::patchAccountService) 20441ef4c342SEd Tanous .methods(boost::beast::http::verb::patch)( 20451ef4c342SEd Tanous std::bind_front(handleAccountServicePatch, std::ref(app))); 20461ef4c342SEd Tanous 20471ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 20484c7d4d33SEd Tanous .privileges(redfish::privileges::headManagerAccountCollection) 20494c7d4d33SEd Tanous .methods(boost::beast::http::verb::head)( 20504c7d4d33SEd Tanous std::bind_front(handleAccountCollectionHead, std::ref(app))); 20514c7d4d33SEd Tanous 20524c7d4d33SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 20531ef4c342SEd Tanous .privileges(redfish::privileges::getManagerAccountCollection) 20541ef4c342SEd Tanous .methods(boost::beast::http::verb::get)( 20551ef4c342SEd Tanous std::bind_front(handleAccountCollectionGet, std::ref(app))); 20561ef4c342SEd Tanous 20571ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 20581ef4c342SEd Tanous .privileges(redfish::privileges::postManagerAccountCollection) 20591ef4c342SEd Tanous .methods(boost::beast::http::verb::post)( 20601ef4c342SEd Tanous std::bind_front(handleAccountCollectionPost, std::ref(app))); 20611ef4c342SEd Tanous 20621ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 20634c7d4d33SEd Tanous .privileges(redfish::privileges::headManagerAccount) 20644c7d4d33SEd Tanous .methods(boost::beast::http::verb::head)( 20654c7d4d33SEd Tanous std::bind_front(handleAccountHead, std::ref(app))); 20664c7d4d33SEd Tanous 20674c7d4d33SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 20681ef4c342SEd Tanous .privileges(redfish::privileges::getManagerAccount) 20691ef4c342SEd Tanous .methods(boost::beast::http::verb::get)( 20701ef4c342SEd Tanous std::bind_front(handleAccountGet, std::ref(app))); 20711ef4c342SEd Tanous 20721ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 20731ef4c342SEd Tanous // TODO this privilege should be using the generated endpoints, but 20741ef4c342SEd Tanous // because of the special handling of ConfigureSelf, it's not able to 20751ef4c342SEd Tanous // yet 20761ef4c342SEd Tanous .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}}) 20771ef4c342SEd Tanous .methods(boost::beast::http::verb::patch)( 20781ef4c342SEd Tanous std::bind_front(handleAccountPatch, std::ref(app))); 207984e12cb7SAppaRao Puli 20806c51eab1SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 2081ed398213SEd Tanous .privileges(redfish::privileges::deleteManagerAccount) 20826c51eab1SEd Tanous .methods(boost::beast::http::verb::delete_)( 20831ef4c342SEd Tanous std::bind_front(handleAccounttDelete, std::ref(app))); 208406e086d9SEd Tanous } 208588d16c9aSLewanczyk, Dawid 208688d16c9aSLewanczyk, Dawid } // namespace redfish 2087