188d16c9aSLewanczyk, Dawid /* 288d16c9aSLewanczyk, Dawid // Copyright (c) 2018 Intel Corporation 388d16c9aSLewanczyk, Dawid // 488d16c9aSLewanczyk, Dawid // Licensed under the Apache License, Version 2.0 (the "License"); 588d16c9aSLewanczyk, Dawid // you may not use this file except in compliance with the License. 688d16c9aSLewanczyk, Dawid // You may obtain a copy of the License at 788d16c9aSLewanczyk, Dawid // 888d16c9aSLewanczyk, Dawid // http://www.apache.org/licenses/LICENSE-2.0 988d16c9aSLewanczyk, Dawid // 1088d16c9aSLewanczyk, Dawid // Unless required by applicable law or agreed to in writing, software 1188d16c9aSLewanczyk, Dawid // distributed under the License is distributed on an "AS IS" BASIS, 1288d16c9aSLewanczyk, Dawid // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 1388d16c9aSLewanczyk, Dawid // See the License for the specific language governing permissions and 1488d16c9aSLewanczyk, Dawid // limitations under the License. 1588d16c9aSLewanczyk, Dawid */ 1688d16c9aSLewanczyk, Dawid #pragma once 1788d16c9aSLewanczyk, Dawid 183ccb3adbSEd Tanous #include "app.hpp" 193ccb3adbSEd Tanous #include "dbus_utility.hpp" 203ccb3adbSEd Tanous #include "error_messages.hpp" 210ec8b83dSEd Tanous #include "generated/enums/account_service.hpp" 223ccb3adbSEd Tanous #include "openbmc_dbus_rest.hpp" 233ccb3adbSEd Tanous #include "persistent_data.hpp" 243ccb3adbSEd Tanous #include "query.hpp" 250ec8b83dSEd Tanous #include "registries/privilege_registry.hpp" 263ccb3adbSEd Tanous #include "utils/dbus_utils.hpp" 273ccb3adbSEd Tanous #include "utils/json_utils.hpp" 280ec8b83dSEd Tanous 291e1e598dSJonathan Doman #include <sdbusplus/asio/property.hpp> 30d1bde9e5SKrzysztof Grobelny #include <sdbusplus/unpack_properties.hpp> 311214b7e7SGunnar Mills 322b73119cSGeorge Liu #include <array> 33c7229815SAbhishek Patel #include <optional> 34c7229815SAbhishek Patel #include <string> 352b73119cSGeorge Liu #include <string_view> 36c7229815SAbhishek Patel #include <vector> 37c7229815SAbhishek Patel 381abe55efSEd Tanous namespace redfish 391abe55efSEd Tanous { 4088d16c9aSLewanczyk, Dawid 4123a21a1cSEd Tanous constexpr const char* ldapConfigObjectName = 426973a582SRatan Gupta "/xyz/openbmc_project/user/ldap/openldap"; 432c70f800SEd Tanous constexpr const char* adConfigObject = 44ab828d7cSRatan Gupta "/xyz/openbmc_project/user/ldap/active_directory"; 45ab828d7cSRatan Gupta 46b477fd44SP Dheeraj Srujan Kumar constexpr const char* rootUserDbusPath = "/xyz/openbmc_project/user/"; 476973a582SRatan Gupta constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap"; 486973a582SRatan Gupta constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config"; 496973a582SRatan Gupta constexpr const char* ldapConfigInterface = 506973a582SRatan Gupta "xyz.openbmc_project.User.Ldap.Config"; 516973a582SRatan Gupta constexpr const char* ldapCreateInterface = 526973a582SRatan Gupta "xyz.openbmc_project.User.Ldap.Create"; 536973a582SRatan Gupta constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable"; 5406785244SRatan Gupta constexpr const char* ldapPrivMapperInterface = 5506785244SRatan Gupta "xyz.openbmc_project.User.PrivilegeMapper"; 566973a582SRatan Gupta 5754fc587aSNagaraju Goruganti struct LDAPRoleMapData 5854fc587aSNagaraju Goruganti { 5954fc587aSNagaraju Goruganti std::string groupName; 6054fc587aSNagaraju Goruganti std::string privilege; 6154fc587aSNagaraju Goruganti }; 6254fc587aSNagaraju Goruganti 636973a582SRatan Gupta struct LDAPConfigData 646973a582SRatan Gupta { 656973a582SRatan Gupta std::string uri{}; 666973a582SRatan Gupta std::string bindDN{}; 676973a582SRatan Gupta std::string baseDN{}; 686973a582SRatan Gupta std::string searchScope{}; 696973a582SRatan Gupta std::string serverType{}; 706973a582SRatan Gupta bool serviceEnabled = false; 716973a582SRatan Gupta std::string userNameAttribute{}; 726973a582SRatan Gupta std::string groupAttribute{}; 7354fc587aSNagaraju Goruganti std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList; 746973a582SRatan Gupta }; 756973a582SRatan Gupta 7654fc587aSNagaraju Goruganti inline std::string getRoleIdFromPrivilege(std::string_view role) 7784e12cb7SAppaRao Puli { 7884e12cb7SAppaRao Puli if (role == "priv-admin") 7984e12cb7SAppaRao Puli { 8084e12cb7SAppaRao Puli return "Administrator"; 8184e12cb7SAppaRao Puli } 823174e4dfSEd Tanous if (role == "priv-user") 8384e12cb7SAppaRao Puli { 84c80fee55SAppaRao Puli return "ReadOnly"; 8584e12cb7SAppaRao Puli } 863174e4dfSEd Tanous if (role == "priv-operator") 8784e12cb7SAppaRao Puli { 8884e12cb7SAppaRao Puli return "Operator"; 8984e12cb7SAppaRao Puli } 9084e12cb7SAppaRao Puli return ""; 9184e12cb7SAppaRao Puli } 9254fc587aSNagaraju Goruganti inline std::string getPrivilegeFromRoleId(std::string_view role) 9384e12cb7SAppaRao Puli { 9484e12cb7SAppaRao Puli if (role == "Administrator") 9584e12cb7SAppaRao Puli { 9684e12cb7SAppaRao Puli return "priv-admin"; 9784e12cb7SAppaRao Puli } 983174e4dfSEd Tanous if (role == "ReadOnly") 9984e12cb7SAppaRao Puli { 10084e12cb7SAppaRao Puli return "priv-user"; 10184e12cb7SAppaRao Puli } 1023174e4dfSEd Tanous if (role == "Operator") 10384e12cb7SAppaRao Puli { 10484e12cb7SAppaRao Puli return "priv-operator"; 10584e12cb7SAppaRao Puli } 10684e12cb7SAppaRao Puli return ""; 10784e12cb7SAppaRao Puli } 108b9b2e0b2SEd Tanous 109c7229815SAbhishek Patel /** 110c7229815SAbhishek Patel * @brief Maps user group names retrieved from D-Bus object to 111c7229815SAbhishek Patel * Account Types. 112c7229815SAbhishek Patel * 113c7229815SAbhishek Patel * @param[in] userGroups List of User groups 114c7229815SAbhishek Patel * @param[out] res AccountTypes populated 115c7229815SAbhishek Patel * 116c7229815SAbhishek Patel * @return true in case of success, false if UserGroups contains 117c7229815SAbhishek Patel * invalid group name(s). 118c7229815SAbhishek Patel */ 119c7229815SAbhishek Patel inline bool translateUserGroup(const std::vector<std::string>& userGroups, 120c7229815SAbhishek Patel crow::Response& res) 121c7229815SAbhishek Patel { 122c7229815SAbhishek Patel std::vector<std::string> accountTypes; 123c7229815SAbhishek Patel for (const auto& userGroup : userGroups) 124c7229815SAbhishek Patel { 125c7229815SAbhishek Patel if (userGroup == "redfish") 126c7229815SAbhishek Patel { 127c7229815SAbhishek Patel accountTypes.emplace_back("Redfish"); 128c7229815SAbhishek Patel accountTypes.emplace_back("WebUI"); 129c7229815SAbhishek Patel } 130c7229815SAbhishek Patel else if (userGroup == "ipmi") 131c7229815SAbhishek Patel { 132c7229815SAbhishek Patel accountTypes.emplace_back("IPMI"); 133c7229815SAbhishek Patel } 134c7229815SAbhishek Patel else if (userGroup == "ssh") 135c7229815SAbhishek Patel { 136c7229815SAbhishek Patel accountTypes.emplace_back("ManagerConsole"); 137c7229815SAbhishek Patel } 1383e72c202SNinad Palsule else if (userGroup == "hostconsole") 1393e72c202SNinad Palsule { 1403e72c202SNinad Palsule // The hostconsole group controls who can access the host console 1413e72c202SNinad Palsule // port via ssh and websocket. 1423e72c202SNinad Palsule accountTypes.emplace_back("HostConsole"); 1433e72c202SNinad Palsule } 144c7229815SAbhishek Patel else if (userGroup == "web") 145c7229815SAbhishek Patel { 146c7229815SAbhishek Patel // 'web' is one of the valid groups in the UserGroups property of 147c7229815SAbhishek Patel // the user account in the D-Bus object. This group is currently not 148c7229815SAbhishek Patel // doing anything, and is considered to be equivalent to 'redfish'. 149c7229815SAbhishek Patel // 'redfish' user group is mapped to 'Redfish'and 'WebUI' 150c7229815SAbhishek Patel // AccountTypes, so do nothing here... 151c7229815SAbhishek Patel } 152c7229815SAbhishek Patel else 153c7229815SAbhishek Patel { 154c7229815SAbhishek Patel // Invalid user group name. Caller throws an excption. 155c7229815SAbhishek Patel return false; 156c7229815SAbhishek Patel } 157c7229815SAbhishek Patel } 158c7229815SAbhishek Patel 159c7229815SAbhishek Patel res.jsonValue["AccountTypes"] = std::move(accountTypes); 160c7229815SAbhishek Patel return true; 161c7229815SAbhishek Patel } 162c7229815SAbhishek Patel 16358345856SAbhishek Patel /** 16458345856SAbhishek Patel * @brief Builds User Groups from the Account Types 16558345856SAbhishek Patel * 16658345856SAbhishek Patel * @param[in] asyncResp Async Response 16758345856SAbhishek Patel * @param[in] accountTypes List of Account Types 16858345856SAbhishek Patel * @param[out] userGroups List of User Groups mapped from Account Types 16958345856SAbhishek Patel * 17058345856SAbhishek Patel * @return true if Account Types mapped to User Groups, false otherwise. 17158345856SAbhishek Patel */ 17258345856SAbhishek Patel inline bool 17358345856SAbhishek Patel getUserGroupFromAccountType(crow::Response& res, 17458345856SAbhishek Patel const std::vector<std::string>& accountTypes, 17558345856SAbhishek Patel std::vector<std::string>& userGroups) 17658345856SAbhishek Patel { 17758345856SAbhishek Patel // Need both Redfish and WebUI Account Types to map to 'redfish' User Group 17858345856SAbhishek Patel bool redfishType = false; 17958345856SAbhishek Patel bool webUIType = false; 18058345856SAbhishek Patel 18158345856SAbhishek Patel for (const auto& accountType : accountTypes) 18258345856SAbhishek Patel { 18358345856SAbhishek Patel if (accountType == "Redfish") 18458345856SAbhishek Patel { 18558345856SAbhishek Patel redfishType = true; 18658345856SAbhishek Patel } 18758345856SAbhishek Patel else if (accountType == "WebUI") 18858345856SAbhishek Patel { 18958345856SAbhishek Patel webUIType = true; 19058345856SAbhishek Patel } 19158345856SAbhishek Patel else if (accountType == "IPMI") 19258345856SAbhishek Patel { 19358345856SAbhishek Patel userGroups.emplace_back("ipmi"); 19458345856SAbhishek Patel } 19558345856SAbhishek Patel else if (accountType == "HostConsole") 19658345856SAbhishek Patel { 19758345856SAbhishek Patel userGroups.emplace_back("hostconsole"); 19858345856SAbhishek Patel } 19958345856SAbhishek Patel else if (accountType == "ManagerConsole") 20058345856SAbhishek Patel { 20158345856SAbhishek Patel userGroups.emplace_back("ssh"); 20258345856SAbhishek Patel } 20358345856SAbhishek Patel else 20458345856SAbhishek Patel { 20558345856SAbhishek Patel // Invalid Account Type 20658345856SAbhishek Patel messages::propertyValueNotInList(res, "AccountTypes", accountType); 20758345856SAbhishek Patel return false; 20858345856SAbhishek Patel } 20958345856SAbhishek Patel } 21058345856SAbhishek Patel 21158345856SAbhishek Patel // Both Redfish and WebUI Account Types are needed to PATCH 21258345856SAbhishek Patel if (redfishType ^ webUIType) 21358345856SAbhishek Patel { 21458345856SAbhishek Patel BMCWEB_LOG_ERROR 21558345856SAbhishek Patel << "Missing Redfish or WebUI Account Type to set redfish User Group"; 21658345856SAbhishek Patel messages::strictAccountTypes(res, "AccountTypes"); 21758345856SAbhishek Patel return false; 21858345856SAbhishek Patel } 21958345856SAbhishek Patel 22058345856SAbhishek Patel if (redfishType && webUIType) 22158345856SAbhishek Patel { 22258345856SAbhishek Patel userGroups.emplace_back("redfish"); 22358345856SAbhishek Patel } 22458345856SAbhishek Patel 22558345856SAbhishek Patel return true; 22658345856SAbhishek Patel } 22758345856SAbhishek Patel 22858345856SAbhishek Patel /** 22958345856SAbhishek Patel * @brief Sets UserGroups property of the user based on the Account Types 23058345856SAbhishek Patel * 23158345856SAbhishek Patel * @param[in] accountTypes List of User Account Types 23258345856SAbhishek Patel * @param[in] asyncResp Async Response 23358345856SAbhishek Patel * @param[in] dbusObjectPath D-Bus Object Path 23458345856SAbhishek Patel * @param[in] userSelf true if User is updating OWN Account Types 23558345856SAbhishek Patel */ 23658345856SAbhishek Patel inline void 23758345856SAbhishek Patel patchAccountTypes(const std::vector<std::string>& accountTypes, 23858345856SAbhishek Patel const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 23958345856SAbhishek Patel const std::string& dbusObjectPath, bool userSelf) 24058345856SAbhishek Patel { 24158345856SAbhishek Patel // Check if User is disabling own Redfish Account Type 24258345856SAbhishek Patel if (userSelf && 24358345856SAbhishek Patel (accountTypes.cend() == 24458345856SAbhishek Patel std::find(accountTypes.cbegin(), accountTypes.cend(), "Redfish"))) 24558345856SAbhishek Patel { 24658345856SAbhishek Patel BMCWEB_LOG_ERROR 24758345856SAbhishek Patel << "User disabling OWN Redfish Account Type is not allowed"; 24858345856SAbhishek Patel messages::strictAccountTypes(asyncResp->res, "AccountTypes"); 24958345856SAbhishek Patel return; 25058345856SAbhishek Patel } 25158345856SAbhishek Patel 25258345856SAbhishek Patel std::vector<std::string> updatedUserGroups; 25358345856SAbhishek Patel if (!getUserGroupFromAccountType(asyncResp->res, accountTypes, 25458345856SAbhishek Patel updatedUserGroups)) 25558345856SAbhishek Patel { 25658345856SAbhishek Patel // Problem in mapping Account Types to User Groups, Error already 25758345856SAbhishek Patel // logged. 25858345856SAbhishek Patel return; 25958345856SAbhishek Patel } 26058345856SAbhishek Patel 2619ae226faSGeorge Liu sdbusplus::asio::setProperty( 2629ae226faSGeorge Liu *crow::connections::systemBus, "xyz.openbmc_project.User.Manager", 2639ae226faSGeorge Liu dbusObjectPath, "xyz.openbmc_project.User.Attributes", "UserGroups", 2649ae226faSGeorge Liu updatedUserGroups, [asyncResp](const boost::system::error_code& ec) { 26558345856SAbhishek Patel if (ec) 26658345856SAbhishek Patel { 26758345856SAbhishek Patel BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec; 26858345856SAbhishek Patel messages::internalError(asyncResp->res); 26958345856SAbhishek Patel return; 27058345856SAbhishek Patel } 27158345856SAbhishek Patel messages::success(asyncResp->res); 2729ae226faSGeorge Liu }); 27358345856SAbhishek Patel } 27458345856SAbhishek Patel 2758d1b46d7Szhanghch05 inline void userErrorMessageHandler( 2768d1b46d7Szhanghch05 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 2778d1b46d7Szhanghch05 const std::string& newUser, const std::string& username) 27866b5ca76Sjayaprakash Mutyala { 27966b5ca76Sjayaprakash Mutyala if (e == nullptr) 28066b5ca76Sjayaprakash Mutyala { 28166b5ca76Sjayaprakash Mutyala messages::internalError(asyncResp->res); 28266b5ca76Sjayaprakash Mutyala return; 28366b5ca76Sjayaprakash Mutyala } 28466b5ca76Sjayaprakash Mutyala 285055806b3SManojkiran Eda const char* errorMessage = e->name; 28666b5ca76Sjayaprakash Mutyala if (strcmp(errorMessage, 28766b5ca76Sjayaprakash Mutyala "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0) 28866b5ca76Sjayaprakash Mutyala { 289d8a5d5d8SJiaqing Zhao messages::resourceAlreadyExists(asyncResp->res, "ManagerAccount", 29066b5ca76Sjayaprakash Mutyala "UserName", newUser); 29166b5ca76Sjayaprakash Mutyala } 29266b5ca76Sjayaprakash Mutyala else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error." 29366b5ca76Sjayaprakash Mutyala "UserNameDoesNotExist") == 0) 29466b5ca76Sjayaprakash Mutyala { 295d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", username); 29666b5ca76Sjayaprakash Mutyala } 297d4d25793SEd Tanous else if ((strcmp(errorMessage, 298d4d25793SEd Tanous "xyz.openbmc_project.Common.Error.InvalidArgument") == 299d4d25793SEd Tanous 0) || 3000fda0f12SGeorge Liu (strcmp( 3010fda0f12SGeorge Liu errorMessage, 3020fda0f12SGeorge Liu "xyz.openbmc_project.User.Common.Error.UserNameGroupFail") == 3030fda0f12SGeorge Liu 0)) 30466b5ca76Sjayaprakash Mutyala { 30566b5ca76Sjayaprakash Mutyala messages::propertyValueFormatError(asyncResp->res, newUser, "UserName"); 30666b5ca76Sjayaprakash Mutyala } 30766b5ca76Sjayaprakash Mutyala else if (strcmp(errorMessage, 30866b5ca76Sjayaprakash Mutyala "xyz.openbmc_project.User.Common.Error.NoResource") == 0) 30966b5ca76Sjayaprakash Mutyala { 31066b5ca76Sjayaprakash Mutyala messages::createLimitReachedForResource(asyncResp->res); 31166b5ca76Sjayaprakash Mutyala } 31266b5ca76Sjayaprakash Mutyala else 31366b5ca76Sjayaprakash Mutyala { 31466b5ca76Sjayaprakash Mutyala messages::internalError(asyncResp->res); 31566b5ca76Sjayaprakash Mutyala } 31666b5ca76Sjayaprakash Mutyala } 31766b5ca76Sjayaprakash Mutyala 31881ce609eSEd Tanous inline void parseLDAPConfigData(nlohmann::json& jsonResponse, 319ab828d7cSRatan Gupta const LDAPConfigData& confData, 320ab828d7cSRatan Gupta const std::string& ldapType) 3216973a582SRatan Gupta { 32289492a15SPatrick Williams std::string service = (ldapType == "LDAP") ? "LDAPService" 32389492a15SPatrick Williams : "ActiveDirectoryService"; 32454fc587aSNagaraju Goruganti 3251476687dSEd Tanous nlohmann::json& ldap = jsonResponse[ldapType]; 32654fc587aSNagaraju Goruganti 3271476687dSEd Tanous ldap["ServiceEnabled"] = confData.serviceEnabled; 3281476687dSEd Tanous ldap["ServiceAddresses"] = nlohmann::json::array({confData.uri}); 3290ec8b83dSEd Tanous ldap["Authentication"]["AuthenticationType"] = 3300ec8b83dSEd Tanous account_service::AuthenticationTypes::UsernameAndPassword; 3311476687dSEd Tanous ldap["Authentication"]["Username"] = confData.bindDN; 3321476687dSEd Tanous ldap["Authentication"]["Password"] = nullptr; 3331476687dSEd Tanous 3341476687dSEd Tanous ldap["LDAPService"]["SearchSettings"]["BaseDistinguishedNames"] = 3351476687dSEd Tanous nlohmann::json::array({confData.baseDN}); 3361476687dSEd Tanous ldap["LDAPService"]["SearchSettings"]["UsernameAttribute"] = 3371476687dSEd Tanous confData.userNameAttribute; 3381476687dSEd Tanous ldap["LDAPService"]["SearchSettings"]["GroupsAttribute"] = 3391476687dSEd Tanous confData.groupAttribute; 3401476687dSEd Tanous 3411476687dSEd Tanous nlohmann::json& roleMapArray = ldap["RemoteRoleMapping"]; 34254fc587aSNagaraju Goruganti roleMapArray = nlohmann::json::array(); 3439eb808c1SEd Tanous for (const auto& obj : confData.groupRoleList) 34454fc587aSNagaraju Goruganti { 34554fc587aSNagaraju Goruganti BMCWEB_LOG_DEBUG << "Pushing the data groupName=" 34654fc587aSNagaraju Goruganti << obj.second.groupName << "\n"; 347613dabeaSEd Tanous 348613dabeaSEd Tanous nlohmann::json::object_t remoteGroup; 349613dabeaSEd Tanous remoteGroup["RemoteGroup"] = obj.second.groupName; 350329f0348SJorge Cisneros remoteGroup["LocalRole"] = getRoleIdFromPrivilege(obj.second.privilege); 351329f0348SJorge Cisneros roleMapArray.emplace_back(std::move(remoteGroup)); 35254fc587aSNagaraju Goruganti } 3536973a582SRatan Gupta } 3546973a582SRatan Gupta 3556973a582SRatan Gupta /** 35606785244SRatan Gupta * @brief validates given JSON input and then calls appropriate method to 35706785244SRatan Gupta * create, to delete or to set Rolemapping object based on the given input. 35806785244SRatan Gupta * 35906785244SRatan Gupta */ 36023a21a1cSEd Tanous inline void handleRoleMapPatch( 3618d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 36206785244SRatan Gupta const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData, 363f23b7296SEd Tanous const std::string& serverType, const std::vector<nlohmann::json>& input) 36406785244SRatan Gupta { 36506785244SRatan Gupta for (size_t index = 0; index < input.size(); index++) 36606785244SRatan Gupta { 367f23b7296SEd Tanous const nlohmann::json& thisJson = input[index]; 36806785244SRatan Gupta 36906785244SRatan Gupta if (thisJson.is_null()) 37006785244SRatan Gupta { 37106785244SRatan Gupta // delete the existing object 37206785244SRatan Gupta if (index < roleMapObjData.size()) 37306785244SRatan Gupta { 37406785244SRatan Gupta crow::connections::systemBus->async_method_call( 37506785244SRatan Gupta [asyncResp, roleMapObjData, serverType, 3765e7e2dc5SEd Tanous index](const boost::system::error_code& ec) { 37706785244SRatan Gupta if (ec) 37806785244SRatan Gupta { 37906785244SRatan Gupta BMCWEB_LOG_ERROR << "DBUS response error: " << ec; 38006785244SRatan Gupta messages::internalError(asyncResp->res); 38106785244SRatan Gupta return; 38206785244SRatan Gupta } 38389492a15SPatrick Williams asyncResp->res.jsonValue[serverType]["RemoteRoleMapping"] 38489492a15SPatrick Williams [index] = nullptr; 38506785244SRatan Gupta }, 38606785244SRatan Gupta ldapDbusService, roleMapObjData[index].first, 38706785244SRatan Gupta "xyz.openbmc_project.Object.Delete", "Delete"); 38806785244SRatan Gupta } 38906785244SRatan Gupta else 39006785244SRatan Gupta { 39106785244SRatan Gupta BMCWEB_LOG_ERROR << "Can't delete the object"; 3922e8c4bdaSEd Tanous messages::propertyValueTypeError(asyncResp->res, thisJson, 3932e8c4bdaSEd Tanous "RemoteRoleMapping/" + 3942e8c4bdaSEd Tanous std::to_string(index)); 39506785244SRatan Gupta return; 39606785244SRatan Gupta } 39706785244SRatan Gupta } 39806785244SRatan Gupta else if (thisJson.empty()) 39906785244SRatan Gupta { 40006785244SRatan Gupta // Don't do anything for the empty objects,parse next json 40106785244SRatan Gupta // eg {"RemoteRoleMapping",[{}]} 40206785244SRatan Gupta } 40306785244SRatan Gupta else 40406785244SRatan Gupta { 40506785244SRatan Gupta // update/create the object 40606785244SRatan Gupta std::optional<std::string> remoteGroup; 40706785244SRatan Gupta std::optional<std::string> localRole; 40806785244SRatan Gupta 409f23b7296SEd Tanous // This is a copy, but it's required in this case because of how 410f23b7296SEd Tanous // readJson is structured 411f23b7296SEd Tanous nlohmann::json thisJsonCopy = thisJson; 412f23b7296SEd Tanous if (!json_util::readJson(thisJsonCopy, asyncResp->res, 413f23b7296SEd Tanous "RemoteGroup", remoteGroup, "LocalRole", 414f23b7296SEd Tanous localRole)) 41506785244SRatan Gupta { 41606785244SRatan Gupta continue; 41706785244SRatan Gupta } 41806785244SRatan Gupta 41906785244SRatan Gupta // Update existing RoleMapping Object 42006785244SRatan Gupta if (index < roleMapObjData.size()) 42106785244SRatan Gupta { 42206785244SRatan Gupta BMCWEB_LOG_DEBUG << "Update Role Map Object"; 42306785244SRatan Gupta // If "RemoteGroup" info is provided 42406785244SRatan Gupta if (remoteGroup) 42506785244SRatan Gupta { 4269ae226faSGeorge Liu sdbusplus::asio::setProperty( 4279ae226faSGeorge Liu *crow::connections::systemBus, ldapDbusService, 4289ae226faSGeorge Liu roleMapObjData[index].first, 4299ae226faSGeorge Liu "xyz.openbmc_project.User.PrivilegeMapperEntry", 4309ae226faSGeorge Liu "GroupName", *remoteGroup, 43106785244SRatan Gupta [asyncResp, roleMapObjData, serverType, index, 43225e055a3SRavi Teja remoteGroup](const boost::system::error_code& ec, 4337a543894SPatrick Williams const sdbusplus::message_t& msg) { 43406785244SRatan Gupta if (ec) 43506785244SRatan Gupta { 43625e055a3SRavi Teja const sd_bus_error* dbusError = msg.get_error(); 43725e055a3SRavi Teja if ((dbusError != nullptr) && 43825e055a3SRavi Teja (dbusError->name == 43925e055a3SRavi Teja std::string_view( 44025e055a3SRavi Teja "xyz.openbmc_project.Common.Error.InvalidArgument"))) 44125e055a3SRavi Teja { 44225e055a3SRavi Teja BMCWEB_LOG_WARNING << "DBUS response error: " 44325e055a3SRavi Teja << ec; 44425e055a3SRavi Teja messages::propertyValueIncorrect(asyncResp->res, 44525e055a3SRavi Teja "RemoteGroup", 44625e055a3SRavi Teja *remoteGroup); 44725e055a3SRavi Teja return; 44825e055a3SRavi Teja } 44906785244SRatan Gupta messages::internalError(asyncResp->res); 45006785244SRatan Gupta return; 45106785244SRatan Gupta } 45206785244SRatan Gupta asyncResp->res 453002d39b4SEd Tanous .jsonValue[serverType]["RemoteRoleMapping"][index] 454002d39b4SEd Tanous ["RemoteGroup"] = *remoteGroup; 4559ae226faSGeorge Liu }); 45606785244SRatan Gupta } 45706785244SRatan Gupta 45806785244SRatan Gupta // If "LocalRole" info is provided 45906785244SRatan Gupta if (localRole) 46006785244SRatan Gupta { 4619ae226faSGeorge Liu sdbusplus::asio::setProperty( 4629ae226faSGeorge Liu *crow::connections::systemBus, ldapDbusService, 4639ae226faSGeorge Liu roleMapObjData[index].first, 4649ae226faSGeorge Liu "xyz.openbmc_project.User.PrivilegeMapperEntry", 4659ae226faSGeorge Liu "Privilege", *localRole, 46606785244SRatan Gupta [asyncResp, roleMapObjData, serverType, index, 46725e055a3SRavi Teja localRole](const boost::system::error_code& ec, 4687a543894SPatrick Williams const sdbusplus::message_t& msg) { 46906785244SRatan Gupta if (ec) 47006785244SRatan Gupta { 47125e055a3SRavi Teja const sd_bus_error* dbusError = msg.get_error(); 47225e055a3SRavi Teja if ((dbusError != nullptr) && 47325e055a3SRavi Teja (dbusError->name == 47425e055a3SRavi Teja std::string_view( 47525e055a3SRavi Teja "xyz.openbmc_project.Common.Error.InvalidArgument"))) 47625e055a3SRavi Teja { 47725e055a3SRavi Teja BMCWEB_LOG_WARNING << "DBUS response error: " 47825e055a3SRavi Teja << ec; 47925e055a3SRavi Teja messages::propertyValueIncorrect( 48025e055a3SRavi Teja asyncResp->res, "LocalRole", *localRole); 48125e055a3SRavi Teja return; 48225e055a3SRavi Teja } 48306785244SRatan Gupta messages::internalError(asyncResp->res); 48406785244SRatan Gupta return; 48506785244SRatan Gupta } 48606785244SRatan Gupta asyncResp->res 487002d39b4SEd Tanous .jsonValue[serverType]["RemoteRoleMapping"][index] 488002d39b4SEd Tanous ["LocalRole"] = *localRole; 4899ae226faSGeorge Liu }); 49006785244SRatan Gupta } 49106785244SRatan Gupta } 49206785244SRatan Gupta // Create a new RoleMapping Object. 49306785244SRatan Gupta else 49406785244SRatan Gupta { 49506785244SRatan Gupta BMCWEB_LOG_DEBUG 49606785244SRatan Gupta << "setRoleMappingProperties: Creating new Object"; 49789492a15SPatrick Williams std::string pathString = "RemoteRoleMapping/" + 49889492a15SPatrick Williams std::to_string(index); 49906785244SRatan Gupta 50006785244SRatan Gupta if (!localRole) 50106785244SRatan Gupta { 50206785244SRatan Gupta messages::propertyMissing(asyncResp->res, 50306785244SRatan Gupta pathString + "/LocalRole"); 50406785244SRatan Gupta continue; 50506785244SRatan Gupta } 50606785244SRatan Gupta if (!remoteGroup) 50706785244SRatan Gupta { 50806785244SRatan Gupta messages::propertyMissing(asyncResp->res, 50906785244SRatan Gupta pathString + "/RemoteGroup"); 51006785244SRatan Gupta continue; 51106785244SRatan Gupta } 51206785244SRatan Gupta 51306785244SRatan Gupta std::string dbusObjectPath; 51406785244SRatan Gupta if (serverType == "ActiveDirectory") 51506785244SRatan Gupta { 5162c70f800SEd Tanous dbusObjectPath = adConfigObject; 51706785244SRatan Gupta } 51806785244SRatan Gupta else if (serverType == "LDAP") 51906785244SRatan Gupta { 52023a21a1cSEd Tanous dbusObjectPath = ldapConfigObjectName; 52106785244SRatan Gupta } 52206785244SRatan Gupta 52306785244SRatan Gupta BMCWEB_LOG_DEBUG << "Remote Group=" << *remoteGroup 52406785244SRatan Gupta << ",LocalRole=" << *localRole; 52506785244SRatan Gupta 52606785244SRatan Gupta crow::connections::systemBus->async_method_call( 527271584abSEd Tanous [asyncResp, serverType, localRole, 5285e7e2dc5SEd Tanous remoteGroup](const boost::system::error_code& ec) { 52906785244SRatan Gupta if (ec) 53006785244SRatan Gupta { 53106785244SRatan Gupta BMCWEB_LOG_ERROR << "DBUS response error: " << ec; 53206785244SRatan Gupta messages::internalError(asyncResp->res); 53306785244SRatan Gupta return; 53406785244SRatan Gupta } 53506785244SRatan Gupta nlohmann::json& remoteRoleJson = 53606785244SRatan Gupta asyncResp->res 53706785244SRatan Gupta .jsonValue[serverType]["RemoteRoleMapping"]; 5381476687dSEd Tanous nlohmann::json::object_t roleMapEntry; 5391476687dSEd Tanous roleMapEntry["LocalRole"] = *localRole; 5401476687dSEd Tanous roleMapEntry["RemoteGroup"] = *remoteGroup; 541b2ba3072SPatrick Williams remoteRoleJson.emplace_back(std::move(roleMapEntry)); 54206785244SRatan Gupta }, 54306785244SRatan Gupta ldapDbusService, dbusObjectPath, ldapPrivMapperInterface, 5443174e4dfSEd Tanous "Create", *remoteGroup, 54506785244SRatan Gupta getPrivilegeFromRoleId(std::move(*localRole))); 54606785244SRatan Gupta } 54706785244SRatan Gupta } 54806785244SRatan Gupta } 54906785244SRatan Gupta } 55006785244SRatan Gupta 55106785244SRatan Gupta /** 5526973a582SRatan Gupta * Function that retrieves all properties for LDAP config object 5536973a582SRatan Gupta * into JSON 5546973a582SRatan Gupta */ 5556973a582SRatan Gupta template <typename CallbackFunc> 5566973a582SRatan Gupta inline void getLDAPConfigData(const std::string& ldapType, 5576973a582SRatan Gupta CallbackFunc&& callback) 5586973a582SRatan Gupta { 5592b73119cSGeorge Liu constexpr std::array<std::string_view, 2> interfaces = { 5602b73119cSGeorge Liu ldapEnableInterface, ldapConfigInterface}; 56154fc587aSNagaraju Goruganti 5622b73119cSGeorge Liu dbus::utility::getDbusObject( 5632b73119cSGeorge Liu ldapConfigObjectName, interfaces, 5642b73119cSGeorge Liu [callback, ldapType](const boost::system::error_code& ec, 565b9d36b47SEd Tanous const dbus::utility::MapperGetObject& resp) { 56654fc587aSNagaraju Goruganti if (ec || resp.empty()) 56754fc587aSNagaraju Goruganti { 5680fda0f12SGeorge Liu BMCWEB_LOG_ERROR 569002d39b4SEd Tanous << "DBUS response error during getting of service name: " << ec; 57023a21a1cSEd Tanous LDAPConfigData empty{}; 57123a21a1cSEd Tanous callback(false, empty, ldapType); 57254fc587aSNagaraju Goruganti return; 57354fc587aSNagaraju Goruganti } 57454fc587aSNagaraju Goruganti std::string service = resp.begin()->first; 5755eb468daSGeorge Liu sdbusplus::message::object_path path(ldapRootObject); 5765eb468daSGeorge Liu dbus::utility::getManagedObjects( 5775eb468daSGeorge Liu service, path, 578002d39b4SEd Tanous [callback, 5795e7e2dc5SEd Tanous ldapType](const boost::system::error_code& errorCode, 580711ac7a9SEd Tanous const dbus::utility::ManagedObjectType& ldapObjects) { 5816973a582SRatan Gupta LDAPConfigData confData{}; 58281ce609eSEd Tanous if (errorCode) 5836973a582SRatan Gupta { 584ab828d7cSRatan Gupta callback(false, confData, ldapType); 585002d39b4SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << errorCode; 5866973a582SRatan Gupta return; 5876973a582SRatan Gupta } 588ab828d7cSRatan Gupta 589ab828d7cSRatan Gupta std::string ldapDbusType; 59054fc587aSNagaraju Goruganti std::string searchString; 59154fc587aSNagaraju Goruganti 592ab828d7cSRatan Gupta if (ldapType == "LDAP") 593ab828d7cSRatan Gupta { 5940fda0f12SGeorge Liu ldapDbusType = 5950fda0f12SGeorge Liu "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap"; 59654fc587aSNagaraju Goruganti searchString = "openldap"; 597ab828d7cSRatan Gupta } 598ab828d7cSRatan Gupta else if (ldapType == "ActiveDirectory") 599ab828d7cSRatan Gupta { 60054fc587aSNagaraju Goruganti ldapDbusType = 6010fda0f12SGeorge Liu "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory"; 60254fc587aSNagaraju Goruganti searchString = "active_directory"; 603ab828d7cSRatan Gupta } 604ab828d7cSRatan Gupta else 605ab828d7cSRatan Gupta { 606002d39b4SEd Tanous BMCWEB_LOG_ERROR << "Can't get the DbusType for the given type=" 607ab828d7cSRatan Gupta << ldapType; 608ab828d7cSRatan Gupta callback(false, confData, ldapType); 609ab828d7cSRatan Gupta return; 610ab828d7cSRatan Gupta } 611ab828d7cSRatan Gupta 612ab828d7cSRatan Gupta std::string ldapEnableInterfaceStr = ldapEnableInterface; 613ab828d7cSRatan Gupta std::string ldapConfigInterfaceStr = ldapConfigInterface; 614ab828d7cSRatan Gupta 6156973a582SRatan Gupta for (const auto& object : ldapObjects) 6166973a582SRatan Gupta { 61754fc587aSNagaraju Goruganti // let's find the object whose ldap type is equal to the 61854fc587aSNagaraju Goruganti // given type 619002d39b4SEd Tanous if (object.first.str.find(searchString) == std::string::npos) 6206973a582SRatan Gupta { 621ab828d7cSRatan Gupta continue; 622ab828d7cSRatan Gupta } 623ab828d7cSRatan Gupta 6246973a582SRatan Gupta for (const auto& interface : object.second) 6256973a582SRatan Gupta { 6266973a582SRatan Gupta if (interface.first == ldapEnableInterfaceStr) 6276973a582SRatan Gupta { 6286973a582SRatan Gupta // rest of the properties are string. 6296973a582SRatan Gupta for (const auto& property : interface.second) 6306973a582SRatan Gupta { 6316973a582SRatan Gupta if (property.first == "Enabled") 6326973a582SRatan Gupta { 6336973a582SRatan Gupta const bool* value = 6346973a582SRatan Gupta std::get_if<bool>(&property.second); 6356973a582SRatan Gupta if (value == nullptr) 6366973a582SRatan Gupta { 6376973a582SRatan Gupta continue; 6386973a582SRatan Gupta } 6396973a582SRatan Gupta confData.serviceEnabled = *value; 6406973a582SRatan Gupta break; 6416973a582SRatan Gupta } 6426973a582SRatan Gupta } 6436973a582SRatan Gupta } 6446973a582SRatan Gupta else if (interface.first == ldapConfigInterfaceStr) 6456973a582SRatan Gupta { 6466973a582SRatan Gupta for (const auto& property : interface.second) 6476973a582SRatan Gupta { 648271584abSEd Tanous const std::string* strValue = 649002d39b4SEd Tanous std::get_if<std::string>(&property.second); 650271584abSEd Tanous if (strValue == nullptr) 6516973a582SRatan Gupta { 6526973a582SRatan Gupta continue; 6536973a582SRatan Gupta } 6546973a582SRatan Gupta if (property.first == "LDAPServerURI") 6556973a582SRatan Gupta { 656271584abSEd Tanous confData.uri = *strValue; 6576973a582SRatan Gupta } 6586973a582SRatan Gupta else if (property.first == "LDAPBindDN") 6596973a582SRatan Gupta { 660271584abSEd Tanous confData.bindDN = *strValue; 6616973a582SRatan Gupta } 6626973a582SRatan Gupta else if (property.first == "LDAPBaseDN") 6636973a582SRatan Gupta { 664271584abSEd Tanous confData.baseDN = *strValue; 6656973a582SRatan Gupta } 666002d39b4SEd Tanous else if (property.first == "LDAPSearchScope") 6676973a582SRatan Gupta { 668271584abSEd Tanous confData.searchScope = *strValue; 6696973a582SRatan Gupta } 670002d39b4SEd Tanous else if (property.first == "GroupNameAttribute") 6716973a582SRatan Gupta { 672271584abSEd Tanous confData.groupAttribute = *strValue; 6736973a582SRatan Gupta } 674002d39b4SEd Tanous else if (property.first == "UserNameAttribute") 6756973a582SRatan Gupta { 676271584abSEd Tanous confData.userNameAttribute = *strValue; 6776973a582SRatan Gupta } 67854fc587aSNagaraju Goruganti else if (property.first == "LDAPType") 679ab828d7cSRatan Gupta { 680271584abSEd Tanous confData.serverType = *strValue; 68154fc587aSNagaraju Goruganti } 68254fc587aSNagaraju Goruganti } 68354fc587aSNagaraju Goruganti } 684002d39b4SEd Tanous else if (interface.first == 6850fda0f12SGeorge Liu "xyz.openbmc_project.User.PrivilegeMapperEntry") 68654fc587aSNagaraju Goruganti { 68754fc587aSNagaraju Goruganti LDAPRoleMapData roleMapData{}; 68854fc587aSNagaraju Goruganti for (const auto& property : interface.second) 68954fc587aSNagaraju Goruganti { 690271584abSEd Tanous const std::string* strValue = 691002d39b4SEd Tanous std::get_if<std::string>(&property.second); 69254fc587aSNagaraju Goruganti 693271584abSEd Tanous if (strValue == nullptr) 69454fc587aSNagaraju Goruganti { 69554fc587aSNagaraju Goruganti continue; 69654fc587aSNagaraju Goruganti } 69754fc587aSNagaraju Goruganti 69854fc587aSNagaraju Goruganti if (property.first == "GroupName") 69954fc587aSNagaraju Goruganti { 700271584abSEd Tanous roleMapData.groupName = *strValue; 70154fc587aSNagaraju Goruganti } 70254fc587aSNagaraju Goruganti else if (property.first == "Privilege") 70354fc587aSNagaraju Goruganti { 704271584abSEd Tanous roleMapData.privilege = *strValue; 70554fc587aSNagaraju Goruganti } 70654fc587aSNagaraju Goruganti } 70754fc587aSNagaraju Goruganti 708002d39b4SEd Tanous confData.groupRoleList.emplace_back(object.first.str, 709002d39b4SEd Tanous roleMapData); 71054fc587aSNagaraju Goruganti } 71154fc587aSNagaraju Goruganti } 71254fc587aSNagaraju Goruganti } 713ab828d7cSRatan Gupta callback(true, confData, ldapType); 7145eb468daSGeorge Liu }); 7152b73119cSGeorge Liu }); 7166973a582SRatan Gupta } 7176973a582SRatan Gupta 7188a07d286SRatan Gupta /** 7198a07d286SRatan Gupta * @brief parses the authentication section under the LDAP 7208a07d286SRatan Gupta * @param input JSON data 7218a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7228a07d286SRatan Gupta * @param userName userName to be filled from the given JSON. 7238a07d286SRatan Gupta * @param password password to be filled from the given JSON. 7248a07d286SRatan Gupta */ 7254f48d5f6SEd Tanous inline void parseLDAPAuthenticationJson( 7266c51eab1SEd Tanous nlohmann::json input, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7276c51eab1SEd Tanous std::optional<std::string>& username, std::optional<std::string>& password) 7288a07d286SRatan Gupta { 7298a07d286SRatan Gupta std::optional<std::string> authType; 7308a07d286SRatan Gupta 7318a07d286SRatan Gupta if (!json_util::readJson(input, asyncResp->res, "AuthenticationType", 7328a07d286SRatan Gupta authType, "Username", username, "Password", 7338a07d286SRatan Gupta password)) 7348a07d286SRatan Gupta { 7358a07d286SRatan Gupta return; 7368a07d286SRatan Gupta } 7378a07d286SRatan Gupta if (!authType) 7388a07d286SRatan Gupta { 7398a07d286SRatan Gupta return; 7408a07d286SRatan Gupta } 7418a07d286SRatan Gupta if (*authType != "UsernameAndPassword") 7428a07d286SRatan Gupta { 7438a07d286SRatan Gupta messages::propertyValueNotInList(asyncResp->res, *authType, 7448a07d286SRatan Gupta "AuthenticationType"); 7458a07d286SRatan Gupta return; 7468a07d286SRatan Gupta } 7478a07d286SRatan Gupta } 7488a07d286SRatan Gupta /** 7498a07d286SRatan Gupta * @brief parses the LDAPService section under the LDAP 7508a07d286SRatan Gupta * @param input JSON data 7518a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7528a07d286SRatan Gupta * @param baseDNList baseDN to be filled from the given JSON. 7538a07d286SRatan Gupta * @param userNameAttribute userName to be filled from the given JSON. 7548a07d286SRatan Gupta * @param groupaAttribute password to be filled from the given JSON. 7558a07d286SRatan Gupta */ 7568a07d286SRatan Gupta 7574f48d5f6SEd Tanous inline void 7584f48d5f6SEd Tanous parseLDAPServiceJson(nlohmann::json input, 7598d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7608a07d286SRatan Gupta std::optional<std::vector<std::string>>& baseDNList, 7618a07d286SRatan Gupta std::optional<std::string>& userNameAttribute, 7628a07d286SRatan Gupta std::optional<std::string>& groupsAttribute) 7638a07d286SRatan Gupta { 7648a07d286SRatan Gupta std::optional<nlohmann::json> searchSettings; 7658a07d286SRatan Gupta 7668a07d286SRatan Gupta if (!json_util::readJson(input, asyncResp->res, "SearchSettings", 7678a07d286SRatan Gupta searchSettings)) 7688a07d286SRatan Gupta { 7698a07d286SRatan Gupta return; 7708a07d286SRatan Gupta } 7718a07d286SRatan Gupta if (!searchSettings) 7728a07d286SRatan Gupta { 7738a07d286SRatan Gupta return; 7748a07d286SRatan Gupta } 7758a07d286SRatan Gupta if (!json_util::readJson(*searchSettings, asyncResp->res, 7768a07d286SRatan Gupta "BaseDistinguishedNames", baseDNList, 7778a07d286SRatan Gupta "UsernameAttribute", userNameAttribute, 7788a07d286SRatan Gupta "GroupsAttribute", groupsAttribute)) 7798a07d286SRatan Gupta { 7808a07d286SRatan Gupta return; 7818a07d286SRatan Gupta } 7828a07d286SRatan Gupta } 7838a07d286SRatan Gupta /** 7848a07d286SRatan Gupta * @brief updates the LDAP server address and updates the 7858a07d286SRatan Gupta json response with the new value. 7868a07d286SRatan Gupta * @param serviceAddressList address to be updated. 7878a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 7888a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 7898a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 7908a07d286SRatan Gupta */ 7918a07d286SRatan Gupta 7924f48d5f6SEd Tanous inline void handleServiceAddressPatch( 7938a07d286SRatan Gupta const std::vector<std::string>& serviceAddressList, 7948d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 7958a07d286SRatan Gupta const std::string& ldapServerElementName, 7968a07d286SRatan Gupta const std::string& ldapConfigObject) 7978a07d286SRatan Gupta { 7989ae226faSGeorge Liu sdbusplus::asio::setProperty( 7999ae226faSGeorge Liu *crow::connections::systemBus, ldapDbusService, ldapConfigObject, 8009ae226faSGeorge Liu ldapConfigInterface, "LDAPServerURI", serviceAddressList.front(), 8017a543894SPatrick Williams [asyncResp, ldapServerElementName, serviceAddressList]( 8027a543894SPatrick Williams const boost::system::error_code& ec, sdbusplus::message_t& msg) { 8038a07d286SRatan Gupta if (ec) 8048a07d286SRatan Gupta { 80525e055a3SRavi Teja const sd_bus_error* dbusError = msg.get_error(); 80625e055a3SRavi Teja if ((dbusError != nullptr) && 80725e055a3SRavi Teja (dbusError->name == 80825e055a3SRavi Teja std::string_view( 80925e055a3SRavi Teja "xyz.openbmc_project.Common.Error.InvalidArgument"))) 81025e055a3SRavi Teja { 81125e055a3SRavi Teja BMCWEB_LOG_WARNING 812c61704abSGunnar Mills << "Error Occurred in updating the service address"; 81325e055a3SRavi Teja messages::propertyValueIncorrect(asyncResp->res, 81425e055a3SRavi Teja "ServiceAddresses", 81525e055a3SRavi Teja serviceAddressList.front()); 81625e055a3SRavi Teja return; 81725e055a3SRavi Teja } 8188a07d286SRatan Gupta messages::internalError(asyncResp->res); 8198a07d286SRatan Gupta return; 8208a07d286SRatan Gupta } 8218a07d286SRatan Gupta std::vector<std::string> modifiedserviceAddressList = { 8228a07d286SRatan Gupta serviceAddressList.front()}; 823002d39b4SEd Tanous asyncResp->res.jsonValue[ldapServerElementName]["ServiceAddresses"] = 8248a07d286SRatan Gupta modifiedserviceAddressList; 8258a07d286SRatan Gupta if ((serviceAddressList).size() > 1) 8268a07d286SRatan Gupta { 827002d39b4SEd Tanous messages::propertyValueModified(asyncResp->res, "ServiceAddresses", 8288a07d286SRatan Gupta serviceAddressList.front()); 8298a07d286SRatan Gupta } 8308a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the service address"; 8319ae226faSGeorge Liu }); 8328a07d286SRatan Gupta } 8338a07d286SRatan Gupta /** 8348a07d286SRatan Gupta * @brief updates the LDAP Bind DN and updates the 8358a07d286SRatan Gupta json response with the new value. 8368a07d286SRatan Gupta * @param username name of the user which needs to be updated. 8378a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 8388a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 8398a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 8408a07d286SRatan Gupta */ 8418a07d286SRatan Gupta 8424f48d5f6SEd Tanous inline void 8434f48d5f6SEd Tanous handleUserNamePatch(const std::string& username, 8448d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 8458a07d286SRatan Gupta const std::string& ldapServerElementName, 8468a07d286SRatan Gupta const std::string& ldapConfigObject) 8478a07d286SRatan Gupta { 8489ae226faSGeorge Liu sdbusplus::asio::setProperty(*crow::connections::systemBus, ldapDbusService, 8499ae226faSGeorge Liu ldapConfigObject, ldapConfigInterface, 8509ae226faSGeorge Liu "LDAPBindDN", username, 8519ae226faSGeorge Liu [asyncResp, username, ldapServerElementName]( 8529ae226faSGeorge Liu const boost::system::error_code& ec) { 8538a07d286SRatan Gupta if (ec) 8548a07d286SRatan Gupta { 8556c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Error occurred in updating the username"; 8568a07d286SRatan Gupta messages::internalError(asyncResp->res); 8578a07d286SRatan Gupta return; 8588a07d286SRatan Gupta } 85989492a15SPatrick Williams asyncResp->res.jsonValue[ldapServerElementName]["Authentication"] 86089492a15SPatrick Williams ["Username"] = username; 8618a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the username"; 8629ae226faSGeorge Liu }); 8638a07d286SRatan Gupta } 8648a07d286SRatan Gupta 8658a07d286SRatan Gupta /** 8668a07d286SRatan Gupta * @brief updates the LDAP password 8678a07d286SRatan Gupta * @param password : ldap password which needs to be updated. 8688a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 8698a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 8708a07d286SRatan Gupta * server(openLDAP/ActiveDirectory) 8718a07d286SRatan Gupta */ 8728a07d286SRatan Gupta 8734f48d5f6SEd Tanous inline void 8744f48d5f6SEd Tanous handlePasswordPatch(const std::string& password, 8758d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 8768a07d286SRatan Gupta const std::string& ldapServerElementName, 8778a07d286SRatan Gupta const std::string& ldapConfigObject) 8788a07d286SRatan Gupta { 8799ae226faSGeorge Liu sdbusplus::asio::setProperty(*crow::connections::systemBus, ldapDbusService, 8809ae226faSGeorge Liu ldapConfigObject, ldapConfigInterface, 8819ae226faSGeorge Liu "LDAPBindDNPassword", password, 8829ae226faSGeorge Liu [asyncResp, password, ldapServerElementName]( 8839ae226faSGeorge Liu const boost::system::error_code& ec) { 8848a07d286SRatan Gupta if (ec) 8858a07d286SRatan Gupta { 8866c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Error occurred in updating the password"; 8878a07d286SRatan Gupta messages::internalError(asyncResp->res); 8888a07d286SRatan Gupta return; 8898a07d286SRatan Gupta } 89089492a15SPatrick Williams asyncResp->res.jsonValue[ldapServerElementName]["Authentication"] 89189492a15SPatrick Williams ["Password"] = ""; 8928a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the password"; 8939ae226faSGeorge Liu }); 8948a07d286SRatan Gupta } 8958a07d286SRatan Gupta 8968a07d286SRatan Gupta /** 8978a07d286SRatan Gupta * @brief updates the LDAP BaseDN and updates the 8988a07d286SRatan Gupta json response with the new value. 8998a07d286SRatan Gupta * @param baseDNList baseDN list which needs to be updated. 9008a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 9018a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 9028a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 9038a07d286SRatan Gupta */ 9048a07d286SRatan Gupta 9054f48d5f6SEd Tanous inline void 9064f48d5f6SEd Tanous handleBaseDNPatch(const std::vector<std::string>& baseDNList, 9078d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 9088a07d286SRatan Gupta const std::string& ldapServerElementName, 9098a07d286SRatan Gupta const std::string& ldapConfigObject) 9108a07d286SRatan Gupta { 9119ae226faSGeorge Liu sdbusplus::asio::setProperty(*crow::connections::systemBus, ldapDbusService, 9129ae226faSGeorge Liu ldapConfigObject, ldapConfigInterface, 9139ae226faSGeorge Liu "LDAPBaseDN", baseDNList.front(), 9149ae226faSGeorge Liu [asyncResp, baseDNList, ldapServerElementName]( 9159ae226faSGeorge Liu const boost::system::error_code& ec, 9167a543894SPatrick Williams const sdbusplus::message_t& msg) { 9178a07d286SRatan Gupta if (ec) 9188a07d286SRatan Gupta { 9196c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Error Occurred in Updating the base DN"; 92025e055a3SRavi Teja const sd_bus_error* dbusError = msg.get_error(); 92125e055a3SRavi Teja if ((dbusError != nullptr) && 92225e055a3SRavi Teja (dbusError->name == 92325e055a3SRavi Teja std::string_view( 92425e055a3SRavi Teja "xyz.openbmc_project.Common.Error.InvalidArgument"))) 92525e055a3SRavi Teja { 92625e055a3SRavi Teja messages::propertyValueIncorrect(asyncResp->res, 92725e055a3SRavi Teja "BaseDistinguishedNames", 92825e055a3SRavi Teja baseDNList.front()); 92925e055a3SRavi Teja return; 93025e055a3SRavi Teja } 9318a07d286SRatan Gupta messages::internalError(asyncResp->res); 9328a07d286SRatan Gupta return; 9338a07d286SRatan Gupta } 934002d39b4SEd Tanous auto& serverTypeJson = asyncResp->res.jsonValue[ldapServerElementName]; 9358a07d286SRatan Gupta auto& searchSettingsJson = 9368a07d286SRatan Gupta serverTypeJson["LDAPService"]["SearchSettings"]; 9376c51eab1SEd Tanous std::vector<std::string> modifiedBaseDNList = {baseDNList.front()}; 9386c51eab1SEd Tanous searchSettingsJson["BaseDistinguishedNames"] = modifiedBaseDNList; 9398a07d286SRatan Gupta if (baseDNList.size() > 1) 9408a07d286SRatan Gupta { 941002d39b4SEd Tanous messages::propertyValueModified( 942002d39b4SEd Tanous asyncResp->res, "BaseDistinguishedNames", baseDNList.front()); 9438a07d286SRatan Gupta } 9448a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the base DN"; 9459ae226faSGeorge Liu }); 9468a07d286SRatan Gupta } 9478a07d286SRatan Gupta /** 9488a07d286SRatan Gupta * @brief updates the LDAP user name attribute and updates the 9498a07d286SRatan Gupta json response with the new value. 9508a07d286SRatan Gupta * @param userNameAttribute attribute to be updated. 9518a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 9528a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 9538a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 9548a07d286SRatan Gupta */ 9558a07d286SRatan Gupta 9564f48d5f6SEd Tanous inline void 9574f48d5f6SEd Tanous handleUserNameAttrPatch(const std::string& userNameAttribute, 9588d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 9598a07d286SRatan Gupta const std::string& ldapServerElementName, 9608a07d286SRatan Gupta const std::string& ldapConfigObject) 9618a07d286SRatan Gupta { 9629ae226faSGeorge Liu sdbusplus::asio::setProperty( 9639ae226faSGeorge Liu *crow::connections::systemBus, ldapDbusService, ldapConfigObject, 9649ae226faSGeorge Liu ldapConfigInterface, "UserNameAttribute", userNameAttribute, 9658a07d286SRatan Gupta [asyncResp, userNameAttribute, 9665e7e2dc5SEd Tanous ldapServerElementName](const boost::system::error_code& ec) { 9678a07d286SRatan Gupta if (ec) 9688a07d286SRatan Gupta { 969c61704abSGunnar Mills BMCWEB_LOG_DEBUG << "Error Occurred in Updating the " 9708a07d286SRatan Gupta "username attribute"; 9718a07d286SRatan Gupta messages::internalError(asyncResp->res); 9728a07d286SRatan Gupta return; 9738a07d286SRatan Gupta } 974002d39b4SEd Tanous auto& serverTypeJson = asyncResp->res.jsonValue[ldapServerElementName]; 9758a07d286SRatan Gupta auto& searchSettingsJson = 9768a07d286SRatan Gupta serverTypeJson["LDAPService"]["SearchSettings"]; 9778a07d286SRatan Gupta searchSettingsJson["UsernameAttribute"] = userNameAttribute; 9788a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the user name attr."; 9799ae226faSGeorge Liu }); 9808a07d286SRatan Gupta } 9818a07d286SRatan Gupta /** 9828a07d286SRatan Gupta * @brief updates the LDAP group attribute and updates the 9838a07d286SRatan Gupta json response with the new value. 9848a07d286SRatan Gupta * @param groupsAttribute attribute to be updated. 9858a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 9868a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 9878a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 9888a07d286SRatan Gupta */ 9898a07d286SRatan Gupta 9904f48d5f6SEd Tanous inline void handleGroupNameAttrPatch( 9918d1b46d7Szhanghch05 const std::string& groupsAttribute, 9928d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 9938a07d286SRatan Gupta const std::string& ldapServerElementName, 9948a07d286SRatan Gupta const std::string& ldapConfigObject) 9958a07d286SRatan Gupta { 9969ae226faSGeorge Liu sdbusplus::asio::setProperty( 9979ae226faSGeorge Liu *crow::connections::systemBus, ldapDbusService, ldapConfigObject, 9989ae226faSGeorge Liu ldapConfigInterface, "GroupNameAttribute", groupsAttribute, 9998a07d286SRatan Gupta [asyncResp, groupsAttribute, 10005e7e2dc5SEd Tanous ldapServerElementName](const boost::system::error_code& ec) { 10018a07d286SRatan Gupta if (ec) 10028a07d286SRatan Gupta { 1003c61704abSGunnar Mills BMCWEB_LOG_DEBUG << "Error Occurred in Updating the " 10048a07d286SRatan Gupta "groupname attribute"; 10058a07d286SRatan Gupta messages::internalError(asyncResp->res); 10068a07d286SRatan Gupta return; 10078a07d286SRatan Gupta } 1008002d39b4SEd Tanous auto& serverTypeJson = asyncResp->res.jsonValue[ldapServerElementName]; 10098a07d286SRatan Gupta auto& searchSettingsJson = 10108a07d286SRatan Gupta serverTypeJson["LDAPService"]["SearchSettings"]; 10118a07d286SRatan Gupta searchSettingsJson["GroupsAttribute"] = groupsAttribute; 10128a07d286SRatan Gupta BMCWEB_LOG_DEBUG << "Updated the groupname attr"; 10139ae226faSGeorge Liu }); 10148a07d286SRatan Gupta } 10158a07d286SRatan Gupta /** 10168a07d286SRatan Gupta * @brief updates the LDAP service enable and updates the 10178a07d286SRatan Gupta json response with the new value. 10188a07d286SRatan Gupta * @param input JSON data. 10198a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 10208a07d286SRatan Gupta * @param ldapServerElementName Type of LDAP 10218a07d286SRatan Gupta server(openLDAP/ActiveDirectory) 10228a07d286SRatan Gupta */ 10238a07d286SRatan Gupta 10244f48d5f6SEd Tanous inline void handleServiceEnablePatch( 10256c51eab1SEd Tanous bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 10268a07d286SRatan Gupta const std::string& ldapServerElementName, 10278a07d286SRatan Gupta const std::string& ldapConfigObject) 10288a07d286SRatan Gupta { 10299ae226faSGeorge Liu sdbusplus::asio::setProperty( 10309ae226faSGeorge Liu *crow::connections::systemBus, ldapDbusService, ldapConfigObject, 10319ae226faSGeorge Liu ldapEnableInterface, "Enabled", serviceEnabled, 10328a07d286SRatan Gupta [asyncResp, serviceEnabled, 10335e7e2dc5SEd Tanous ldapServerElementName](const boost::system::error_code& ec) { 10348a07d286SRatan Gupta if (ec) 10358a07d286SRatan Gupta { 1036002d39b4SEd Tanous BMCWEB_LOG_DEBUG << "Error Occurred in Updating the service enable"; 10378a07d286SRatan Gupta messages::internalError(asyncResp->res); 10388a07d286SRatan Gupta return; 10398a07d286SRatan Gupta } 10406c51eab1SEd Tanous asyncResp->res.jsonValue[ldapServerElementName]["ServiceEnabled"] = 10418a07d286SRatan Gupta serviceEnabled; 10426c51eab1SEd Tanous BMCWEB_LOG_DEBUG << "Updated Service enable = " << serviceEnabled; 10439ae226faSGeorge Liu }); 10448a07d286SRatan Gupta } 10458a07d286SRatan Gupta 10464f48d5f6SEd Tanous inline void 10474f48d5f6SEd Tanous handleAuthMethodsPatch(nlohmann::json& input, 10488d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 104978158631SZbigniew Kurzynski { 105078158631SZbigniew Kurzynski std::optional<bool> basicAuth; 105178158631SZbigniew Kurzynski std::optional<bool> cookie; 105278158631SZbigniew Kurzynski std::optional<bool> sessionToken; 105378158631SZbigniew Kurzynski std::optional<bool> xToken; 1054501f1e58SZbigniew Kurzynski std::optional<bool> tls; 105578158631SZbigniew Kurzynski 105678158631SZbigniew Kurzynski if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth, 105778158631SZbigniew Kurzynski "Cookie", cookie, "SessionToken", sessionToken, 1058501f1e58SZbigniew Kurzynski "XToken", xToken, "TLS", tls)) 105978158631SZbigniew Kurzynski { 106078158631SZbigniew Kurzynski BMCWEB_LOG_ERROR << "Cannot read values from AuthMethod tag"; 106178158631SZbigniew Kurzynski return; 106278158631SZbigniew Kurzynski } 106378158631SZbigniew Kurzynski 106478158631SZbigniew Kurzynski // Make a copy of methods configuration 106552cc112dSEd Tanous persistent_data::AuthConfigMethods authMethodsConfig = 106652cc112dSEd Tanous persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 106778158631SZbigniew Kurzynski 106878158631SZbigniew Kurzynski if (basicAuth) 106978158631SZbigniew Kurzynski { 1070f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_BASIC_AUTHENTICATION 1071f16f6263SAlan Kuo messages::actionNotSupported( 10720fda0f12SGeorge Liu asyncResp->res, 10730fda0f12SGeorge Liu "Setting BasicAuth when basic-auth feature is disabled"); 1074f16f6263SAlan Kuo return; 1075f16f6263SAlan Kuo #endif 107678158631SZbigniew Kurzynski authMethodsConfig.basic = *basicAuth; 107778158631SZbigniew Kurzynski } 107878158631SZbigniew Kurzynski 107978158631SZbigniew Kurzynski if (cookie) 108078158631SZbigniew Kurzynski { 1081f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_COOKIE_AUTHENTICATION 10820fda0f12SGeorge Liu messages::actionNotSupported( 10830fda0f12SGeorge Liu asyncResp->res, 10840fda0f12SGeorge Liu "Setting Cookie when cookie-auth feature is disabled"); 1085f16f6263SAlan Kuo return; 1086f16f6263SAlan Kuo #endif 108778158631SZbigniew Kurzynski authMethodsConfig.cookie = *cookie; 108878158631SZbigniew Kurzynski } 108978158631SZbigniew Kurzynski 109078158631SZbigniew Kurzynski if (sessionToken) 109178158631SZbigniew Kurzynski { 1092f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_SESSION_AUTHENTICATION 1093f16f6263SAlan Kuo messages::actionNotSupported( 10940fda0f12SGeorge Liu asyncResp->res, 10950fda0f12SGeorge Liu "Setting SessionToken when session-auth feature is disabled"); 1096f16f6263SAlan Kuo return; 1097f16f6263SAlan Kuo #endif 109878158631SZbigniew Kurzynski authMethodsConfig.sessionToken = *sessionToken; 109978158631SZbigniew Kurzynski } 110078158631SZbigniew Kurzynski 110178158631SZbigniew Kurzynski if (xToken) 110278158631SZbigniew Kurzynski { 1103f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION 11040fda0f12SGeorge Liu messages::actionNotSupported( 11050fda0f12SGeorge Liu asyncResp->res, 11060fda0f12SGeorge Liu "Setting XToken when xtoken-auth feature is disabled"); 1107f16f6263SAlan Kuo return; 1108f16f6263SAlan Kuo #endif 110978158631SZbigniew Kurzynski authMethodsConfig.xtoken = *xToken; 111078158631SZbigniew Kurzynski } 111178158631SZbigniew Kurzynski 1112501f1e58SZbigniew Kurzynski if (tls) 1113501f1e58SZbigniew Kurzynski { 1114f16f6263SAlan Kuo #ifndef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION 11150fda0f12SGeorge Liu messages::actionNotSupported( 11160fda0f12SGeorge Liu asyncResp->res, 11170fda0f12SGeorge Liu "Setting TLS when mutual-tls-auth feature is disabled"); 1118f16f6263SAlan Kuo return; 1119f16f6263SAlan Kuo #endif 1120501f1e58SZbigniew Kurzynski authMethodsConfig.tls = *tls; 1121501f1e58SZbigniew Kurzynski } 1122501f1e58SZbigniew Kurzynski 112378158631SZbigniew Kurzynski if (!authMethodsConfig.basic && !authMethodsConfig.cookie && 1124501f1e58SZbigniew Kurzynski !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken && 1125501f1e58SZbigniew Kurzynski !authMethodsConfig.tls) 112678158631SZbigniew Kurzynski { 112778158631SZbigniew Kurzynski // Do not allow user to disable everything 112878158631SZbigniew Kurzynski messages::actionNotSupported(asyncResp->res, 112978158631SZbigniew Kurzynski "of disabling all available methods"); 113078158631SZbigniew Kurzynski return; 113178158631SZbigniew Kurzynski } 113278158631SZbigniew Kurzynski 113352cc112dSEd Tanous persistent_data::SessionStore::getInstance().updateAuthMethodsConfig( 113452cc112dSEd Tanous authMethodsConfig); 113578158631SZbigniew Kurzynski // Save configuration immediately 113652cc112dSEd Tanous persistent_data::getConfig().writeData(); 113778158631SZbigniew Kurzynski 113878158631SZbigniew Kurzynski messages::success(asyncResp->res); 113978158631SZbigniew Kurzynski } 114078158631SZbigniew Kurzynski 11418a07d286SRatan Gupta /** 11428a07d286SRatan Gupta * @brief Get the required values from the given JSON, validates the 11438a07d286SRatan Gupta * value and create the LDAP config object. 11448a07d286SRatan Gupta * @param input JSON data 11458a07d286SRatan Gupta * @param asyncResp pointer to the JSON response 11468a07d286SRatan Gupta * @param serverType Type of LDAP server(openLDAP/ActiveDirectory) 11478a07d286SRatan Gupta */ 11488a07d286SRatan Gupta 11496c51eab1SEd Tanous inline void handleLDAPPatch(nlohmann::json& input, 11508d1b46d7Szhanghch05 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 11518a07d286SRatan Gupta const std::string& serverType) 11528a07d286SRatan Gupta { 1153eb2bbe56SRatan Gupta std::string dbusObjectPath; 1154eb2bbe56SRatan Gupta if (serverType == "ActiveDirectory") 1155eb2bbe56SRatan Gupta { 11562c70f800SEd Tanous dbusObjectPath = adConfigObject; 1157eb2bbe56SRatan Gupta } 1158eb2bbe56SRatan Gupta else if (serverType == "LDAP") 1159eb2bbe56SRatan Gupta { 116023a21a1cSEd Tanous dbusObjectPath = ldapConfigObjectName; 1161eb2bbe56SRatan Gupta } 1162cb13a392SEd Tanous else 1163cb13a392SEd Tanous { 1164cb13a392SEd Tanous return; 1165cb13a392SEd Tanous } 1166eb2bbe56SRatan Gupta 11678a07d286SRatan Gupta std::optional<nlohmann::json> authentication; 11688a07d286SRatan Gupta std::optional<nlohmann::json> ldapService; 11698a07d286SRatan Gupta std::optional<std::vector<std::string>> serviceAddressList; 11708a07d286SRatan Gupta std::optional<bool> serviceEnabled; 11718a07d286SRatan Gupta std::optional<std::vector<std::string>> baseDNList; 11728a07d286SRatan Gupta std::optional<std::string> userNameAttribute; 11738a07d286SRatan Gupta std::optional<std::string> groupsAttribute; 11748a07d286SRatan Gupta std::optional<std::string> userName; 11758a07d286SRatan Gupta std::optional<std::string> password; 117606785244SRatan Gupta std::optional<std::vector<nlohmann::json>> remoteRoleMapData; 11778a07d286SRatan Gupta 11788a07d286SRatan Gupta if (!json_util::readJson(input, asyncResp->res, "Authentication", 11798a07d286SRatan Gupta authentication, "LDAPService", ldapService, 11808a07d286SRatan Gupta "ServiceAddresses", serviceAddressList, 118106785244SRatan Gupta "ServiceEnabled", serviceEnabled, 118206785244SRatan Gupta "RemoteRoleMapping", remoteRoleMapData)) 11838a07d286SRatan Gupta { 11848a07d286SRatan Gupta return; 11858a07d286SRatan Gupta } 11868a07d286SRatan Gupta 11878a07d286SRatan Gupta if (authentication) 11888a07d286SRatan Gupta { 11898a07d286SRatan Gupta parseLDAPAuthenticationJson(*authentication, asyncResp, userName, 11908a07d286SRatan Gupta password); 11918a07d286SRatan Gupta } 11928a07d286SRatan Gupta if (ldapService) 11938a07d286SRatan Gupta { 11948a07d286SRatan Gupta parseLDAPServiceJson(*ldapService, asyncResp, baseDNList, 11958a07d286SRatan Gupta userNameAttribute, groupsAttribute); 11968a07d286SRatan Gupta } 11978a07d286SRatan Gupta if (serviceAddressList) 11988a07d286SRatan Gupta { 119926f6976fSEd Tanous if (serviceAddressList->empty()) 12008a07d286SRatan Gupta { 1201e2616cc5SEd Tanous messages::propertyValueNotInList( 1202e2616cc5SEd Tanous asyncResp->res, *serviceAddressList, "ServiceAddress"); 12038a07d286SRatan Gupta return; 12048a07d286SRatan Gupta } 12058a07d286SRatan Gupta } 12068a07d286SRatan Gupta if (baseDNList) 12078a07d286SRatan Gupta { 120826f6976fSEd Tanous if (baseDNList->empty()) 12098a07d286SRatan Gupta { 1210e2616cc5SEd Tanous messages::propertyValueNotInList(asyncResp->res, *baseDNList, 12118a07d286SRatan Gupta "BaseDistinguishedNames"); 12128a07d286SRatan Gupta return; 12138a07d286SRatan Gupta } 12148a07d286SRatan Gupta } 12158a07d286SRatan Gupta 12168a07d286SRatan Gupta // nothing to update, then return 12178a07d286SRatan Gupta if (!userName && !password && !serviceAddressList && !baseDNList && 121806785244SRatan Gupta !userNameAttribute && !groupsAttribute && !serviceEnabled && 121906785244SRatan Gupta !remoteRoleMapData) 12208a07d286SRatan Gupta { 12218a07d286SRatan Gupta return; 12228a07d286SRatan Gupta } 12238a07d286SRatan Gupta 12248a07d286SRatan Gupta // Get the existing resource first then keep modifying 12258a07d286SRatan Gupta // whenever any property gets updated. 1226002d39b4SEd Tanous getLDAPConfigData( 1227002d39b4SEd Tanous serverType, 1228002d39b4SEd Tanous [asyncResp, userName, password, baseDNList, userNameAttribute, 1229002d39b4SEd Tanous groupsAttribute, serviceAddressList, serviceEnabled, dbusObjectPath, 1230002d39b4SEd Tanous remoteRoleMapData](bool success, const LDAPConfigData& confData, 123123a21a1cSEd Tanous const std::string& serverT) { 12328a07d286SRatan Gupta if (!success) 12338a07d286SRatan Gupta { 12348a07d286SRatan Gupta messages::internalError(asyncResp->res); 12358a07d286SRatan Gupta return; 12368a07d286SRatan Gupta } 12376c51eab1SEd Tanous parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT); 12388a07d286SRatan Gupta if (confData.serviceEnabled) 12398a07d286SRatan Gupta { 12408a07d286SRatan Gupta // Disable the service first and update the rest of 12418a07d286SRatan Gupta // the properties. 12426c51eab1SEd Tanous handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath); 12438a07d286SRatan Gupta } 12448a07d286SRatan Gupta 12458a07d286SRatan Gupta if (serviceAddressList) 12468a07d286SRatan Gupta { 12476c51eab1SEd Tanous handleServiceAddressPatch(*serviceAddressList, asyncResp, serverT, 12486c51eab1SEd Tanous dbusObjectPath); 12498a07d286SRatan Gupta } 12508a07d286SRatan Gupta if (userName) 12518a07d286SRatan Gupta { 12526c51eab1SEd Tanous handleUserNamePatch(*userName, asyncResp, serverT, dbusObjectPath); 12538a07d286SRatan Gupta } 12548a07d286SRatan Gupta if (password) 12558a07d286SRatan Gupta { 12566c51eab1SEd Tanous handlePasswordPatch(*password, asyncResp, serverT, dbusObjectPath); 12578a07d286SRatan Gupta } 12588a07d286SRatan Gupta 12598a07d286SRatan Gupta if (baseDNList) 12608a07d286SRatan Gupta { 12616c51eab1SEd Tanous handleBaseDNPatch(*baseDNList, asyncResp, serverT, dbusObjectPath); 12628a07d286SRatan Gupta } 12638a07d286SRatan Gupta if (userNameAttribute) 12648a07d286SRatan Gupta { 12656c51eab1SEd Tanous handleUserNameAttrPatch(*userNameAttribute, asyncResp, serverT, 12666c51eab1SEd Tanous dbusObjectPath); 12678a07d286SRatan Gupta } 12688a07d286SRatan Gupta if (groupsAttribute) 12698a07d286SRatan Gupta { 12706c51eab1SEd Tanous handleGroupNameAttrPatch(*groupsAttribute, asyncResp, serverT, 12716c51eab1SEd Tanous dbusObjectPath); 12728a07d286SRatan Gupta } 12738a07d286SRatan Gupta if (serviceEnabled) 12748a07d286SRatan Gupta { 12758a07d286SRatan Gupta // if user has given the value as true then enable 12768a07d286SRatan Gupta // the service. if user has given false then no-op 12778a07d286SRatan Gupta // as service is already stopped. 12788a07d286SRatan Gupta if (*serviceEnabled) 12798a07d286SRatan Gupta { 12806c51eab1SEd Tanous handleServiceEnablePatch(*serviceEnabled, asyncResp, serverT, 12816c51eab1SEd Tanous dbusObjectPath); 12828a07d286SRatan Gupta } 12838a07d286SRatan Gupta } 12848a07d286SRatan Gupta else 12858a07d286SRatan Gupta { 12868a07d286SRatan Gupta // if user has not given the service enabled value 12878a07d286SRatan Gupta // then revert it to the same state as it was 12888a07d286SRatan Gupta // before. 12898a07d286SRatan Gupta handleServiceEnablePatch(confData.serviceEnabled, asyncResp, 129023a21a1cSEd Tanous serverT, dbusObjectPath); 12918a07d286SRatan Gupta } 129206785244SRatan Gupta 129306785244SRatan Gupta if (remoteRoleMapData) 129406785244SRatan Gupta { 12956c51eab1SEd Tanous handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT, 12966c51eab1SEd Tanous *remoteRoleMapData); 129706785244SRatan Gupta } 12988a07d286SRatan Gupta }); 12998a07d286SRatan Gupta } 1300d4b5443fSEd Tanous 130158345856SAbhishek Patel inline void updateUserProperties( 130258345856SAbhishek Patel std::shared_ptr<bmcweb::AsyncResp> asyncResp, const std::string& username, 1303618c14b4SEd Tanous const std::optional<std::string>& password, 1304618c14b4SEd Tanous const std::optional<bool>& enabled, 130558345856SAbhishek Patel const std::optional<std::string>& roleId, const std::optional<bool>& locked, 130658345856SAbhishek Patel std::optional<std::vector<std::string>> accountTypes, bool userSelf) 13071abe55efSEd Tanous { 1308b477fd44SP Dheeraj Srujan Kumar sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 1309b477fd44SP Dheeraj Srujan Kumar tempObjPath /= username; 1310b477fd44SP Dheeraj Srujan Kumar std::string dbusObjectPath(tempObjPath); 13116c51eab1SEd Tanous 13126c51eab1SEd Tanous dbus::utility::checkDbusPathExists( 1313618c14b4SEd Tanous dbusObjectPath, [dbusObjectPath, username, password, roleId, enabled, 131458345856SAbhishek Patel locked, accountTypes(std::move(accountTypes)), 131558345856SAbhishek Patel userSelf, asyncResp{std::move(asyncResp)}](int rc) { 1316e662eae8SEd Tanous if (rc <= 0) 13176c51eab1SEd Tanous { 1318d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", 13196c51eab1SEd Tanous username); 13206c51eab1SEd Tanous return; 13216c51eab1SEd Tanous } 13226c51eab1SEd Tanous 13236c51eab1SEd Tanous if (password) 13246c51eab1SEd Tanous { 13256c51eab1SEd Tanous int retval = pamUpdatePassword(username, *password); 13266c51eab1SEd Tanous 13276c51eab1SEd Tanous if (retval == PAM_USER_UNKNOWN) 13286c51eab1SEd Tanous { 1329d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", 13306c51eab1SEd Tanous username); 13316c51eab1SEd Tanous } 13326c51eab1SEd Tanous else if (retval == PAM_AUTHTOK_ERR) 13336c51eab1SEd Tanous { 13346c51eab1SEd Tanous // If password is invalid 1335618c14b4SEd Tanous messages::propertyValueFormatError(asyncResp->res, 1336618c14b4SEd Tanous *password, "Password"); 13376c51eab1SEd Tanous BMCWEB_LOG_ERROR << "pamUpdatePassword Failed"; 13386c51eab1SEd Tanous } 13396c51eab1SEd Tanous else if (retval != PAM_SUCCESS) 13406c51eab1SEd Tanous { 13416c51eab1SEd Tanous messages::internalError(asyncResp->res); 13426c51eab1SEd Tanous return; 13436c51eab1SEd Tanous } 1344e7b1b62bSEd Tanous else 1345e7b1b62bSEd Tanous { 1346e7b1b62bSEd Tanous messages::success(asyncResp->res); 1347e7b1b62bSEd Tanous } 13486c51eab1SEd Tanous } 13496c51eab1SEd Tanous 13506c51eab1SEd Tanous if (enabled) 13516c51eab1SEd Tanous { 13529ae226faSGeorge Liu sdbusplus::asio::setProperty( 13539ae226faSGeorge Liu *crow::connections::systemBus, 13549ae226faSGeorge Liu "xyz.openbmc_project.User.Manager", dbusObjectPath, 13559ae226faSGeorge Liu "xyz.openbmc_project.User.Attributes", "UserEnabled", 13569ae226faSGeorge Liu *enabled, [asyncResp](const boost::system::error_code& ec) { 13576c51eab1SEd Tanous if (ec) 13586c51eab1SEd Tanous { 13596c51eab1SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec; 13606c51eab1SEd Tanous messages::internalError(asyncResp->res); 13616c51eab1SEd Tanous return; 13626c51eab1SEd Tanous } 13636c51eab1SEd Tanous messages::success(asyncResp->res); 13649ae226faSGeorge Liu }); 13656c51eab1SEd Tanous } 13666c51eab1SEd Tanous 13676c51eab1SEd Tanous if (roleId) 13686c51eab1SEd Tanous { 13696c51eab1SEd Tanous std::string priv = getPrivilegeFromRoleId(*roleId); 13706c51eab1SEd Tanous if (priv.empty()) 13716c51eab1SEd Tanous { 1372e2616cc5SEd Tanous messages::propertyValueNotInList(asyncResp->res, true, 1373e2616cc5SEd Tanous "Locked"); 13746c51eab1SEd Tanous return; 13756c51eab1SEd Tanous } 13766c51eab1SEd Tanous 13779ae226faSGeorge Liu sdbusplus::asio::setProperty( 13789ae226faSGeorge Liu *crow::connections::systemBus, 13799ae226faSGeorge Liu "xyz.openbmc_project.User.Manager", dbusObjectPath, 13809ae226faSGeorge Liu "xyz.openbmc_project.User.Attributes", "UserPrivilege", 13819ae226faSGeorge Liu priv, [asyncResp](const boost::system::error_code& ec) { 13826c51eab1SEd Tanous if (ec) 13836c51eab1SEd Tanous { 13846c51eab1SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec; 13856c51eab1SEd Tanous messages::internalError(asyncResp->res); 13866c51eab1SEd Tanous return; 13876c51eab1SEd Tanous } 13886c51eab1SEd Tanous messages::success(asyncResp->res); 13899ae226faSGeorge Liu }); 13906c51eab1SEd Tanous } 13916c51eab1SEd Tanous 13926c51eab1SEd Tanous if (locked) 13936c51eab1SEd Tanous { 13946c51eab1SEd Tanous // admin can unlock the account which is locked by 13956c51eab1SEd Tanous // successive authentication failures but admin should 13966c51eab1SEd Tanous // not be allowed to lock an account. 13976c51eab1SEd Tanous if (*locked) 13986c51eab1SEd Tanous { 13996c51eab1SEd Tanous messages::propertyValueNotInList(asyncResp->res, "true", 14006c51eab1SEd Tanous "Locked"); 14016c51eab1SEd Tanous return; 14026c51eab1SEd Tanous } 14036c51eab1SEd Tanous 14049ae226faSGeorge Liu sdbusplus::asio::setProperty( 14059ae226faSGeorge Liu *crow::connections::systemBus, 14069ae226faSGeorge Liu "xyz.openbmc_project.User.Manager", dbusObjectPath, 14079ae226faSGeorge Liu "xyz.openbmc_project.User.Attributes", 14089ae226faSGeorge Liu "UserLockedForFailedAttempt", *locked, 14095e7e2dc5SEd Tanous [asyncResp](const boost::system::error_code& ec) { 14106c51eab1SEd Tanous if (ec) 14116c51eab1SEd Tanous { 14126c51eab1SEd Tanous BMCWEB_LOG_ERROR << "D-Bus responses error: " << ec; 14136c51eab1SEd Tanous messages::internalError(asyncResp->res); 14146c51eab1SEd Tanous return; 14156c51eab1SEd Tanous } 14166c51eab1SEd Tanous messages::success(asyncResp->res); 14179ae226faSGeorge Liu }); 14186c51eab1SEd Tanous } 141958345856SAbhishek Patel 142058345856SAbhishek Patel if (accountTypes) 142158345856SAbhishek Patel { 142258345856SAbhishek Patel patchAccountTypes(*accountTypes, asyncResp, dbusObjectPath, 142358345856SAbhishek Patel userSelf); 142458345856SAbhishek Patel } 14256c51eab1SEd Tanous }); 14266c51eab1SEd Tanous } 14276c51eab1SEd Tanous 14284c7d4d33SEd Tanous inline void handleAccountServiceHead( 14294c7d4d33SEd Tanous App& app, const crow::Request& req, 14301ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 14316c51eab1SEd Tanous { 14323ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 143345ca1b86SEd Tanous { 143445ca1b86SEd Tanous return; 143545ca1b86SEd Tanous } 14364c7d4d33SEd Tanous asyncResp->res.addHeader( 14374c7d4d33SEd Tanous boost::beast::http::field::link, 14384c7d4d33SEd Tanous "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby"); 14394c7d4d33SEd Tanous } 14404c7d4d33SEd Tanous 14414c7d4d33SEd Tanous inline void 14424c7d4d33SEd Tanous handleAccountServiceGet(App& app, const crow::Request& req, 14434c7d4d33SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 14444c7d4d33SEd Tanous { 1445afd369c6SJiaqing Zhao if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1446afd369c6SJiaqing Zhao { 1447afd369c6SJiaqing Zhao return; 1448afd369c6SJiaqing Zhao } 14493e72c202SNinad Palsule 14503e72c202SNinad Palsule if (req.session == nullptr) 14513e72c202SNinad Palsule { 14523e72c202SNinad Palsule messages::internalError(asyncResp->res); 14533e72c202SNinad Palsule return; 14543e72c202SNinad Palsule } 14553e72c202SNinad Palsule 1456afd369c6SJiaqing Zhao asyncResp->res.addHeader( 1457afd369c6SJiaqing Zhao boost::beast::http::field::link, 1458afd369c6SJiaqing Zhao "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby"); 1459afd369c6SJiaqing Zhao 146052cc112dSEd Tanous const persistent_data::AuthConfigMethods& authMethodsConfig = 14611ef4c342SEd Tanous persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 146278158631SZbigniew Kurzynski 14631476687dSEd Tanous nlohmann::json& json = asyncResp->res.jsonValue; 14641476687dSEd Tanous json["@odata.id"] = "/redfish/v1/AccountService"; 14651476687dSEd Tanous json["@odata.type"] = "#AccountService." 14661476687dSEd Tanous "v1_10_0.AccountService"; 14671476687dSEd Tanous json["Id"] = "AccountService"; 14681476687dSEd Tanous json["Name"] = "Account Service"; 14691476687dSEd Tanous json["Description"] = "Account Service"; 14701476687dSEd Tanous json["ServiceEnabled"] = true; 14711476687dSEd Tanous json["MaxPasswordLength"] = 20; 14721ef4c342SEd Tanous json["Accounts"]["@odata.id"] = "/redfish/v1/AccountService/Accounts"; 14731476687dSEd Tanous json["Roles"]["@odata.id"] = "/redfish/v1/AccountService/Roles"; 14741476687dSEd Tanous json["Oem"]["OpenBMC"]["@odata.type"] = 14755b5574acSEd Tanous "#OpenBMCAccountService.v1_0_0.AccountService"; 14761476687dSEd Tanous json["Oem"]["OpenBMC"]["@odata.id"] = 14771476687dSEd Tanous "/redfish/v1/AccountService#/Oem/OpenBMC"; 14781476687dSEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["BasicAuth"] = 14791476687dSEd Tanous authMethodsConfig.basic; 14801476687dSEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["SessionToken"] = 14811476687dSEd Tanous authMethodsConfig.sessionToken; 14821ef4c342SEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["XToken"] = authMethodsConfig.xtoken; 14831ef4c342SEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["Cookie"] = authMethodsConfig.cookie; 14841ef4c342SEd Tanous json["Oem"]["OpenBMC"]["AuthMethods"]["TLS"] = authMethodsConfig.tls; 14851476687dSEd Tanous 14861ef4c342SEd Tanous // /redfish/v1/AccountService/LDAP/Certificates is something only 14871ef4c342SEd Tanous // ConfigureManager can access then only display when the user has 14881ef4c342SEd Tanous // permissions ConfigureManager 148972048780SAbhishek Patel Privileges effectiveUserPrivileges = 14903e72c202SNinad Palsule redfish::getUserPrivileges(*req.session); 149172048780SAbhishek Patel 149272048780SAbhishek Patel if (isOperationAllowedWithPrivileges({{"ConfigureManager"}}, 149372048780SAbhishek Patel effectiveUserPrivileges)) 149472048780SAbhishek Patel { 14951ef4c342SEd Tanous asyncResp->res.jsonValue["LDAP"]["Certificates"]["@odata.id"] = 14961476687dSEd Tanous "/redfish/v1/AccountService/LDAP/Certificates"; 149772048780SAbhishek Patel } 1498d1bde9e5SKrzysztof Grobelny sdbusplus::asio::getAllProperties( 1499d1bde9e5SKrzysztof Grobelny *crow::connections::systemBus, "xyz.openbmc_project.User.Manager", 1500d1bde9e5SKrzysztof Grobelny "/xyz/openbmc_project/user", "xyz.openbmc_project.User.AccountPolicy", 15015e7e2dc5SEd Tanous [asyncResp](const boost::system::error_code& ec, 15021ef4c342SEd Tanous const dbus::utility::DBusPropertiesMap& propertiesList) { 15033d958bbcSAppaRao Puli if (ec) 15043d958bbcSAppaRao Puli { 15053d958bbcSAppaRao Puli messages::internalError(asyncResp->res); 15063d958bbcSAppaRao Puli return; 15073d958bbcSAppaRao Puli } 1508d1bde9e5SKrzysztof Grobelny 15093d958bbcSAppaRao Puli BMCWEB_LOG_DEBUG << "Got " << propertiesList.size() 15103d958bbcSAppaRao Puli << "properties for AccountService"; 1511d1bde9e5SKrzysztof Grobelny 1512d1bde9e5SKrzysztof Grobelny const uint8_t* minPasswordLength = nullptr; 1513d1bde9e5SKrzysztof Grobelny const uint32_t* accountUnlockTimeout = nullptr; 1514d1bde9e5SKrzysztof Grobelny const uint16_t* maxLoginAttemptBeforeLockout = nullptr; 1515d1bde9e5SKrzysztof Grobelny 1516d1bde9e5SKrzysztof Grobelny const bool success = sdbusplus::unpackPropertiesNoThrow( 1517d1bde9e5SKrzysztof Grobelny dbus_utils::UnpackErrorPrinter(), propertiesList, 1518d1bde9e5SKrzysztof Grobelny "MinPasswordLength", minPasswordLength, "AccountUnlockTimeout", 1519d1bde9e5SKrzysztof Grobelny accountUnlockTimeout, "MaxLoginAttemptBeforeLockout", 1520d1bde9e5SKrzysztof Grobelny maxLoginAttemptBeforeLockout); 1521d1bde9e5SKrzysztof Grobelny 1522d1bde9e5SKrzysztof Grobelny if (!success) 15233d958bbcSAppaRao Puli { 1524d1bde9e5SKrzysztof Grobelny messages::internalError(asyncResp->res); 1525d1bde9e5SKrzysztof Grobelny return; 15263d958bbcSAppaRao Puli } 1527d1bde9e5SKrzysztof Grobelny 1528d1bde9e5SKrzysztof Grobelny if (minPasswordLength != nullptr) 15293d958bbcSAppaRao Puli { 1530d1bde9e5SKrzysztof Grobelny asyncResp->res.jsonValue["MinPasswordLength"] = *minPasswordLength; 15313d958bbcSAppaRao Puli } 1532d1bde9e5SKrzysztof Grobelny 1533d1bde9e5SKrzysztof Grobelny if (accountUnlockTimeout != nullptr) 15343d958bbcSAppaRao Puli { 1535d1bde9e5SKrzysztof Grobelny asyncResp->res.jsonValue["AccountLockoutDuration"] = 1536d1bde9e5SKrzysztof Grobelny *accountUnlockTimeout; 1537d1bde9e5SKrzysztof Grobelny } 1538d1bde9e5SKrzysztof Grobelny 1539d1bde9e5SKrzysztof Grobelny if (maxLoginAttemptBeforeLockout != nullptr) 15403d958bbcSAppaRao Puli { 1541002d39b4SEd Tanous asyncResp->res.jsonValue["AccountLockoutThreshold"] = 1542d1bde9e5SKrzysztof Grobelny *maxLoginAttemptBeforeLockout; 15433d958bbcSAppaRao Puli } 1544d1bde9e5SKrzysztof Grobelny }); 15456973a582SRatan Gupta 154602cad96eSEd Tanous auto callback = [asyncResp](bool success, const LDAPConfigData& confData, 1547ab828d7cSRatan Gupta const std::string& ldapType) { 1548cb13a392SEd Tanous if (!success) 1549cb13a392SEd Tanous { 1550cb13a392SEd Tanous return; 1551cb13a392SEd Tanous } 1552002d39b4SEd Tanous parseLDAPConfigData(asyncResp->res.jsonValue, confData, ldapType); 1553ab828d7cSRatan Gupta }; 1554ab828d7cSRatan Gupta 1555ab828d7cSRatan Gupta getLDAPConfigData("LDAP", callback); 1556ab828d7cSRatan Gupta getLDAPConfigData("ActiveDirectory", callback); 15571ef4c342SEd Tanous } 15586973a582SRatan Gupta 15591ef4c342SEd Tanous inline void handleAccountServicePatch( 15601ef4c342SEd Tanous App& app, const crow::Request& req, 15611ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 15621ef4c342SEd Tanous { 15633ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 156445ca1b86SEd Tanous { 156545ca1b86SEd Tanous return; 156645ca1b86SEd Tanous } 1567f5ffd806SEd Tanous std::optional<uint32_t> unlockTimeout; 1568f5ffd806SEd Tanous std::optional<uint16_t> lockoutThreshold; 1569ef73ad0dSPaul Fertser std::optional<uint8_t> minPasswordLength; 1570f5ffd806SEd Tanous std::optional<uint16_t> maxPasswordLength; 1571f5ffd806SEd Tanous std::optional<nlohmann::json> ldapObject; 1572f5ffd806SEd Tanous std::optional<nlohmann::json> activeDirectoryObject; 1573f5ffd806SEd Tanous std::optional<nlohmann::json> oemObject; 1574f5ffd806SEd Tanous 157515ed6780SWilly Tu if (!json_util::readJsonPatch( 15761ef4c342SEd Tanous req, asyncResp->res, "AccountLockoutDuration", unlockTimeout, 15771ef4c342SEd Tanous "AccountLockoutThreshold", lockoutThreshold, "MaxPasswordLength", 15781ef4c342SEd Tanous maxPasswordLength, "MinPasswordLength", minPasswordLength, "LDAP", 15791ef4c342SEd Tanous ldapObject, "ActiveDirectory", activeDirectoryObject, "Oem", 1580f5ffd806SEd Tanous oemObject)) 1581f5ffd806SEd Tanous { 1582f5ffd806SEd Tanous return; 1583f5ffd806SEd Tanous } 1584f5ffd806SEd Tanous 1585f5ffd806SEd Tanous if (minPasswordLength) 1586f5ffd806SEd Tanous { 15879ae226faSGeorge Liu sdbusplus::asio::setProperty( 15889ae226faSGeorge Liu *crow::connections::systemBus, "xyz.openbmc_project.User.Manager", 15899ae226faSGeorge Liu "/xyz/openbmc_project/user", 15909ae226faSGeorge Liu "xyz.openbmc_project.User.AccountPolicy", "MinPasswordLength", 15919ae226faSGeorge Liu *minPasswordLength, 15925e7e2dc5SEd Tanous [asyncResp](const boost::system::error_code& ec) { 1593ef73ad0dSPaul Fertser if (ec) 1594ef73ad0dSPaul Fertser { 1595ef73ad0dSPaul Fertser messages::internalError(asyncResp->res); 1596ef73ad0dSPaul Fertser return; 1597ef73ad0dSPaul Fertser } 1598ef73ad0dSPaul Fertser messages::success(asyncResp->res); 15999ae226faSGeorge Liu }); 1600f5ffd806SEd Tanous } 1601f5ffd806SEd Tanous 1602f5ffd806SEd Tanous if (maxPasswordLength) 1603f5ffd806SEd Tanous { 16041ef4c342SEd Tanous messages::propertyNotWritable(asyncResp->res, "MaxPasswordLength"); 1605f5ffd806SEd Tanous } 1606f5ffd806SEd Tanous 1607f5ffd806SEd Tanous if (ldapObject) 1608f5ffd806SEd Tanous { 1609f5ffd806SEd Tanous handleLDAPPatch(*ldapObject, asyncResp, "LDAP"); 1610f5ffd806SEd Tanous } 1611f5ffd806SEd Tanous 1612f5ffd806SEd Tanous if (std::optional<nlohmann::json> oemOpenBMCObject; 16131ef4c342SEd Tanous oemObject && json_util::readJson(*oemObject, asyncResp->res, "OpenBMC", 1614f5ffd806SEd Tanous oemOpenBMCObject)) 1615f5ffd806SEd Tanous { 1616f5ffd806SEd Tanous if (std::optional<nlohmann::json> authMethodsObject; 1617f5ffd806SEd Tanous oemOpenBMCObject && 1618f5ffd806SEd Tanous json_util::readJson(*oemOpenBMCObject, asyncResp->res, 1619f5ffd806SEd Tanous "AuthMethods", authMethodsObject)) 1620f5ffd806SEd Tanous { 1621f5ffd806SEd Tanous if (authMethodsObject) 1622f5ffd806SEd Tanous { 16231ef4c342SEd Tanous handleAuthMethodsPatch(*authMethodsObject, asyncResp); 1624f5ffd806SEd Tanous } 1625f5ffd806SEd Tanous } 1626f5ffd806SEd Tanous } 1627f5ffd806SEd Tanous 1628f5ffd806SEd Tanous if (activeDirectoryObject) 1629f5ffd806SEd Tanous { 16301ef4c342SEd Tanous handleLDAPPatch(*activeDirectoryObject, asyncResp, "ActiveDirectory"); 1631f5ffd806SEd Tanous } 1632f5ffd806SEd Tanous 1633f5ffd806SEd Tanous if (unlockTimeout) 1634f5ffd806SEd Tanous { 16359ae226faSGeorge Liu sdbusplus::asio::setProperty( 16369ae226faSGeorge Liu *crow::connections::systemBus, "xyz.openbmc_project.User.Manager", 16379ae226faSGeorge Liu "/xyz/openbmc_project/user", 16389ae226faSGeorge Liu "xyz.openbmc_project.User.AccountPolicy", "AccountUnlockTimeout", 16399ae226faSGeorge Liu *unlockTimeout, [asyncResp](const boost::system::error_code& ec) { 1640f5ffd806SEd Tanous if (ec) 1641f5ffd806SEd Tanous { 1642f5ffd806SEd Tanous messages::internalError(asyncResp->res); 1643f5ffd806SEd Tanous return; 1644f5ffd806SEd Tanous } 1645f5ffd806SEd Tanous messages::success(asyncResp->res); 16469ae226faSGeorge Liu }); 1647f5ffd806SEd Tanous } 1648f5ffd806SEd Tanous if (lockoutThreshold) 1649f5ffd806SEd Tanous { 16509ae226faSGeorge Liu sdbusplus::asio::setProperty( 16519ae226faSGeorge Liu *crow::connections::systemBus, "xyz.openbmc_project.User.Manager", 16529ae226faSGeorge Liu "/xyz/openbmc_project/user", 16539ae226faSGeorge Liu "xyz.openbmc_project.User.AccountPolicy", 16549ae226faSGeorge Liu "MaxLoginAttemptBeforeLockout", *lockoutThreshold, 16555e7e2dc5SEd Tanous [asyncResp](const boost::system::error_code& ec) { 1656f5ffd806SEd Tanous if (ec) 1657f5ffd806SEd Tanous { 1658f5ffd806SEd Tanous messages::internalError(asyncResp->res); 1659f5ffd806SEd Tanous return; 1660f5ffd806SEd Tanous } 1661f5ffd806SEd Tanous messages::success(asyncResp->res); 16629ae226faSGeorge Liu }); 1663f5ffd806SEd Tanous } 16641ef4c342SEd Tanous } 1665f5ffd806SEd Tanous 16664c7d4d33SEd Tanous inline void handleAccountCollectionHead( 16671ef4c342SEd Tanous App& app, const crow::Request& req, 16681ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 16691ef4c342SEd Tanous { 16703ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 167145ca1b86SEd Tanous { 167245ca1b86SEd Tanous return; 167345ca1b86SEd Tanous } 16744c7d4d33SEd Tanous asyncResp->res.addHeader( 16754c7d4d33SEd Tanous boost::beast::http::field::link, 16764c7d4d33SEd Tanous "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby"); 16774c7d4d33SEd Tanous } 16784c7d4d33SEd Tanous 16794c7d4d33SEd Tanous inline void handleAccountCollectionGet( 16804c7d4d33SEd Tanous App& app, const crow::Request& req, 16814c7d4d33SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 16824c7d4d33SEd Tanous { 1683afd369c6SJiaqing Zhao if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1684afd369c6SJiaqing Zhao { 1685afd369c6SJiaqing Zhao return; 1686afd369c6SJiaqing Zhao } 16873e72c202SNinad Palsule 16883e72c202SNinad Palsule if (req.session == nullptr) 16893e72c202SNinad Palsule { 16903e72c202SNinad Palsule messages::internalError(asyncResp->res); 16913e72c202SNinad Palsule return; 16923e72c202SNinad Palsule } 16933e72c202SNinad Palsule 1694afd369c6SJiaqing Zhao asyncResp->res.addHeader( 1695afd369c6SJiaqing Zhao boost::beast::http::field::link, 1696afd369c6SJiaqing Zhao "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby"); 16971476687dSEd Tanous 16981476687dSEd Tanous asyncResp->res.jsonValue["@odata.id"] = 16991476687dSEd Tanous "/redfish/v1/AccountService/Accounts"; 17001ef4c342SEd Tanous asyncResp->res.jsonValue["@odata.type"] = "#ManagerAccountCollection." 17011476687dSEd Tanous "ManagerAccountCollection"; 17021476687dSEd Tanous asyncResp->res.jsonValue["Name"] = "Accounts Collection"; 17031476687dSEd Tanous asyncResp->res.jsonValue["Description"] = "BMC User Accounts"; 17040f74e643SEd Tanous 17056c51eab1SEd Tanous Privileges effectiveUserPrivileges = 17063e72c202SNinad Palsule redfish::getUserPrivileges(*req.session); 17076c51eab1SEd Tanous 1708f5e29f33SJunLin Chen std::string thisUser; 1709f5e29f33SJunLin Chen if (req.session) 1710f5e29f33SJunLin Chen { 1711f5e29f33SJunLin Chen thisUser = req.session->username; 1712f5e29f33SJunLin Chen } 17135eb468daSGeorge Liu sdbusplus::message::object_path path("/xyz/openbmc_project/user"); 17145eb468daSGeorge Liu dbus::utility::getManagedObjects( 17155eb468daSGeorge Liu "xyz.openbmc_project.User.Manager", path, 1716cef1ddfbSEd Tanous [asyncResp, thisUser, effectiveUserPrivileges]( 17175e7e2dc5SEd Tanous const boost::system::error_code& ec, 1718711ac7a9SEd Tanous const dbus::utility::ManagedObjectType& users) { 1719b9b2e0b2SEd Tanous if (ec) 1720b9b2e0b2SEd Tanous { 1721f12894f8SJason M. Bills messages::internalError(asyncResp->res); 1722b9b2e0b2SEd Tanous return; 1723b9b2e0b2SEd Tanous } 1724b9b2e0b2SEd Tanous 1725cef1ddfbSEd Tanous bool userCanSeeAllAccounts = 1726002d39b4SEd Tanous effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"}); 1727cef1ddfbSEd Tanous 1728cef1ddfbSEd Tanous bool userCanSeeSelf = 1729002d39b4SEd Tanous effectiveUserPrivileges.isSupersetOf({"ConfigureSelf"}); 1730cef1ddfbSEd Tanous 1731002d39b4SEd Tanous nlohmann::json& memberArray = asyncResp->res.jsonValue["Members"]; 1732b9b2e0b2SEd Tanous memberArray = nlohmann::json::array(); 1733b9b2e0b2SEd Tanous 17349eb808c1SEd Tanous for (const auto& userpath : users) 1735b9b2e0b2SEd Tanous { 17362dfd18efSEd Tanous std::string user = userpath.first.filename(); 17372dfd18efSEd Tanous if (user.empty()) 1738b9b2e0b2SEd Tanous { 17392dfd18efSEd Tanous messages::internalError(asyncResp->res); 17402dfd18efSEd Tanous BMCWEB_LOG_ERROR << "Invalid firmware ID"; 17412dfd18efSEd Tanous 17422dfd18efSEd Tanous return; 1743b9b2e0b2SEd Tanous } 1744f365910cSGunnar Mills 1745f365910cSGunnar Mills // As clarified by Redfish here: 1746f365910cSGunnar Mills // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration 17476c51eab1SEd Tanous // Users without ConfigureUsers, only see their own 17486c51eab1SEd Tanous // account. Users with ConfigureUsers, see all 17496c51eab1SEd Tanous // accounts. 17501ef4c342SEd Tanous if (userCanSeeAllAccounts || (thisUser == user && userCanSeeSelf)) 1751f365910cSGunnar Mills { 17521476687dSEd Tanous nlohmann::json::object_t member; 175389492a15SPatrick Williams member["@odata.id"] = "/redfish/v1/AccountService/Accounts/" + 175489492a15SPatrick Williams user; 1755b2ba3072SPatrick Williams memberArray.emplace_back(std::move(member)); 1756b9b2e0b2SEd Tanous } 1757f365910cSGunnar Mills } 17581ef4c342SEd Tanous asyncResp->res.jsonValue["Members@odata.count"] = memberArray.size(); 17595eb468daSGeorge Liu }); 17601ef4c342SEd Tanous } 17616c51eab1SEd Tanous 176297e90da3SNinad Palsule inline void processAfterCreateUser( 176397e90da3SNinad Palsule const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 176497e90da3SNinad Palsule const std::string& username, const std::string& password, 176597e90da3SNinad Palsule const boost::system::error_code& ec, sdbusplus::message_t& m) 176697e90da3SNinad Palsule { 176797e90da3SNinad Palsule if (ec) 176897e90da3SNinad Palsule { 176997e90da3SNinad Palsule userErrorMessageHandler(m.get_error(), asyncResp, username, ""); 177097e90da3SNinad Palsule return; 177197e90da3SNinad Palsule } 177297e90da3SNinad Palsule 177397e90da3SNinad Palsule if (pamUpdatePassword(username, password) != PAM_SUCCESS) 177497e90da3SNinad Palsule { 177597e90da3SNinad Palsule // At this point we have a user that's been 177697e90da3SNinad Palsule // created, but the password set 177797e90da3SNinad Palsule // failed.Something is wrong, so delete the user 177897e90da3SNinad Palsule // that we've already created 177997e90da3SNinad Palsule sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 178097e90da3SNinad Palsule tempObjPath /= username; 178197e90da3SNinad Palsule const std::string userPath(tempObjPath); 178297e90da3SNinad Palsule 178397e90da3SNinad Palsule crow::connections::systemBus->async_method_call( 178497e90da3SNinad Palsule [asyncResp, password](const boost::system::error_code& ec3) { 178597e90da3SNinad Palsule if (ec3) 178697e90da3SNinad Palsule { 178797e90da3SNinad Palsule messages::internalError(asyncResp->res); 178897e90da3SNinad Palsule return; 178997e90da3SNinad Palsule } 179097e90da3SNinad Palsule 179197e90da3SNinad Palsule // If password is invalid 179297e90da3SNinad Palsule messages::propertyValueFormatError(asyncResp->res, password, 179397e90da3SNinad Palsule "Password"); 179497e90da3SNinad Palsule }, 179597e90da3SNinad Palsule "xyz.openbmc_project.User.Manager", userPath, 179697e90da3SNinad Palsule "xyz.openbmc_project.Object.Delete", "Delete"); 179797e90da3SNinad Palsule 179897e90da3SNinad Palsule BMCWEB_LOG_ERROR << "pamUpdatePassword Failed"; 179997e90da3SNinad Palsule return; 180097e90da3SNinad Palsule } 180197e90da3SNinad Palsule 180297e90da3SNinad Palsule messages::created(asyncResp->res); 180397e90da3SNinad Palsule asyncResp->res.addHeader("Location", 180497e90da3SNinad Palsule "/redfish/v1/AccountService/Accounts/" + username); 180597e90da3SNinad Palsule } 180697e90da3SNinad Palsule 180797e90da3SNinad Palsule inline void processAfterGetAllGroups( 180897e90da3SNinad Palsule const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 180997e90da3SNinad Palsule const std::string& username, const std::string& password, 181097e90da3SNinad Palsule const std::optional<std::string>& roleId, std::optional<bool> enabled, 18119ba73934SNinad Palsule std::optional<std::vector<std::string>> accountTypes, 181297e90da3SNinad Palsule const std::vector<std::string>& allGroupsList) 181397e90da3SNinad Palsule { 18143e72c202SNinad Palsule std::vector<std::string> userGroups; 18159ba73934SNinad Palsule std::vector<std::string> accountTypeUserGroups; 18169ba73934SNinad Palsule 18179ba73934SNinad Palsule // If user specified account types then convert them to unix user groups 18189ba73934SNinad Palsule if (accountTypes) 18199ba73934SNinad Palsule { 18209ba73934SNinad Palsule if (!getUserGroupFromAccountType(asyncResp->res, *accountTypes, 18219ba73934SNinad Palsule accountTypeUserGroups)) 18229ba73934SNinad Palsule { 18239ba73934SNinad Palsule // Problem in mapping Account Types to User Groups, Error already 18249ba73934SNinad Palsule // logged. 18259ba73934SNinad Palsule return; 18269ba73934SNinad Palsule } 18279ba73934SNinad Palsule } 18289ba73934SNinad Palsule 18293e72c202SNinad Palsule for (const auto& grp : allGroupsList) 18303e72c202SNinad Palsule { 18319ba73934SNinad Palsule // If user specified the account type then only accept groups which are 18329ba73934SNinad Palsule // in the account types group list. 18339ba73934SNinad Palsule if (!accountTypeUserGroups.empty()) 18349ba73934SNinad Palsule { 18359ba73934SNinad Palsule bool found = false; 18369ba73934SNinad Palsule for (const auto& grp1 : accountTypeUserGroups) 18379ba73934SNinad Palsule { 18389ba73934SNinad Palsule if (grp == grp1) 18399ba73934SNinad Palsule { 18409ba73934SNinad Palsule found = true; 18419ba73934SNinad Palsule break; 18429ba73934SNinad Palsule } 18439ba73934SNinad Palsule } 18449ba73934SNinad Palsule if (!found) 18459ba73934SNinad Palsule { 18469ba73934SNinad Palsule continue; 18479ba73934SNinad Palsule } 18489ba73934SNinad Palsule } 18499ba73934SNinad Palsule 18503e72c202SNinad Palsule // Console access is provided to the user who is a member of 18513e72c202SNinad Palsule // hostconsole group and has a administrator role. So, set 18523e72c202SNinad Palsule // hostconsole group only for the administrator. 18539ba73934SNinad Palsule if ((grp == "hostconsole") && (roleId != "priv-admin")) 18543e72c202SNinad Palsule { 18559ba73934SNinad Palsule if (!accountTypeUserGroups.empty()) 18569ba73934SNinad Palsule { 18579ba73934SNinad Palsule BMCWEB_LOG_ERROR 18589ba73934SNinad Palsule << "Only administrator can get HostConsole access"; 18599ba73934SNinad Palsule asyncResp->res.result(boost::beast::http::status::bad_request); 18609ba73934SNinad Palsule return; 18619ba73934SNinad Palsule } 18629ba73934SNinad Palsule continue; 18639ba73934SNinad Palsule } 18643e72c202SNinad Palsule userGroups.emplace_back(grp); 18653e72c202SNinad Palsule } 18669ba73934SNinad Palsule 18679ba73934SNinad Palsule // Make sure user specified groups are valid. This is internal error because 18689ba73934SNinad Palsule // it some inconsistencies between user manager and bmcweb. 18699ba73934SNinad Palsule if (!accountTypeUserGroups.empty() && 18709ba73934SNinad Palsule accountTypeUserGroups.size() != userGroups.size()) 18719ba73934SNinad Palsule { 18729ba73934SNinad Palsule messages::internalError(asyncResp->res); 18739ba73934SNinad Palsule return; 18743e72c202SNinad Palsule } 18753e72c202SNinad Palsule 187697e90da3SNinad Palsule crow::connections::systemBus->async_method_call( 187797e90da3SNinad Palsule [asyncResp, username, password](const boost::system::error_code& ec2, 187897e90da3SNinad Palsule sdbusplus::message_t& m) { 187997e90da3SNinad Palsule processAfterCreateUser(asyncResp, username, password, ec2, m); 188097e90da3SNinad Palsule }, 188197e90da3SNinad Palsule "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 18823e72c202SNinad Palsule "xyz.openbmc_project.User.Manager", "CreateUser", username, userGroups, 18833e72c202SNinad Palsule *roleId, *enabled); 188497e90da3SNinad Palsule } 188597e90da3SNinad Palsule 18861ef4c342SEd Tanous inline void handleAccountCollectionPost( 18871ef4c342SEd Tanous App& app, const crow::Request& req, 18881ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) 18891ef4c342SEd Tanous { 18903ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 189145ca1b86SEd Tanous { 189245ca1b86SEd Tanous return; 189345ca1b86SEd Tanous } 18949712f8acSEd Tanous std::string username; 18959712f8acSEd Tanous std::string password; 1896a24526dcSEd Tanous std::optional<std::string> roleId("User"); 1897a24526dcSEd Tanous std::optional<bool> enabled = true; 18989ba73934SNinad Palsule std::optional<std::vector<std::string>> accountTypes; 18999ba73934SNinad Palsule if (!json_util::readJsonPatch( 19009ba73934SNinad Palsule req, asyncResp->res, "UserName", username, "Password", password, 19019ba73934SNinad Palsule "RoleId", roleId, "Enabled", enabled, "AccountTypes", accountTypes)) 190204ae99ecSEd Tanous { 190304ae99ecSEd Tanous return; 190404ae99ecSEd Tanous } 190504ae99ecSEd Tanous 190654fc587aSNagaraju Goruganti std::string priv = getPrivilegeFromRoleId(*roleId); 190784e12cb7SAppaRao Puli if (priv.empty()) 190804ae99ecSEd Tanous { 19091ef4c342SEd Tanous messages::propertyValueNotInList(asyncResp->res, *roleId, "RoleId"); 191004ae99ecSEd Tanous return; 191104ae99ecSEd Tanous } 19129712f8acSEd Tanous roleId = priv; 191304ae99ecSEd Tanous 1914599c71d8SAyushi Smriti // Reading AllGroups property 19151e1e598dSJonathan Doman sdbusplus::asio::getProperty<std::vector<std::string>>( 19161ef4c342SEd Tanous *crow::connections::systemBus, "xyz.openbmc_project.User.Manager", 19171ef4c342SEd Tanous "/xyz/openbmc_project/user", "xyz.openbmc_project.User.Manager", 19181ef4c342SEd Tanous "AllGroups", 19199ba73934SNinad Palsule [asyncResp, username, password{std::move(password)}, roleId, enabled, 19209ba73934SNinad Palsule accountTypes](const boost::system::error_code& ec, 19211e1e598dSJonathan Doman const std::vector<std::string>& allGroupsList) { 1922599c71d8SAyushi Smriti if (ec) 1923599c71d8SAyushi Smriti { 1924599c71d8SAyushi Smriti BMCWEB_LOG_DEBUG << "ERROR with async_method_call"; 1925599c71d8SAyushi Smriti messages::internalError(asyncResp->res); 1926599c71d8SAyushi Smriti return; 1927599c71d8SAyushi Smriti } 1928599c71d8SAyushi Smriti 19291e1e598dSJonathan Doman if (allGroupsList.empty()) 1930599c71d8SAyushi Smriti { 1931599c71d8SAyushi Smriti messages::internalError(asyncResp->res); 1932599c71d8SAyushi Smriti return; 1933599c71d8SAyushi Smriti } 1934599c71d8SAyushi Smriti 193597e90da3SNinad Palsule processAfterGetAllGroups(asyncResp, username, password, roleId, enabled, 19369ba73934SNinad Palsule accountTypes, allGroupsList); 19371e1e598dSJonathan Doman }); 19381ef4c342SEd Tanous } 1939b9b2e0b2SEd Tanous 19401ef4c342SEd Tanous inline void 19414c7d4d33SEd Tanous handleAccountHead(App& app, const crow::Request& req, 19426c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 19434c7d4d33SEd Tanous const std::string& /*accountName*/) 19441ef4c342SEd Tanous { 19453ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 194645ca1b86SEd Tanous { 194745ca1b86SEd Tanous return; 194845ca1b86SEd Tanous } 19494c7d4d33SEd Tanous asyncResp->res.addHeader( 19504c7d4d33SEd Tanous boost::beast::http::field::link, 19514c7d4d33SEd Tanous "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby"); 19524c7d4d33SEd Tanous } 1953afd369c6SJiaqing Zhao 19544c7d4d33SEd Tanous inline void 19554c7d4d33SEd Tanous handleAccountGet(App& app, const crow::Request& req, 19564c7d4d33SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 19574c7d4d33SEd Tanous const std::string& accountName) 19584c7d4d33SEd Tanous { 1959afd369c6SJiaqing Zhao if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 1960afd369c6SJiaqing Zhao { 1961afd369c6SJiaqing Zhao return; 1962afd369c6SJiaqing Zhao } 1963afd369c6SJiaqing Zhao asyncResp->res.addHeader( 1964afd369c6SJiaqing Zhao boost::beast::http::field::link, 1965afd369c6SJiaqing Zhao "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby"); 1966afd369c6SJiaqing Zhao 19671ef4c342SEd Tanous #ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION 1968031514fbSJunLin Chen // If authentication is disabled, there are no user accounts 1969d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", accountName); 1970031514fbSJunLin Chen return; 19711ef4c342SEd Tanous #endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION 1972afd369c6SJiaqing Zhao 1973031514fbSJunLin Chen if (req.session == nullptr) 1974031514fbSJunLin Chen { 1975031514fbSJunLin Chen messages::internalError(asyncResp->res); 1976031514fbSJunLin Chen return; 1977031514fbSJunLin Chen } 19786c51eab1SEd Tanous if (req.session->username != accountName) 1979b9b2e0b2SEd Tanous { 19806c51eab1SEd Tanous // At this point we've determined that the user is trying to 19811ef4c342SEd Tanous // modify a user that isn't them. We need to verify that they 19821ef4c342SEd Tanous // have permissions to modify other users, so re-run the auth 19831ef4c342SEd Tanous // check with the same permissions, minus ConfigureSelf. 19846c51eab1SEd Tanous Privileges effectiveUserPrivileges = 19853e72c202SNinad Palsule redfish::getUserPrivileges(*req.session); 19861ef4c342SEd Tanous Privileges requiredPermissionsToChangeNonSelf = {"ConfigureUsers", 19871ef4c342SEd Tanous "ConfigureManager"}; 19886c51eab1SEd Tanous if (!effectiveUserPrivileges.isSupersetOf( 19896c51eab1SEd Tanous requiredPermissionsToChangeNonSelf)) 1990900f9497SJoseph Reynolds { 1991900f9497SJoseph Reynolds BMCWEB_LOG_DEBUG << "GET Account denied access"; 1992900f9497SJoseph Reynolds messages::insufficientPrivilege(asyncResp->res); 1993900f9497SJoseph Reynolds return; 1994900f9497SJoseph Reynolds } 1995900f9497SJoseph Reynolds } 1996900f9497SJoseph Reynolds 19975eb468daSGeorge Liu sdbusplus::message::object_path path("/xyz/openbmc_project/user"); 19985eb468daSGeorge Liu dbus::utility::getManagedObjects( 19995eb468daSGeorge Liu "xyz.openbmc_project.User.Manager", path, 20001ef4c342SEd Tanous [asyncResp, 20015e7e2dc5SEd Tanous accountName](const boost::system::error_code& ec, 2002711ac7a9SEd Tanous const dbus::utility::ManagedObjectType& users) { 2003b9b2e0b2SEd Tanous if (ec) 2004b9b2e0b2SEd Tanous { 2005f12894f8SJason M. Bills messages::internalError(asyncResp->res); 2006b9b2e0b2SEd Tanous return; 2007b9b2e0b2SEd Tanous } 2008711ac7a9SEd Tanous const auto userIt = std::find_if( 2009b477fd44SP Dheeraj Srujan Kumar users.begin(), users.end(), 2010b477fd44SP Dheeraj Srujan Kumar [accountName]( 2011b477fd44SP Dheeraj Srujan Kumar const std::pair<sdbusplus::message::object_path, 2012002d39b4SEd Tanous dbus::utility::DBusInteracesMap>& user) { 201355f79e6fSEd Tanous return accountName == user.first.filename(); 2014b477fd44SP Dheeraj Srujan Kumar }); 2015b9b2e0b2SEd Tanous 201684e12cb7SAppaRao Puli if (userIt == users.end()) 2017b9b2e0b2SEd Tanous { 2018002d39b4SEd Tanous messages::resourceNotFound(asyncResp->res, "ManagerAccount", 2019002d39b4SEd Tanous accountName); 202084e12cb7SAppaRao Puli return; 202184e12cb7SAppaRao Puli } 20224e68c45bSAyushi Smriti 20231476687dSEd Tanous asyncResp->res.jsonValue["@odata.type"] = 202458345856SAbhishek Patel "#ManagerAccount.v1_7_0.ManagerAccount"; 20251476687dSEd Tanous asyncResp->res.jsonValue["Name"] = "User Account"; 20261476687dSEd Tanous asyncResp->res.jsonValue["Description"] = "User Account"; 20271476687dSEd Tanous asyncResp->res.jsonValue["Password"] = nullptr; 202858345856SAbhishek Patel asyncResp->res.jsonValue["StrictAccountTypes"] = true; 20294e68c45bSAyushi Smriti 203084e12cb7SAppaRao Puli for (const auto& interface : userIt->second) 203165b0dc32SEd Tanous { 2032002d39b4SEd Tanous if (interface.first == "xyz.openbmc_project.User.Attributes") 203365b0dc32SEd Tanous { 203465b0dc32SEd Tanous for (const auto& property : interface.second) 203565b0dc32SEd Tanous { 203665b0dc32SEd Tanous if (property.first == "UserEnabled") 203765b0dc32SEd Tanous { 203865b0dc32SEd Tanous const bool* userEnabled = 2039abf2add6SEd Tanous std::get_if<bool>(&property.second); 204065b0dc32SEd Tanous if (userEnabled == nullptr) 204165b0dc32SEd Tanous { 2042002d39b4SEd Tanous BMCWEB_LOG_ERROR << "UserEnabled wasn't a bool"; 204384e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 204484e12cb7SAppaRao Puli return; 204565b0dc32SEd Tanous } 2046002d39b4SEd Tanous asyncResp->res.jsonValue["Enabled"] = *userEnabled; 204765b0dc32SEd Tanous } 2048002d39b4SEd Tanous else if (property.first == "UserLockedForFailedAttempt") 204965b0dc32SEd Tanous { 205065b0dc32SEd Tanous const bool* userLocked = 2051abf2add6SEd Tanous std::get_if<bool>(&property.second); 205265b0dc32SEd Tanous if (userLocked == nullptr) 205365b0dc32SEd Tanous { 205484e12cb7SAppaRao Puli BMCWEB_LOG_ERROR << "UserLockedForF" 205584e12cb7SAppaRao Puli "ailedAttempt " 205684e12cb7SAppaRao Puli "wasn't a bool"; 205784e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 205884e12cb7SAppaRao Puli return; 205965b0dc32SEd Tanous } 2060002d39b4SEd Tanous asyncResp->res.jsonValue["Locked"] = *userLocked; 2061002d39b4SEd Tanous asyncResp->res 2062002d39b4SEd Tanous .jsonValue["Locked@Redfish.AllowableValues"] = { 20633bf4e632SJoseph Reynolds "false"}; // can only unlock accounts 206465b0dc32SEd Tanous } 206584e12cb7SAppaRao Puli else if (property.first == "UserPrivilege") 206684e12cb7SAppaRao Puli { 206754fc587aSNagaraju Goruganti const std::string* userPrivPtr = 2068002d39b4SEd Tanous std::get_if<std::string>(&property.second); 206954fc587aSNagaraju Goruganti if (userPrivPtr == nullptr) 207084e12cb7SAppaRao Puli { 2071002d39b4SEd Tanous BMCWEB_LOG_ERROR << "UserPrivilege wasn't a " 207284e12cb7SAppaRao Puli "string"; 207384e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 207484e12cb7SAppaRao Puli return; 207584e12cb7SAppaRao Puli } 20761ef4c342SEd Tanous std::string role = getRoleIdFromPrivilege(*userPrivPtr); 207754fc587aSNagaraju Goruganti if (role.empty()) 207884e12cb7SAppaRao Puli { 207984e12cb7SAppaRao Puli BMCWEB_LOG_ERROR << "Invalid user role"; 208084e12cb7SAppaRao Puli messages::internalError(asyncResp->res); 208184e12cb7SAppaRao Puli return; 208284e12cb7SAppaRao Puli } 208354fc587aSNagaraju Goruganti asyncResp->res.jsonValue["RoleId"] = role; 208484e12cb7SAppaRao Puli 20851476687dSEd Tanous nlohmann::json& roleEntry = 2086002d39b4SEd Tanous asyncResp->res.jsonValue["Links"]["Role"]; 20871476687dSEd Tanous roleEntry["@odata.id"] = 2088002d39b4SEd Tanous "/redfish/v1/AccountService/Roles/" + role; 208984e12cb7SAppaRao Puli } 2090002d39b4SEd Tanous else if (property.first == "UserPasswordExpired") 20913bf4e632SJoseph Reynolds { 20923bf4e632SJoseph Reynolds const bool* userPasswordExpired = 20933bf4e632SJoseph Reynolds std::get_if<bool>(&property.second); 20943bf4e632SJoseph Reynolds if (userPasswordExpired == nullptr) 20953bf4e632SJoseph Reynolds { 20960fda0f12SGeorge Liu BMCWEB_LOG_ERROR 20970fda0f12SGeorge Liu << "UserPasswordExpired wasn't a bool"; 20983bf4e632SJoseph Reynolds messages::internalError(asyncResp->res); 20993bf4e632SJoseph Reynolds return; 21003bf4e632SJoseph Reynolds } 2101002d39b4SEd Tanous asyncResp->res.jsonValue["PasswordChangeRequired"] = 21023bf4e632SJoseph Reynolds *userPasswordExpired; 21033bf4e632SJoseph Reynolds } 2104c7229815SAbhishek Patel else if (property.first == "UserGroups") 2105c7229815SAbhishek Patel { 2106c7229815SAbhishek Patel const std::vector<std::string>* userGroups = 2107c7229815SAbhishek Patel std::get_if<std::vector<std::string>>( 2108c7229815SAbhishek Patel &property.second); 2109c7229815SAbhishek Patel if (userGroups == nullptr) 2110c7229815SAbhishek Patel { 2111c7229815SAbhishek Patel BMCWEB_LOG_ERROR 2112c7229815SAbhishek Patel << "userGroups wasn't a string vector"; 2113c7229815SAbhishek Patel messages::internalError(asyncResp->res); 2114c7229815SAbhishek Patel return; 2115c7229815SAbhishek Patel } 2116c7229815SAbhishek Patel if (!translateUserGroup(*userGroups, asyncResp->res)) 2117c7229815SAbhishek Patel { 2118c7229815SAbhishek Patel BMCWEB_LOG_ERROR << "userGroups mapping failed"; 2119c7229815SAbhishek Patel messages::internalError(asyncResp->res); 2120c7229815SAbhishek Patel return; 2121c7229815SAbhishek Patel } 2122c7229815SAbhishek Patel } 212365b0dc32SEd Tanous } 212465b0dc32SEd Tanous } 212565b0dc32SEd Tanous } 212665b0dc32SEd Tanous 2127b9b2e0b2SEd Tanous asyncResp->res.jsonValue["@odata.id"] = 212884e12cb7SAppaRao Puli "/redfish/v1/AccountService/Accounts/" + accountName; 2129b9b2e0b2SEd Tanous asyncResp->res.jsonValue["Id"] = accountName; 2130b9b2e0b2SEd Tanous asyncResp->res.jsonValue["UserName"] = accountName; 21315eb468daSGeorge Liu }); 21321ef4c342SEd Tanous } 2133a840879dSEd Tanous 21341ef4c342SEd Tanous inline void 213520fc307fSGunnar Mills handleAccountDelete(App& app, const crow::Request& req, 21366c51eab1SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 21371ef4c342SEd Tanous const std::string& username) 21381ef4c342SEd Tanous { 21393ba00073SCarson Labrado if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 214045ca1b86SEd Tanous { 214145ca1b86SEd Tanous return; 214245ca1b86SEd Tanous } 21431ef4c342SEd Tanous 21441ef4c342SEd Tanous #ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION 2145031514fbSJunLin Chen // If authentication is disabled, there are no user accounts 2146d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", username); 2147031514fbSJunLin Chen return; 2148031514fbSJunLin Chen 21491ef4c342SEd Tanous #endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION 21501ef4c342SEd Tanous sdbusplus::message::object_path tempObjPath(rootUserDbusPath); 21511ef4c342SEd Tanous tempObjPath /= username; 21521ef4c342SEd Tanous const std::string userPath(tempObjPath); 21531ef4c342SEd Tanous 21541ef4c342SEd Tanous crow::connections::systemBus->async_method_call( 21555e7e2dc5SEd Tanous [asyncResp, username](const boost::system::error_code& ec) { 21561ef4c342SEd Tanous if (ec) 21571ef4c342SEd Tanous { 2158d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", 21591ef4c342SEd Tanous username); 21601ef4c342SEd Tanous return; 21611ef4c342SEd Tanous } 21621ef4c342SEd Tanous 21631ef4c342SEd Tanous messages::accountRemoved(asyncResp->res); 21641ef4c342SEd Tanous }, 21651ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", userPath, 21661ef4c342SEd Tanous "xyz.openbmc_project.Object.Delete", "Delete"); 21671ef4c342SEd Tanous } 21681ef4c342SEd Tanous 21691ef4c342SEd Tanous inline void 21701ef4c342SEd Tanous handleAccountPatch(App& app, const crow::Request& req, 21711ef4c342SEd Tanous const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, 21721ef4c342SEd Tanous const std::string& username) 21731ef4c342SEd Tanous { 21741ef4c342SEd Tanous if (!redfish::setUpRedfishRoute(app, req, asyncResp)) 21751ef4c342SEd Tanous { 21761ef4c342SEd Tanous return; 21771ef4c342SEd Tanous } 21781ef4c342SEd Tanous #ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION 21791ef4c342SEd Tanous // If authentication is disabled, there are no user accounts 2180d8a5d5d8SJiaqing Zhao messages::resourceNotFound(asyncResp->res, "ManagerAccount", username); 21811ef4c342SEd Tanous return; 21821ef4c342SEd Tanous 21831ef4c342SEd Tanous #endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION 2184a24526dcSEd Tanous std::optional<std::string> newUserName; 2185a24526dcSEd Tanous std::optional<std::string> password; 2186a24526dcSEd Tanous std::optional<bool> enabled; 2187a24526dcSEd Tanous std::optional<std::string> roleId; 218824c8542dSRatan Gupta std::optional<bool> locked; 218958345856SAbhishek Patel std::optional<std::vector<std::string>> accountTypes; 219058345856SAbhishek Patel 219158345856SAbhishek Patel bool userSelf = (username == req.session->username); 2192e9cc5172SEd Tanous 2193031514fbSJunLin Chen if (req.session == nullptr) 2194031514fbSJunLin Chen { 2195031514fbSJunLin Chen messages::internalError(asyncResp->res); 2196031514fbSJunLin Chen return; 2197031514fbSJunLin Chen } 2198031514fbSJunLin Chen 2199e9cc5172SEd Tanous Privileges effectiveUserPrivileges = 22003e72c202SNinad Palsule redfish::getUserPrivileges(*req.session); 2201e9cc5172SEd Tanous Privileges configureUsers = {"ConfigureUsers"}; 2202e9cc5172SEd Tanous bool userHasConfigureUsers = 2203e9cc5172SEd Tanous effectiveUserPrivileges.isSupersetOf(configureUsers); 2204e9cc5172SEd Tanous if (userHasConfigureUsers) 2205e9cc5172SEd Tanous { 2206e9cc5172SEd Tanous // Users with ConfigureUsers can modify for all users 220758345856SAbhishek Patel if (!json_util::readJsonPatch( 220858345856SAbhishek Patel req, asyncResp->res, "UserName", newUserName, "Password", 220958345856SAbhishek Patel password, "RoleId", roleId, "Enabled", enabled, "Locked", 221058345856SAbhishek Patel locked, "AccountTypes", accountTypes)) 2211a840879dSEd Tanous { 2212a840879dSEd Tanous return; 2213a840879dSEd Tanous } 2214e9cc5172SEd Tanous } 2215e9cc5172SEd Tanous else 2216900f9497SJoseph Reynolds { 2217e9cc5172SEd Tanous // ConfigureSelf accounts can only modify their own account 221858345856SAbhishek Patel if (!userSelf) 2219900f9497SJoseph Reynolds { 2220900f9497SJoseph Reynolds messages::insufficientPrivilege(asyncResp->res); 2221900f9497SJoseph Reynolds return; 2222900f9497SJoseph Reynolds } 2223031514fbSJunLin Chen 2224e9cc5172SEd Tanous // ConfigureSelf accounts can only modify their password 22251ef4c342SEd Tanous if (!json_util::readJsonPatch(req, asyncResp->res, "Password", 22261ef4c342SEd Tanous password)) 2227e9cc5172SEd Tanous { 2228e9cc5172SEd Tanous return; 2229e9cc5172SEd Tanous } 2230900f9497SJoseph Reynolds } 2231900f9497SJoseph Reynolds 223266b5ca76Sjayaprakash Mutyala // if user name is not provided in the patch method or if it 22336c51eab1SEd Tanous // matches the user name in the URI, then we are treating it as 22346c51eab1SEd Tanous // updating user properties other then username. If username 22356c51eab1SEd Tanous // provided doesn't match the URI, then we are treating this as 22366c51eab1SEd Tanous // user rename request. 223766b5ca76Sjayaprakash Mutyala if (!newUserName || (newUserName.value() == username)) 2238a840879dSEd Tanous { 22391ef4c342SEd Tanous updateUserProperties(asyncResp, username, password, enabled, roleId, 224058345856SAbhishek Patel locked, accountTypes, userSelf); 224184e12cb7SAppaRao Puli return; 224284e12cb7SAppaRao Puli } 224384e12cb7SAppaRao Puli crow::connections::systemBus->async_method_call( 22446c51eab1SEd Tanous [asyncResp, username, password(std::move(password)), 22451ef4c342SEd Tanous roleId(std::move(roleId)), enabled, newUser{std::string(*newUserName)}, 224658345856SAbhishek Patel locked, userSelf, accountTypes(std::move(accountTypes))]( 2247*e81de512SEd Tanous const boost::system::error_code& ec, sdbusplus::message_t& m) { 224884e12cb7SAppaRao Puli if (ec) 224984e12cb7SAppaRao Puli { 2250002d39b4SEd Tanous userErrorMessageHandler(m.get_error(), asyncResp, newUser, 2251002d39b4SEd Tanous username); 2252a840879dSEd Tanous return; 2253a840879dSEd Tanous } 2254a840879dSEd Tanous 2255002d39b4SEd Tanous updateUserProperties(asyncResp, newUser, password, enabled, roleId, 225658345856SAbhishek Patel locked, accountTypes, userSelf); 225784e12cb7SAppaRao Puli }, 22581ef4c342SEd Tanous "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user", 225984e12cb7SAppaRao Puli "xyz.openbmc_project.User.Manager", "RenameUser", username, 226084e12cb7SAppaRao Puli *newUserName); 22611ef4c342SEd Tanous } 22621ef4c342SEd Tanous 22631ef4c342SEd Tanous inline void requestAccountServiceRoutes(App& app) 22641ef4c342SEd Tanous { 22651ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 22664c7d4d33SEd Tanous .privileges(redfish::privileges::headAccountService) 22674c7d4d33SEd Tanous .methods(boost::beast::http::verb::head)( 22684c7d4d33SEd Tanous std::bind_front(handleAccountServiceHead, std::ref(app))); 22694c7d4d33SEd Tanous 22704c7d4d33SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 22711ef4c342SEd Tanous .privileges(redfish::privileges::getAccountService) 22721ef4c342SEd Tanous .methods(boost::beast::http::verb::get)( 22731ef4c342SEd Tanous std::bind_front(handleAccountServiceGet, std::ref(app))); 22741ef4c342SEd Tanous 22751ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/") 22761ef4c342SEd Tanous .privileges(redfish::privileges::patchAccountService) 22771ef4c342SEd Tanous .methods(boost::beast::http::verb::patch)( 22781ef4c342SEd Tanous std::bind_front(handleAccountServicePatch, std::ref(app))); 22791ef4c342SEd Tanous 22801ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 22814c7d4d33SEd Tanous .privileges(redfish::privileges::headManagerAccountCollection) 22824c7d4d33SEd Tanous .methods(boost::beast::http::verb::head)( 22834c7d4d33SEd Tanous std::bind_front(handleAccountCollectionHead, std::ref(app))); 22844c7d4d33SEd Tanous 22854c7d4d33SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 22861ef4c342SEd Tanous .privileges(redfish::privileges::getManagerAccountCollection) 22871ef4c342SEd Tanous .methods(boost::beast::http::verb::get)( 22881ef4c342SEd Tanous std::bind_front(handleAccountCollectionGet, std::ref(app))); 22891ef4c342SEd Tanous 22901ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") 22911ef4c342SEd Tanous .privileges(redfish::privileges::postManagerAccountCollection) 22921ef4c342SEd Tanous .methods(boost::beast::http::verb::post)( 22931ef4c342SEd Tanous std::bind_front(handleAccountCollectionPost, std::ref(app))); 22941ef4c342SEd Tanous 22951ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 22964c7d4d33SEd Tanous .privileges(redfish::privileges::headManagerAccount) 22974c7d4d33SEd Tanous .methods(boost::beast::http::verb::head)( 22984c7d4d33SEd Tanous std::bind_front(handleAccountHead, std::ref(app))); 22994c7d4d33SEd Tanous 23004c7d4d33SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 23011ef4c342SEd Tanous .privileges(redfish::privileges::getManagerAccount) 23021ef4c342SEd Tanous .methods(boost::beast::http::verb::get)( 23031ef4c342SEd Tanous std::bind_front(handleAccountGet, std::ref(app))); 23041ef4c342SEd Tanous 23051ef4c342SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 23061ef4c342SEd Tanous // TODO this privilege should be using the generated endpoints, but 23071ef4c342SEd Tanous // because of the special handling of ConfigureSelf, it's not able to 23081ef4c342SEd Tanous // yet 23091ef4c342SEd Tanous .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}}) 23101ef4c342SEd Tanous .methods(boost::beast::http::verb::patch)( 23111ef4c342SEd Tanous std::bind_front(handleAccountPatch, std::ref(app))); 231284e12cb7SAppaRao Puli 23136c51eab1SEd Tanous BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/") 2314ed398213SEd Tanous .privileges(redfish::privileges::deleteManagerAccount) 23156c51eab1SEd Tanous .methods(boost::beast::http::verb::delete_)( 231620fc307fSGunnar Mills std::bind_front(handleAccountDelete, std::ref(app))); 231706e086d9SEd Tanous } 231888d16c9aSLewanczyk, Dawid 231988d16c9aSLewanczyk, Dawid } // namespace redfish 2320