1 /*
2 Copyright (c) 2018 Intel Corporation
3
4 Licensed under the Apache License, Version 2.0 (the "License");
5 you may not use this file except in compliance with the License.
6 You may obtain a copy of the License at
7
8 http://www.apache.org/licenses/LICENSE-2.0
9
10 Unless required by applicable law or agreed to in writing, software
11 distributed under the License is distributed on an "AS IS" BASIS,
12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 See the License for the specific language governing permissions and
14 limitations under the License.
15 */
16 #pragma once
17
18 #include "app.hpp"
19 #include "boost_formatters.hpp"
20 #include "certificate_service.hpp"
21 #include "dbus_utility.hpp"
22 #include "error_messages.hpp"
23 #include "generated/enums/account_service.hpp"
24 #include "persistent_data.hpp"
25 #include "query.hpp"
26 #include "registries/privilege_registry.hpp"
27 #include "sessions.hpp"
28 #include "utils/collection.hpp"
29 #include "utils/dbus_utils.hpp"
30 #include "utils/json_utils.hpp"
31
32 #include <boost/url/format.hpp>
33 #include <boost/url/url.hpp>
34 #include <sdbusplus/asio/property.hpp>
35 #include <sdbusplus/unpack_properties.hpp>
36
37 #include <array>
38 #include <memory>
39 #include <optional>
40 #include <ranges>
41 #include <string>
42 #include <string_view>
43 #include <utility>
44 #include <vector>
45
46 namespace redfish
47 {
48
49 constexpr const char* ldapConfigObjectName =
50 "/xyz/openbmc_project/user/ldap/openldap";
51 constexpr const char* adConfigObject =
52 "/xyz/openbmc_project/user/ldap/active_directory";
53
54 constexpr const char* rootUserDbusPath = "/xyz/openbmc_project/user/";
55 constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap";
56 constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config";
57 constexpr const char* ldapConfigInterface =
58 "xyz.openbmc_project.User.Ldap.Config";
59 constexpr const char* ldapCreateInterface =
60 "xyz.openbmc_project.User.Ldap.Create";
61 constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable";
62 constexpr const char* ldapPrivMapperInterface =
63 "xyz.openbmc_project.User.PrivilegeMapper";
64
65 struct LDAPRoleMapData
66 {
67 std::string groupName;
68 std::string privilege;
69 };
70
71 struct LDAPConfigData
72 {
73 std::string uri;
74 std::string bindDN;
75 std::string baseDN;
76 std::string searchScope;
77 std::string serverType;
78 bool serviceEnabled = false;
79 std::string userNameAttribute;
80 std::string groupAttribute;
81 std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList;
82 };
83
getRoleIdFromPrivilege(std::string_view role)84 inline std::string getRoleIdFromPrivilege(std::string_view role)
85 {
86 if (role == "priv-admin")
87 {
88 return "Administrator";
89 }
90 if (role == "priv-user")
91 {
92 return "ReadOnly";
93 }
94 if (role == "priv-operator")
95 {
96 return "Operator";
97 }
98 return "";
99 }
getPrivilegeFromRoleId(std::string_view role)100 inline std::string getPrivilegeFromRoleId(std::string_view role)
101 {
102 if (role == "Administrator")
103 {
104 return "priv-admin";
105 }
106 if (role == "ReadOnly")
107 {
108 return "priv-user";
109 }
110 if (role == "Operator")
111 {
112 return "priv-operator";
113 }
114 return "";
115 }
116
117 /**
118 * @brief Maps user group names retrieved from D-Bus object to
119 * Account Types.
120 *
121 * @param[in] userGroups List of User groups
122 * @param[out] res AccountTypes populated
123 *
124 * @return true in case of success, false if UserGroups contains
125 * invalid group name(s).
126 */
translateUserGroup(const std::vector<std::string> & userGroups,crow::Response & res)127 inline bool translateUserGroup(const std::vector<std::string>& userGroups,
128 crow::Response& res)
129 {
130 std::vector<std::string> accountTypes;
131 for (const auto& userGroup : userGroups)
132 {
133 if (userGroup == "redfish")
134 {
135 accountTypes.emplace_back("Redfish");
136 accountTypes.emplace_back("WebUI");
137 }
138 else if (userGroup == "ipmi")
139 {
140 accountTypes.emplace_back("IPMI");
141 }
142 else if (userGroup == "ssh")
143 {
144 accountTypes.emplace_back("ManagerConsole");
145 }
146 else if (userGroup == "hostconsole")
147 {
148 // The hostconsole group controls who can access the host console
149 // port via ssh and websocket.
150 accountTypes.emplace_back("HostConsole");
151 }
152 else if (userGroup == "web")
153 {
154 // 'web' is one of the valid groups in the UserGroups property of
155 // the user account in the D-Bus object. This group is currently not
156 // doing anything, and is considered to be equivalent to 'redfish'.
157 // 'redfish' user group is mapped to 'Redfish'and 'WebUI'
158 // AccountTypes, so do nothing here...
159 }
160 else
161 {
162 // Invalid user group name. Caller throws an exception.
163 return false;
164 }
165 }
166
167 res.jsonValue["AccountTypes"] = std::move(accountTypes);
168 return true;
169 }
170
171 /**
172 * @brief Builds User Groups from the Account Types
173 *
174 * @param[in] asyncResp Async Response
175 * @param[in] accountTypes List of Account Types
176 * @param[out] userGroups List of User Groups mapped from Account Types
177 *
178 * @return true if Account Types mapped to User Groups, false otherwise.
179 */
getUserGroupFromAccountType(crow::Response & res,const std::vector<std::string> & accountTypes,std::vector<std::string> & userGroups)180 inline bool getUserGroupFromAccountType(
181 crow::Response& res, const std::vector<std::string>& accountTypes,
182 std::vector<std::string>& userGroups)
183 {
184 // Need both Redfish and WebUI Account Types to map to 'redfish' User Group
185 bool redfishType = false;
186 bool webUIType = false;
187
188 for (const auto& accountType : accountTypes)
189 {
190 if (accountType == "Redfish")
191 {
192 redfishType = true;
193 }
194 else if (accountType == "WebUI")
195 {
196 webUIType = true;
197 }
198 else if (accountType == "IPMI")
199 {
200 userGroups.emplace_back("ipmi");
201 }
202 else if (accountType == "HostConsole")
203 {
204 userGroups.emplace_back("hostconsole");
205 }
206 else if (accountType == "ManagerConsole")
207 {
208 userGroups.emplace_back("ssh");
209 }
210 else
211 {
212 // Invalid Account Type
213 messages::propertyValueNotInList(res, "AccountTypes", accountType);
214 return false;
215 }
216 }
217
218 // Both Redfish and WebUI Account Types are needed to PATCH
219 if (redfishType ^ webUIType)
220 {
221 BMCWEB_LOG_ERROR(
222 "Missing Redfish or WebUI Account Type to set redfish User Group");
223 messages::strictAccountTypes(res, "AccountTypes");
224 return false;
225 }
226
227 if (redfishType && webUIType)
228 {
229 userGroups.emplace_back("redfish");
230 }
231
232 return true;
233 }
234
235 /**
236 * @brief Sets UserGroups property of the user based on the Account Types
237 *
238 * @param[in] accountTypes List of User Account Types
239 * @param[in] asyncResp Async Response
240 * @param[in] dbusObjectPath D-Bus Object Path
241 * @param[in] userSelf true if User is updating OWN Account Types
242 */
243 inline void
patchAccountTypes(const std::vector<std::string> & accountTypes,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & dbusObjectPath,bool userSelf)244 patchAccountTypes(const std::vector<std::string>& accountTypes,
245 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
246 const std::string& dbusObjectPath, bool userSelf)
247 {
248 // Check if User is disabling own Redfish Account Type
249 if (userSelf &&
250 (accountTypes.cend() ==
251 std::find(accountTypes.cbegin(), accountTypes.cend(), "Redfish")))
252 {
253 BMCWEB_LOG_ERROR(
254 "User disabling OWN Redfish Account Type is not allowed");
255 messages::strictAccountTypes(asyncResp->res, "AccountTypes");
256 return;
257 }
258
259 std::vector<std::string> updatedUserGroups;
260 if (!getUserGroupFromAccountType(asyncResp->res, accountTypes,
261 updatedUserGroups))
262 {
263 // Problem in mapping Account Types to User Groups, Error already
264 // logged.
265 return;
266 }
267 setDbusProperty(asyncResp, "AccountTypes",
268 "xyz.openbmc_project.User.Manager", dbusObjectPath,
269 "xyz.openbmc_project.User.Attributes", "UserGroups",
270 updatedUserGroups);
271 }
272
userErrorMessageHandler(const sd_bus_error * e,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & newUser,const std::string & username)273 inline void userErrorMessageHandler(
274 const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
275 const std::string& newUser, const std::string& username)
276 {
277 if (e == nullptr)
278 {
279 messages::internalError(asyncResp->res);
280 return;
281 }
282
283 const char* errorMessage = e->name;
284 if (strcmp(errorMessage,
285 "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0)
286 {
287 messages::resourceAlreadyExists(asyncResp->res, "ManagerAccount",
288 "UserName", newUser);
289 }
290 else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
291 "UserNameDoesNotExist") == 0)
292 {
293 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
294 }
295 else if ((strcmp(errorMessage,
296 "xyz.openbmc_project.Common.Error.InvalidArgument") ==
297 0) ||
298 (strcmp(
299 errorMessage,
300 "xyz.openbmc_project.User.Common.Error.UserNameGroupFail") ==
301 0))
302 {
303 messages::propertyValueFormatError(asyncResp->res, newUser, "UserName");
304 }
305 else if (strcmp(errorMessage,
306 "xyz.openbmc_project.User.Common.Error.NoResource") == 0)
307 {
308 messages::createLimitReachedForResource(asyncResp->res);
309 }
310 else
311 {
312 BMCWEB_LOG_ERROR("DBUS response error {}", errorMessage);
313 messages::internalError(asyncResp->res);
314 }
315 }
316
parseLDAPConfigData(nlohmann::json & jsonResponse,const LDAPConfigData & confData,const std::string & ldapType)317 inline void parseLDAPConfigData(nlohmann::json& jsonResponse,
318 const LDAPConfigData& confData,
319 const std::string& ldapType)
320 {
321 nlohmann::json::object_t ldap;
322 ldap["ServiceEnabled"] = confData.serviceEnabled;
323 nlohmann::json::array_t serviceAddresses;
324 serviceAddresses.emplace_back(confData.uri);
325 ldap["ServiceAddresses"] = std::move(serviceAddresses);
326
327 nlohmann::json::object_t authentication;
328 authentication["AuthenticationType"] =
329 account_service::AuthenticationTypes::UsernameAndPassword;
330 authentication["Username"] = confData.bindDN;
331 authentication["Password"] = nullptr;
332 ldap["Authentication"] = std::move(authentication);
333
334 nlohmann::json::object_t ldapService;
335 nlohmann::json::object_t searchSettings;
336 nlohmann::json::array_t baseDistinguishedNames;
337 baseDistinguishedNames.emplace_back(confData.baseDN);
338
339 searchSettings["BaseDistinguishedNames"] =
340 std::move(baseDistinguishedNames);
341 searchSettings["UsernameAttribute"] = confData.userNameAttribute;
342 searchSettings["GroupsAttribute"] = confData.groupAttribute;
343 ldapService["SearchSettings"] = std::move(searchSettings);
344 ldap["LDAPService"] = std::move(ldapService);
345
346 nlohmann::json::array_t roleMapArray;
347 for (const auto& obj : confData.groupRoleList)
348 {
349 BMCWEB_LOG_DEBUG("Pushing the data groupName={}", obj.second.groupName);
350
351 nlohmann::json::object_t remoteGroup;
352 remoteGroup["RemoteGroup"] = obj.second.groupName;
353 remoteGroup["LocalRole"] = getRoleIdFromPrivilege(obj.second.privilege);
354 roleMapArray.emplace_back(std::move(remoteGroup));
355 }
356
357 ldap["RemoteRoleMapping"] = std::move(roleMapArray);
358
359 jsonResponse[ldapType].update(ldap);
360 }
361
362 /**
363 * @brief validates given JSON input and then calls appropriate method to
364 * create, to delete or to set Rolemapping object based on the given input.
365 *
366 */
handleRoleMapPatch(const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::vector<std::pair<std::string,LDAPRoleMapData>> & roleMapObjData,const std::string & serverType,std::vector<std::variant<nlohmann::json::object_t,std::nullptr_t>> & input)367 inline void handleRoleMapPatch(
368 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
369 const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData,
370 const std::string& serverType,
371 std::vector<std::variant<nlohmann::json::object_t, std::nullptr_t>>& input)
372 {
373 for (size_t index = 0; index < input.size(); index++)
374 {
375 std::variant<nlohmann::json::object_t, std::nullptr_t>& thisJson =
376 input[index];
377 nlohmann::json::object_t* obj =
378 std::get_if<nlohmann::json::object_t>(&thisJson);
379 if (obj == nullptr)
380 {
381 // delete the existing object
382 if (index < roleMapObjData.size())
383 {
384 crow::connections::systemBus->async_method_call(
385 [asyncResp, roleMapObjData, serverType,
386 index](const boost::system::error_code& ec) {
387 if (ec)
388 {
389 BMCWEB_LOG_ERROR("DBUS response error: {}", ec);
390 messages::internalError(asyncResp->res);
391 return;
392 }
393 asyncResp->res
394 .jsonValue[serverType]["RemoteRoleMapping"][index] =
395 nullptr;
396 },
397 ldapDbusService, roleMapObjData[index].first,
398 "xyz.openbmc_project.Object.Delete", "Delete");
399 }
400 else
401 {
402 BMCWEB_LOG_ERROR("Can't delete the object");
403 messages::propertyValueTypeError(
404 asyncResp->res, "null",
405 "RemoteRoleMapping/" + std::to_string(index));
406 return;
407 }
408 }
409 else if (obj->empty())
410 {
411 // Don't do anything for the empty objects,parse next json
412 // eg {"RemoteRoleMapping",[{}]}
413 }
414 else
415 {
416 // update/create the object
417 std::optional<std::string> remoteGroup;
418 std::optional<std::string> localRole;
419
420 if (!json_util::readJsonObject( //
421 *obj, asyncResp->res, //
422 "LocalRole", localRole, //
423 "RemoteGroup", remoteGroup //
424 ))
425 {
426 continue;
427 }
428
429 // Update existing RoleMapping Object
430 if (index < roleMapObjData.size())
431 {
432 BMCWEB_LOG_DEBUG("Update Role Map Object");
433 // If "RemoteGroup" info is provided
434 if (remoteGroup)
435 {
436 setDbusProperty(
437 asyncResp,
438 std::format("RemoteRoleMapping/{}/RemoteGroup", index),
439 ldapDbusService, roleMapObjData[index].first,
440 "xyz.openbmc_project.User.PrivilegeMapperEntry",
441 "GroupName", *remoteGroup);
442 }
443
444 // If "LocalRole" info is provided
445 if (localRole)
446 {
447 std::string priv = getPrivilegeFromRoleId(*localRole);
448 if (priv.empty())
449 {
450 messages::propertyValueNotInList(
451 asyncResp->res, *localRole,
452 std::format("RemoteRoleMapping/{}/LocalRole",
453 index));
454 return;
455 }
456 setDbusProperty(
457 asyncResp,
458 std::format("RemoteRoleMapping/{}/LocalRole", index),
459 ldapDbusService, roleMapObjData[index].first,
460 "xyz.openbmc_project.User.PrivilegeMapperEntry",
461 "Privilege", priv);
462 }
463 }
464 // Create a new RoleMapping Object.
465 else
466 {
467 BMCWEB_LOG_DEBUG(
468 "setRoleMappingProperties: Creating new Object");
469 std::string pathString =
470 "RemoteRoleMapping/" + std::to_string(index);
471
472 if (!localRole)
473 {
474 messages::propertyMissing(asyncResp->res,
475 pathString + "/LocalRole");
476 continue;
477 }
478 if (!remoteGroup)
479 {
480 messages::propertyMissing(asyncResp->res,
481 pathString + "/RemoteGroup");
482 continue;
483 }
484
485 std::string dbusObjectPath;
486 if (serverType == "ActiveDirectory")
487 {
488 dbusObjectPath = adConfigObject;
489 }
490 else if (serverType == "LDAP")
491 {
492 dbusObjectPath = ldapConfigObjectName;
493 }
494
495 BMCWEB_LOG_DEBUG("Remote Group={},LocalRole={}", *remoteGroup,
496 *localRole);
497
498 crow::connections::systemBus->async_method_call(
499 [asyncResp, serverType, localRole,
500 remoteGroup](const boost::system::error_code& ec) {
501 if (ec)
502 {
503 BMCWEB_LOG_ERROR("DBUS response error: {}", ec);
504 messages::internalError(asyncResp->res);
505 return;
506 }
507 nlohmann::json& remoteRoleJson =
508 asyncResp->res
509 .jsonValue[serverType]["RemoteRoleMapping"];
510 nlohmann::json::object_t roleMapEntry;
511 roleMapEntry["LocalRole"] = *localRole;
512 roleMapEntry["RemoteGroup"] = *remoteGroup;
513 remoteRoleJson.emplace_back(std::move(roleMapEntry));
514 },
515 ldapDbusService, dbusObjectPath, ldapPrivMapperInterface,
516 "Create", *remoteGroup,
517 getPrivilegeFromRoleId(std::move(*localRole)));
518 }
519 }
520 }
521 }
522
523 /**
524 * Function that retrieves all properties for LDAP config object
525 * into JSON
526 */
527 template <typename CallbackFunc>
528 inline void
getLDAPConfigData(const std::string & ldapType,CallbackFunc && callback)529 getLDAPConfigData(const std::string& ldapType, CallbackFunc&& callback)
530 {
531 constexpr std::array<std::string_view, 2> interfaces = {
532 ldapEnableInterface, ldapConfigInterface};
533
534 dbus::utility::getDbusObject(
535 ldapConfigObjectName, interfaces,
536 [callback = std::forward<CallbackFunc>(callback),
537 ldapType](const boost::system::error_code& ec,
538 const dbus::utility::MapperGetObject& resp) mutable {
539 if (ec || resp.empty())
540 {
541 BMCWEB_LOG_WARNING(
542 "DBUS response error during getting of service name: {}",
543 ec);
544 LDAPConfigData empty{};
545 callback(false, empty, ldapType);
546 return;
547 }
548 std::string service = resp.begin()->first;
549 sdbusplus::message::object_path path(ldapRootObject);
550 dbus::utility::getManagedObjects(
551 service, path,
552 [callback, ldapType](const boost::system::error_code& ec2,
553 const dbus::utility::ManagedObjectType&
554 ldapObjects) mutable {
555 LDAPConfigData confData{};
556 if (ec2)
557 {
558 callback(false, confData, ldapType);
559 BMCWEB_LOG_WARNING("D-Bus responses error: {}", ec2);
560 return;
561 }
562
563 std::string ldapDbusType;
564 std::string searchString;
565
566 if (ldapType == "LDAP")
567 {
568 ldapDbusType =
569 "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap";
570 searchString = "openldap";
571 }
572 else if (ldapType == "ActiveDirectory")
573 {
574 ldapDbusType =
575 "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory";
576 searchString = "active_directory";
577 }
578 else
579 {
580 BMCWEB_LOG_ERROR(
581 "Can't get the DbusType for the given type={}",
582 ldapType);
583 callback(false, confData, ldapType);
584 return;
585 }
586
587 std::string ldapEnableInterfaceStr = ldapEnableInterface;
588 std::string ldapConfigInterfaceStr = ldapConfigInterface;
589
590 for (const auto& object : ldapObjects)
591 {
592 // let's find the object whose ldap type is equal to the
593 // given type
594 if (object.first.str.find(searchString) ==
595 std::string::npos)
596 {
597 continue;
598 }
599
600 for (const auto& interface : object.second)
601 {
602 if (interface.first == ldapEnableInterfaceStr)
603 {
604 // rest of the properties are string.
605 for (const auto& property : interface.second)
606 {
607 if (property.first == "Enabled")
608 {
609 const bool* value =
610 std::get_if<bool>(&property.second);
611 if (value == nullptr)
612 {
613 continue;
614 }
615 confData.serviceEnabled = *value;
616 break;
617 }
618 }
619 }
620 else if (interface.first == ldapConfigInterfaceStr)
621 {
622 for (const auto& property : interface.second)
623 {
624 const std::string* strValue =
625 std::get_if<std::string>(
626 &property.second);
627 if (strValue == nullptr)
628 {
629 continue;
630 }
631 if (property.first == "LDAPServerURI")
632 {
633 confData.uri = *strValue;
634 }
635 else if (property.first == "LDAPBindDN")
636 {
637 confData.bindDN = *strValue;
638 }
639 else if (property.first == "LDAPBaseDN")
640 {
641 confData.baseDN = *strValue;
642 }
643 else if (property.first ==
644 "LDAPSearchScope")
645 {
646 confData.searchScope = *strValue;
647 }
648 else if (property.first ==
649 "GroupNameAttribute")
650 {
651 confData.groupAttribute = *strValue;
652 }
653 else if (property.first ==
654 "UserNameAttribute")
655 {
656 confData.userNameAttribute = *strValue;
657 }
658 else if (property.first == "LDAPType")
659 {
660 confData.serverType = *strValue;
661 }
662 }
663 }
664 else if (
665 interface.first ==
666 "xyz.openbmc_project.User.PrivilegeMapperEntry")
667 {
668 LDAPRoleMapData roleMapData{};
669 for (const auto& property : interface.second)
670 {
671 const std::string* strValue =
672 std::get_if<std::string>(
673 &property.second);
674
675 if (strValue == nullptr)
676 {
677 continue;
678 }
679
680 if (property.first == "GroupName")
681 {
682 roleMapData.groupName = *strValue;
683 }
684 else if (property.first == "Privilege")
685 {
686 roleMapData.privilege = *strValue;
687 }
688 }
689
690 confData.groupRoleList.emplace_back(
691 object.first.str, roleMapData);
692 }
693 }
694 }
695 callback(true, confData, ldapType);
696 });
697 });
698 }
699
700 /**
701 * @brief updates the LDAP server address and updates the
702 json response with the new value.
703 * @param serviceAddressList address to be updated.
704 * @param asyncResp pointer to the JSON response
705 * @param ldapServerElementName Type of LDAP
706 server(openLDAP/ActiveDirectory)
707 */
708
handleServiceAddressPatch(const std::vector<std::string> & serviceAddressList,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & ldapServerElementName,const std::string & ldapConfigObject)709 inline void handleServiceAddressPatch(
710 const std::vector<std::string>& serviceAddressList,
711 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
712 const std::string& ldapServerElementName,
713 const std::string& ldapConfigObject)
714 {
715 setDbusProperty(asyncResp, ldapServerElementName + "/ServiceAddress",
716 ldapDbusService, ldapConfigObject, ldapConfigInterface,
717 "LDAPServerURI", serviceAddressList.front());
718 }
719 /**
720 * @brief updates the LDAP Bind DN and updates the
721 json response with the new value.
722 * @param username name of the user which needs to be updated.
723 * @param asyncResp pointer to the JSON response
724 * @param ldapServerElementName Type of LDAP
725 server(openLDAP/ActiveDirectory)
726 */
727
728 inline void
handleUserNamePatch(const std::string & username,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & ldapServerElementName,const std::string & ldapConfigObject)729 handleUserNamePatch(const std::string& username,
730 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
731 const std::string& ldapServerElementName,
732 const std::string& ldapConfigObject)
733 {
734 setDbusProperty(asyncResp,
735 ldapServerElementName + "/Authentication/Username",
736 ldapDbusService, ldapConfigObject, ldapConfigInterface,
737 "LDAPBindDN", username);
738 }
739
740 /**
741 * @brief updates the LDAP password
742 * @param password : ldap password which needs to be updated.
743 * @param asyncResp pointer to the JSON response
744 * @param ldapServerElementName Type of LDAP
745 * server(openLDAP/ActiveDirectory)
746 */
747
748 inline void
handlePasswordPatch(const std::string & password,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & ldapServerElementName,const std::string & ldapConfigObject)749 handlePasswordPatch(const std::string& password,
750 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
751 const std::string& ldapServerElementName,
752 const std::string& ldapConfigObject)
753 {
754 setDbusProperty(asyncResp,
755 ldapServerElementName + "/Authentication/Password",
756 ldapDbusService, ldapConfigObject, ldapConfigInterface,
757 "LDAPBindDNPassword", password);
758 }
759
760 /**
761 * @brief updates the LDAP BaseDN and updates the
762 json response with the new value.
763 * @param baseDNList baseDN list which needs to be updated.
764 * @param asyncResp pointer to the JSON response
765 * @param ldapServerElementName Type of LDAP
766 server(openLDAP/ActiveDirectory)
767 */
768
769 inline void
handleBaseDNPatch(const std::vector<std::string> & baseDNList,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & ldapServerElementName,const std::string & ldapConfigObject)770 handleBaseDNPatch(const std::vector<std::string>& baseDNList,
771 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
772 const std::string& ldapServerElementName,
773 const std::string& ldapConfigObject)
774 {
775 setDbusProperty(asyncResp,
776 ldapServerElementName +
777 "/LDAPService/SearchSettings/BaseDistinguishedNames",
778 ldapDbusService, ldapConfigObject, ldapConfigInterface,
779 "LDAPBaseDN", baseDNList.front());
780 }
781 /**
782 * @brief updates the LDAP user name attribute and updates the
783 json response with the new value.
784 * @param userNameAttribute attribute to be updated.
785 * @param asyncResp pointer to the JSON response
786 * @param ldapServerElementName Type of LDAP
787 server(openLDAP/ActiveDirectory)
788 */
789
handleUserNameAttrPatch(const std::string & userNameAttribute,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & ldapServerElementName,const std::string & ldapConfigObject)790 inline void handleUserNameAttrPatch(
791 const std::string& userNameAttribute,
792 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
793 const std::string& ldapServerElementName,
794 const std::string& ldapConfigObject)
795 {
796 setDbusProperty(
797 asyncResp,
798 ldapServerElementName + "LDAPService/SearchSettings/UsernameAttribute",
799 ldapDbusService, ldapConfigObject, ldapConfigInterface,
800 "UserNameAttribute", userNameAttribute);
801 }
802 /**
803 * @brief updates the LDAP group attribute and updates the
804 json response with the new value.
805 * @param groupsAttribute attribute to be updated.
806 * @param asyncResp pointer to the JSON response
807 * @param ldapServerElementName Type of LDAP
808 server(openLDAP/ActiveDirectory)
809 */
810
handleGroupNameAttrPatch(const std::string & groupsAttribute,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & ldapServerElementName,const std::string & ldapConfigObject)811 inline void handleGroupNameAttrPatch(
812 const std::string& groupsAttribute,
813 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
814 const std::string& ldapServerElementName,
815 const std::string& ldapConfigObject)
816 {
817 setDbusProperty(
818 asyncResp,
819 ldapServerElementName + "/LDAPService/SearchSettings/GroupsAttribute",
820 ldapDbusService, ldapConfigObject, ldapConfigInterface,
821 "GroupNameAttribute", groupsAttribute);
822 }
823 /**
824 * @brief updates the LDAP service enable and updates the
825 json response with the new value.
826 * @param input JSON data.
827 * @param asyncResp pointer to the JSON response
828 * @param ldapServerElementName Type of LDAP
829 server(openLDAP/ActiveDirectory)
830 */
831
handleServiceEnablePatch(bool serviceEnabled,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & ldapServerElementName,const std::string & ldapConfigObject)832 inline void handleServiceEnablePatch(
833 bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
834 const std::string& ldapServerElementName,
835 const std::string& ldapConfigObject)
836 {
837 setDbusProperty(asyncResp, ldapServerElementName + "/ServiceEnabled",
838 ldapDbusService, ldapConfigObject, ldapEnableInterface,
839 "Enabled", serviceEnabled);
840 }
841
842 struct AuthMethods
843 {
844 std::optional<bool> basicAuth;
845 std::optional<bool> cookie;
846 std::optional<bool> sessionToken;
847 std::optional<bool> xToken;
848 std::optional<bool> tls;
849 };
850
851 inline void
handleAuthMethodsPatch(const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const AuthMethods & auth)852 handleAuthMethodsPatch(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
853 const AuthMethods& auth)
854 {
855 persistent_data::AuthConfigMethods& authMethodsConfig =
856 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
857
858 if (auth.basicAuth)
859 {
860 if constexpr (!BMCWEB_BASIC_AUTH)
861 {
862 messages::actionNotSupported(
863 asyncResp->res,
864 "Setting BasicAuth when basic-auth feature is disabled");
865 return;
866 }
867
868 authMethodsConfig.basic = *auth.basicAuth;
869 }
870
871 if (auth.cookie)
872 {
873 if constexpr (!BMCWEB_COOKIE_AUTH)
874 {
875 messages::actionNotSupported(
876 asyncResp->res,
877 "Setting Cookie when cookie-auth feature is disabled");
878 return;
879 }
880 authMethodsConfig.cookie = *auth.cookie;
881 }
882
883 if (auth.sessionToken)
884 {
885 if constexpr (!BMCWEB_SESSION_AUTH)
886 {
887 messages::actionNotSupported(
888 asyncResp->res,
889 "Setting SessionToken when session-auth feature is disabled");
890 return;
891 }
892 authMethodsConfig.sessionToken = *auth.sessionToken;
893 }
894
895 if (auth.xToken)
896 {
897 if constexpr (!BMCWEB_XTOKEN_AUTH)
898 {
899 messages::actionNotSupported(
900 asyncResp->res,
901 "Setting XToken when xtoken-auth feature is disabled");
902 return;
903 }
904 authMethodsConfig.xtoken = *auth.xToken;
905 }
906
907 if (auth.tls)
908 {
909 if constexpr (!BMCWEB_MUTUAL_TLS_AUTH)
910 {
911 messages::actionNotSupported(
912 asyncResp->res,
913 "Setting TLS when mutual-tls-auth feature is disabled");
914 return;
915 }
916 authMethodsConfig.tls = *auth.tls;
917 }
918
919 if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
920 !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
921 !authMethodsConfig.tls)
922 {
923 // Do not allow user to disable everything
924 messages::actionNotSupported(asyncResp->res,
925 "of disabling all available methods");
926 return;
927 }
928
929 persistent_data::SessionStore::getInstance().updateAuthMethodsConfig(
930 authMethodsConfig);
931 // Save configuration immediately
932 persistent_data::getConfig().writeData();
933
934 messages::success(asyncResp->res);
935 }
936
937 /**
938 * @brief Get the required values from the given JSON, validates the
939 * value and create the LDAP config object.
940 * @param input JSON data
941 * @param asyncResp pointer to the JSON response
942 * @param serverType Type of LDAP server(openLDAP/ActiveDirectory)
943 */
944
945 struct LdapPatchParams
946 {
947 std::optional<std::string> authType;
948 std::optional<std::vector<std::string>> serviceAddressList;
949 std::optional<bool> serviceEnabled;
950 std::optional<std::vector<std::string>> baseDNList;
951 std::optional<std::string> userNameAttribute;
952 std::optional<std::string> groupsAttribute;
953 std::optional<std::string> userName;
954 std::optional<std::string> password;
955 std::optional<
956 std::vector<std::variant<nlohmann::json::object_t, std::nullptr_t>>>
957 remoteRoleMapData;
958 };
959
handleLDAPPatch(LdapPatchParams && input,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & serverType)960 inline void handleLDAPPatch(LdapPatchParams&& input,
961 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
962 const std::string& serverType)
963 {
964 std::string dbusObjectPath;
965 if (serverType == "ActiveDirectory")
966 {
967 dbusObjectPath = adConfigObject;
968 }
969 else if (serverType == "LDAP")
970 {
971 dbusObjectPath = ldapConfigObjectName;
972 }
973 else
974 {
975 BMCWEB_LOG_ERROR("serverType wasn't AD or LDAP but was {}????",
976 serverType);
977 return;
978 }
979
980 if (input.authType && *input.authType != "UsernameAndPassword")
981 {
982 messages::propertyValueNotInList(asyncResp->res, *input.authType,
983 "AuthenticationType");
984 return;
985 }
986
987 if (input.serviceAddressList)
988 {
989 if (input.serviceAddressList->empty())
990 {
991 messages::propertyValueNotInList(
992 asyncResp->res, *input.serviceAddressList, "ServiceAddress");
993 return;
994 }
995 }
996 if (input.baseDNList)
997 {
998 if (input.baseDNList->empty())
999 {
1000 messages::propertyValueNotInList(asyncResp->res, *input.baseDNList,
1001 "BaseDistinguishedNames");
1002 return;
1003 }
1004 }
1005
1006 // nothing to update, then return
1007 if (!input.userName && !input.password && !input.serviceAddressList &&
1008 !input.baseDNList && !input.userNameAttribute &&
1009 !input.groupsAttribute && !input.serviceEnabled &&
1010 !input.remoteRoleMapData)
1011 {
1012 return;
1013 }
1014
1015 // Get the existing resource first then keep modifying
1016 // whenever any property gets updated.
1017 getLDAPConfigData(serverType, [asyncResp, input = std::move(input),
1018 dbusObjectPath = std::move(dbusObjectPath)](
1019 bool success,
1020 const LDAPConfigData& confData,
1021 const std::string& serverT) mutable {
1022 if (!success)
1023 {
1024 messages::internalError(asyncResp->res);
1025 return;
1026 }
1027 parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT);
1028 if (confData.serviceEnabled)
1029 {
1030 // Disable the service first and update the rest of
1031 // the properties.
1032 handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath);
1033 }
1034
1035 if (input.serviceAddressList)
1036 {
1037 handleServiceAddressPatch(*input.serviceAddressList, asyncResp,
1038 serverT, dbusObjectPath);
1039 }
1040 if (input.userName)
1041 {
1042 handleUserNamePatch(*input.userName, asyncResp, serverT,
1043 dbusObjectPath);
1044 }
1045 if (input.password)
1046 {
1047 handlePasswordPatch(*input.password, asyncResp, serverT,
1048 dbusObjectPath);
1049 }
1050
1051 if (input.baseDNList)
1052 {
1053 handleBaseDNPatch(*input.baseDNList, asyncResp, serverT,
1054 dbusObjectPath);
1055 }
1056 if (input.userNameAttribute)
1057 {
1058 handleUserNameAttrPatch(*input.userNameAttribute, asyncResp,
1059 serverT, dbusObjectPath);
1060 }
1061 if (input.groupsAttribute)
1062 {
1063 handleGroupNameAttrPatch(*input.groupsAttribute, asyncResp, serverT,
1064 dbusObjectPath);
1065 }
1066 if (input.serviceEnabled)
1067 {
1068 // if user has given the value as true then enable
1069 // the service. if user has given false then no-op
1070 // as service is already stopped.
1071 if (*input.serviceEnabled)
1072 {
1073 handleServiceEnablePatch(*input.serviceEnabled, asyncResp,
1074 serverT, dbusObjectPath);
1075 }
1076 }
1077 else
1078 {
1079 // if user has not given the service enabled value
1080 // then revert it to the same state as it was
1081 // before.
1082 handleServiceEnablePatch(confData.serviceEnabled, asyncResp,
1083 serverT, dbusObjectPath);
1084 }
1085
1086 if (input.remoteRoleMapData)
1087 {
1088 handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT,
1089 *input.remoteRoleMapData);
1090 }
1091 });
1092 }
1093
updateUserProperties(std::shared_ptr<bmcweb::AsyncResp> asyncResp,const std::string & username,const std::optional<std::string> & password,const std::optional<bool> & enabled,const std::optional<std::string> & roleId,const std::optional<bool> & locked,std::optional<std::vector<std::string>> accountTypes,bool userSelf,const std::shared_ptr<persistent_data::UserSession> & session)1094 inline void updateUserProperties(
1095 std::shared_ptr<bmcweb::AsyncResp> asyncResp, const std::string& username,
1096 const std::optional<std::string>& password,
1097 const std::optional<bool>& enabled,
1098 const std::optional<std::string>& roleId, const std::optional<bool>& locked,
1099 std::optional<std::vector<std::string>> accountTypes, bool userSelf,
1100 const std::shared_ptr<persistent_data::UserSession>& session)
1101 {
1102 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1103 tempObjPath /= username;
1104 std::string dbusObjectPath(tempObjPath);
1105
1106 dbus::utility::checkDbusPathExists(
1107 dbusObjectPath,
1108 [dbusObjectPath, username, password, roleId, enabled, locked,
1109 accountTypes(std::move(accountTypes)), userSelf, session,
1110 asyncResp{std::move(asyncResp)}](int rc) {
1111 if (rc <= 0)
1112 {
1113 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1114 username);
1115 return;
1116 }
1117
1118 if (password)
1119 {
1120 int retval = pamUpdatePassword(username, *password);
1121
1122 if (retval == PAM_USER_UNKNOWN)
1123 {
1124 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1125 username);
1126 }
1127 else if (retval == PAM_AUTHTOK_ERR)
1128 {
1129 // If password is invalid
1130 messages::propertyValueFormatError(asyncResp->res, nullptr,
1131 "Password");
1132 BMCWEB_LOG_ERROR("pamUpdatePassword Failed");
1133 }
1134 else if (retval != PAM_SUCCESS)
1135 {
1136 messages::internalError(asyncResp->res);
1137 return;
1138 }
1139 else
1140 {
1141 // Remove existing sessions of the user when password
1142 // changed
1143 persistent_data::SessionStore::getInstance()
1144 .removeSessionsByUsernameExceptSession(username,
1145 session);
1146 messages::success(asyncResp->res);
1147 }
1148 }
1149
1150 if (enabled)
1151 {
1152 setDbusProperty(
1153 asyncResp, "Enabled", "xyz.openbmc_project.User.Manager",
1154 dbusObjectPath, "xyz.openbmc_project.User.Attributes",
1155 "UserEnabled", *enabled);
1156 }
1157
1158 if (roleId)
1159 {
1160 std::string priv = getPrivilegeFromRoleId(*roleId);
1161 if (priv.empty())
1162 {
1163 messages::propertyValueNotInList(asyncResp->res, true,
1164 "Locked");
1165 return;
1166 }
1167 setDbusProperty(
1168 asyncResp, "RoleId", "xyz.openbmc_project.User.Manager",
1169 dbusObjectPath, "xyz.openbmc_project.User.Attributes",
1170 "UserPrivilege", priv);
1171 }
1172
1173 if (locked)
1174 {
1175 // admin can unlock the account which is locked by
1176 // successive authentication failures but admin should
1177 // not be allowed to lock an account.
1178 if (*locked)
1179 {
1180 messages::propertyValueNotInList(asyncResp->res, "true",
1181 "Locked");
1182 return;
1183 }
1184 setDbusProperty(
1185 asyncResp, "Locked", "xyz.openbmc_project.User.Manager",
1186 dbusObjectPath, "xyz.openbmc_project.User.Attributes",
1187 "UserLockedForFailedAttempt", *locked);
1188 }
1189
1190 if (accountTypes)
1191 {
1192 patchAccountTypes(*accountTypes, asyncResp, dbusObjectPath,
1193 userSelf);
1194 }
1195 });
1196 }
1197
handleAccountServiceHead(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp)1198 inline void handleAccountServiceHead(
1199 App& app, const crow::Request& req,
1200 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1201 {
1202 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1203 {
1204 return;
1205 }
1206 asyncResp->res.addHeader(
1207 boost::beast::http::field::link,
1208 "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby");
1209 }
1210
1211 inline void
getClientCertificates(const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const nlohmann::json::json_pointer & keyLocation)1212 getClientCertificates(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1213 const nlohmann::json::json_pointer& keyLocation)
1214 {
1215 boost::urls::url url(
1216 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates");
1217 std::array<std::string_view, 1> interfaces = {
1218 "xyz.openbmc_project.Certs.Certificate"};
1219 std::string path = "/xyz/openbmc_project/certs/authority/truststore";
1220
1221 collection_util::getCollectionToKey(asyncResp, url, interfaces, path,
1222 keyLocation);
1223 }
1224
handleAccountServiceClientCertificatesInstanceHead(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string &)1225 inline void handleAccountServiceClientCertificatesInstanceHead(
1226 App& app, const crow::Request& req,
1227 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1228 const std::string& /*id*/)
1229 {
1230 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1231 {
1232 return;
1233 }
1234
1235 asyncResp->res.addHeader(
1236 boost::beast::http::field::link,
1237 "</redfish/v1/JsonSchemas/Certificate/Certificate.json>; rel=describedby");
1238 }
1239
handleAccountServiceClientCertificatesInstanceGet(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & id)1240 inline void handleAccountServiceClientCertificatesInstanceGet(
1241 App& app, const crow::Request& req,
1242 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp, const std::string& id)
1243 {
1244 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1245 {
1246 return;
1247 }
1248 BMCWEB_LOG_DEBUG("ClientCertificate Certificate ID={}", id);
1249 const boost::urls::url certURL = boost::urls::format(
1250 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/{}",
1251 id);
1252 std::string objPath =
1253 sdbusplus::message::object_path(certs::authorityObjectPath) / id;
1254 getCertificateProperties(
1255 asyncResp, objPath,
1256 "xyz.openbmc_project.Certs.Manager.Authority.Truststore", id, certURL,
1257 "Client Certificate");
1258 }
1259
handleAccountServiceClientCertificatesHead(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp)1260 inline void handleAccountServiceClientCertificatesHead(
1261 App& app, const crow::Request& req,
1262 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1263 {
1264 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1265 {
1266 return;
1267 }
1268
1269 asyncResp->res.addHeader(
1270 boost::beast::http::field::link,
1271 "</redfish/v1/JsonSchemas/CertificateCollection/CertificateCollection.json>; rel=describedby");
1272 }
1273
handleAccountServiceClientCertificatesGet(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp)1274 inline void handleAccountServiceClientCertificatesGet(
1275 App& app, const crow::Request& req,
1276 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1277 {
1278 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1279 {
1280 return;
1281 }
1282 getClientCertificates(asyncResp, "/Members"_json_pointer);
1283 }
1284
1285 using account_service::CertificateMappingAttribute;
1286 using persistent_data::MTLSCommonNameParseMode;
1287 inline CertificateMappingAttribute
getCertificateMapping(MTLSCommonNameParseMode parse)1288 getCertificateMapping(MTLSCommonNameParseMode parse)
1289 {
1290 switch (parse)
1291 {
1292 case MTLSCommonNameParseMode::CommonName:
1293 {
1294 return CertificateMappingAttribute::CommonName;
1295 }
1296 break;
1297 case MTLSCommonNameParseMode::Whole:
1298 {
1299 return CertificateMappingAttribute::Whole;
1300 }
1301 break;
1302 case MTLSCommonNameParseMode::UserPrincipalName:
1303 {
1304 return CertificateMappingAttribute::UserPrincipalName;
1305 }
1306 break;
1307
1308 case MTLSCommonNameParseMode::Meta:
1309 {
1310 if constexpr (BMCWEB_META_TLS_COMMON_NAME_PARSING)
1311 {
1312 return CertificateMappingAttribute::CommonName;
1313 }
1314 }
1315 break;
1316 default:
1317 {
1318 return CertificateMappingAttribute::Invalid;
1319 }
1320 break;
1321 }
1322 }
1323
1324 inline void
handleAccountServiceGet(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp)1325 handleAccountServiceGet(App& app, const crow::Request& req,
1326 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1327 {
1328 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1329 {
1330 return;
1331 }
1332
1333 if (req.session == nullptr)
1334 {
1335 messages::internalError(asyncResp->res);
1336 return;
1337 }
1338
1339 const persistent_data::AuthConfigMethods& authMethodsConfig =
1340 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
1341
1342 asyncResp->res.addHeader(
1343 boost::beast::http::field::link,
1344 "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby");
1345
1346 nlohmann::json& json = asyncResp->res.jsonValue;
1347 json["@odata.id"] = "/redfish/v1/AccountService";
1348 json["@odata.type"] = "#AccountService.v1_15_0.AccountService";
1349 json["Id"] = "AccountService";
1350 json["Name"] = "Account Service";
1351 json["Description"] = "Account Service";
1352 json["ServiceEnabled"] = true;
1353 json["MaxPasswordLength"] = 20;
1354 json["Accounts"]["@odata.id"] = "/redfish/v1/AccountService/Accounts";
1355 json["Roles"]["@odata.id"] = "/redfish/v1/AccountService/Roles";
1356 json["HTTPBasicAuth"] = authMethodsConfig.basic
1357 ? account_service::BasicAuthState::Enabled
1358 : account_service::BasicAuthState::Disabled;
1359
1360 nlohmann::json::array_t allowed;
1361 allowed.emplace_back(account_service::BasicAuthState::Enabled);
1362 allowed.emplace_back(account_service::BasicAuthState::Disabled);
1363 json["HTTPBasicAuth@AllowableValues"] = std::move(allowed);
1364
1365 nlohmann::json::object_t clientCertificate;
1366 clientCertificate["Enabled"] = authMethodsConfig.tls;
1367 clientCertificate["RespondToUnauthenticatedClients"] =
1368 !authMethodsConfig.tlsStrict;
1369
1370 using account_service::CertificateMappingAttribute;
1371
1372 CertificateMappingAttribute mapping =
1373 getCertificateMapping(authMethodsConfig.mTLSCommonNameParsingMode);
1374 if (mapping == CertificateMappingAttribute::Invalid)
1375 {
1376 messages::internalError(asyncResp->res);
1377 }
1378 else
1379 {
1380 clientCertificate["CertificateMappingAttribute"] = mapping;
1381 }
1382 nlohmann::json::object_t certificates;
1383 certificates["@odata.id"] =
1384 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates";
1385 certificates["@odata.type"] =
1386 "#CertificateCollection.CertificateCollection";
1387 clientCertificate["Certificates"] = std::move(certificates);
1388 json["MultiFactorAuth"]["ClientCertificate"] = std::move(clientCertificate);
1389
1390 getClientCertificates(
1391 asyncResp,
1392 "/MultiFactorAuth/ClientCertificate/Certificates/Members"_json_pointer);
1393
1394 json["Oem"]["OpenBMC"]["@odata.type"] =
1395 "#OpenBMCAccountService.v1_0_0.AccountService";
1396 json["Oem"]["OpenBMC"]["@odata.id"] =
1397 "/redfish/v1/AccountService#/Oem/OpenBMC";
1398 json["Oem"]["OpenBMC"]["AuthMethods"]["BasicAuth"] =
1399 authMethodsConfig.basic;
1400 json["Oem"]["OpenBMC"]["AuthMethods"]["SessionToken"] =
1401 authMethodsConfig.sessionToken;
1402 json["Oem"]["OpenBMC"]["AuthMethods"]["XToken"] = authMethodsConfig.xtoken;
1403 json["Oem"]["OpenBMC"]["AuthMethods"]["Cookie"] = authMethodsConfig.cookie;
1404 json["Oem"]["OpenBMC"]["AuthMethods"]["TLS"] = authMethodsConfig.tls;
1405
1406 // /redfish/v1/AccountService/LDAP/Certificates is something only
1407 // ConfigureManager can access then only display when the user has
1408 // permissions ConfigureManager
1409 Privileges effectiveUserPrivileges =
1410 redfish::getUserPrivileges(*req.session);
1411
1412 if (isOperationAllowedWithPrivileges({{"ConfigureManager"}},
1413 effectiveUserPrivileges))
1414 {
1415 asyncResp->res.jsonValue["LDAP"]["Certificates"]["@odata.id"] =
1416 "/redfish/v1/AccountService/LDAP/Certificates";
1417 }
1418 dbus::utility::getAllProperties(
1419 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1420 "xyz.openbmc_project.User.AccountPolicy",
1421 [asyncResp](const boost::system::error_code& ec,
1422 const dbus::utility::DBusPropertiesMap& propertiesList) {
1423 if (ec)
1424 {
1425 messages::internalError(asyncResp->res);
1426 return;
1427 }
1428
1429 BMCWEB_LOG_DEBUG("Got {} properties for AccountService",
1430 propertiesList.size());
1431
1432 const uint8_t* minPasswordLength = nullptr;
1433 const uint32_t* accountUnlockTimeout = nullptr;
1434 const uint16_t* maxLoginAttemptBeforeLockout = nullptr;
1435
1436 const bool success = sdbusplus::unpackPropertiesNoThrow(
1437 dbus_utils::UnpackErrorPrinter(), propertiesList,
1438 "MinPasswordLength", minPasswordLength, "AccountUnlockTimeout",
1439 accountUnlockTimeout, "MaxLoginAttemptBeforeLockout",
1440 maxLoginAttemptBeforeLockout);
1441
1442 if (!success)
1443 {
1444 messages::internalError(asyncResp->res);
1445 return;
1446 }
1447
1448 if (minPasswordLength != nullptr)
1449 {
1450 asyncResp->res.jsonValue["MinPasswordLength"] =
1451 *minPasswordLength;
1452 }
1453
1454 if (accountUnlockTimeout != nullptr)
1455 {
1456 asyncResp->res.jsonValue["AccountLockoutDuration"] =
1457 *accountUnlockTimeout;
1458 }
1459
1460 if (maxLoginAttemptBeforeLockout != nullptr)
1461 {
1462 asyncResp->res.jsonValue["AccountLockoutThreshold"] =
1463 *maxLoginAttemptBeforeLockout;
1464 }
1465 });
1466
1467 auto callback = [asyncResp](bool success, const LDAPConfigData& confData,
1468 const std::string& ldapType) {
1469 if (!success)
1470 {
1471 return;
1472 }
1473 parseLDAPConfigData(asyncResp->res.jsonValue, confData, ldapType);
1474 };
1475
1476 getLDAPConfigData("LDAP", callback);
1477 getLDAPConfigData("ActiveDirectory", callback);
1478 }
1479
handleCertificateMappingAttributePatch(crow::Response & res,const std::string & certMapAttribute)1480 inline void handleCertificateMappingAttributePatch(
1481 crow::Response& res, const std::string& certMapAttribute)
1482 {
1483 MTLSCommonNameParseMode parseMode =
1484 persistent_data::getMTLSCommonNameParseMode(certMapAttribute);
1485 if (parseMode == MTLSCommonNameParseMode::Invalid)
1486 {
1487 messages::propertyValueNotInList(res, "CertificateMappingAttribute",
1488 certMapAttribute);
1489 return;
1490 }
1491
1492 persistent_data::AuthConfigMethods& authMethodsConfig =
1493 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
1494 authMethodsConfig.mTLSCommonNameParsingMode = parseMode;
1495 }
1496
handleRespondToUnauthenticatedClientsPatch(App & app,const crow::Request & req,crow::Response & res,bool respondToUnauthenticatedClients)1497 inline void handleRespondToUnauthenticatedClientsPatch(
1498 App& app, const crow::Request& req, crow::Response& res,
1499 bool respondToUnauthenticatedClients)
1500 {
1501 if (req.session != nullptr)
1502 {
1503 // Sanity check. If the user isn't currently authenticated with mutual
1504 // TLS, they very likely are about to permanently lock themselves out.
1505 // Make sure they're using mutual TLS before allowing locking.
1506 if (req.session->sessionType != persistent_data::SessionType::MutualTLS)
1507 {
1508 messages::propertyValueExternalConflict(
1509 res,
1510 "MultiFactorAuth/ClientCertificate/RespondToUnauthenticatedClients",
1511 respondToUnauthenticatedClients);
1512 return;
1513 }
1514 }
1515
1516 persistent_data::AuthConfigMethods& authMethodsConfig =
1517 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
1518
1519 // Change the settings
1520 authMethodsConfig.tlsStrict = !respondToUnauthenticatedClients;
1521
1522 // Write settings to disk
1523 persistent_data::getConfig().writeData();
1524
1525 // Trigger a reload, to apply the new settings to new connections
1526 app.loadCertificate();
1527 }
1528
handleAccountServicePatch(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp)1529 inline void handleAccountServicePatch(
1530 App& app, const crow::Request& req,
1531 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1532 {
1533 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1534 {
1535 return;
1536 }
1537 std::optional<uint32_t> unlockTimeout;
1538 std::optional<uint16_t> lockoutThreshold;
1539 std::optional<uint8_t> minPasswordLength;
1540 std::optional<uint16_t> maxPasswordLength;
1541 LdapPatchParams ldapObject;
1542 std::optional<std::string> certificateMappingAttribute;
1543 std::optional<bool> respondToUnauthenticatedClients;
1544 LdapPatchParams activeDirectoryObject;
1545 AuthMethods auth;
1546 std::optional<std::string> httpBasicAuth;
1547
1548 if (!json_util::readJsonPatch( //
1549 req, asyncResp->res, //
1550 "AccountLockoutDuration", unlockTimeout, //
1551 "AccountLockoutThreshold", lockoutThreshold, //
1552 "ActiveDirectory/Authentication/AuthenticationType",
1553 activeDirectoryObject.authType, //
1554 "ActiveDirectory/Authentication/Password",
1555 activeDirectoryObject.password, //
1556 "ActiveDirectory/Authentication/Username",
1557 activeDirectoryObject.userName, //
1558 "ActiveDirectory/LDAPService/SearchSettings/BaseDistinguishedNames",
1559 activeDirectoryObject.baseDNList, //
1560 "ActiveDirectory/LDAPService/SearchSettings/GroupsAttribute",
1561 activeDirectoryObject.groupsAttribute, //
1562 "ActiveDirectory/LDAPService/SearchSettings/UsernameAttribute",
1563 activeDirectoryObject.userNameAttribute, //
1564 "ActiveDirectory/RemoteRoleMapping",
1565 activeDirectoryObject.remoteRoleMapData, //
1566 "ActiveDirectory/ServiceAddresses",
1567 activeDirectoryObject.serviceAddressList, //
1568 "ActiveDirectory/ServiceEnabled",
1569 activeDirectoryObject.serviceEnabled, //
1570 "HTTPBasicAuth", httpBasicAuth, //
1571 "LDAP/Authentication/AuthenticationType", ldapObject.authType, //
1572 "LDAP/Authentication/Password", ldapObject.password, //
1573 "LDAP/Authentication/Username", ldapObject.userName, //
1574 "LDAP/LDAPService/SearchSettings/BaseDistinguishedNames",
1575 ldapObject.baseDNList, //
1576 "LDAP/LDAPService/SearchSettings/GroupsAttribute",
1577 ldapObject.groupsAttribute, //
1578 "LDAP/LDAPService/SearchSettings/UsernameAttribute",
1579 ldapObject.userNameAttribute, //
1580 "LDAP/RemoteRoleMapping", ldapObject.remoteRoleMapData, //
1581 "LDAP/ServiceAddresses", ldapObject.serviceAddressList, //
1582 "LDAP/ServiceEnabled", ldapObject.serviceEnabled, //
1583 "MaxPasswordLength", maxPasswordLength, //
1584 "MinPasswordLength", minPasswordLength, //
1585 "MultiFactorAuth/ClientCertificate/CertificateMappingAttribute",
1586 certificateMappingAttribute, //
1587 "MultiFactorAuth/ClientCertificate/RespondToUnauthenticatedClients",
1588 respondToUnauthenticatedClients, //
1589 "Oem/OpenBMC/AuthMethods/BasicAuth", auth.basicAuth, //
1590 "Oem/OpenBMC/AuthMethods/Cookie", auth.cookie, //
1591 "Oem/OpenBMC/AuthMethods/SessionToken", auth.sessionToken, //
1592 "Oem/OpenBMC/AuthMethods/TLS", auth.tls, //
1593 "Oem/OpenBMC/AuthMethods/XToken", auth.xToken //
1594 ))
1595 {
1596 return;
1597 }
1598
1599 if (httpBasicAuth)
1600 {
1601 if (*httpBasicAuth == "Enabled")
1602 {
1603 auth.basicAuth = true;
1604 }
1605 else if (*httpBasicAuth == "Disabled")
1606 {
1607 auth.basicAuth = false;
1608 }
1609 else
1610 {
1611 messages::propertyValueNotInList(asyncResp->res, "HttpBasicAuth",
1612 *httpBasicAuth);
1613 }
1614 }
1615
1616 if (respondToUnauthenticatedClients)
1617 {
1618 handleRespondToUnauthenticatedClientsPatch(
1619 app, req, asyncResp->res, *respondToUnauthenticatedClients);
1620 }
1621
1622 if (certificateMappingAttribute)
1623 {
1624 handleCertificateMappingAttributePatch(asyncResp->res,
1625 *certificateMappingAttribute);
1626 }
1627
1628 if (minPasswordLength)
1629 {
1630 setDbusProperty(
1631 asyncResp, "MinPasswordLength", "xyz.openbmc_project.User.Manager",
1632 sdbusplus::message::object_path("/xyz/openbmc_project/user"),
1633 "xyz.openbmc_project.User.AccountPolicy", "MinPasswordLength",
1634 *minPasswordLength);
1635 }
1636
1637 if (maxPasswordLength)
1638 {
1639 messages::propertyNotWritable(asyncResp->res, "MaxPasswordLength");
1640 }
1641
1642 handleLDAPPatch(std::move(activeDirectoryObject), asyncResp,
1643 "ActiveDirectory");
1644 handleLDAPPatch(std::move(ldapObject), asyncResp, "LDAP");
1645
1646 handleAuthMethodsPatch(asyncResp, auth);
1647
1648 if (unlockTimeout)
1649 {
1650 setDbusProperty(
1651 asyncResp, "AccountLockoutDuration",
1652 "xyz.openbmc_project.User.Manager",
1653 sdbusplus::message::object_path("/xyz/openbmc_project/user"),
1654 "xyz.openbmc_project.User.AccountPolicy", "AccountUnlockTimeout",
1655 *unlockTimeout);
1656 }
1657 if (lockoutThreshold)
1658 {
1659 setDbusProperty(
1660 asyncResp, "AccountLockoutThreshold",
1661 "xyz.openbmc_project.User.Manager",
1662 sdbusplus::message::object_path("/xyz/openbmc_project/user"),
1663 "xyz.openbmc_project.User.AccountPolicy",
1664 "MaxLoginAttemptBeforeLockout", *lockoutThreshold);
1665 }
1666 }
1667
handleAccountCollectionHead(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp)1668 inline void handleAccountCollectionHead(
1669 App& app, const crow::Request& req,
1670 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1671 {
1672 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1673 {
1674 return;
1675 }
1676 asyncResp->res.addHeader(
1677 boost::beast::http::field::link,
1678 "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby");
1679 }
1680
handleAccountCollectionGet(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp)1681 inline void handleAccountCollectionGet(
1682 App& app, const crow::Request& req,
1683 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1684 {
1685 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1686 {
1687 return;
1688 }
1689
1690 if (req.session == nullptr)
1691 {
1692 messages::internalError(asyncResp->res);
1693 return;
1694 }
1695
1696 asyncResp->res.addHeader(
1697 boost::beast::http::field::link,
1698 "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby");
1699
1700 asyncResp->res.jsonValue["@odata.id"] =
1701 "/redfish/v1/AccountService/Accounts";
1702 asyncResp->res.jsonValue["@odata.type"] = "#ManagerAccountCollection."
1703 "ManagerAccountCollection";
1704 asyncResp->res.jsonValue["Name"] = "Accounts Collection";
1705 asyncResp->res.jsonValue["Description"] = "BMC User Accounts";
1706
1707 Privileges effectiveUserPrivileges =
1708 redfish::getUserPrivileges(*req.session);
1709
1710 std::string thisUser;
1711 if (req.session)
1712 {
1713 thisUser = req.session->username;
1714 }
1715 sdbusplus::message::object_path path("/xyz/openbmc_project/user");
1716 dbus::utility::getManagedObjects(
1717 "xyz.openbmc_project.User.Manager", path,
1718 [asyncResp, thisUser, effectiveUserPrivileges](
1719 const boost::system::error_code& ec,
1720 const dbus::utility::ManagedObjectType& users) {
1721 if (ec)
1722 {
1723 messages::internalError(asyncResp->res);
1724 return;
1725 }
1726
1727 bool userCanSeeAllAccounts =
1728 effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"});
1729
1730 bool userCanSeeSelf =
1731 effectiveUserPrivileges.isSupersetOf({"ConfigureSelf"});
1732
1733 nlohmann::json& memberArray = asyncResp->res.jsonValue["Members"];
1734 memberArray = nlohmann::json::array();
1735
1736 for (const auto& userpath : users)
1737 {
1738 std::string user = userpath.first.filename();
1739 if (user.empty())
1740 {
1741 messages::internalError(asyncResp->res);
1742 BMCWEB_LOG_ERROR("Invalid firmware ID");
1743
1744 return;
1745 }
1746
1747 // As clarified by Redfish here:
1748 // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration
1749 // Users without ConfigureUsers, only see their own
1750 // account. Users with ConfigureUsers, see all
1751 // accounts.
1752 if (userCanSeeAllAccounts ||
1753 (thisUser == user && userCanSeeSelf))
1754 {
1755 nlohmann::json::object_t member;
1756 member["@odata.id"] = boost::urls::format(
1757 "/redfish/v1/AccountService/Accounts/{}", user);
1758 memberArray.emplace_back(std::move(member));
1759 }
1760 }
1761 asyncResp->res.jsonValue["Members@odata.count"] =
1762 memberArray.size();
1763 });
1764 }
1765
processAfterCreateUser(const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & username,const std::string & password,const boost::system::error_code & ec,sdbusplus::message_t & m)1766 inline void processAfterCreateUser(
1767 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1768 const std::string& username, const std::string& password,
1769 const boost::system::error_code& ec, sdbusplus::message_t& m)
1770 {
1771 if (ec)
1772 {
1773 userErrorMessageHandler(m.get_error(), asyncResp, username, "");
1774 return;
1775 }
1776
1777 if (pamUpdatePassword(username, password) != PAM_SUCCESS)
1778 {
1779 // At this point we have a user that's been
1780 // created, but the password set
1781 // failed.Something is wrong, so delete the user
1782 // that we've already created
1783 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1784 tempObjPath /= username;
1785 const std::string userPath(tempObjPath);
1786
1787 crow::connections::systemBus->async_method_call(
1788 [asyncResp, password](const boost::system::error_code& ec3) {
1789 if (ec3)
1790 {
1791 messages::internalError(asyncResp->res);
1792 return;
1793 }
1794
1795 // If password is invalid
1796 messages::propertyValueFormatError(asyncResp->res, nullptr,
1797 "Password");
1798 },
1799 "xyz.openbmc_project.User.Manager", userPath,
1800 "xyz.openbmc_project.Object.Delete", "Delete");
1801
1802 BMCWEB_LOG_ERROR("pamUpdatePassword Failed");
1803 return;
1804 }
1805
1806 messages::created(asyncResp->res);
1807 asyncResp->res.addHeader("Location",
1808 "/redfish/v1/AccountService/Accounts/" + username);
1809 }
1810
processAfterGetAllGroups(const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & username,const std::string & password,const std::string & roleId,bool enabled,std::optional<std::vector<std::string>> accountTypes,const std::vector<std::string> & allGroupsList)1811 inline void processAfterGetAllGroups(
1812 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1813 const std::string& username, const std::string& password,
1814 const std::string& roleId, bool enabled,
1815 std::optional<std::vector<std::string>> accountTypes,
1816 const std::vector<std::string>& allGroupsList)
1817 {
1818 std::vector<std::string> userGroups;
1819 std::vector<std::string> accountTypeUserGroups;
1820
1821 // If user specified account types then convert them to unix user groups
1822 if (accountTypes)
1823 {
1824 if (!getUserGroupFromAccountType(asyncResp->res, *accountTypes,
1825 accountTypeUserGroups))
1826 {
1827 // Problem in mapping Account Types to User Groups, Error already
1828 // logged.
1829 return;
1830 }
1831 }
1832
1833 for (const auto& grp : allGroupsList)
1834 {
1835 // If user specified the account type then only accept groups which are
1836 // in the account types group list.
1837 if (!accountTypeUserGroups.empty())
1838 {
1839 bool found = false;
1840 for (const auto& grp1 : accountTypeUserGroups)
1841 {
1842 if (grp == grp1)
1843 {
1844 found = true;
1845 break;
1846 }
1847 }
1848 if (!found)
1849 {
1850 continue;
1851 }
1852 }
1853
1854 // Console access is provided to the user who is a member of
1855 // hostconsole group and has a administrator role. So, set
1856 // hostconsole group only for the administrator.
1857 if ((grp == "hostconsole") && (roleId != "priv-admin"))
1858 {
1859 if (!accountTypeUserGroups.empty())
1860 {
1861 BMCWEB_LOG_ERROR(
1862 "Only administrator can get HostConsole access");
1863 asyncResp->res.result(boost::beast::http::status::bad_request);
1864 return;
1865 }
1866 continue;
1867 }
1868 userGroups.emplace_back(grp);
1869 }
1870
1871 // Make sure user specified groups are valid. This is internal error because
1872 // it some inconsistencies between user manager and bmcweb.
1873 if (!accountTypeUserGroups.empty() &&
1874 accountTypeUserGroups.size() != userGroups.size())
1875 {
1876 messages::internalError(asyncResp->res);
1877 return;
1878 }
1879 crow::connections::systemBus->async_method_call(
1880 [asyncResp, username, password](const boost::system::error_code& ec2,
1881 sdbusplus::message_t& m) {
1882 processAfterCreateUser(asyncResp, username, password, ec2, m);
1883 },
1884 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1885 "xyz.openbmc_project.User.Manager", "CreateUser", username, userGroups,
1886 roleId, enabled);
1887 }
1888
handleAccountCollectionPost(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp)1889 inline void handleAccountCollectionPost(
1890 App& app, const crow::Request& req,
1891 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1892 {
1893 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1894 {
1895 return;
1896 }
1897 std::string username;
1898 std::string password;
1899 std::optional<std::string> roleIdJson;
1900 std::optional<bool> enabledJson;
1901 std::optional<std::vector<std::string>> accountTypes;
1902 if (!json_util::readJsonPatch( //
1903 req, asyncResp->res, //
1904 "AccountTypes", accountTypes, //
1905 "Enabled", enabledJson, //
1906 "Password", password, //
1907 "RoleId", roleIdJson, //
1908 "UserName", username //
1909 ))
1910 {
1911 return;
1912 }
1913
1914 std::string roleId = roleIdJson.value_or("User");
1915 std::string priv = getPrivilegeFromRoleId(roleId);
1916 if (priv.empty())
1917 {
1918 messages::propertyValueNotInList(asyncResp->res, roleId, "RoleId");
1919 return;
1920 }
1921 roleId = priv;
1922
1923 bool enabled = enabledJson.value_or(true);
1924
1925 // Reading AllGroups property
1926 dbus::utility::getProperty<std::vector<std::string>>(
1927 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1928 "xyz.openbmc_project.User.Manager", "AllGroups",
1929 [asyncResp, username, password{std::move(password)}, roleId, enabled,
1930 accountTypes](const boost::system::error_code& ec,
1931 const std::vector<std::string>& allGroupsList) {
1932 if (ec)
1933 {
1934 BMCWEB_LOG_ERROR("D-Bus response error {}", ec);
1935 messages::internalError(asyncResp->res);
1936 return;
1937 }
1938
1939 if (allGroupsList.empty())
1940 {
1941 messages::internalError(asyncResp->res);
1942 return;
1943 }
1944
1945 processAfterGetAllGroups(asyncResp, username, password, roleId,
1946 enabled, accountTypes, allGroupsList);
1947 });
1948 }
1949
1950 inline void
handleAccountHead(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string &)1951 handleAccountHead(App& app, const crow::Request& req,
1952 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1953 const std::string& /*accountName*/)
1954 {
1955 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1956 {
1957 return;
1958 }
1959 asyncResp->res.addHeader(
1960 boost::beast::http::field::link,
1961 "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby");
1962 }
1963
1964 inline void
handleAccountGet(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & accountName)1965 handleAccountGet(App& app, const crow::Request& req,
1966 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1967 const std::string& accountName)
1968 {
1969 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1970 {
1971 return;
1972 }
1973 asyncResp->res.addHeader(
1974 boost::beast::http::field::link,
1975 "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby");
1976
1977 if constexpr (BMCWEB_INSECURE_DISABLE_AUTH)
1978 {
1979 // If authentication is disabled, there are no user accounts
1980 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1981 accountName);
1982 return;
1983 }
1984
1985 if (req.session == nullptr)
1986 {
1987 messages::internalError(asyncResp->res);
1988 return;
1989 }
1990 if (req.session->username != accountName)
1991 {
1992 // At this point we've determined that the user is trying to
1993 // modify a user that isn't them. We need to verify that they
1994 // have permissions to modify other users, so re-run the auth
1995 // check with the same permissions, minus ConfigureSelf.
1996 Privileges effectiveUserPrivileges =
1997 redfish::getUserPrivileges(*req.session);
1998 Privileges requiredPermissionsToChangeNonSelf = {"ConfigureUsers",
1999 "ConfigureManager"};
2000 if (!effectiveUserPrivileges.isSupersetOf(
2001 requiredPermissionsToChangeNonSelf))
2002 {
2003 BMCWEB_LOG_DEBUG("GET Account denied access");
2004 messages::insufficientPrivilege(asyncResp->res);
2005 return;
2006 }
2007 }
2008
2009 sdbusplus::message::object_path path("/xyz/openbmc_project/user");
2010 dbus::utility::getManagedObjects(
2011 "xyz.openbmc_project.User.Manager", path,
2012 [asyncResp,
2013 accountName](const boost::system::error_code& ec,
2014 const dbus::utility::ManagedObjectType& users) {
2015 if (ec)
2016 {
2017 messages::internalError(asyncResp->res);
2018 return;
2019 }
2020 const auto userIt = std::ranges::find_if(
2021 users,
2022 [accountName](
2023 const std::pair<sdbusplus::message::object_path,
2024 dbus::utility::DBusInterfacesMap>& user) {
2025 return accountName == user.first.filename();
2026 });
2027
2028 if (userIt == users.end())
2029 {
2030 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
2031 accountName);
2032 return;
2033 }
2034
2035 asyncResp->res.jsonValue["@odata.type"] =
2036 "#ManagerAccount.v1_7_0.ManagerAccount";
2037 asyncResp->res.jsonValue["Name"] = "User Account";
2038 asyncResp->res.jsonValue["Description"] = "User Account";
2039 asyncResp->res.jsonValue["Password"] = nullptr;
2040 asyncResp->res.jsonValue["StrictAccountTypes"] = true;
2041
2042 for (const auto& interface : userIt->second)
2043 {
2044 if (interface.first == "xyz.openbmc_project.User.Attributes")
2045 {
2046 for (const auto& property : interface.second)
2047 {
2048 if (property.first == "UserEnabled")
2049 {
2050 const bool* userEnabled =
2051 std::get_if<bool>(&property.second);
2052 if (userEnabled == nullptr)
2053 {
2054 BMCWEB_LOG_ERROR("UserEnabled wasn't a bool");
2055 messages::internalError(asyncResp->res);
2056 return;
2057 }
2058 asyncResp->res.jsonValue["Enabled"] = *userEnabled;
2059 }
2060 else if (property.first == "UserLockedForFailedAttempt")
2061 {
2062 const bool* userLocked =
2063 std::get_if<bool>(&property.second);
2064 if (userLocked == nullptr)
2065 {
2066 BMCWEB_LOG_ERROR("UserLockedForF"
2067 "ailedAttempt "
2068 "wasn't a bool");
2069 messages::internalError(asyncResp->res);
2070 return;
2071 }
2072 asyncResp->res.jsonValue["Locked"] = *userLocked;
2073 nlohmann::json::array_t allowed;
2074 // can only unlock accounts
2075 allowed.emplace_back("false");
2076 asyncResp->res
2077 .jsonValue["Locked@Redfish.AllowableValues"] =
2078 std::move(allowed);
2079 }
2080 else if (property.first == "UserPrivilege")
2081 {
2082 const std::string* userPrivPtr =
2083 std::get_if<std::string>(&property.second);
2084 if (userPrivPtr == nullptr)
2085 {
2086 BMCWEB_LOG_ERROR("UserPrivilege wasn't a "
2087 "string");
2088 messages::internalError(asyncResp->res);
2089 return;
2090 }
2091 std::string role =
2092 getRoleIdFromPrivilege(*userPrivPtr);
2093 if (role.empty())
2094 {
2095 BMCWEB_LOG_ERROR("Invalid user role");
2096 messages::internalError(asyncResp->res);
2097 return;
2098 }
2099 asyncResp->res.jsonValue["RoleId"] = role;
2100
2101 nlohmann::json& roleEntry =
2102 asyncResp->res.jsonValue["Links"]["Role"];
2103 roleEntry["@odata.id"] = boost::urls::format(
2104 "/redfish/v1/AccountService/Roles/{}", role);
2105 }
2106 else if (property.first == "UserPasswordExpired")
2107 {
2108 const bool* userPasswordExpired =
2109 std::get_if<bool>(&property.second);
2110 if (userPasswordExpired == nullptr)
2111 {
2112 BMCWEB_LOG_ERROR(
2113 "UserPasswordExpired wasn't a bool");
2114 messages::internalError(asyncResp->res);
2115 return;
2116 }
2117 asyncResp->res.jsonValue["PasswordChangeRequired"] =
2118 *userPasswordExpired;
2119 }
2120 else if (property.first == "UserGroups")
2121 {
2122 const std::vector<std::string>* userGroups =
2123 std::get_if<std::vector<std::string>>(
2124 &property.second);
2125 if (userGroups == nullptr)
2126 {
2127 BMCWEB_LOG_ERROR(
2128 "userGroups wasn't a string vector");
2129 messages::internalError(asyncResp->res);
2130 return;
2131 }
2132 if (!translateUserGroup(*userGroups,
2133 asyncResp->res))
2134 {
2135 BMCWEB_LOG_ERROR("userGroups mapping failed");
2136 messages::internalError(asyncResp->res);
2137 return;
2138 }
2139 }
2140 }
2141 }
2142 }
2143
2144 asyncResp->res.jsonValue["@odata.id"] = boost::urls::format(
2145 "/redfish/v1/AccountService/Accounts/{}", accountName);
2146 asyncResp->res.jsonValue["Id"] = accountName;
2147 asyncResp->res.jsonValue["UserName"] = accountName;
2148 });
2149 }
2150
2151 inline void
handleAccountDelete(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & username)2152 handleAccountDelete(App& app, const crow::Request& req,
2153 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
2154 const std::string& username)
2155 {
2156 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
2157 {
2158 return;
2159 }
2160
2161 if constexpr (BMCWEB_INSECURE_DISABLE_AUTH)
2162 {
2163 // If authentication is disabled, there are no user accounts
2164 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
2165 return;
2166 }
2167 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
2168 tempObjPath /= username;
2169 const std::string userPath(tempObjPath);
2170
2171 crow::connections::systemBus->async_method_call(
2172 [asyncResp, username](const boost::system::error_code& ec) {
2173 if (ec)
2174 {
2175 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
2176 username);
2177 return;
2178 }
2179
2180 messages::accountRemoved(asyncResp->res);
2181 },
2182 "xyz.openbmc_project.User.Manager", userPath,
2183 "xyz.openbmc_project.Object.Delete", "Delete");
2184 }
2185
2186 inline void
handleAccountPatch(App & app,const crow::Request & req,const std::shared_ptr<bmcweb::AsyncResp> & asyncResp,const std::string & username)2187 handleAccountPatch(App& app, const crow::Request& req,
2188 const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
2189 const std::string& username)
2190 {
2191 if (!redfish::setUpRedfishRoute(app, req, asyncResp))
2192 {
2193 return;
2194 }
2195 if constexpr (BMCWEB_INSECURE_DISABLE_AUTH)
2196 {
2197 // If authentication is disabled, there are no user accounts
2198 messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
2199 return;
2200 }
2201 std::optional<std::string> newUserName;
2202 std::optional<std::string> password;
2203 std::optional<bool> enabled;
2204 std::optional<std::string> roleId;
2205 std::optional<bool> locked;
2206 std::optional<std::vector<std::string>> accountTypes;
2207
2208 if (req.session == nullptr)
2209 {
2210 messages::internalError(asyncResp->res);
2211 return;
2212 }
2213
2214 bool userSelf = (username == req.session->username);
2215
2216 Privileges effectiveUserPrivileges =
2217 redfish::getUserPrivileges(*req.session);
2218 Privileges configureUsers = {"ConfigureUsers"};
2219 bool userHasConfigureUsers =
2220 effectiveUserPrivileges.isSupersetOf(configureUsers);
2221 if (userHasConfigureUsers)
2222 {
2223 // Users with ConfigureUsers can modify for all users
2224 if (!json_util::readJsonPatch( //
2225 req, asyncResp->res, //
2226 "AccountTypes", accountTypes, //
2227 "Enabled", enabled, //
2228 "Locked", locked, //
2229 "Password", password, //
2230 "RoleId", roleId, //
2231 "UserName", newUserName //
2232 ))
2233 {
2234 return;
2235 }
2236 }
2237 else
2238 {
2239 // ConfigureSelf accounts can only modify their own account
2240 if (!userSelf)
2241 {
2242 messages::insufficientPrivilege(asyncResp->res);
2243 return;
2244 }
2245
2246 // ConfigureSelf accounts can only modify their password
2247 if (!json_util::readJsonPatch(req, asyncResp->res, "Password",
2248 password))
2249 {
2250 return;
2251 }
2252 }
2253
2254 // if user name is not provided in the patch method or if it
2255 // matches the user name in the URI, then we are treating it as
2256 // updating user properties other then username. If username
2257 // provided doesn't match the URI, then we are treating this as
2258 // user rename request.
2259 if (!newUserName || (newUserName.value() == username))
2260 {
2261 updateUserProperties(asyncResp, username, password, enabled, roleId,
2262 locked, accountTypes, userSelf, req.session);
2263 return;
2264 }
2265 crow::connections::systemBus->async_method_call(
2266 [asyncResp, username, password(std::move(password)),
2267 roleId(std::move(roleId)), enabled, newUser{std::string(*newUserName)},
2268 locked, userSelf, req, accountTypes(std::move(accountTypes))](
2269 const boost::system::error_code& ec, sdbusplus::message_t& m) {
2270 if (ec)
2271 {
2272 userErrorMessageHandler(m.get_error(), asyncResp, newUser,
2273 username);
2274 return;
2275 }
2276
2277 updateUserProperties(asyncResp, newUser, password, enabled, roleId,
2278 locked, accountTypes, userSelf, req.session);
2279 },
2280 "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
2281 "xyz.openbmc_project.User.Manager", "RenameUser", username,
2282 *newUserName);
2283 }
2284
requestAccountServiceRoutes(App & app)2285 inline void requestAccountServiceRoutes(App& app)
2286 {
2287 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
2288 .privileges(redfish::privileges::headAccountService)
2289 .methods(boost::beast::http::verb::head)(
2290 std::bind_front(handleAccountServiceHead, std::ref(app)));
2291
2292 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
2293 .privileges(redfish::privileges::getAccountService)
2294 .methods(boost::beast::http::verb::get)(
2295 std::bind_front(handleAccountServiceGet, std::ref(app)));
2296
2297 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
2298 .privileges(redfish::privileges::patchAccountService)
2299 .methods(boost::beast::http::verb::patch)(
2300 std::bind_front(handleAccountServicePatch, std::ref(app)));
2301
2302 BMCWEB_ROUTE(
2303 app,
2304 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/")
2305 .privileges(redfish::privileges::headCertificateCollection)
2306 .methods(boost::beast::http::verb::head)(std::bind_front(
2307 handleAccountServiceClientCertificatesHead, std::ref(app)));
2308
2309 BMCWEB_ROUTE(
2310 app,
2311 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/")
2312 .privileges(redfish::privileges::getCertificateCollection)
2313 .methods(boost::beast::http::verb::get)(std::bind_front(
2314 handleAccountServiceClientCertificatesGet, std::ref(app)));
2315
2316 BMCWEB_ROUTE(
2317 app,
2318 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/<str>/")
2319 .privileges(redfish::privileges::headCertificate)
2320 .methods(boost::beast::http::verb::head)(std::bind_front(
2321 handleAccountServiceClientCertificatesInstanceHead, std::ref(app)));
2322
2323 BMCWEB_ROUTE(
2324 app,
2325 "/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/<str>/")
2326 .privileges(redfish::privileges::getCertificate)
2327 .methods(boost::beast::http::verb::get)(std::bind_front(
2328 handleAccountServiceClientCertificatesInstanceGet, std::ref(app)));
2329
2330 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
2331 .privileges(redfish::privileges::headManagerAccountCollection)
2332 .methods(boost::beast::http::verb::head)(
2333 std::bind_front(handleAccountCollectionHead, std::ref(app)));
2334
2335 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
2336 .privileges(redfish::privileges::getManagerAccountCollection)
2337 .methods(boost::beast::http::verb::get)(
2338 std::bind_front(handleAccountCollectionGet, std::ref(app)));
2339
2340 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
2341 .privileges(redfish::privileges::postManagerAccountCollection)
2342 .methods(boost::beast::http::verb::post)(
2343 std::bind_front(handleAccountCollectionPost, std::ref(app)));
2344
2345 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
2346 .privileges(redfish::privileges::headManagerAccount)
2347 .methods(boost::beast::http::verb::head)(
2348 std::bind_front(handleAccountHead, std::ref(app)));
2349
2350 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
2351 .privileges(redfish::privileges::getManagerAccount)
2352 .methods(boost::beast::http::verb::get)(
2353 std::bind_front(handleAccountGet, std::ref(app)));
2354
2355 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
2356 // TODO this privilege should be using the generated endpoints, but
2357 // because of the special handling of ConfigureSelf, it's not able to
2358 // yet
2359 .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}})
2360 .methods(boost::beast::http::verb::patch)(
2361 std::bind_front(handleAccountPatch, std::ref(app)));
2362
2363 BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
2364 .privileges(redfish::privileges::deleteManagerAccount)
2365 .methods(boost::beast::http::verb::delete_)(
2366 std::bind_front(handleAccountDelete, std::ref(app)));
2367 }
2368
2369 } // namespace redfish
2370