1 /*
2 // Copyright (c) 2018 Intel Corporation
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //      http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 */
16 #pragma once
17 
18 #include "app.hpp"
19 #include "dbus_utility.hpp"
20 #include "error_messages.hpp"
21 #include "generated/enums/account_service.hpp"
22 #include "openbmc_dbus_rest.hpp"
23 #include "persistent_data.hpp"
24 #include "query.hpp"
25 #include "registries/privilege_registry.hpp"
26 #include "utils/dbus_utils.hpp"
27 #include "utils/json_utils.hpp"
28 
29 #include <sdbusplus/asio/property.hpp>
30 #include <sdbusplus/unpack_properties.hpp>
31 
32 #include <array>
33 #include <optional>
34 #include <ranges>
35 #include <string>
36 #include <string_view>
37 #include <vector>
38 
39 namespace redfish
40 {
41 
42 constexpr const char* ldapConfigObjectName =
43     "/xyz/openbmc_project/user/ldap/openldap";
44 constexpr const char* adConfigObject =
45     "/xyz/openbmc_project/user/ldap/active_directory";
46 
47 constexpr const char* rootUserDbusPath = "/xyz/openbmc_project/user/";
48 constexpr const char* ldapRootObject = "/xyz/openbmc_project/user/ldap";
49 constexpr const char* ldapDbusService = "xyz.openbmc_project.Ldap.Config";
50 constexpr const char* ldapConfigInterface =
51     "xyz.openbmc_project.User.Ldap.Config";
52 constexpr const char* ldapCreateInterface =
53     "xyz.openbmc_project.User.Ldap.Create";
54 constexpr const char* ldapEnableInterface = "xyz.openbmc_project.Object.Enable";
55 constexpr const char* ldapPrivMapperInterface =
56     "xyz.openbmc_project.User.PrivilegeMapper";
57 
58 struct LDAPRoleMapData
59 {
60     std::string groupName;
61     std::string privilege;
62 };
63 
64 struct LDAPConfigData
65 {
66     std::string uri{};
67     std::string bindDN{};
68     std::string baseDN{};
69     std::string searchScope{};
70     std::string serverType{};
71     bool serviceEnabled = false;
72     std::string userNameAttribute{};
73     std::string groupAttribute{};
74     std::vector<std::pair<std::string, LDAPRoleMapData>> groupRoleList;
75 };
76 
77 inline std::string getRoleIdFromPrivilege(std::string_view role)
78 {
79     if (role == "priv-admin")
80     {
81         return "Administrator";
82     }
83     if (role == "priv-user")
84     {
85         return "ReadOnly";
86     }
87     if (role == "priv-operator")
88     {
89         return "Operator";
90     }
91     return "";
92 }
93 inline std::string getPrivilegeFromRoleId(std::string_view role)
94 {
95     if (role == "Administrator")
96     {
97         return "priv-admin";
98     }
99     if (role == "ReadOnly")
100     {
101         return "priv-user";
102     }
103     if (role == "Operator")
104     {
105         return "priv-operator";
106     }
107     return "";
108 }
109 
110 /**
111  * @brief Maps user group names retrieved from D-Bus object to
112  * Account Types.
113  *
114  * @param[in] userGroups List of User groups
115  * @param[out] res AccountTypes populated
116  *
117  * @return true in case of success, false if UserGroups contains
118  * invalid group name(s).
119  */
120 inline bool translateUserGroup(const std::vector<std::string>& userGroups,
121                                crow::Response& res)
122 {
123     std::vector<std::string> accountTypes;
124     for (const auto& userGroup : userGroups)
125     {
126         if (userGroup == "redfish")
127         {
128             accountTypes.emplace_back("Redfish");
129             accountTypes.emplace_back("WebUI");
130         }
131         else if (userGroup == "ipmi")
132         {
133             accountTypes.emplace_back("IPMI");
134         }
135         else if (userGroup == "ssh")
136         {
137             accountTypes.emplace_back("ManagerConsole");
138         }
139         else if (userGroup == "hostconsole")
140         {
141             // The hostconsole group controls who can access the host console
142             // port via ssh and websocket.
143             accountTypes.emplace_back("HostConsole");
144         }
145         else if (userGroup == "web")
146         {
147             // 'web' is one of the valid groups in the UserGroups property of
148             // the user account in the D-Bus object. This group is currently not
149             // doing anything, and is considered to be equivalent to 'redfish'.
150             // 'redfish' user group is mapped to 'Redfish'and 'WebUI'
151             // AccountTypes, so do nothing here...
152         }
153         else
154         {
155             // Invalid user group name. Caller throws an excption.
156             return false;
157         }
158     }
159 
160     res.jsonValue["AccountTypes"] = std::move(accountTypes);
161     return true;
162 }
163 
164 /**
165  * @brief Builds User Groups from the Account Types
166  *
167  * @param[in] asyncResp Async Response
168  * @param[in] accountTypes List of Account Types
169  * @param[out] userGroups List of User Groups mapped from Account Types
170  *
171  * @return true if Account Types mapped to User Groups, false otherwise.
172  */
173 inline bool
174     getUserGroupFromAccountType(crow::Response& res,
175                                 const std::vector<std::string>& accountTypes,
176                                 std::vector<std::string>& userGroups)
177 {
178     // Need both Redfish and WebUI Account Types to map to 'redfish' User Group
179     bool redfishType = false;
180     bool webUIType = false;
181 
182     for (const auto& accountType : accountTypes)
183     {
184         if (accountType == "Redfish")
185         {
186             redfishType = true;
187         }
188         else if (accountType == "WebUI")
189         {
190             webUIType = true;
191         }
192         else if (accountType == "IPMI")
193         {
194             userGroups.emplace_back("ipmi");
195         }
196         else if (accountType == "HostConsole")
197         {
198             userGroups.emplace_back("hostconsole");
199         }
200         else if (accountType == "ManagerConsole")
201         {
202             userGroups.emplace_back("ssh");
203         }
204         else
205         {
206             // Invalid Account Type
207             messages::propertyValueNotInList(res, "AccountTypes", accountType);
208             return false;
209         }
210     }
211 
212     // Both  Redfish and WebUI Account Types are needed to PATCH
213     if (redfishType ^ webUIType)
214     {
215         BMCWEB_LOG_ERROR(
216             "Missing Redfish or WebUI Account Type to set redfish User Group");
217         messages::strictAccountTypes(res, "AccountTypes");
218         return false;
219     }
220 
221     if (redfishType && webUIType)
222     {
223         userGroups.emplace_back("redfish");
224     }
225 
226     return true;
227 }
228 
229 /**
230  * @brief Sets UserGroups property of the user based on the Account Types
231  *
232  * @param[in] accountTypes List of User Account Types
233  * @param[in] asyncResp Async Response
234  * @param[in] dbusObjectPath D-Bus Object Path
235  * @param[in] userSelf true if User is updating OWN Account Types
236  */
237 inline void
238     patchAccountTypes(const std::vector<std::string>& accountTypes,
239                       const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
240                       const std::string& dbusObjectPath, bool userSelf)
241 {
242     // Check if User is disabling own Redfish Account Type
243     if (userSelf &&
244         (accountTypes.cend() ==
245          std::find(accountTypes.cbegin(), accountTypes.cend(), "Redfish")))
246     {
247         BMCWEB_LOG_ERROR(
248             "User disabling OWN Redfish Account Type is not allowed");
249         messages::strictAccountTypes(asyncResp->res, "AccountTypes");
250         return;
251     }
252 
253     std::vector<std::string> updatedUserGroups;
254     if (!getUserGroupFromAccountType(asyncResp->res, accountTypes,
255                                      updatedUserGroups))
256     {
257         // Problem in mapping Account Types to User Groups, Error already
258         // logged.
259         return;
260     }
261 
262     sdbusplus::asio::setProperty(
263         *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
264         dbusObjectPath, "xyz.openbmc_project.User.Attributes", "UserGroups",
265         updatedUserGroups, [asyncResp](const boost::system::error_code& ec) {
266         if (ec)
267         {
268             BMCWEB_LOG_ERROR("D-Bus responses error: {}", ec);
269             messages::internalError(asyncResp->res);
270             return;
271         }
272         messages::success(asyncResp->res);
273     });
274 }
275 
276 inline void userErrorMessageHandler(
277     const sd_bus_error* e, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
278     const std::string& newUser, const std::string& username)
279 {
280     if (e == nullptr)
281     {
282         messages::internalError(asyncResp->res);
283         return;
284     }
285 
286     const char* errorMessage = e->name;
287     if (strcmp(errorMessage,
288                "xyz.openbmc_project.User.Common.Error.UserNameExists") == 0)
289     {
290         messages::resourceAlreadyExists(asyncResp->res, "ManagerAccount",
291                                         "UserName", newUser);
292     }
293     else if (strcmp(errorMessage, "xyz.openbmc_project.User.Common.Error."
294                                   "UserNameDoesNotExist") == 0)
295     {
296         messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
297     }
298     else if ((strcmp(errorMessage,
299                      "xyz.openbmc_project.Common.Error.InvalidArgument") ==
300               0) ||
301              (strcmp(
302                   errorMessage,
303                   "xyz.openbmc_project.User.Common.Error.UserNameGroupFail") ==
304               0))
305     {
306         messages::propertyValueFormatError(asyncResp->res, newUser, "UserName");
307     }
308     else if (strcmp(errorMessage,
309                     "xyz.openbmc_project.User.Common.Error.NoResource") == 0)
310     {
311         messages::createLimitReachedForResource(asyncResp->res);
312     }
313     else
314     {
315         BMCWEB_LOG_ERROR("DBUS response error {}", errorMessage);
316         messages::internalError(asyncResp->res);
317     }
318 }
319 
320 inline void parseLDAPConfigData(nlohmann::json& jsonResponse,
321                                 const LDAPConfigData& confData,
322                                 const std::string& ldapType)
323 {
324     std::string service = (ldapType == "LDAP") ? "LDAPService"
325                                                : "ActiveDirectoryService";
326 
327     nlohmann::json& ldap = jsonResponse[ldapType];
328 
329     ldap["ServiceEnabled"] = confData.serviceEnabled;
330     ldap["ServiceAddresses"] = nlohmann::json::array({confData.uri});
331     ldap["Authentication"]["AuthenticationType"] =
332         account_service::AuthenticationTypes::UsernameAndPassword;
333     ldap["Authentication"]["Username"] = confData.bindDN;
334     ldap["Authentication"]["Password"] = nullptr;
335 
336     ldap["LDAPService"]["SearchSettings"]["BaseDistinguishedNames"] =
337         nlohmann::json::array({confData.baseDN});
338     ldap["LDAPService"]["SearchSettings"]["UsernameAttribute"] =
339         confData.userNameAttribute;
340     ldap["LDAPService"]["SearchSettings"]["GroupsAttribute"] =
341         confData.groupAttribute;
342 
343     nlohmann::json& roleMapArray = ldap["RemoteRoleMapping"];
344     roleMapArray = nlohmann::json::array();
345     for (const auto& obj : confData.groupRoleList)
346     {
347         BMCWEB_LOG_DEBUG("Pushing the data groupName={}", obj.second.groupName);
348 
349         nlohmann::json::object_t remoteGroup;
350         remoteGroup["RemoteGroup"] = obj.second.groupName;
351         remoteGroup["LocalRole"] = getRoleIdFromPrivilege(obj.second.privilege);
352         roleMapArray.emplace_back(std::move(remoteGroup));
353     }
354 }
355 
356 /**
357  *  @brief validates given JSON input and then calls appropriate method to
358  * create, to delete or to set Rolemapping object based on the given input.
359  *
360  */
361 inline void handleRoleMapPatch(
362     const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
363     const std::vector<std::pair<std::string, LDAPRoleMapData>>& roleMapObjData,
364     const std::string& serverType, const std::vector<nlohmann::json>& input)
365 {
366     for (size_t index = 0; index < input.size(); index++)
367     {
368         const nlohmann::json& thisJson = input[index];
369 
370         if (thisJson.is_null())
371         {
372             // delete the existing object
373             if (index < roleMapObjData.size())
374             {
375                 crow::connections::systemBus->async_method_call(
376                     [asyncResp, roleMapObjData, serverType,
377                      index](const boost::system::error_code& ec) {
378                     if (ec)
379                     {
380                         BMCWEB_LOG_ERROR("DBUS response error: {}", ec);
381                         messages::internalError(asyncResp->res);
382                         return;
383                     }
384                     asyncResp->res.jsonValue[serverType]["RemoteRoleMapping"]
385                                             [index] = nullptr;
386                 },
387                     ldapDbusService, roleMapObjData[index].first,
388                     "xyz.openbmc_project.Object.Delete", "Delete");
389             }
390             else
391             {
392                 BMCWEB_LOG_ERROR("Can't delete the object");
393                 messages::propertyValueTypeError(asyncResp->res, thisJson,
394                                                  "RemoteRoleMapping/" +
395                                                      std::to_string(index));
396                 return;
397             }
398         }
399         else if (thisJson.empty())
400         {
401             // Don't do anything for the empty objects,parse next json
402             // eg {"RemoteRoleMapping",[{}]}
403         }
404         else
405         {
406             // update/create the object
407             std::optional<std::string> remoteGroup;
408             std::optional<std::string> localRole;
409 
410             // This is a copy, but it's required in this case because of how
411             // readJson is structured
412             nlohmann::json thisJsonCopy = thisJson;
413             if (!json_util::readJson(thisJsonCopy, asyncResp->res,
414                                      "RemoteGroup", remoteGroup, "LocalRole",
415                                      localRole))
416             {
417                 continue;
418             }
419 
420             // Update existing RoleMapping Object
421             if (index < roleMapObjData.size())
422             {
423                 BMCWEB_LOG_DEBUG("Update Role Map Object");
424                 // If "RemoteGroup" info is provided
425                 if (remoteGroup)
426                 {
427                     sdbusplus::asio::setProperty(
428                         *crow::connections::systemBus, ldapDbusService,
429                         roleMapObjData[index].first,
430                         "xyz.openbmc_project.User.PrivilegeMapperEntry",
431                         "GroupName", *remoteGroup,
432                         [asyncResp, roleMapObjData, serverType, index,
433                          remoteGroup](const boost::system::error_code& ec,
434                                       const sdbusplus::message_t& msg) {
435                         if (ec)
436                         {
437                             const sd_bus_error* dbusError = msg.get_error();
438                             if ((dbusError != nullptr) &&
439                                 (dbusError->name ==
440                                  std::string_view(
441                                      "xyz.openbmc_project.Common.Error.InvalidArgument")))
442                             {
443                                 BMCWEB_LOG_WARNING("DBUS response error: {}",
444                                                    ec);
445                                 messages::propertyValueIncorrect(asyncResp->res,
446                                                                  "RemoteGroup",
447                                                                  *remoteGroup);
448                                 return;
449                             }
450                             messages::internalError(asyncResp->res);
451                             return;
452                         }
453                         asyncResp->res
454                             .jsonValue[serverType]["RemoteRoleMapping"][index]
455                                       ["RemoteGroup"] = *remoteGroup;
456                     });
457                 }
458 
459                 // If "LocalRole" info is provided
460                 if (localRole)
461                 {
462                     sdbusplus::asio::setProperty(
463                         *crow::connections::systemBus, ldapDbusService,
464                         roleMapObjData[index].first,
465                         "xyz.openbmc_project.User.PrivilegeMapperEntry",
466                         "Privilege", *localRole,
467                         [asyncResp, roleMapObjData, serverType, index,
468                          localRole](const boost::system::error_code& ec,
469                                     const sdbusplus::message_t& msg) {
470                         if (ec)
471                         {
472                             const sd_bus_error* dbusError = msg.get_error();
473                             if ((dbusError != nullptr) &&
474                                 (dbusError->name ==
475                                  std::string_view(
476                                      "xyz.openbmc_project.Common.Error.InvalidArgument")))
477                             {
478                                 BMCWEB_LOG_WARNING("DBUS response error: {}",
479                                                    ec);
480                                 messages::propertyValueIncorrect(
481                                     asyncResp->res, "LocalRole", *localRole);
482                                 return;
483                             }
484                             messages::internalError(asyncResp->res);
485                             return;
486                         }
487                         asyncResp->res
488                             .jsonValue[serverType]["RemoteRoleMapping"][index]
489                                       ["LocalRole"] = *localRole;
490                     });
491                 }
492             }
493             // Create a new RoleMapping Object.
494             else
495             {
496                 BMCWEB_LOG_DEBUG(
497                     "setRoleMappingProperties: Creating new Object");
498                 std::string pathString = "RemoteRoleMapping/" +
499                                          std::to_string(index);
500 
501                 if (!localRole)
502                 {
503                     messages::propertyMissing(asyncResp->res,
504                                               pathString + "/LocalRole");
505                     continue;
506                 }
507                 if (!remoteGroup)
508                 {
509                     messages::propertyMissing(asyncResp->res,
510                                               pathString + "/RemoteGroup");
511                     continue;
512                 }
513 
514                 std::string dbusObjectPath;
515                 if (serverType == "ActiveDirectory")
516                 {
517                     dbusObjectPath = adConfigObject;
518                 }
519                 else if (serverType == "LDAP")
520                 {
521                     dbusObjectPath = ldapConfigObjectName;
522                 }
523 
524                 BMCWEB_LOG_DEBUG("Remote Group={},LocalRole={}", *remoteGroup,
525                                  *localRole);
526 
527                 crow::connections::systemBus->async_method_call(
528                     [asyncResp, serverType, localRole,
529                      remoteGroup](const boost::system::error_code& ec) {
530                     if (ec)
531                     {
532                         BMCWEB_LOG_ERROR("DBUS response error: {}", ec);
533                         messages::internalError(asyncResp->res);
534                         return;
535                     }
536                     nlohmann::json& remoteRoleJson =
537                         asyncResp->res
538                             .jsonValue[serverType]["RemoteRoleMapping"];
539                     nlohmann::json::object_t roleMapEntry;
540                     roleMapEntry["LocalRole"] = *localRole;
541                     roleMapEntry["RemoteGroup"] = *remoteGroup;
542                     remoteRoleJson.emplace_back(std::move(roleMapEntry));
543                 },
544                     ldapDbusService, dbusObjectPath, ldapPrivMapperInterface,
545                     "Create", *remoteGroup,
546                     getPrivilegeFromRoleId(std::move(*localRole)));
547             }
548         }
549     }
550 }
551 
552 /**
553  * Function that retrieves all properties for LDAP config object
554  * into JSON
555  */
556 template <typename CallbackFunc>
557 inline void getLDAPConfigData(const std::string& ldapType,
558                               CallbackFunc&& callback)
559 {
560     constexpr std::array<std::string_view, 2> interfaces = {
561         ldapEnableInterface, ldapConfigInterface};
562 
563     dbus::utility::getDbusObject(
564         ldapConfigObjectName, interfaces,
565         [callback, ldapType](const boost::system::error_code& ec,
566                              const dbus::utility::MapperGetObject& resp) {
567         if (ec || resp.empty())
568         {
569             BMCWEB_LOG_WARNING(
570                 "DBUS response error during getting of service name: {}", ec);
571             LDAPConfigData empty{};
572             callback(false, empty, ldapType);
573             return;
574         }
575         std::string service = resp.begin()->first;
576         sdbusplus::message::object_path path(ldapRootObject);
577         dbus::utility::getManagedObjects(
578             service, path,
579             [callback,
580              ldapType](const boost::system::error_code& ec2,
581                        const dbus::utility::ManagedObjectType& ldapObjects) {
582             LDAPConfigData confData{};
583             if (ec2)
584             {
585                 callback(false, confData, ldapType);
586                 BMCWEB_LOG_WARNING("D-Bus responses error: {}", ec2);
587                 return;
588             }
589 
590             std::string ldapDbusType;
591             std::string searchString;
592 
593             if (ldapType == "LDAP")
594             {
595                 ldapDbusType =
596                     "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap";
597                 searchString = "openldap";
598             }
599             else if (ldapType == "ActiveDirectory")
600             {
601                 ldapDbusType =
602                     "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory";
603                 searchString = "active_directory";
604             }
605             else
606             {
607                 BMCWEB_LOG_ERROR("Can't get the DbusType for the given type={}",
608                                  ldapType);
609                 callback(false, confData, ldapType);
610                 return;
611             }
612 
613             std::string ldapEnableInterfaceStr = ldapEnableInterface;
614             std::string ldapConfigInterfaceStr = ldapConfigInterface;
615 
616             for (const auto& object : ldapObjects)
617             {
618                 // let's find the object whose ldap type is equal to the
619                 // given type
620                 if (object.first.str.find(searchString) == std::string::npos)
621                 {
622                     continue;
623                 }
624 
625                 for (const auto& interface : object.second)
626                 {
627                     if (interface.first == ldapEnableInterfaceStr)
628                     {
629                         // rest of the properties are string.
630                         for (const auto& property : interface.second)
631                         {
632                             if (property.first == "Enabled")
633                             {
634                                 const bool* value =
635                                     std::get_if<bool>(&property.second);
636                                 if (value == nullptr)
637                                 {
638                                     continue;
639                                 }
640                                 confData.serviceEnabled = *value;
641                                 break;
642                             }
643                         }
644                     }
645                     else if (interface.first == ldapConfigInterfaceStr)
646                     {
647                         for (const auto& property : interface.second)
648                         {
649                             const std::string* strValue =
650                                 std::get_if<std::string>(&property.second);
651                             if (strValue == nullptr)
652                             {
653                                 continue;
654                             }
655                             if (property.first == "LDAPServerURI")
656                             {
657                                 confData.uri = *strValue;
658                             }
659                             else if (property.first == "LDAPBindDN")
660                             {
661                                 confData.bindDN = *strValue;
662                             }
663                             else if (property.first == "LDAPBaseDN")
664                             {
665                                 confData.baseDN = *strValue;
666                             }
667                             else if (property.first == "LDAPSearchScope")
668                             {
669                                 confData.searchScope = *strValue;
670                             }
671                             else if (property.first == "GroupNameAttribute")
672                             {
673                                 confData.groupAttribute = *strValue;
674                             }
675                             else if (property.first == "UserNameAttribute")
676                             {
677                                 confData.userNameAttribute = *strValue;
678                             }
679                             else if (property.first == "LDAPType")
680                             {
681                                 confData.serverType = *strValue;
682                             }
683                         }
684                     }
685                     else if (interface.first ==
686                              "xyz.openbmc_project.User.PrivilegeMapperEntry")
687                     {
688                         LDAPRoleMapData roleMapData{};
689                         for (const auto& property : interface.second)
690                         {
691                             const std::string* strValue =
692                                 std::get_if<std::string>(&property.second);
693 
694                             if (strValue == nullptr)
695                             {
696                                 continue;
697                             }
698 
699                             if (property.first == "GroupName")
700                             {
701                                 roleMapData.groupName = *strValue;
702                             }
703                             else if (property.first == "Privilege")
704                             {
705                                 roleMapData.privilege = *strValue;
706                             }
707                         }
708 
709                         confData.groupRoleList.emplace_back(object.first.str,
710                                                             roleMapData);
711                     }
712                 }
713             }
714             callback(true, confData, ldapType);
715         });
716     });
717 }
718 
719 /**
720  * @brief parses the authentication section under the LDAP
721  * @param input JSON data
722  * @param asyncResp pointer to the JSON response
723  * @param userName  userName to be filled from the given JSON.
724  * @param password  password to be filled from the given JSON.
725  */
726 inline void parseLDAPAuthenticationJson(
727     nlohmann::json input, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
728     std::optional<std::string>& username, std::optional<std::string>& password)
729 {
730     std::optional<std::string> authType;
731 
732     if (!json_util::readJson(input, asyncResp->res, "AuthenticationType",
733                              authType, "Username", username, "Password",
734                              password))
735     {
736         return;
737     }
738     if (!authType)
739     {
740         return;
741     }
742     if (*authType != "UsernameAndPassword")
743     {
744         messages::propertyValueNotInList(asyncResp->res, *authType,
745                                          "AuthenticationType");
746         return;
747     }
748 }
749 /**
750  * @brief parses the LDAPService section under the LDAP
751  * @param input JSON data
752  * @param asyncResp pointer to the JSON response
753  * @param baseDNList baseDN to be filled from the given JSON.
754  * @param userNameAttribute  userName to be filled from the given JSON.
755  * @param groupaAttribute  password to be filled from the given JSON.
756  */
757 
758 inline void
759     parseLDAPServiceJson(nlohmann::json input,
760                          const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
761                          std::optional<std::vector<std::string>>& baseDNList,
762                          std::optional<std::string>& userNameAttribute,
763                          std::optional<std::string>& groupsAttribute)
764 {
765     std::optional<nlohmann::json> searchSettings;
766 
767     if (!json_util::readJson(input, asyncResp->res, "SearchSettings",
768                              searchSettings))
769     {
770         return;
771     }
772     if (!searchSettings)
773     {
774         return;
775     }
776     if (!json_util::readJson(*searchSettings, asyncResp->res,
777                              "BaseDistinguishedNames", baseDNList,
778                              "UsernameAttribute", userNameAttribute,
779                              "GroupsAttribute", groupsAttribute))
780     {
781         return;
782     }
783 }
784 /**
785  * @brief updates the LDAP server address and updates the
786           json response with the new value.
787  * @param serviceAddressList address to be updated.
788  * @param asyncResp pointer to the JSON response
789  * @param ldapServerElementName Type of LDAP
790  server(openLDAP/ActiveDirectory)
791  */
792 
793 inline void handleServiceAddressPatch(
794     const std::vector<std::string>& serviceAddressList,
795     const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
796     const std::string& ldapServerElementName,
797     const std::string& ldapConfigObject)
798 {
799     sdbusplus::asio::setProperty(
800         *crow::connections::systemBus, ldapDbusService, ldapConfigObject,
801         ldapConfigInterface, "LDAPServerURI", serviceAddressList.front(),
802         [asyncResp, ldapServerElementName, serviceAddressList](
803             const boost::system::error_code& ec, sdbusplus::message_t& msg) {
804         if (ec)
805         {
806             const sd_bus_error* dbusError = msg.get_error();
807             if ((dbusError != nullptr) &&
808                 (dbusError->name ==
809                  std::string_view(
810                      "xyz.openbmc_project.Common.Error.InvalidArgument")))
811             {
812                 BMCWEB_LOG_WARNING(
813                     "Error Occurred in updating the service address");
814                 messages::propertyValueIncorrect(asyncResp->res,
815                                                  "ServiceAddresses",
816                                                  serviceAddressList.front());
817                 return;
818             }
819             messages::internalError(asyncResp->res);
820             return;
821         }
822         std::vector<std::string> modifiedserviceAddressList = {
823             serviceAddressList.front()};
824         asyncResp->res.jsonValue[ldapServerElementName]["ServiceAddresses"] =
825             modifiedserviceAddressList;
826         if ((serviceAddressList).size() > 1)
827         {
828             messages::propertyValueModified(asyncResp->res, "ServiceAddresses",
829                                             serviceAddressList.front());
830         }
831         BMCWEB_LOG_DEBUG("Updated the service address");
832     });
833 }
834 /**
835  * @brief updates the LDAP Bind DN and updates the
836           json response with the new value.
837  * @param username name of the user which needs to be updated.
838  * @param asyncResp pointer to the JSON response
839  * @param ldapServerElementName Type of LDAP
840  server(openLDAP/ActiveDirectory)
841  */
842 
843 inline void
844     handleUserNamePatch(const std::string& username,
845                         const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
846                         const std::string& ldapServerElementName,
847                         const std::string& ldapConfigObject)
848 {
849     sdbusplus::asio::setProperty(*crow::connections::systemBus, ldapDbusService,
850                                  ldapConfigObject, ldapConfigInterface,
851                                  "LDAPBindDN", username,
852                                  [asyncResp, username, ldapServerElementName](
853                                      const boost::system::error_code& ec) {
854         if (ec)
855         {
856             BMCWEB_LOG_DEBUG("Error occurred in updating the username");
857             messages::internalError(asyncResp->res);
858             return;
859         }
860         asyncResp->res.jsonValue[ldapServerElementName]["Authentication"]
861                                 ["Username"] = username;
862         BMCWEB_LOG_DEBUG("Updated the username");
863     });
864 }
865 
866 /**
867  * @brief updates the LDAP password
868  * @param password : ldap password which needs to be updated.
869  * @param asyncResp pointer to the JSON response
870  * @param ldapServerElementName Type of LDAP
871  *        server(openLDAP/ActiveDirectory)
872  */
873 
874 inline void
875     handlePasswordPatch(const std::string& password,
876                         const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
877                         const std::string& ldapServerElementName,
878                         const std::string& ldapConfigObject)
879 {
880     sdbusplus::asio::setProperty(*crow::connections::systemBus, ldapDbusService,
881                                  ldapConfigObject, ldapConfigInterface,
882                                  "LDAPBindDNPassword", password,
883                                  [asyncResp, password, ldapServerElementName](
884                                      const boost::system::error_code& ec) {
885         if (ec)
886         {
887             BMCWEB_LOG_DEBUG("Error occurred in updating the password");
888             messages::internalError(asyncResp->res);
889             return;
890         }
891         asyncResp->res.jsonValue[ldapServerElementName]["Authentication"]
892                                 ["Password"] = "";
893         BMCWEB_LOG_DEBUG("Updated the password");
894     });
895 }
896 
897 /**
898  * @brief updates the LDAP BaseDN and updates the
899           json response with the new value.
900  * @param baseDNList baseDN list which needs to be updated.
901  * @param asyncResp pointer to the JSON response
902  * @param ldapServerElementName Type of LDAP
903  server(openLDAP/ActiveDirectory)
904  */
905 
906 inline void
907     handleBaseDNPatch(const std::vector<std::string>& baseDNList,
908                       const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
909                       const std::string& ldapServerElementName,
910                       const std::string& ldapConfigObject)
911 {
912     sdbusplus::asio::setProperty(*crow::connections::systemBus, ldapDbusService,
913                                  ldapConfigObject, ldapConfigInterface,
914                                  "LDAPBaseDN", baseDNList.front(),
915                                  [asyncResp, baseDNList, ldapServerElementName](
916                                      const boost::system::error_code& ec,
917                                      const sdbusplus::message_t& msg) {
918         if (ec)
919         {
920             BMCWEB_LOG_DEBUG("Error Occurred in Updating the base DN");
921             const sd_bus_error* dbusError = msg.get_error();
922             if ((dbusError != nullptr) &&
923                 (dbusError->name ==
924                  std::string_view(
925                      "xyz.openbmc_project.Common.Error.InvalidArgument")))
926             {
927                 messages::propertyValueIncorrect(asyncResp->res,
928                                                  "BaseDistinguishedNames",
929                                                  baseDNList.front());
930                 return;
931             }
932             messages::internalError(asyncResp->res);
933             return;
934         }
935         auto& serverTypeJson = asyncResp->res.jsonValue[ldapServerElementName];
936         auto& searchSettingsJson =
937             serverTypeJson["LDAPService"]["SearchSettings"];
938         std::vector<std::string> modifiedBaseDNList = {baseDNList.front()};
939         searchSettingsJson["BaseDistinguishedNames"] = modifiedBaseDNList;
940         if (baseDNList.size() > 1)
941         {
942             messages::propertyValueModified(
943                 asyncResp->res, "BaseDistinguishedNames", baseDNList.front());
944         }
945         BMCWEB_LOG_DEBUG("Updated the base DN");
946     });
947 }
948 /**
949  * @brief updates the LDAP user name attribute and updates the
950           json response with the new value.
951  * @param userNameAttribute attribute to be updated.
952  * @param asyncResp pointer to the JSON response
953  * @param ldapServerElementName Type of LDAP
954  server(openLDAP/ActiveDirectory)
955  */
956 
957 inline void
958     handleUserNameAttrPatch(const std::string& userNameAttribute,
959                             const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
960                             const std::string& ldapServerElementName,
961                             const std::string& ldapConfigObject)
962 {
963     sdbusplus::asio::setProperty(
964         *crow::connections::systemBus, ldapDbusService, ldapConfigObject,
965         ldapConfigInterface, "UserNameAttribute", userNameAttribute,
966         [asyncResp, userNameAttribute,
967          ldapServerElementName](const boost::system::error_code& ec) {
968         if (ec)
969         {
970             BMCWEB_LOG_DEBUG("Error Occurred in Updating the "
971                              "username attribute");
972             messages::internalError(asyncResp->res);
973             return;
974         }
975         auto& serverTypeJson = asyncResp->res.jsonValue[ldapServerElementName];
976         auto& searchSettingsJson =
977             serverTypeJson["LDAPService"]["SearchSettings"];
978         searchSettingsJson["UsernameAttribute"] = userNameAttribute;
979         BMCWEB_LOG_DEBUG("Updated the user name attr.");
980     });
981 }
982 /**
983  * @brief updates the LDAP group attribute and updates the
984           json response with the new value.
985  * @param groupsAttribute attribute to be updated.
986  * @param asyncResp pointer to the JSON response
987  * @param ldapServerElementName Type of LDAP
988  server(openLDAP/ActiveDirectory)
989  */
990 
991 inline void handleGroupNameAttrPatch(
992     const std::string& groupsAttribute,
993     const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
994     const std::string& ldapServerElementName,
995     const std::string& ldapConfigObject)
996 {
997     sdbusplus::asio::setProperty(
998         *crow::connections::systemBus, ldapDbusService, ldapConfigObject,
999         ldapConfigInterface, "GroupNameAttribute", groupsAttribute,
1000         [asyncResp, groupsAttribute,
1001          ldapServerElementName](const boost::system::error_code& ec) {
1002         if (ec)
1003         {
1004             BMCWEB_LOG_DEBUG("Error Occurred in Updating the "
1005                              "groupname attribute");
1006             messages::internalError(asyncResp->res);
1007             return;
1008         }
1009         auto& serverTypeJson = asyncResp->res.jsonValue[ldapServerElementName];
1010         auto& searchSettingsJson =
1011             serverTypeJson["LDAPService"]["SearchSettings"];
1012         searchSettingsJson["GroupsAttribute"] = groupsAttribute;
1013         BMCWEB_LOG_DEBUG("Updated the groupname attr");
1014     });
1015 }
1016 /**
1017  * @brief updates the LDAP service enable and updates the
1018           json response with the new value.
1019  * @param input JSON data.
1020  * @param asyncResp pointer to the JSON response
1021  * @param ldapServerElementName Type of LDAP
1022  server(openLDAP/ActiveDirectory)
1023  */
1024 
1025 inline void handleServiceEnablePatch(
1026     bool serviceEnabled, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1027     const std::string& ldapServerElementName,
1028     const std::string& ldapConfigObject)
1029 {
1030     sdbusplus::asio::setProperty(
1031         *crow::connections::systemBus, ldapDbusService, ldapConfigObject,
1032         ldapEnableInterface, "Enabled", serviceEnabled,
1033         [asyncResp, serviceEnabled,
1034          ldapServerElementName](const boost::system::error_code& ec) {
1035         if (ec)
1036         {
1037             BMCWEB_LOG_DEBUG("Error Occurred in Updating the service enable");
1038             messages::internalError(asyncResp->res);
1039             return;
1040         }
1041         asyncResp->res.jsonValue[ldapServerElementName]["ServiceEnabled"] =
1042             serviceEnabled;
1043         BMCWEB_LOG_DEBUG("Updated Service enable = {}", serviceEnabled);
1044     });
1045 }
1046 
1047 inline void
1048     handleAuthMethodsPatch(nlohmann::json& input,
1049                            const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1050 {
1051     std::optional<bool> basicAuth;
1052     std::optional<bool> cookie;
1053     std::optional<bool> sessionToken;
1054     std::optional<bool> xToken;
1055     std::optional<bool> tls;
1056 
1057     if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth,
1058                              "Cookie", cookie, "SessionToken", sessionToken,
1059                              "XToken", xToken, "TLS", tls))
1060     {
1061         BMCWEB_LOG_ERROR("Cannot read values from AuthMethod tag");
1062         return;
1063     }
1064 
1065     // Make a copy of methods configuration
1066     persistent_data::AuthConfigMethods authMethodsConfig =
1067         persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
1068 
1069     if (basicAuth)
1070     {
1071 #ifndef BMCWEB_ENABLE_BASIC_AUTHENTICATION
1072         messages::actionNotSupported(
1073             asyncResp->res,
1074             "Setting BasicAuth when basic-auth feature is disabled");
1075         return;
1076 #endif
1077         authMethodsConfig.basic = *basicAuth;
1078     }
1079 
1080     if (cookie)
1081     {
1082 #ifndef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
1083         messages::actionNotSupported(
1084             asyncResp->res,
1085             "Setting Cookie when cookie-auth feature is disabled");
1086         return;
1087 #endif
1088         authMethodsConfig.cookie = *cookie;
1089     }
1090 
1091     if (sessionToken)
1092     {
1093 #ifndef BMCWEB_ENABLE_SESSION_AUTHENTICATION
1094         messages::actionNotSupported(
1095             asyncResp->res,
1096             "Setting SessionToken when session-auth feature is disabled");
1097         return;
1098 #endif
1099         authMethodsConfig.sessionToken = *sessionToken;
1100     }
1101 
1102     if (xToken)
1103     {
1104 #ifndef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
1105         messages::actionNotSupported(
1106             asyncResp->res,
1107             "Setting XToken when xtoken-auth feature is disabled");
1108         return;
1109 #endif
1110         authMethodsConfig.xtoken = *xToken;
1111     }
1112 
1113     if (tls)
1114     {
1115 #ifndef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
1116         messages::actionNotSupported(
1117             asyncResp->res,
1118             "Setting TLS when mutual-tls-auth feature is disabled");
1119         return;
1120 #endif
1121         authMethodsConfig.tls = *tls;
1122     }
1123 
1124     if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
1125         !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
1126         !authMethodsConfig.tls)
1127     {
1128         // Do not allow user to disable everything
1129         messages::actionNotSupported(asyncResp->res,
1130                                      "of disabling all available methods");
1131         return;
1132     }
1133 
1134     persistent_data::SessionStore::getInstance().updateAuthMethodsConfig(
1135         authMethodsConfig);
1136     // Save configuration immediately
1137     persistent_data::getConfig().writeData();
1138 
1139     messages::success(asyncResp->res);
1140 }
1141 
1142 /**
1143  * @brief Get the required values from the given JSON, validates the
1144  *        value and create the LDAP config object.
1145  * @param input JSON data
1146  * @param asyncResp pointer to the JSON response
1147  * @param serverType Type of LDAP server(openLDAP/ActiveDirectory)
1148  */
1149 
1150 inline void handleLDAPPatch(nlohmann::json& input,
1151                             const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1152                             const std::string& serverType)
1153 {
1154     std::string dbusObjectPath;
1155     if (serverType == "ActiveDirectory")
1156     {
1157         dbusObjectPath = adConfigObject;
1158     }
1159     else if (serverType == "LDAP")
1160     {
1161         dbusObjectPath = ldapConfigObjectName;
1162     }
1163     else
1164     {
1165         return;
1166     }
1167 
1168     std::optional<nlohmann::json> authentication;
1169     std::optional<nlohmann::json> ldapService;
1170     std::optional<std::vector<std::string>> serviceAddressList;
1171     std::optional<bool> serviceEnabled;
1172     std::optional<std::vector<std::string>> baseDNList;
1173     std::optional<std::string> userNameAttribute;
1174     std::optional<std::string> groupsAttribute;
1175     std::optional<std::string> userName;
1176     std::optional<std::string> password;
1177     std::optional<std::vector<nlohmann::json>> remoteRoleMapData;
1178 
1179     if (!json_util::readJson(input, asyncResp->res, "Authentication",
1180                              authentication, "LDAPService", ldapService,
1181                              "ServiceAddresses", serviceAddressList,
1182                              "ServiceEnabled", serviceEnabled,
1183                              "RemoteRoleMapping", remoteRoleMapData))
1184     {
1185         return;
1186     }
1187 
1188     if (authentication)
1189     {
1190         parseLDAPAuthenticationJson(*authentication, asyncResp, userName,
1191                                     password);
1192     }
1193     if (ldapService)
1194     {
1195         parseLDAPServiceJson(*ldapService, asyncResp, baseDNList,
1196                              userNameAttribute, groupsAttribute);
1197     }
1198     if (serviceAddressList)
1199     {
1200         if (serviceAddressList->empty())
1201         {
1202             messages::propertyValueNotInList(
1203                 asyncResp->res, *serviceAddressList, "ServiceAddress");
1204             return;
1205         }
1206     }
1207     if (baseDNList)
1208     {
1209         if (baseDNList->empty())
1210         {
1211             messages::propertyValueNotInList(asyncResp->res, *baseDNList,
1212                                              "BaseDistinguishedNames");
1213             return;
1214         }
1215     }
1216 
1217     // nothing to update, then return
1218     if (!userName && !password && !serviceAddressList && !baseDNList &&
1219         !userNameAttribute && !groupsAttribute && !serviceEnabled &&
1220         !remoteRoleMapData)
1221     {
1222         return;
1223     }
1224 
1225     // Get the existing resource first then keep modifying
1226     // whenever any property gets updated.
1227     getLDAPConfigData(
1228         serverType,
1229         [asyncResp, userName, password, baseDNList, userNameAttribute,
1230          groupsAttribute, serviceAddressList, serviceEnabled, dbusObjectPath,
1231          remoteRoleMapData](bool success, const LDAPConfigData& confData,
1232                             const std::string& serverT) {
1233         if (!success)
1234         {
1235             messages::internalError(asyncResp->res);
1236             return;
1237         }
1238         parseLDAPConfigData(asyncResp->res.jsonValue, confData, serverT);
1239         if (confData.serviceEnabled)
1240         {
1241             // Disable the service first and update the rest of
1242             // the properties.
1243             handleServiceEnablePatch(false, asyncResp, serverT, dbusObjectPath);
1244         }
1245 
1246         if (serviceAddressList)
1247         {
1248             handleServiceAddressPatch(*serviceAddressList, asyncResp, serverT,
1249                                       dbusObjectPath);
1250         }
1251         if (userName)
1252         {
1253             handleUserNamePatch(*userName, asyncResp, serverT, dbusObjectPath);
1254         }
1255         if (password)
1256         {
1257             handlePasswordPatch(*password, asyncResp, serverT, dbusObjectPath);
1258         }
1259 
1260         if (baseDNList)
1261         {
1262             handleBaseDNPatch(*baseDNList, asyncResp, serverT, dbusObjectPath);
1263         }
1264         if (userNameAttribute)
1265         {
1266             handleUserNameAttrPatch(*userNameAttribute, asyncResp, serverT,
1267                                     dbusObjectPath);
1268         }
1269         if (groupsAttribute)
1270         {
1271             handleGroupNameAttrPatch(*groupsAttribute, asyncResp, serverT,
1272                                      dbusObjectPath);
1273         }
1274         if (serviceEnabled)
1275         {
1276             // if user has given the value as true then enable
1277             // the service. if user has given false then no-op
1278             // as service is already stopped.
1279             if (*serviceEnabled)
1280             {
1281                 handleServiceEnablePatch(*serviceEnabled, asyncResp, serverT,
1282                                          dbusObjectPath);
1283             }
1284         }
1285         else
1286         {
1287             // if user has not given the service enabled value
1288             // then revert it to the same state as it was
1289             // before.
1290             handleServiceEnablePatch(confData.serviceEnabled, asyncResp,
1291                                      serverT, dbusObjectPath);
1292         }
1293 
1294         if (remoteRoleMapData)
1295         {
1296             handleRoleMapPatch(asyncResp, confData.groupRoleList, serverT,
1297                                *remoteRoleMapData);
1298         }
1299     });
1300 }
1301 
1302 inline void updateUserProperties(
1303     std::shared_ptr<bmcweb::AsyncResp> asyncResp, const std::string& username,
1304     const std::optional<std::string>& password,
1305     const std::optional<bool>& enabled,
1306     const std::optional<std::string>& roleId, const std::optional<bool>& locked,
1307     std::optional<std::vector<std::string>> accountTypes, bool userSelf)
1308 {
1309     sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1310     tempObjPath /= username;
1311     std::string dbusObjectPath(tempObjPath);
1312 
1313     dbus::utility::checkDbusPathExists(
1314         dbusObjectPath, [dbusObjectPath, username, password, roleId, enabled,
1315                          locked, accountTypes(std::move(accountTypes)),
1316                          userSelf, asyncResp{std::move(asyncResp)}](int rc) {
1317         if (rc <= 0)
1318         {
1319             messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1320                                        username);
1321             return;
1322         }
1323 
1324         if (password)
1325         {
1326             int retval = pamUpdatePassword(username, *password);
1327 
1328             if (retval == PAM_USER_UNKNOWN)
1329             {
1330                 messages::resourceNotFound(asyncResp->res, "ManagerAccount",
1331                                            username);
1332             }
1333             else if (retval == PAM_AUTHTOK_ERR)
1334             {
1335                 // If password is invalid
1336                 messages::propertyValueFormatError(asyncResp->res, nullptr,
1337                                                    "Password");
1338                 BMCWEB_LOG_ERROR("pamUpdatePassword Failed");
1339             }
1340             else if (retval != PAM_SUCCESS)
1341             {
1342                 messages::internalError(asyncResp->res);
1343                 return;
1344             }
1345             else
1346             {
1347                 messages::success(asyncResp->res);
1348             }
1349         }
1350 
1351         if (enabled)
1352         {
1353             sdbusplus::asio::setProperty(
1354                 *crow::connections::systemBus,
1355                 "xyz.openbmc_project.User.Manager", dbusObjectPath,
1356                 "xyz.openbmc_project.User.Attributes", "UserEnabled", *enabled,
1357                 [asyncResp](const boost::system::error_code& ec) {
1358                 if (ec)
1359                 {
1360                     BMCWEB_LOG_ERROR("D-Bus responses error: {}", ec);
1361                     messages::internalError(asyncResp->res);
1362                     return;
1363                 }
1364                 messages::success(asyncResp->res);
1365             });
1366         }
1367 
1368         if (roleId)
1369         {
1370             std::string priv = getPrivilegeFromRoleId(*roleId);
1371             if (priv.empty())
1372             {
1373                 messages::propertyValueNotInList(asyncResp->res, true,
1374                                                  "Locked");
1375                 return;
1376             }
1377 
1378             sdbusplus::asio::setProperty(
1379                 *crow::connections::systemBus,
1380                 "xyz.openbmc_project.User.Manager", dbusObjectPath,
1381                 "xyz.openbmc_project.User.Attributes", "UserPrivilege", priv,
1382                 [asyncResp](const boost::system::error_code& ec) {
1383                 if (ec)
1384                 {
1385                     BMCWEB_LOG_ERROR("D-Bus responses error: {}", ec);
1386                     messages::internalError(asyncResp->res);
1387                     return;
1388                 }
1389                 messages::success(asyncResp->res);
1390             });
1391         }
1392 
1393         if (locked)
1394         {
1395             // admin can unlock the account which is locked by
1396             // successive authentication failures but admin should
1397             // not be allowed to lock an account.
1398             if (*locked)
1399             {
1400                 messages::propertyValueNotInList(asyncResp->res, "true",
1401                                                  "Locked");
1402                 return;
1403             }
1404 
1405             sdbusplus::asio::setProperty(
1406                 *crow::connections::systemBus,
1407                 "xyz.openbmc_project.User.Manager", dbusObjectPath,
1408                 "xyz.openbmc_project.User.Attributes",
1409                 "UserLockedForFailedAttempt", *locked,
1410                 [asyncResp](const boost::system::error_code& ec) {
1411                 if (ec)
1412                 {
1413                     BMCWEB_LOG_ERROR("D-Bus responses error: {}", ec);
1414                     messages::internalError(asyncResp->res);
1415                     return;
1416                 }
1417                 messages::success(asyncResp->res);
1418             });
1419         }
1420 
1421         if (accountTypes)
1422         {
1423             patchAccountTypes(*accountTypes, asyncResp, dbusObjectPath,
1424                               userSelf);
1425         }
1426     });
1427 }
1428 
1429 inline void handleAccountServiceHead(
1430     App& app, const crow::Request& req,
1431     const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1432 {
1433     if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1434     {
1435         return;
1436     }
1437     asyncResp->res.addHeader(
1438         boost::beast::http::field::link,
1439         "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby");
1440 }
1441 
1442 inline void
1443     handleAccountServiceGet(App& app, const crow::Request& req,
1444                             const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1445 {
1446     if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1447     {
1448         return;
1449     }
1450 
1451     if (req.session == nullptr)
1452     {
1453         messages::internalError(asyncResp->res);
1454         return;
1455     }
1456 
1457     asyncResp->res.addHeader(
1458         boost::beast::http::field::link,
1459         "</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby");
1460 
1461     const persistent_data::AuthConfigMethods& authMethodsConfig =
1462         persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
1463 
1464     nlohmann::json& json = asyncResp->res.jsonValue;
1465     json["@odata.id"] = "/redfish/v1/AccountService";
1466     json["@odata.type"] = "#AccountService."
1467                           "v1_10_0.AccountService";
1468     json["Id"] = "AccountService";
1469     json["Name"] = "Account Service";
1470     json["Description"] = "Account Service";
1471     json["ServiceEnabled"] = true;
1472     json["MaxPasswordLength"] = 20;
1473     json["Accounts"]["@odata.id"] = "/redfish/v1/AccountService/Accounts";
1474     json["Roles"]["@odata.id"] = "/redfish/v1/AccountService/Roles";
1475     json["Oem"]["OpenBMC"]["@odata.type"] =
1476         "#OpenBMCAccountService.v1_0_0.AccountService";
1477     json["Oem"]["OpenBMC"]["@odata.id"] =
1478         "/redfish/v1/AccountService#/Oem/OpenBMC";
1479     json["Oem"]["OpenBMC"]["AuthMethods"]["BasicAuth"] =
1480         authMethodsConfig.basic;
1481     json["Oem"]["OpenBMC"]["AuthMethods"]["SessionToken"] =
1482         authMethodsConfig.sessionToken;
1483     json["Oem"]["OpenBMC"]["AuthMethods"]["XToken"] = authMethodsConfig.xtoken;
1484     json["Oem"]["OpenBMC"]["AuthMethods"]["Cookie"] = authMethodsConfig.cookie;
1485     json["Oem"]["OpenBMC"]["AuthMethods"]["TLS"] = authMethodsConfig.tls;
1486 
1487     // /redfish/v1/AccountService/LDAP/Certificates is something only
1488     // ConfigureManager can access then only display when the user has
1489     // permissions ConfigureManager
1490     Privileges effectiveUserPrivileges =
1491         redfish::getUserPrivileges(*req.session);
1492 
1493     if (isOperationAllowedWithPrivileges({{"ConfigureManager"}},
1494                                          effectiveUserPrivileges))
1495     {
1496         asyncResp->res.jsonValue["LDAP"]["Certificates"]["@odata.id"] =
1497             "/redfish/v1/AccountService/LDAP/Certificates";
1498     }
1499     sdbusplus::asio::getAllProperties(
1500         *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1501         "/xyz/openbmc_project/user", "xyz.openbmc_project.User.AccountPolicy",
1502         [asyncResp](const boost::system::error_code& ec,
1503                     const dbus::utility::DBusPropertiesMap& propertiesList) {
1504         if (ec)
1505         {
1506             messages::internalError(asyncResp->res);
1507             return;
1508         }
1509 
1510         BMCWEB_LOG_DEBUG("Got {}properties for AccountService",
1511                          propertiesList.size());
1512 
1513         const uint8_t* minPasswordLength = nullptr;
1514         const uint32_t* accountUnlockTimeout = nullptr;
1515         const uint16_t* maxLoginAttemptBeforeLockout = nullptr;
1516 
1517         const bool success = sdbusplus::unpackPropertiesNoThrow(
1518             dbus_utils::UnpackErrorPrinter(), propertiesList,
1519             "MinPasswordLength", minPasswordLength, "AccountUnlockTimeout",
1520             accountUnlockTimeout, "MaxLoginAttemptBeforeLockout",
1521             maxLoginAttemptBeforeLockout);
1522 
1523         if (!success)
1524         {
1525             messages::internalError(asyncResp->res);
1526             return;
1527         }
1528 
1529         if (minPasswordLength != nullptr)
1530         {
1531             asyncResp->res.jsonValue["MinPasswordLength"] = *minPasswordLength;
1532         }
1533 
1534         if (accountUnlockTimeout != nullptr)
1535         {
1536             asyncResp->res.jsonValue["AccountLockoutDuration"] =
1537                 *accountUnlockTimeout;
1538         }
1539 
1540         if (maxLoginAttemptBeforeLockout != nullptr)
1541         {
1542             asyncResp->res.jsonValue["AccountLockoutThreshold"] =
1543                 *maxLoginAttemptBeforeLockout;
1544         }
1545     });
1546 
1547     auto callback = [asyncResp](bool success, const LDAPConfigData& confData,
1548                                 const std::string& ldapType) {
1549         if (!success)
1550         {
1551             return;
1552         }
1553         parseLDAPConfigData(asyncResp->res.jsonValue, confData, ldapType);
1554     };
1555 
1556     getLDAPConfigData("LDAP", callback);
1557     getLDAPConfigData("ActiveDirectory", callback);
1558 }
1559 
1560 inline void handleAccountServicePatch(
1561     App& app, const crow::Request& req,
1562     const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1563 {
1564     if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1565     {
1566         return;
1567     }
1568     std::optional<uint32_t> unlockTimeout;
1569     std::optional<uint16_t> lockoutThreshold;
1570     std::optional<uint8_t> minPasswordLength;
1571     std::optional<uint16_t> maxPasswordLength;
1572     std::optional<nlohmann::json> ldapObject;
1573     std::optional<nlohmann::json> activeDirectoryObject;
1574     std::optional<nlohmann::json> oemObject;
1575 
1576     if (!json_util::readJsonPatch(
1577             req, asyncResp->res, "AccountLockoutDuration", unlockTimeout,
1578             "AccountLockoutThreshold", lockoutThreshold, "MaxPasswordLength",
1579             maxPasswordLength, "MinPasswordLength", minPasswordLength, "LDAP",
1580             ldapObject, "ActiveDirectory", activeDirectoryObject, "Oem",
1581             oemObject))
1582     {
1583         return;
1584     }
1585 
1586     if (minPasswordLength)
1587     {
1588         sdbusplus::asio::setProperty(
1589             *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1590             "/xyz/openbmc_project/user",
1591             "xyz.openbmc_project.User.AccountPolicy", "MinPasswordLength",
1592             *minPasswordLength,
1593             [asyncResp](const boost::system::error_code& ec) {
1594             if (ec)
1595             {
1596                 messages::internalError(asyncResp->res);
1597                 return;
1598             }
1599             messages::success(asyncResp->res);
1600         });
1601     }
1602 
1603     if (maxPasswordLength)
1604     {
1605         messages::propertyNotWritable(asyncResp->res, "MaxPasswordLength");
1606     }
1607 
1608     if (ldapObject)
1609     {
1610         handleLDAPPatch(*ldapObject, asyncResp, "LDAP");
1611     }
1612 
1613     if (std::optional<nlohmann::json> oemOpenBMCObject;
1614         oemObject && json_util::readJson(*oemObject, asyncResp->res, "OpenBMC",
1615                                          oemOpenBMCObject))
1616     {
1617         if (std::optional<nlohmann::json> authMethodsObject;
1618             oemOpenBMCObject &&
1619             json_util::readJson(*oemOpenBMCObject, asyncResp->res,
1620                                 "AuthMethods", authMethodsObject))
1621         {
1622             if (authMethodsObject)
1623             {
1624                 handleAuthMethodsPatch(*authMethodsObject, asyncResp);
1625             }
1626         }
1627     }
1628 
1629     if (activeDirectoryObject)
1630     {
1631         handleLDAPPatch(*activeDirectoryObject, asyncResp, "ActiveDirectory");
1632     }
1633 
1634     if (unlockTimeout)
1635     {
1636         sdbusplus::asio::setProperty(
1637             *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1638             "/xyz/openbmc_project/user",
1639             "xyz.openbmc_project.User.AccountPolicy", "AccountUnlockTimeout",
1640             *unlockTimeout, [asyncResp](const boost::system::error_code& ec) {
1641             if (ec)
1642             {
1643                 messages::internalError(asyncResp->res);
1644                 return;
1645             }
1646             messages::success(asyncResp->res);
1647         });
1648     }
1649     if (lockoutThreshold)
1650     {
1651         sdbusplus::asio::setProperty(
1652             *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1653             "/xyz/openbmc_project/user",
1654             "xyz.openbmc_project.User.AccountPolicy",
1655             "MaxLoginAttemptBeforeLockout", *lockoutThreshold,
1656             [asyncResp](const boost::system::error_code& ec) {
1657             if (ec)
1658             {
1659                 messages::internalError(asyncResp->res);
1660                 return;
1661             }
1662             messages::success(asyncResp->res);
1663         });
1664     }
1665 }
1666 
1667 inline void handleAccountCollectionHead(
1668     App& app, const crow::Request& req,
1669     const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1670 {
1671     if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1672     {
1673         return;
1674     }
1675     asyncResp->res.addHeader(
1676         boost::beast::http::field::link,
1677         "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby");
1678 }
1679 
1680 inline void handleAccountCollectionGet(
1681     App& app, const crow::Request& req,
1682     const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1683 {
1684     if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1685     {
1686         return;
1687     }
1688 
1689     if (req.session == nullptr)
1690     {
1691         messages::internalError(asyncResp->res);
1692         return;
1693     }
1694 
1695     asyncResp->res.addHeader(
1696         boost::beast::http::field::link,
1697         "</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby");
1698 
1699     asyncResp->res.jsonValue["@odata.id"] =
1700         "/redfish/v1/AccountService/Accounts";
1701     asyncResp->res.jsonValue["@odata.type"] = "#ManagerAccountCollection."
1702                                               "ManagerAccountCollection";
1703     asyncResp->res.jsonValue["Name"] = "Accounts Collection";
1704     asyncResp->res.jsonValue["Description"] = "BMC User Accounts";
1705 
1706     Privileges effectiveUserPrivileges =
1707         redfish::getUserPrivileges(*req.session);
1708 
1709     std::string thisUser;
1710     if (req.session)
1711     {
1712         thisUser = req.session->username;
1713     }
1714     sdbusplus::message::object_path path("/xyz/openbmc_project/user");
1715     dbus::utility::getManagedObjects(
1716         "xyz.openbmc_project.User.Manager", path,
1717         [asyncResp, thisUser, effectiveUserPrivileges](
1718             const boost::system::error_code& ec,
1719             const dbus::utility::ManagedObjectType& users) {
1720         if (ec)
1721         {
1722             messages::internalError(asyncResp->res);
1723             return;
1724         }
1725 
1726         bool userCanSeeAllAccounts =
1727             effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"});
1728 
1729         bool userCanSeeSelf =
1730             effectiveUserPrivileges.isSupersetOf({"ConfigureSelf"});
1731 
1732         nlohmann::json& memberArray = asyncResp->res.jsonValue["Members"];
1733         memberArray = nlohmann::json::array();
1734 
1735         for (const auto& userpath : users)
1736         {
1737             std::string user = userpath.first.filename();
1738             if (user.empty())
1739             {
1740                 messages::internalError(asyncResp->res);
1741                 BMCWEB_LOG_ERROR("Invalid firmware ID");
1742 
1743                 return;
1744             }
1745 
1746             // As clarified by Redfish here:
1747             // https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration
1748             // Users without ConfigureUsers, only see their own
1749             // account. Users with ConfigureUsers, see all
1750             // accounts.
1751             if (userCanSeeAllAccounts || (thisUser == user && userCanSeeSelf))
1752             {
1753                 nlohmann::json::object_t member;
1754                 member["@odata.id"] = boost::urls::format(
1755                     "/redfish/v1/AccountService/Accounts/{}", user);
1756                 memberArray.emplace_back(std::move(member));
1757             }
1758         }
1759         asyncResp->res.jsonValue["Members@odata.count"] = memberArray.size();
1760     });
1761 }
1762 
1763 inline void processAfterCreateUser(
1764     const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1765     const std::string& username, const std::string& password,
1766     const boost::system::error_code& ec, sdbusplus::message_t& m)
1767 {
1768     if (ec)
1769     {
1770         userErrorMessageHandler(m.get_error(), asyncResp, username, "");
1771         return;
1772     }
1773 
1774     if (pamUpdatePassword(username, password) != PAM_SUCCESS)
1775     {
1776         // At this point we have a user that's been
1777         // created, but the password set
1778         // failed.Something is wrong, so delete the user
1779         // that we've already created
1780         sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
1781         tempObjPath /= username;
1782         const std::string userPath(tempObjPath);
1783 
1784         crow::connections::systemBus->async_method_call(
1785             [asyncResp, password](const boost::system::error_code& ec3) {
1786             if (ec3)
1787             {
1788                 messages::internalError(asyncResp->res);
1789                 return;
1790             }
1791 
1792             // If password is invalid
1793             messages::propertyValueFormatError(asyncResp->res, nullptr,
1794                                                "Password");
1795         },
1796             "xyz.openbmc_project.User.Manager", userPath,
1797             "xyz.openbmc_project.Object.Delete", "Delete");
1798 
1799         BMCWEB_LOG_ERROR("pamUpdatePassword Failed");
1800         return;
1801     }
1802 
1803     messages::created(asyncResp->res);
1804     asyncResp->res.addHeader("Location",
1805                              "/redfish/v1/AccountService/Accounts/" + username);
1806 }
1807 
1808 inline void processAfterGetAllGroups(
1809     const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1810     const std::string& username, const std::string& password,
1811     const std::string& roleId, bool enabled,
1812     std::optional<std::vector<std::string>> accountTypes,
1813     const std::vector<std::string>& allGroupsList)
1814 {
1815     std::vector<std::string> userGroups;
1816     std::vector<std::string> accountTypeUserGroups;
1817 
1818     // If user specified account types then convert them to unix user groups
1819     if (accountTypes)
1820     {
1821         if (!getUserGroupFromAccountType(asyncResp->res, *accountTypes,
1822                                          accountTypeUserGroups))
1823         {
1824             // Problem in mapping Account Types to User Groups, Error already
1825             // logged.
1826             return;
1827         }
1828     }
1829 
1830     for (const auto& grp : allGroupsList)
1831     {
1832         // If user specified the account type then only accept groups which are
1833         // in the account types group list.
1834         if (!accountTypeUserGroups.empty())
1835         {
1836             bool found = false;
1837             for (const auto& grp1 : accountTypeUserGroups)
1838             {
1839                 if (grp == grp1)
1840                 {
1841                     found = true;
1842                     break;
1843                 }
1844             }
1845             if (!found)
1846             {
1847                 continue;
1848             }
1849         }
1850 
1851         // Console access is provided to the user who is a member of
1852         // hostconsole group and has a administrator role. So, set
1853         // hostconsole group only for the administrator.
1854         if ((grp == "hostconsole") && (roleId != "priv-admin"))
1855         {
1856             if (!accountTypeUserGroups.empty())
1857             {
1858                 BMCWEB_LOG_ERROR(
1859                     "Only administrator can get HostConsole access");
1860                 asyncResp->res.result(boost::beast::http::status::bad_request);
1861                 return;
1862             }
1863             continue;
1864         }
1865         userGroups.emplace_back(grp);
1866     }
1867 
1868     // Make sure user specified groups are valid. This is internal error because
1869     // it some inconsistencies between user manager and bmcweb.
1870     if (!accountTypeUserGroups.empty() &&
1871         accountTypeUserGroups.size() != userGroups.size())
1872     {
1873         messages::internalError(asyncResp->res);
1874         return;
1875     }
1876     crow::connections::systemBus->async_method_call(
1877         [asyncResp, username, password](const boost::system::error_code& ec2,
1878                                         sdbusplus::message_t& m) {
1879         processAfterCreateUser(asyncResp, username, password, ec2, m);
1880     },
1881         "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
1882         "xyz.openbmc_project.User.Manager", "CreateUser", username, userGroups,
1883         roleId, enabled);
1884 }
1885 
1886 inline void handleAccountCollectionPost(
1887     App& app, const crow::Request& req,
1888     const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
1889 {
1890     if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1891     {
1892         return;
1893     }
1894     std::string username;
1895     std::string password;
1896     std::optional<std::string> roleIdJson;
1897     std::optional<bool> enabledJson;
1898     std::optional<std::vector<std::string>> accountTypes;
1899     if (!json_util::readJsonPatch(req, asyncResp->res, "UserName", username,
1900                                   "Password", password, "RoleId", roleIdJson,
1901                                   "Enabled", enabledJson, "AccountTypes",
1902                                   accountTypes))
1903     {
1904         return;
1905     }
1906 
1907     std::string roleId = roleIdJson.value_or("User");
1908     std::string priv = getPrivilegeFromRoleId(roleId);
1909     if (priv.empty())
1910     {
1911         messages::propertyValueNotInList(asyncResp->res, roleId, "RoleId");
1912         return;
1913     }
1914     roleId = priv;
1915 
1916     bool enabled = enabledJson.value_or(true);
1917 
1918     // Reading AllGroups property
1919     sdbusplus::asio::getProperty<std::vector<std::string>>(
1920         *crow::connections::systemBus, "xyz.openbmc_project.User.Manager",
1921         "/xyz/openbmc_project/user", "xyz.openbmc_project.User.Manager",
1922         "AllGroups",
1923         [asyncResp, username, password{std::move(password)}, roleId, enabled,
1924          accountTypes](const boost::system::error_code& ec,
1925                        const std::vector<std::string>& allGroupsList) {
1926         if (ec)
1927         {
1928             BMCWEB_LOG_DEBUG("ERROR with async_method_call");
1929             messages::internalError(asyncResp->res);
1930             return;
1931         }
1932 
1933         if (allGroupsList.empty())
1934         {
1935             messages::internalError(asyncResp->res);
1936             return;
1937         }
1938 
1939         processAfterGetAllGroups(asyncResp, username, password, roleId, enabled,
1940                                  accountTypes, allGroupsList);
1941     });
1942 }
1943 
1944 inline void
1945     handleAccountHead(App& app, const crow::Request& req,
1946                       const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1947                       const std::string& /*accountName*/)
1948 {
1949     if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1950     {
1951         return;
1952     }
1953     asyncResp->res.addHeader(
1954         boost::beast::http::field::link,
1955         "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby");
1956 }
1957 
1958 inline void
1959     handleAccountGet(App& app, const crow::Request& req,
1960                      const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
1961                      const std::string& accountName)
1962 {
1963     if (!redfish::setUpRedfishRoute(app, req, asyncResp))
1964     {
1965         return;
1966     }
1967     asyncResp->res.addHeader(
1968         boost::beast::http::field::link,
1969         "</redfish/v1/JsonSchemas/ManagerAccount/ManagerAccount.json>; rel=describedby");
1970 
1971 #ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
1972     // If authentication is disabled, there are no user accounts
1973     messages::resourceNotFound(asyncResp->res, "ManagerAccount", accountName);
1974     return;
1975 #endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
1976 
1977     if (req.session == nullptr)
1978     {
1979         messages::internalError(asyncResp->res);
1980         return;
1981     }
1982     if (req.session->username != accountName)
1983     {
1984         // At this point we've determined that the user is trying to
1985         // modify a user that isn't them.  We need to verify that they
1986         // have permissions to modify other users, so re-run the auth
1987         // check with the same permissions, minus ConfigureSelf.
1988         Privileges effectiveUserPrivileges =
1989             redfish::getUserPrivileges(*req.session);
1990         Privileges requiredPermissionsToChangeNonSelf = {"ConfigureUsers",
1991                                                          "ConfigureManager"};
1992         if (!effectiveUserPrivileges.isSupersetOf(
1993                 requiredPermissionsToChangeNonSelf))
1994         {
1995             BMCWEB_LOG_DEBUG("GET Account denied access");
1996             messages::insufficientPrivilege(asyncResp->res);
1997             return;
1998         }
1999     }
2000 
2001     sdbusplus::message::object_path path("/xyz/openbmc_project/user");
2002     dbus::utility::getManagedObjects(
2003         "xyz.openbmc_project.User.Manager", path,
2004         [asyncResp,
2005          accountName](const boost::system::error_code& ec,
2006                       const dbus::utility::ManagedObjectType& users) {
2007         if (ec)
2008         {
2009             messages::internalError(asyncResp->res);
2010             return;
2011         }
2012         const auto userIt = std::ranges::find_if(
2013             users,
2014             [accountName](
2015                 const std::pair<sdbusplus::message::object_path,
2016                                 dbus::utility::DBusInterfacesMap>& user) {
2017             return accountName == user.first.filename();
2018         });
2019 
2020         if (userIt == users.end())
2021         {
2022             messages::resourceNotFound(asyncResp->res, "ManagerAccount",
2023                                        accountName);
2024             return;
2025         }
2026 
2027         asyncResp->res.jsonValue["@odata.type"] =
2028             "#ManagerAccount.v1_7_0.ManagerAccount";
2029         asyncResp->res.jsonValue["Name"] = "User Account";
2030         asyncResp->res.jsonValue["Description"] = "User Account";
2031         asyncResp->res.jsonValue["Password"] = nullptr;
2032         asyncResp->res.jsonValue["StrictAccountTypes"] = true;
2033 
2034         for (const auto& interface : userIt->second)
2035         {
2036             if (interface.first == "xyz.openbmc_project.User.Attributes")
2037             {
2038                 for (const auto& property : interface.second)
2039                 {
2040                     if (property.first == "UserEnabled")
2041                     {
2042                         const bool* userEnabled =
2043                             std::get_if<bool>(&property.second);
2044                         if (userEnabled == nullptr)
2045                         {
2046                             BMCWEB_LOG_ERROR("UserEnabled wasn't a bool");
2047                             messages::internalError(asyncResp->res);
2048                             return;
2049                         }
2050                         asyncResp->res.jsonValue["Enabled"] = *userEnabled;
2051                     }
2052                     else if (property.first == "UserLockedForFailedAttempt")
2053                     {
2054                         const bool* userLocked =
2055                             std::get_if<bool>(&property.second);
2056                         if (userLocked == nullptr)
2057                         {
2058                             BMCWEB_LOG_ERROR("UserLockedForF"
2059                                              "ailedAttempt "
2060                                              "wasn't a bool");
2061                             messages::internalError(asyncResp->res);
2062                             return;
2063                         }
2064                         asyncResp->res.jsonValue["Locked"] = *userLocked;
2065                         asyncResp->res
2066                             .jsonValue["Locked@Redfish.AllowableValues"] = {
2067                             "false"}; // can only unlock accounts
2068                     }
2069                     else if (property.first == "UserPrivilege")
2070                     {
2071                         const std::string* userPrivPtr =
2072                             std::get_if<std::string>(&property.second);
2073                         if (userPrivPtr == nullptr)
2074                         {
2075                             BMCWEB_LOG_ERROR("UserPrivilege wasn't a "
2076                                              "string");
2077                             messages::internalError(asyncResp->res);
2078                             return;
2079                         }
2080                         std::string role = getRoleIdFromPrivilege(*userPrivPtr);
2081                         if (role.empty())
2082                         {
2083                             BMCWEB_LOG_ERROR("Invalid user role");
2084                             messages::internalError(asyncResp->res);
2085                             return;
2086                         }
2087                         asyncResp->res.jsonValue["RoleId"] = role;
2088 
2089                         nlohmann::json& roleEntry =
2090                             asyncResp->res.jsonValue["Links"]["Role"];
2091                         roleEntry["@odata.id"] = boost::urls::format(
2092                             "/redfish/v1/AccountService/Roles/{}", role);
2093                     }
2094                     else if (property.first == "UserPasswordExpired")
2095                     {
2096                         const bool* userPasswordExpired =
2097                             std::get_if<bool>(&property.second);
2098                         if (userPasswordExpired == nullptr)
2099                         {
2100                             BMCWEB_LOG_ERROR(
2101                                 "UserPasswordExpired wasn't a bool");
2102                             messages::internalError(asyncResp->res);
2103                             return;
2104                         }
2105                         asyncResp->res.jsonValue["PasswordChangeRequired"] =
2106                             *userPasswordExpired;
2107                     }
2108                     else if (property.first == "UserGroups")
2109                     {
2110                         const std::vector<std::string>* userGroups =
2111                             std::get_if<std::vector<std::string>>(
2112                                 &property.second);
2113                         if (userGroups == nullptr)
2114                         {
2115                             BMCWEB_LOG_ERROR(
2116                                 "userGroups wasn't a string vector");
2117                             messages::internalError(asyncResp->res);
2118                             return;
2119                         }
2120                         if (!translateUserGroup(*userGroups, asyncResp->res))
2121                         {
2122                             BMCWEB_LOG_ERROR("userGroups mapping failed");
2123                             messages::internalError(asyncResp->res);
2124                             return;
2125                         }
2126                     }
2127                 }
2128             }
2129         }
2130 
2131         asyncResp->res.jsonValue["@odata.id"] = boost::urls::format(
2132             "/redfish/v1/AccountService/Accounts/{}", accountName);
2133         asyncResp->res.jsonValue["Id"] = accountName;
2134         asyncResp->res.jsonValue["UserName"] = accountName;
2135     });
2136 }
2137 
2138 inline void
2139     handleAccountDelete(App& app, const crow::Request& req,
2140                         const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
2141                         const std::string& username)
2142 {
2143     if (!redfish::setUpRedfishRoute(app, req, asyncResp))
2144     {
2145         return;
2146     }
2147 
2148 #ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
2149     // If authentication is disabled, there are no user accounts
2150     messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
2151     return;
2152 
2153 #endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
2154     sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
2155     tempObjPath /= username;
2156     const std::string userPath(tempObjPath);
2157 
2158     crow::connections::systemBus->async_method_call(
2159         [asyncResp, username](const boost::system::error_code& ec) {
2160         if (ec)
2161         {
2162             messages::resourceNotFound(asyncResp->res, "ManagerAccount",
2163                                        username);
2164             return;
2165         }
2166 
2167         messages::accountRemoved(asyncResp->res);
2168     },
2169         "xyz.openbmc_project.User.Manager", userPath,
2170         "xyz.openbmc_project.Object.Delete", "Delete");
2171 }
2172 
2173 inline void
2174     handleAccountPatch(App& app, const crow::Request& req,
2175                        const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
2176                        const std::string& username)
2177 {
2178     if (!redfish::setUpRedfishRoute(app, req, asyncResp))
2179     {
2180         return;
2181     }
2182 #ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
2183     // If authentication is disabled, there are no user accounts
2184     messages::resourceNotFound(asyncResp->res, "ManagerAccount", username);
2185     return;
2186 
2187 #endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
2188     std::optional<std::string> newUserName;
2189     std::optional<std::string> password;
2190     std::optional<bool> enabled;
2191     std::optional<std::string> roleId;
2192     std::optional<bool> locked;
2193     std::optional<std::vector<std::string>> accountTypes;
2194 
2195     bool userSelf = (username == req.session->username);
2196 
2197     if (req.session == nullptr)
2198     {
2199         messages::internalError(asyncResp->res);
2200         return;
2201     }
2202 
2203     Privileges effectiveUserPrivileges =
2204         redfish::getUserPrivileges(*req.session);
2205     Privileges configureUsers = {"ConfigureUsers"};
2206     bool userHasConfigureUsers =
2207         effectiveUserPrivileges.isSupersetOf(configureUsers);
2208     if (userHasConfigureUsers)
2209     {
2210         // Users with ConfigureUsers can modify for all users
2211         if (!json_util::readJsonPatch(
2212                 req, asyncResp->res, "UserName", newUserName, "Password",
2213                 password, "RoleId", roleId, "Enabled", enabled, "Locked",
2214                 locked, "AccountTypes", accountTypes))
2215         {
2216             return;
2217         }
2218     }
2219     else
2220     {
2221         // ConfigureSelf accounts can only modify their own account
2222         if (!userSelf)
2223         {
2224             messages::insufficientPrivilege(asyncResp->res);
2225             return;
2226         }
2227 
2228         // ConfigureSelf accounts can only modify their password
2229         if (!json_util::readJsonPatch(req, asyncResp->res, "Password",
2230                                       password))
2231         {
2232             return;
2233         }
2234     }
2235 
2236     // if user name is not provided in the patch method or if it
2237     // matches the user name in the URI, then we are treating it as
2238     // updating user properties other then username. If username
2239     // provided doesn't match the URI, then we are treating this as
2240     // user rename request.
2241     if (!newUserName || (newUserName.value() == username))
2242     {
2243         updateUserProperties(asyncResp, username, password, enabled, roleId,
2244                              locked, accountTypes, userSelf);
2245         return;
2246     }
2247     crow::connections::systemBus->async_method_call(
2248         [asyncResp, username, password(std::move(password)),
2249          roleId(std::move(roleId)), enabled, newUser{std::string(*newUserName)},
2250          locked, userSelf, accountTypes(std::move(accountTypes))](
2251             const boost::system::error_code& ec, sdbusplus::message_t& m) {
2252         if (ec)
2253         {
2254             userErrorMessageHandler(m.get_error(), asyncResp, newUser,
2255                                     username);
2256             return;
2257         }
2258 
2259         updateUserProperties(asyncResp, newUser, password, enabled, roleId,
2260                              locked, accountTypes, userSelf);
2261     },
2262         "xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
2263         "xyz.openbmc_project.User.Manager", "RenameUser", username,
2264         *newUserName);
2265 }
2266 
2267 inline void requestAccountServiceRoutes(App& app)
2268 {
2269     BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
2270         .privileges(redfish::privileges::headAccountService)
2271         .methods(boost::beast::http::verb::head)(
2272             std::bind_front(handleAccountServiceHead, std::ref(app)));
2273 
2274     BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
2275         .privileges(redfish::privileges::getAccountService)
2276         .methods(boost::beast::http::verb::get)(
2277             std::bind_front(handleAccountServiceGet, std::ref(app)));
2278 
2279     BMCWEB_ROUTE(app, "/redfish/v1/AccountService/")
2280         .privileges(redfish::privileges::patchAccountService)
2281         .methods(boost::beast::http::verb::patch)(
2282             std::bind_front(handleAccountServicePatch, std::ref(app)));
2283 
2284     BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
2285         .privileges(redfish::privileges::headManagerAccountCollection)
2286         .methods(boost::beast::http::verb::head)(
2287             std::bind_front(handleAccountCollectionHead, std::ref(app)));
2288 
2289     BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
2290         .privileges(redfish::privileges::getManagerAccountCollection)
2291         .methods(boost::beast::http::verb::get)(
2292             std::bind_front(handleAccountCollectionGet, std::ref(app)));
2293 
2294     BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
2295         .privileges(redfish::privileges::postManagerAccountCollection)
2296         .methods(boost::beast::http::verb::post)(
2297             std::bind_front(handleAccountCollectionPost, std::ref(app)));
2298 
2299     BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
2300         .privileges(redfish::privileges::headManagerAccount)
2301         .methods(boost::beast::http::verb::head)(
2302             std::bind_front(handleAccountHead, std::ref(app)));
2303 
2304     BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
2305         .privileges(redfish::privileges::getManagerAccount)
2306         .methods(boost::beast::http::verb::get)(
2307             std::bind_front(handleAccountGet, std::ref(app)));
2308 
2309     BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
2310         // TODO this privilege should be using the generated endpoints, but
2311         // because of the special handling of ConfigureSelf, it's not able to
2312         // yet
2313         .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}})
2314         .methods(boost::beast::http::verb::patch)(
2315             std::bind_front(handleAccountPatch, std::ref(app)));
2316 
2317     BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/<str>/")
2318         .privileges(redfish::privileges::deleteManagerAccount)
2319         .methods(boost::beast::http::verb::delete_)(
2320             std::bind_front(handleAccountDelete, std::ref(app)));
2321 }
2322 
2323 } // namespace redfish
2324