1 #pragma once 2 3 #include "config.h" 4 5 #include "ldap_mapper_entry.hpp" 6 7 #include <sdbusplus/bus.hpp> 8 #include <sdbusplus/server/object.hpp> 9 #include <xyz/openbmc_project/Object/Enable/server.hpp> 10 #include <xyz/openbmc_project/User/Ldap/Config/server.hpp> 11 #include <xyz/openbmc_project/User/Ldap/Create/server.hpp> 12 #include <xyz/openbmc_project/User/PrivilegeMapper/server.hpp> 13 14 #include <filesystem> 15 #include <set> 16 #include <string> 17 18 namespace phosphor 19 { 20 namespace ldap 21 { 22 23 using ConfigIface = sdbusplus::xyz::openbmc_project::User::Ldap::server::Config; 24 using EnableIface = sdbusplus::xyz::openbmc_project::Object::server::Enable; 25 using CreateIface = sdbusplus::server::object_t< 26 sdbusplus::xyz::openbmc_project::User::Ldap::server::Create>; 27 namespace fs = std::filesystem; 28 using MapperIface = 29 sdbusplus::xyz::openbmc_project::User::server::PrivilegeMapper; 30 31 using Ifaces = 32 sdbusplus::server::object_t<ConfigIface, EnableIface, MapperIface>; 33 using ObjectPath = sdbusplus::message::object_path; 34 35 namespace sdbusRule = sdbusplus::bus::match::rules; 36 37 class ConfigMgr; 38 class MockConfigMgr; 39 40 /** @class Config 41 * @brief Configuration for LDAP. 42 * @details concrete implementation of xyz.openbmc_project.User.Ldap.Config 43 * API, in order to provide LDAP configuration. 44 */ 45 class Config : public Ifaces 46 { 47 public: 48 Config() = delete; 49 ~Config() = default; 50 Config(const Config&) = delete; 51 Config& operator=(const Config&) = delete; 52 Config(Config&&) = delete; 53 Config& operator=(Config&&) = delete; 54 55 /** @brief Constructor to put object onto bus at a D-Bus path. 56 * @param[in] bus - Bus to attach to. 57 * @param[in] path - The D-Bus object path to attach at. 58 * @param[in] filePath - LDAP configuration file. 59 * @param[in] caCertFile - LDAP's CA certificate file. 60 * @param[in] certFile - LDAP's client certificate file. 61 * @param[in] secureLDAP - Specifies whether to use SSL or not. 62 * @param[in] ldapServerURI - LDAP URI of the server. 63 * @param[in] ldapBindDN - distinguished name with which to bind. 64 * @param[in] ldapBaseDN - distinguished name to use as search base. 65 * @param[in] ldapBindDNPassword - credentials with which to bind. 66 * @param[in] ldapSearchScope - the search scope. 67 * @param[in] ldapType - Specifies the LDAP server type which can be AD 68 * or openLDAP. 69 * @param[in] ldapServiceEnabled - Specifies whether the service would be 70 * enabled or not. 71 * @param[in] groupNameAttribute - Specifies attribute name that contains 72 * the name of the Group in the LDAP server. 73 * @param[in] userNameAttribute - Specifies attribute name that contains 74 * the username in the LDAP server. 75 * 76 * @param[in] parent - parent of config object. 77 */ 78 79 Config(sdbusplus::bus_t& bus, const char* path, const char* filePath, 80 const char* caCertFile, const char* certFile, bool secureLDAP, 81 std::string ldapServerURI, std::string ldapBindDN, 82 std::string ldapBaseDN, std::string&& ldapBindDNPassword, 83 ConfigIface::SearchScope ldapSearchScope, ConfigIface::Type ldapType, 84 bool ldapServiceEnabled, std::string groupNameAttribute, 85 std::string userNameAttribute, ConfigMgr& parent); 86 87 /** @brief Constructor to put object onto bus at a D-Bus path. 88 * @param[in] bus - Bus to attach to. 89 * @param[in] path - The D-Bus object path to attach at. 90 * @param[in] filePath - LDAP configuration file. 91 * @param[in] ldapType - Specifies the LDAP server type which can be AD 92 * or openLDAP. 93 * @param[in] parent - parent of config object. 94 */ 95 Config(sdbusplus::bus_t& bus, const char* path, const char* filePath, 96 const char* caCertFile, const char* certFile, 97 ConfigIface::Type ldapType, ConfigMgr& parent); 98 99 using ConfigIface::groupNameAttribute; 100 using ConfigIface::ldapBaseDN; 101 using ConfigIface::ldapBindDN; 102 using ConfigIface::ldapBindDNPassword; 103 using ConfigIface::ldapSearchScope; 104 using ConfigIface::ldapServerURI; 105 using ConfigIface::ldapType; 106 using ConfigIface::setPropertyByName; 107 using ConfigIface::userNameAttribute; 108 using EnableIface::enabled; 109 110 /** @brief Update the Server URI property. 111 * @param[in] value - ldapServerURI value to be updated. 112 * @returns value of changed ldapServerURI. 113 */ 114 std::string ldapServerURI(std::string value) override; 115 116 /** @brief Update the BindDN property. 117 * @param[in] value - ldapBindDN value to be updated. 118 * @returns value of changed ldapBindDN. 119 */ 120 std::string ldapBindDN(std::string value) override; 121 122 /** @brief Update the BaseDN property. 123 * @param[in] value - ldapBaseDN value to be updated. 124 * @returns value of changed ldapBaseDN. 125 */ 126 std::string ldapBaseDN(std::string value) override; 127 128 /** @brief Update the Search scope property. 129 * @param[in] value - ldapSearchScope value to be updated. 130 * @returns value of changed ldapSearchScope. 131 */ 132 ConfigIface::SearchScope 133 ldapSearchScope(ConfigIface::SearchScope value) override; 134 135 /** @brief Update the LDAP Type property. 136 * @param[in] value - ldapType value to be updated. 137 * @returns value of changed ldapType. 138 */ 139 ConfigIface::Type ldapType(ConfigIface::Type value) override; 140 141 /** @brief Update the ldapServiceEnabled property. 142 * @param[in] value - ldapServiceEnabled value to be updated. 143 * @returns value of changed ldapServiceEnabled. 144 */ 145 bool enabled(bool value) override; 146 147 /** @brief Update the userNameAttribute property. 148 * @param[in] value - userNameAttribute value to be updated. 149 * @returns value of changed userNameAttribute. 150 */ 151 std::string userNameAttribute(std::string value) override; 152 153 /** @brief Update the groupNameAttribute property. 154 * @param[in] value - groupNameAttribute value to be updated. 155 * @returns value of changed groupNameAttribute. 156 */ 157 std::string groupNameAttribute(std::string value) override; 158 159 /** @brief Update the BindDNPasword property. 160 * @param[in] value - ldapBindDNPassword value to be updated. 161 * @returns value of changed ldapBindDNPassword. 162 */ 163 std::string ldapBindDNPassword(std::string value) override; 164 165 /** @brief Function required by Cereal to perform deserialization. 166 * @tparam Archive - Cereal archive type (binary in our case). 167 * @param[in] archive - reference to Cereal archive. 168 * @param[in] version - Class version that enables handling 169 * a serialized data across code levels 170 */ 171 template <class Archive> 172 void load(Archive& archive, const std::uint32_t version); 173 174 /** @brief Function required by Cereal to perform serialization. 175 * @tparam Archive - Cereal archive type (binary in our case). 176 * @param[in] archive - reference to Cereal archive. 177 * @param[in] version - Class version that enables handling 178 * a serialized data across code levels 179 */ 180 template <class Archive> 181 void save(Archive& archive, const std::uint32_t version) const; 182 183 /** @brief Serialize and persist this object at the persist 184 * location. 185 */ 186 void serialize(); 187 188 /** @brief Deserialize LDAP config data from the persistent location 189 * into this object 190 * @return bool - true if the deserialization was successful, false 191 * otherwise. 192 */ 193 bool deserialize(); 194 195 /** @brief enable or disable the service with the given value 196 * @param[in] value - enable/disble 197 * @returns value of changed status 198 */ 199 bool enableService(bool value); 200 201 /** @brief Creates a mapping for the group to the privilege 202 * 203 * @param[in] groupName - Group Name to which the privilege needs to be 204 * assigned. 205 * @param[in] privilege - The privilege role associated with the group. 206 * 207 * @return On success return the D-Bus object path of the created privilege 208 * mapper entry. 209 */ 210 ObjectPath create(std::string groupName, std::string privilege) override; 211 212 /** @brief Delete privilege mapping for LDAP group 213 * 214 * This method deletes the privilege mapping 215 * 216 * @param[in] id - id of the object which needs to be deleted. 217 */ 218 void deletePrivilegeMapper(Id id); 219 220 /** @brief Check if LDAP group privilege mapping requested is valid 221 * 222 * Check if the privilege mapping already exists for the LDAP group name 223 * and group name is empty. 224 * 225 * @param[in] groupName - LDAP group name 226 * 227 * @return throw exception if the conditions are not met. 228 */ 229 void checkPrivilegeMapper(const std::string& groupName); 230 231 /** @brief Check if the privilege level is a valid one 232 * 233 * @param[in] privilege - Privilege level 234 * 235 * @return throw exception if the conditions are not met. 236 */ 237 void checkPrivilegeLevel(const std::string& privilege); 238 239 /** @brief Construct LDAP mapper entry D-Bus objects from their persisted 240 * representations. 241 */ 242 void restoreRoleMapping(); 243 244 private: 245 bool secureLDAP; 246 std::string ldapBindPassword{}; 247 std::string tlsCacertFile{}; 248 std::string tlsCertFile{}; 249 std::string configFilePath{}; 250 std::string objectPath{}; 251 std::filesystem::path configPersistPath{}; 252 253 /** @brief Persistent sdbusplus D-Bus bus connection. */ 254 sdbusplus::bus_t& bus; 255 256 /** @brief Create a new LDAP config file. 257 */ 258 virtual void writeConfig(); 259 260 /** @brief reference to config manager object */ 261 ConfigMgr& parent; 262 263 /** @brief Id of the last privilege mapper entry */ 264 Id entryId = 0; 265 266 /** @brief container to hold privilege mapper objects */ 267 std::map<Id, std::unique_ptr<LDAPMapperEntry>> PrivilegeMapperList; 268 269 /** @brief available privileges container */ 270 std::set<std::string> privMgr = { 271 "priv-admin", 272 "priv-operator", 273 "priv-user", 274 }; 275 276 /** @brief React to InterfaceAdded signal 277 * @param[in] msg - sdbusplus message 278 */ 279 void certificateInstalled(sdbusplus::message_t& msg); 280 sdbusplus::bus::match_t certificateInstalledSignal; 281 282 sdbusplus::bus::match_t cacertificateInstalledSignal; 283 284 /** @brief React to certificate changed signal 285 * @param[in] msg - sdbusplus message 286 */ 287 void certificateChanged(sdbusplus::message_t& msg); 288 sdbusplus::bus::match_t certificateChangedSignal; 289 290 friend class MockConfigMgr; 291 }; 292 293 } // namespace ldap 294 } // namespace phosphor 295