1 /* 2 // Copyright (c) 2018 Intel Corporation 3 // 4 // Licensed under the Apache License, Version 2.0 (the "License"); 5 // you may not use this file except in compliance with the License. 6 // You may obtain a copy of the License at 7 // 8 // http://www.apache.org/licenses/LICENSE-2.0 9 // 10 // Unless required by applicable law or agreed to in writing, software 11 // distributed under the License is distributed on an "AS IS" BASIS, 12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 // See the License for the specific language governing permissions and 14 // limitations under the License. 15 */ 16 #pragma once 17 #include "json_serializer.hpp" 18 #include "users.hpp" 19 20 #include <boost/process/child.hpp> 21 #include <boost/process/io.hpp> 22 #include <phosphor-logging/elog-errors.hpp> 23 #include <phosphor-logging/elog.hpp> 24 #include <phosphor-logging/lg2.hpp> 25 #include <sdbusplus/bus.hpp> 26 #include <sdbusplus/server/object.hpp> 27 #include <xyz/openbmc_project/Common/error.hpp> 28 #include <xyz/openbmc_project/User/AccountPolicy/server.hpp> 29 #include <xyz/openbmc_project/User/Manager/server.hpp> 30 #include <xyz/openbmc_project/User/MultiFactorAuthConfiguration/server.hpp> 31 #include <xyz/openbmc_project/User/TOTPState/server.hpp> 32 33 #include <span> 34 #include <string> 35 #include <unordered_map> 36 #include <variant> 37 #include <vector> 38 39 namespace phosphor 40 { 41 namespace user 42 { 43 44 inline constexpr size_t ipmiMaxUsers = 15; 45 inline constexpr size_t maxSystemUsers = 30; 46 inline constexpr uint8_t minPasswdLength = 8; 47 extern uint8_t maxPasswdLength; // MAX_PASSWORD_LENGTH; 48 inline constexpr size_t maxSystemGroupNameLength = 32; 49 inline constexpr size_t maxSystemGroupCount = 64; 50 51 using UserMgrIface = sdbusplus::xyz::openbmc_project::User::server::Manager; 52 using UserSSHLists = 53 std::pair<std::vector<std::string>, std::vector<std::string>>; 54 using AccountPolicyIface = 55 sdbusplus::xyz::openbmc_project::User::server::AccountPolicy; 56 57 using MultiFactorAuthConfigurationIface = 58 sdbusplus::xyz::openbmc_project::User::server::MultiFactorAuthConfiguration; 59 60 using TOTPStateIface = sdbusplus::xyz::openbmc_project::User::server::TOTPState; 61 62 using Ifaces = sdbusplus::server::object_t<UserMgrIface, AccountPolicyIface, 63 MultiFactorAuthConfigurationIface, 64 TOTPStateIface>; 65 66 using Privilege = std::string; 67 using GroupList = std::vector<std::string>; 68 using UserEnabled = bool; 69 using PropertyName = std::string; 70 using ServiceEnabled = bool; 71 72 using UserInfo = std::variant<Privilege, GroupList, UserEnabled>; 73 using UserInfoMap = std::map<PropertyName, UserInfo>; 74 75 using DbusUserObjPath = sdbusplus::message::object_path; 76 77 using DbusUserPropVariant = std::variant<Privilege, ServiceEnabled>; 78 79 using DbusUserObjProperties = std::map<PropertyName, DbusUserPropVariant>; 80 81 using Interface = std::string; 82 83 using DbusUserObjValue = std::map<Interface, DbusUserObjProperties>; 84 85 using DbusUserObj = std::map<DbusUserObjPath, DbusUserObjValue>; 86 87 using MultiFactorAuthType = sdbusplus::common::xyz::openbmc_project::user:: 88 MultiFactorAuthConfiguration::Type; 89 std::string getCSVFromVector(std::span<const std::string> vec); 90 91 bool removeStringFromCSV(std::string& csvStr, const std::string& delStr); 92 93 template <typename... ArgTypes> 94 std::vector<std::string> executeCmd(const char* path, ArgTypes&&... tArgs) 95 { 96 std::vector<std::string> stdOutput; 97 boost::process::ipstream stdOutStream; 98 boost::process::child execProg(path, const_cast<char*>(tArgs)..., 99 boost::process::std_out > stdOutStream); 100 std::string stdOutLine; 101 102 while (stdOutStream && std::getline(stdOutStream, stdOutLine) && 103 !stdOutLine.empty()) 104 { 105 stdOutput.emplace_back(stdOutLine); 106 } 107 108 execProg.wait(); 109 110 int retCode = execProg.exit_code(); 111 if (retCode) 112 { 113 lg2::error("Command {PATH} execution failed, return code {RETCODE}", 114 "PATH", path, "RETCODE", retCode); 115 phosphor::logging::elog< 116 sdbusplus::xyz::openbmc_project::Common::Error::InternalFailure>(); 117 } 118 119 return stdOutput; 120 } 121 122 /** @class UserMgr 123 * @brief Responsible for managing user accounts over the D-Bus interface. 124 */ 125 class UserMgr : public Ifaces 126 { 127 public: 128 UserMgr() = delete; 129 ~UserMgr() = default; 130 UserMgr(const UserMgr&) = delete; 131 UserMgr& operator=(const UserMgr&) = delete; 132 UserMgr(UserMgr&&) = delete; 133 UserMgr& operator=(UserMgr&&) = delete; 134 135 /** @brief Constructs UserMgr object. 136 * 137 * @param[in] bus - sdbusplus handler 138 * @param[in] path - D-Bus path 139 */ 140 UserMgr(sdbusplus::bus_t& bus, const char* path); 141 142 /** @brief create user method. 143 * This method creates a new user as requested 144 * 145 * @param[in] userName - Name of the user which has to be created 146 * @param[in] groupNames - Group names list, to which user has to be added. 147 * @param[in] priv - Privilege of the user. 148 * @param[in] enabled - State of the user enabled / disabled. 149 */ 150 void createUser(std::string userName, std::vector<std::string> groupNames, 151 std::string priv, bool enabled) override; 152 153 /** @brief rename user method. 154 * This method renames the user as requested 155 * 156 * @param[in] userName - current name of the user 157 * @param[in] newUserName - new user name to which it has to be renamed. 158 */ 159 void renameUser(std::string userName, std::string newUserName) override; 160 161 /** @brief delete user method. 162 * This method deletes the user as requested 163 * 164 * @param[in] userName - Name of the user which has to be deleted 165 */ 166 void deleteUser(std::string userName); 167 168 /** @brief Update user groups & privilege. 169 * This method updates user groups & privilege 170 * 171 * @param[in] userName - user name, for which update is requested 172 * @param[in] groupName - Group to be updated.. 173 * @param[in] priv - Privilege to be updated. 174 */ 175 void updateGroupsAndPriv(const std::string& userName, 176 std::vector<std::string> groups, 177 const std::string& priv); 178 179 /** @brief Update user enabled state. 180 * This method enables / disables user 181 * 182 * @param[in] userName - user name, for which update is requested 183 * @param[in] enabled - enable / disable the user 184 */ 185 void userEnable(const std::string& userName, bool enabled); 186 187 /** @brief get user enabled state 188 * method to get user enabled state. 189 * 190 * @param[in] userName - name of the user 191 * @return - user enabled status (true/false) 192 */ 193 virtual bool isUserEnabled(const std::string& userName); 194 195 /** @brief update minimum password length requirement 196 * 197 * @param[in] val - minimum password length 198 * @return - minimum password length 199 */ 200 uint8_t minPasswordLength(uint8_t val) override; 201 202 /** @brief update old password history count 203 * 204 * @param[in] val - number of times old passwords has to be avoided 205 * @return - number of times old password has to be avoided 206 */ 207 uint8_t rememberOldPasswordTimes(uint8_t val) override; 208 209 /** @brief update maximum number of failed login attempt before locked 210 * out. 211 * 212 * @param[in] val - number of allowed attempt 213 * @return - number of allowed attempt 214 */ 215 uint16_t maxLoginAttemptBeforeLockout(uint16_t val) override; 216 217 /** @brief update timeout to unlock the account 218 * 219 * @param[in] val - value in seconds 220 * @return - value in seconds 221 */ 222 uint32_t accountUnlockTimeout(uint32_t val) override; 223 224 /** @brief parses the faillock output for locked user status 225 * 226 * @param[in] - output from faillock for the user 227 * @return - true / false indicating user locked / un-locked 228 **/ 229 bool parseFaillockForLockout( 230 const std::vector<std::string>& faillockOutput); 231 232 /** @brief lists user locked state for failed attempt 233 * 234 * @param[in] - user name 235 * @return - true / false indicating user locked / un-locked 236 **/ 237 virtual bool userLockedForFailedAttempt(const std::string& userName); 238 239 /** @brief lists user locked state for failed attempt 240 * 241 * @param[in]: user name 242 * @param[in]: value - false -unlock user account, true - no action taken 243 **/ 244 bool userLockedForFailedAttempt(const std::string& userName, 245 const bool& value); 246 247 /** @brief shows if the user's password is expired 248 * 249 * @param[in]: user name 250 * @return - true / false indicating user password expired 251 **/ 252 virtual bool userPasswordExpired(const std::string& userName); 253 254 /** @brief returns user info 255 * Checks if user is local user, then returns map of properties of user. 256 * like user privilege, list of user groups, user enabled state and user 257 * locked state. If its not local user, then it checks if its a ldap user, 258 * then it gets the privilege mapping of the LDAP group. 259 * 260 * @param[in] - user name 261 * @return - map of user properties 262 **/ 263 UserInfoMap getUserInfo(std::string userName) override; 264 265 /** @brief get IPMI user count 266 * method to get IPMI user count 267 * 268 * @return - returns user count 269 */ 270 virtual size_t getIpmiUsersCount(void); 271 272 void createGroup(std::string groupName) override; 273 274 void deleteGroup(std::string groupName) override; 275 MultiFactorAuthType enabled() const override 276 { 277 return MultiFactorAuthConfigurationIface::enabled(); 278 } 279 MultiFactorAuthType enabled(MultiFactorAuthType value, 280 bool skipSignal) override; 281 bool secretKeyRequired(std::string userName) override; 282 static std::vector<std::string> readAllGroupsOnSystem(); 283 void load(); 284 JsonSerializer& getSerializer() 285 { 286 return serializer; 287 } 288 289 protected: 290 /** @brief get pam argument value 291 * method to get argument value from pam configuration 292 * 293 * @param[in] moduleName - name of the module from where arg has to be read 294 * @param[in] argName - argument name 295 * @param[out] argValue - argument value 296 * 297 * @return 0 - success state of the function 298 */ 299 int getPamModuleArgValue(const std::string& moduleName, 300 const std::string& argName, std::string& argValue); 301 302 /** @brief get pam argument value 303 * method to get argument value from pam configuration 304 * 305 * @param[in] confFile - path of the module config file from where arg has 306 * to be read 307 * @param[in] argName - argument name 308 * @param[out] argValue - argument value 309 * 310 * @return 0 - success state of the function 311 */ 312 int getPamModuleConfValue(const std::string& confFile, 313 const std::string& argName, 314 std::string& argValue); 315 316 /** @brief set pam argument value 317 * method to set argument value in pam configuration 318 * 319 * @param[in] moduleName - name of the module in which argument value has 320 * to be set 321 * @param[in] argName - argument name 322 * @param[out] argValue - argument value 323 * 324 * @return 0 - success state of the function 325 */ 326 int setPamModuleArgValue(const std::string& moduleName, 327 const std::string& argName, 328 const std::string& argValue); 329 330 /** @brief set pam argument value 331 * method to set argument value in pam configuration 332 * 333 * @param[in] confFile - path of the module config file in which argument 334 * value has to be set 335 * @param[in] argName - argument name 336 * @param[out] argValue - argument value 337 * 338 * @return 0 - success state of the function 339 */ 340 int setPamModuleConfValue(const std::string& confFile, 341 const std::string& argName, 342 const std::string& argValue); 343 344 /** @brief check for user presence 345 * method to check for user existence 346 * 347 * @param[in] userName - name of the user 348 * @return -true if user exists and false if not. 349 */ 350 bool isUserExist(const std::string& userName); 351 352 size_t getNonIpmiUsersCount(); 353 354 /** @brief check user exists 355 * method to check whether user exist, and throw if not. 356 * 357 * @param[in] userName - name of the user 358 */ 359 void throwForUserDoesNotExist(const std::string& userName); 360 361 /** @brief check user does not exist 362 * method to check whether does not exist, and throw if exists. 363 * 364 * @param[in] userName - name of the user 365 */ 366 void throwForUserExists(const std::string& userName); 367 368 /** @brief check user name constraints 369 * method to check user name constraints and throw if failed. 370 * 371 * @param[in] userName - name of the user 372 * @param[in] groupNames - user groups 373 */ 374 void throwForUserNameConstraints( 375 const std::string& userName, 376 const std::vector<std::string>& groupNames); 377 378 /** @brief check group user count 379 * method to check max group user count, and throw if limit reached 380 * 381 * @param[in] groupNames - group name 382 */ 383 void throwForMaxGrpUserCount(const std::vector<std::string>& groupNames); 384 385 virtual void executeUserAdd(const char* userName, const char* groups, 386 bool sshRequested, bool enabled); 387 388 virtual void executeUserDelete(const char* userName); 389 390 /** @brief clear user's failure records 391 * method to clear user fail records and throw if failed. 392 * 393 * @param[in] userName - name of the user 394 */ 395 virtual void executeUserClearFailRecords(const char* userName); 396 397 virtual void executeUserRename(const char* userName, 398 const char* newUserName); 399 400 virtual void executeUserModify(const char* userName, const char* newGroups, 401 bool sshRequested); 402 403 virtual void executeUserModifyUserEnable(const char* userName, 404 bool enabled); 405 406 virtual void executeGroupCreation(const char* groupName); 407 408 virtual void executeGroupDeletion(const char* groupName); 409 410 virtual std::vector<std::string> getFailedAttempt(const char* userName); 411 412 /** @brief check for valid privielge 413 * method to check valid privilege, and throw if invalid 414 * 415 * @param[in] priv - privilege of the user 416 */ 417 void throwForInvalidPrivilege(const std::string& priv); 418 419 /** @brief check for valid groups 420 * method to check valid groups, and throw if invalid 421 * 422 * @param[in] groupNames - user groups 423 */ 424 void throwForInvalidGroups(const std::vector<std::string>& groupName); 425 426 void initializeAccountPolicy(); 427 428 /** @brief checks if the group creation meets all constraints 429 * @param groupName - group to check 430 */ 431 void checkCreateGroupConstraints(const std::string& groupName); 432 433 /** @brief checks if the group deletion meets all constraints 434 * @param groupName - group to check 435 */ 436 void checkDeleteGroupConstraints(const std::string& groupName); 437 438 /** @brief checks if the group name is legal and whether it's allowed to 439 * change. The daemon doesn't allow arbitrary group to be created 440 * @param groupName - group to check 441 */ 442 void checkAndThrowForDisallowedGroupCreation(const std::string& groupName); 443 444 private: 445 /** @brief sdbusplus handler */ 446 sdbusplus::bus_t& bus; 447 448 /** @brief object path */ 449 const std::string path; 450 451 /** @brief serializer for mfa */ 452 JsonSerializer serializer; 453 /** @brief privilege manager container */ 454 const std::vector<std::string> privMgr = {"priv-admin", "priv-operator", 455 "priv-user"}; 456 457 /** @brief groups manager container */ 458 std::vector<std::string> groupsMgr; 459 460 /** @brief map container to hold users object */ 461 462 std::unordered_map<std::string, std::unique_ptr<phosphor::user::Users>> 463 usersList; 464 465 /** @brief get users in group 466 * method to get group user list 467 * 468 * @param[in] groupName - group name 469 * 470 * @return userList - list of users in the group. 471 */ 472 std::vector<std::string> getUsersInGroup(const std::string& groupName); 473 474 /** @brief get user & SSH users list 475 * method to get the users and ssh users list. 476 * 477 *@return - vector of User & SSH user lists 478 */ 479 UserSSHLists getUserAndSshGrpList(void); 480 481 /** @brief initialize the user manager objects 482 * method to initialize the user manager objects accordingly 483 * 484 */ 485 void initUserObjects(void); 486 487 /** @brief get service name 488 * method to get dbus service name 489 * 490 * @param[in] path - object path 491 * @param[in] intf - interface 492 * @return - service name 493 */ 494 std::string getServiceName(std::string&& path, std::string&& intf); 495 496 /** @brief get primary group ID of specified user 497 * 498 * @param[in] - userName 499 * @return - primary group ID 500 */ 501 virtual gid_t getPrimaryGroup(const std::string& userName) const; 502 503 /** @brief check whether if the user is a member of the group 504 * 505 * @param[in] - userName 506 * @param[in] - ID of the user's primary group 507 * @param[in] - groupName 508 * @return - true if the user is a member of the group 509 */ 510 virtual bool isGroupMember(const std::string& userName, gid_t primaryGid, 511 const std::string& groupName) const; 512 513 protected: 514 /** @brief get privilege mapper object 515 * method to get dbus privilege mapper object 516 * 517 * @return - map of user object 518 */ 519 virtual DbusUserObj getPrivilegeMapperObject(void); 520 521 friend class TestUserMgr; 522 523 std::string faillockConfigFile; 524 std::string pwHistoryConfigFile; 525 std::string pwQualityConfigFile; 526 }; 527 528 } // namespace user 529 } // namespace phosphor 530