authorNan Zhou <nanzhoumails@gmail.com>2021-11-13 22:00:07 +0300
committerEd Tanous <ed@tanous.net>2021-11-18 21:05:41 +0300
commit8682c5ad05a9dff8ba3575ff5c4e8ceb535f6c5e (patch)
tree0efb6cb0d458ae5775cf9b8887083ec7e0fca1e6
parent997093eb732dc889bd76f7aaa65e16a2aa4d7224 (diff)
downloadbmcweb-8682c5ad05a9dff8ba3575ff5c4e8ceb535f6c5e.tar.xz
meson_options: implement disable-auth; delete pam
Implemented the disable-auth option. This patch also removed the pam option which never worked. Tested: With disable-auth, ``` ~# wget -qO- http://localhost/redfish/v1/Systems/ { "@odata.id": "/redfish/v1/Systems", "@odata.type": "#ComputerSystemCollection.ComputerSystemCollection", "Members": [ { "@odata.id": "/redfish/v1/Systems/system" } ], "Members@odata.count": 1, "Name": "Computer System Collection" } ``` Without disable-auth, ``` ~# wget -qO- http://localhost/redfish/ { "v1": "/redfish/v1/" } ~# wget -qO- http://localhost/redfish/v1/Systems/system wget: server returned error: HTTP/1.1 401 Unauthorized ``` Signed-off-by: Nan Zhou <nanzhoumails@gmail.com> Change-Id: I88e4e6fa6ed71096bc866b42b9af283645a65988
-rw-r--r--http/http_connection.hpp8
-rw-r--r--include/authorization.hpp16
-rw-r--r--meson.build3
-rw-r--r--meson_options.txt1
4 files changed, 15 insertions, 13 deletions
diff --git a/http/http_connection.hpp b/http/http_connection.hpp
index 4b4310f7d1..fb5eac733e 100644
--- a/http/http_connection.hpp
+++ b/http/http_connection.hpp
@@ -354,7 +354,7 @@ class Connection :
completeRequest();
return;
}
-
+#ifndef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
if (!crow::authorization::isOnAllowlist(req->url, req->method()) &&
thisReq.session == nullptr)
{
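Review bot: Nothing in the new code records that the session check was compiled out. With `BMCWEB_INSECURE_DISABLE_AUTHENTICATION` defined, the guard opened here removes the allowlist/session test, so a request without a session goes on to the handlers and leaves no trace in the logs; the matching `#endif` is in the next hunk, and the enclosing function starts and ends outside both. An operator inspecting a running image cannot tell from its output that it was built this way. I would add a one-time message at startup, or failing that an `#else` branch here, such as `BMCWEB_LOG_WARNING << "Authentication is disabled at build time";`, so that an image shipped with this option by mistake is detectable.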
@@ -365,7 +365,7 @@ class Connection :
completeRequest();
return;
}
-
+#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
res.setCompleteRequestHandler([self(shared_from_this())] {
boost::asio::post(self->adaptor.get_executor(),
[self] { self->completeRequest(); });
@@ -566,7 +566,6 @@ class Connection :
return;
}
- boost::beast::http::verb method = parser->get().method();
readClientIp();
boost::asio::ip::address ip;
@@ -575,8 +574,11 @@ class Connection :
BMCWEB_LOG_DEBUG << "Unable to get client IP";
}
sessionIsFromTransport = false;
+#ifndef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+ boost::beast::http::verb method = parser->get().method();
userSession = crow::authorization::authenticate(
ip, res, method, parser->get().base(), userSession);
+#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
bool loggedIn = userSession != nullptr;
if (loggedIn)
{
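Review bot: With the macro defined, `userSession` is never assigned in this block, so `loggedIn` stays false unless a session was attached earlier, and the code under `if (loggedIn)` is skipped; that branch continues past the end of the hunk. Handlers then presumably receive a null session pointer, and whether each of them tolerates that is not visible here. I would state the contract next to the guard, for example `// Auth disabled: userSession keeps its previous value (normally nullptr); code reading the request's session must check it for null`.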
diff --git a/include/authorization.hpp b/include/authorization.hpp
index 40a6119877..202628c243 100644
--- a/include/authorization.hpp
+++ b/include/authorization.hpp
@@ -223,7 +223,8 @@ static std::shared_ptr<persistent_data::UserSession>
#endif
// checks if request can be forwarded without authentication
-static bool isOnAllowlist(std::string_view url, boost::beast::http::verb method)
+[[maybe_unused]] static bool isOnAllowlist(std::string_view url,
+ boost::beast::http::verb method)
{
if (boost::beast::http::verb::get == method)
{
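Review bot: The `[[maybe_unused]]` on `isOnAllowlist` is unconditional, so it also silences the unused-function warning in builds where authentication is enabled and a missing call would be a real defect. The same applies to `authenticate` in the next hunk of this file. Since both are only unreferenced when `BMCWEB_INSECURE_DISABLE_AUTHENTICATION` is defined, I would at least say so where the attribute is applied, e.g. `// [[maybe_unused]]: not referenced when BMCWEB_INSECURE_DISABLE_AUTHENTICATION is defined`. Both function bodies continue outside their hunks.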
@@ -255,12 +256,13 @@ static bool isOnAllowlist(std::string_view url, boost::beast::http::verb method)
return false;
}
-static std::shared_ptr<persistent_data::UserSession> authenticate(
- boost::asio::ip::address& ipAddress [[maybe_unused]],
- Response& res [[maybe_unused]], boost::beast::http::verb method,
- const boost::beast::http::header<true>& reqHeader,
- [[maybe_unused]] const std::shared_ptr<persistent_data::UserSession>&
- session)
+[[maybe_unused]] static std::shared_ptr<persistent_data::UserSession>
+ authenticate(
+ boost::asio::ip::address& ipAddress [[maybe_unused]],
+ Response& res [[maybe_unused]], boost::beast::http::verb method,
+ const boost::beast::http::header<true>& reqHeader,
+ [[maybe_unused]] const std::shared_ptr<persistent_data::UserSession>&
+ session)
{
const persistent_data::AuthConfigMethods& authMethodsConfig =
persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
diff --git a/meson.build b/meson.build
index bdfa36eb0c..01417f2b3b 100644
--- a/meson.build
+++ b/meson.build
@@ -72,7 +72,6 @@ feature_map = {
'insecure-tftp-update' : '-DBMCWEB_INSECURE_ENABLE_REDFISH_FW_TFTP_UPDATE',
'kvm' : '-DBMCWEB_ENABLE_KVM' ,
'mutual-tls-auth' : '-DBMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION',
- 'pam' : '-DWEBSERVER_ENABLE_PAM',
'redfish' : '-DBMCWEB_ENABLE_REDFISH',
'redfish-bmc-journal' : '-DBMCWEB_ENABLE_REDFISH_BMC_JOURNAL',
'redfish-cpu-log' : '-DBMCWEB_ENABLE_REDFISH_CPU_LOG',
@@ -263,7 +262,7 @@ language : 'cpp')
# automatically during the configure step
bmcweb_dependencies = []
-pam = cxx.find_library('pam', required: get_option('pam'))
+pam = cxx.find_library('pam', required: true)
atomic = cxx.find_library('atomic', required: true)
openssl = dependency('openssl', required : true)
bmcweb_dependencies += [pam, atomic, openssl]
diff --git a/meson_options.txt b/meson_options.txt
index 6c0f6434c4..e2addbc0c0 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -1,4 +1,3 @@
-option('pam', type: 'feature', value : 'enabled', description : 'Built static libraries')
option('yocto-deps', type: 'feature', value: 'disabled', description : 'Use YOCTO dependencies system')
option('kvm', type : 'feature',value : 'enabled', description : 'Enable the KVM host video WebSocket. Path is \'/kvm/0\'. Video is from the BMC\'s \'/dev/video\' device.')
option ('tests', type : 'feature', value : 'enabled', description : 'Enable Unit tests for bmcweb')