authorKowalski, Kamil <kamil.kowalski@intel.com>2019-07-10 14:12:57 +0300
committerJames Feist <james.feist@linux.intel.com>2019-11-08 19:52:06 +0300
commit55e43f69db10c3320430c190853bff8a5a272965 (patch)
treea54e098c8702af8d083a48de0aaf576a8cc84b93 /CMakeLists.txt
parent8ae37025d83533889be862d73d8ec701a818275a (diff)
TLS based user auth implementation
Implemented TLS based user auth. It uses certificates stored by Phosphor Certificate Manager in storage mode to verify that a user who tries to log in has a certificate signed by a trusted CA. More about this can be read in the redfish-tls-user-authentication.md design document. Tested that it does not break the current authentication methods when TLS Auth is not used - the user should not see a difference between versions. TLS Auth itself lets the user in when the certificate is valid and signed by a trusted CA, and stops working immediately after it is removed. The user is not let in when the provided certificate is not between its notBefore and notAfter dates. A session is tested not to be created when the user does not exist in the system (courtesy of earlier UserManagement usage commits). Signed-off-by: Kowalski, Kamil <kamil.kowalski@intel.com> Change-Id: I6bcaff018fe3105f77d3c10f69765e0011af8dab Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
Diffstat (limited to 'CMakeLists.txt')
-rw-r--r--CMakeLists.txt15
1 files changed, 15 insertions, 0 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 32c6fadf04..b93f342053 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -77,6 +77,12 @@ option (
'/redfish/v1/Systems/system/'."
OFF
)
+option (
+ BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
+ "Enables authenticating users through TLS client certificates.
+ The BMCWEB_INSECURE_DISABLE_SSL must be OFF for this option to take effect."
+ OFF
+)
# Insecure options. Every option that starts with a BMCWEB_INSECURE flag should
# not be enabled by default for any platform, unless the author fully
@@ -108,6 +114,14 @@ option (
OFF
)
+
+
+if (BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION AND BMCWEB_INSECURE_DISABLE_SSL)
+ message("SSL Must be enabled to allow SSL authentication")
+ set(BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION OFF)
+endif()
+
+
include (CTest)
set (CMAKE_CXX_STANDARD 17)
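Review bot: The conflict check added before `include (CTest)` silently downgrades the authentication configuration: when BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION and BMCWEB_INSECURE_DISABLE_SSL are both ON, it prints an unclassified `message()` and turns client-certificate authentication off, so a build that asked for mutual TLS is produced without it. The `set()` here creates a normal variable that shadows the option, so the cached value (presumably still ON in CMakeCache.txt) no longer matches what is compiled. I would stop the configure step instead, `message(FATAL_ERROR "BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION requires BMCWEB_INSECURE_DISABLE_SSL to be OFF")`, and drop the `set()`. If the soft fallback is intentional, use at least `message(WARNING ...)` and say in the text that the option is being disabled, so the change is not lost in the configure log.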
@@ -344,6 +358,7 @@ install (TARGETS bmcweb DESTINATION bin)
target_compile_definitions (
bmcweb PRIVATE $<$<BOOL:${BMCWEB_ENABLE_KVM}>: -DBMCWEB_ENABLE_KVM>
+ $<$<BOOL:${BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION}>: -DBMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION>
$<$<BOOL:${BMCWEB_ENABLE_VM_WEBSOCKET}>: -DBMCWEB_ENABLE_VM_WEBSOCKET>
$<$<BOOL:${BMCWEB_ENABLE_DBUS_REST}>: -DBMCWEB_ENABLE_DBUS_REST>
$<$<BOOL:${BMCWEB_ENABLE_REDFISH}>: -DBMCWEB_ENABLE_REDFISH>