author | Karol Niczyj <karol.niczyj@intel.com> | 2022-04-27 19:04:58 +0300 |
---|---|---|
committer | Bolesław Ogończyk Mąkowski <boleslawx.ogonczyk-makowski@intel.com> | 2023-01-19 17:57:31 +0300 |
commit | ade2fe78b9907e5fa9d96d615f7682dade19e8c8 (patch) | |
tree | 2e98acd6d1b54509e7bf39ef2d150e1a43940c84 /include/authentication.hpp | |
parent | 2b73119c57d054d1a0d67b376ae5651fccfae5ba (diff) | |
download | bmcweb-ade2fe78b9907e5fa9d96d615f7682dade19e8c8.tar.xz |
Removed checking cookie in mTLS authentication
mTLS authentication should have the highest priority (according to the code
in [1]), so it shouldn't be affected by cookies. If you provide a valid
certificate and a dummy cookie value, the request will fail, which means
cookies had higher priority than mTLS.
Tested:
Follow the guide in [2] to create a valid certificate for a user that
can access some resource (for example /redfish/v1/Chassis) and make two
requests:
curl --cert client-cert.pem --key client-key.pem -vvv --cacert
CA-cert.pem https://BMC_IP/redfish/v1/Chassis
curl --cert client-cert.pem --key client-key.pem -vvv --cacert
CA-cert.pem https://BMC_IP/redfish/v1/Chassis -H "Cookie: SESSION=123"
Before this change, the second request would fail with "401 Unauthorized".
[1]: https://github.com/openbmc/bmcweb/blob/bb759e3aeaadfec9f3aac4485f253bcc8a523e4c/include/authentication.hpp#L275
[2]: https://github.com/openbmc/docs/blob/f4febd002df578bad816239b70950f84ea4567e8/security/TLS-configuration.md
Signed-off-by: Karol Niczyj <karol.niczyj@intel.com>
Signed-off-by: Boleslaw Ogonczyk Makowski <boleslawx.ogonczyk-makowski@intel.com>
Change-Id: I5d6267332b7b97c11f638850108e671d0baa26fd
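The priority bug the commit message describes, modelled as an added example (this is not bmcweb's code): mTLS is consulted first and cookie authentication runs only when the mTLS branch yields no session. The function names, the cookie-session store and the session ids are constructed for the example; the two branch functions mirror the removed and the added code in the hunk.

```python
from typing import Callable, Optional, Tuple

# Constructed cookie-session store: SESSION cookie value -> session id.
COOKIE_SESSIONS = {"abc123": "cookie-session-abc123"}

# (session id or None, whether Set-Cookie headers were emitted)
Result = Tuple[Optional[str], bool]


def mtls_before(tls_session: Optional[str], cookie_header: str) -> Result:
    """Pre-change mTLS branch: with a valid certificate, the TLS session is
    used only when no SESSION= cookie is present; otherwise the branch
    yields no session and cookie authentication decides the request."""
    if tls_session is None:
        return None, False
    if cookie_header == "" or "SESSION=" not in cookie_header:
        return tls_session, True  # switches the client to cookie auth
    return None, False


def mtls_after(tls_session: Optional[str], cookie_header: str) -> Result:
    """Post-change mTLS branch: the TLS session is used whatever the Cookie
    header says, and Set-Cookie headers are emitted on every such request."""
    if tls_session is None:
        return None, False
    return tls_session, True


def cookie_auth(cookie_header: str) -> Optional[str]:
    """Cookie authentication: look the SESSION cookie up in the store."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSION":
            return COOKIE_SESSIONS.get(value)
    return None


def authenticate(branch: Callable[[Optional[str], str], Result],
                 tls_session: Optional[str],
                 cookie_header: str) -> Tuple[int, bool]:
    """Return the HTTP status (200 or 401) and whether Set-Cookie was emitted,
    with the mTLS branch consulted first and cookie auth only as fallback."""
    session, set_cookie = branch(tls_session, cookie_header)
    if session is None:
        session = cookie_auth(cookie_header)
    return (200 if session is not None else 401), set_cookie
```

With a valid certificate and `Cookie: SESSION=123`, `mtls_before` hands the request to cookie auth, which rejects the dummy value (401), while `mtls_after` uses the TLS session (200).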
Diffstat (limited to 'include/authentication.hpp')
-rw-r--r-- | include/authentication.hpp | 26 |
1 files changed, 10 insertions, 16 deletions
diff --git a/include/authentication.hpp b/include/authentication.hpp index 93e9c8db79..716b4bbcc1 100644 --- a/include/authentication.hpp +++ b/include/authentication.hpp @@ -199,22 +199,16 @@ static std::shared_ptr<persistent_data::UserSession> << " will be used for this request."; return sp; } - std::string_view cookieValue = reqHeader["Cookie"]; - if (cookieValue.empty() || - cookieValue.find("SESSION=") == std::string::npos) - { - // TODO: change this to not switch to cookie auth - res.addHeader( - "Set-Cookie", - "XSRF-TOKEN=" + sp->csrfToken + - "; SameSite=Strict; Secure\r\nSet-Cookie: SESSION=" + - sp->sessionToken + - "; SameSite=Strict; Secure; HttpOnly\r\nSet-Cookie: " - "IsAuthenticated=true; Secure"); - BMCWEB_LOG_DEBUG << " TLS session: " << sp->uniqueId - << " with cookie will be used for this request."; - return sp; - } + // TODO: change this to not switch to cookie auth + res.addHeader("Set-Cookie", + "XSRF-TOKEN=" + sp->csrfToken + + "; SameSite=Strict; Secure\r\nSet-Cookie: SESSION=" + + sp->sessionToken + + "; SameSite=Strict; Secure; HttpOnly\r\nSet-Cookie: " + "IsAuthenticated=true; Secure"); + BMCWEB_LOG_DEBUG << " TLS session: " << sp->uniqueId + << " with cookie will be used for this request."; + return sp; } return nullptr; } |
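Review bot: the replacement body emits the three Set-Cookie headers (XSRF-TOKEN, SESSION, IsAuthenticated=true) on every mTLS-authenticated request, including those that already carry a SESSION cookie, so a browser's existing session cookie is overwritten with the TLS session token on each request; the removed condition was doing two jobs, gating both the cookie issuance and the early return, and only the second one needed to go. Consider keeping the `cookieValue.empty() || cookieValue.find("SESSION=") == std::string::npos` check around the `res.addHeader(...)` call alone and returning `sp` unconditionally after it, which fixes the priority problem described in the commit message without changing when cookies are issued. The `// TODO: change this to not switch to cookie auth` comment, and the single header value that stuffs three Set-Cookie lines together with embedded `\r\n`, are carried over unchanged, so that part of the behaviour is still open.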