author | James Feist <james.feist@linux.intel.com> | 2020-07-29 02:10:23 +0300 |
---|---|---|
committer | James Feist <james.feist@linux.intel.com> | 2020-07-29 22:00:06 +0300 |
commit | 6964c9820ad101d6fc30badd1ae353efea3dd094 (patch) | |
tree | 780e003294b379aa8997bfc937a0f40bc914d662 /include/authorization.hpp | |
parent | 80319af19c4b74a95a940ade10b13dee2562fe8a (diff) | |
Fix MTLS Auth
MTLS Auth was not in the authenticate header,
making it authenticate too late now (in handle) as
we now authenticate before reading the headers.
Move it to the authenticate header.
Tested: MTLS in Chrome and via scripting allowed
GETs on resources
Change-Id: Ia765efd5c588b497de010605b474f6bb886a9dd1
Signed-off-by: James Feist <james.feist@linux.intel.com>
Diffstat (limited to 'include/authorization.hpp')
-rw-r--r-- | include/authorization.hpp | 46 |
1 files changed, 45 insertions, 1 deletions
diff --git a/include/authorization.hpp b/include/authorization.hpp index 8237bc4fb6..c00090b4dd 100644 --- a/include/authorization.hpp +++ b/include/authorization.hpp @@ -163,6 +163,44 @@ static const std::shared_ptr<crow::persistent_data::UserSession> return session; } +static const std::shared_ptr<crow::persistent_data::UserSession> + performTLSAuth(const crow::Request& req, Response& res, + std::weak_ptr<crow::persistent_data::UserSession> session) +{ +#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION + if (auto sp = session.lock()) + { + // set cookie only if this is req from the browser. + if (req.getHeaderValue("User-Agent").empty()) + { + BMCWEB_LOG_DEBUG << " TLS session: " << sp->uniqueId + << " will be used for this request."; + return sp; + } + else + { + std::string_view cookieValue = req.getHeaderValue("Cookie"); + if (cookieValue.empty() || + cookieValue.find("SESSION=") == std::string::npos) + { + // TODO: change this to not switch to cookie auth + res.addHeader( + "Set-Cookie", + "XSRF-TOKEN=" + sp->csrfToken + + "; Secure\r\nSet-Cookie: SESSION=" + sp->sessionToken + + "; Secure; HttpOnly\r\nSet-Cookie: " + "IsAuthenticated=true; Secure"); + BMCWEB_LOG_DEBUG + << " TLS session: " << sp->uniqueId + << " with cookie will be used for this request."; + return sp; + } + } + } +#endif + return nullptr; +} + // checks if request can be forwarded without authentication static bool isOnWhitelist(const crow::Request& req) { @@ -197,7 +235,9 @@ static bool isOnWhitelist(const crow::Request& req) return false; } -static void authenticate(crow::Request& req, Response& res) +static void + authenticate(crow::Request& req, Response& res, + std::weak_ptr<crow::persistent_data::UserSession> session) { if (isOnWhitelist(req)) { 
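Review bot: In performTLSAuth the three cookies are emitted as one `Set-Cookie` value with `\r\nSet-Cookie:` embedded in it, which only works if `addHeader` writes CR/LF through verbatim; any header-injection sanitisation added to the response layer later would silently fold them into a single malformed cookie. Emitting them as three separate calls is the robust form, `res.addHeader("Set-Cookie", "XSRF-TOKEN=" + sp->csrfToken + "; Secure");`, `res.addHeader("Set-Cookie", "SESSION=" + sp->sessionToken + "; Secure; HttpOnly");`, `res.addHeader("Set-Cookie", "IsAuthenticated=true; Secure");` (this assumes the underlying header container accepts repeated names, which I cannot confirm from this hunk). The `// set cookie only if this is req from the browser.` comment also overstates the test: any client that sends a User-Agent header, curl included by default, takes the cookie branch, so `// heuristic: a client with no User-Agent is treated as a script and gets no cookie` describes what the code actually does. None of the cookies carry a `SameSite` attribute; since the SESSION cookie is now minted from a client certificate, `SameSite=Strict` on it is worth considering if the web UI does not rely on cross-site navigation.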
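Review bot: The new third parameter of authenticate is undocumented, and the only thing visible in this hunk is that it is a `std::weak_ptr` to a UserSession handed in by the caller; a one-line comment above the signature would tell the reader what it carries, e.g. `// session: weak reference to the session bound to this connection's TLS client certificate, if any`. That it is the mTLS session is inferred from the performTLSAuth name rather than shown here, so confirm against the call site before writing it down. The body of authenticate continues past the end of this hunk.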
@@ -208,6 +248,10 @@ static void authenticate(crow::Request& req, Response& res)
         crow::persistent_data::SessionStore::getInstance()
             .getAuthMethodsConfig();
 
+    if (req.session == nullptr && authMethodsConfig.tls)
+    {
+        req.session = performTLSAuth(req, res, session);
+    }
     if (req.session == nullptr && authMethodsConfig.xtoken)
     {
         req.session = performXtokenAuth(req);
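Review bot: With `BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION` undefined performTLSAuth always returns nullptr, so a deployment that enables `authMethodsConfig.tls` silently gets no certificate authentication and no diagnostic; a debug log when the call returns nullptr while tls is enabled, or a build-time check that tls cannot be turned on in such a build, would make the misconfiguration visible. Note also that performTLSAuth returns nullptr for a client that presents a certificate but also sends a `SESSION=` cookie, so that request drops through to xtoken/cookie auth and is presumably rejected if the cookie has expired even though the certificate was valid; if that is intended, a comment here such as `// a client that already carries a SESSION cookie is authenticated by that cookie, not by its certificate` would spare the next reader the surprise. The remainder of authenticate's body lies outside this hunk.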