authorJohn Edward Broadbent <jebr@google.com>2021-07-14 01:36:32 +0300
committerEd Tanous <ed@tanous.net>2021-09-09 05:22:38 +0300
commit59b98b2222fddbea3d6f678d9e94006521f0c381 (patch)
tree44a79228f34c6ae0ce2b333c2f524256f8469872 /include/forward_unauthorized.hpp
parent7bb985eeb0930905c2f4d551e895dd5293094931 (diff)
Change ownership of boost::req to crow::req
req is being created later, in the connection life cycle. req was holding many important values when it was passed to authenticate, so the authenticate call had to be refactored to include all the data req was holding. Also, uses of req before handle have been changed to direct calls to boot::parse. Tested: Made a request that did not require authentication $ curl -vvvv --insecure "https://192.168.7.2:18080/redfish/v1" Got correct service root Made an unauthenticated request (Chassis) $ curl -c cjar -b cjar -k -H "Content-Type: application/json" -X GET https://192.168.7.2:18080/redfish/v1/Chassis Unauthenticated Made a log-in request $ curl -c cjar -b cjar -k -H "Content-Type: application/json" -X POST https://192.168.7.2:18080/login -d "{\"data\": [ \"root\", \"0penBmc\" ] }" Made (same) Chassis request $ curl -c cjar -b cjar -k -H "Content-Type: application/json" -X GET https://192.168.7.2:18080/redfish/v1/Chassis Tested the websockets using scripts/websocket_test.py Websockets continued to work after this change. Followed the mTLS instructions here https://github.com/openbmc/docs/blob/master/security/TLS-configuration.md mTLS continues to work after this change. Change-Id: I78f78063be0331be00b66349d5d184847add1708 Signed-off-by: John Edward Broadbent <jebr@google.com>
Diffstat (limited to 'include/forward_unauthorized.hpp')
-rw-r--r--include/forward_unauthorized.hpp9
1 files changed, 5 insertions, 4 deletions
diff --git a/include/forward_unauthorized.hpp b/include/forward_unauthorized.hpp
index 46a25d4b42..29fef337f0 100644
--- a/include/forward_unauthorized.hpp
+++ b/include/forward_unauthorized.hpp
@@ -8,18 +8,19 @@ namespace forward_unauthorized
static bool hasWebuiRoute = false;
-inline void sendUnauthorized(const crow::Request& req, crow::Response& res)
+inline void sendUnauthorized(std::string_view url, std::string_view userAgent,
+ std::string_view accept, crow::Response& res)
{
// If it's a browser connecting, don't send the HTTP authenticate
// header, to avoid possible CSRF attacks with basic auth
- if (http_helpers::requestPrefersHtml(req))
+ if (http_helpers::requestPrefersHtml(accept))
{
// If we have a webui installed, redirect to that login page
if (hasWebuiRoute)
{
res.result(boost::beast::http::status::temporary_redirect);
res.addHeader("Location",
- "/#/login?next=" + http_helpers::urlEncode(req.url));
+ "/#/login?next=" + http_helpers::urlEncode(url));
}
else
{
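Review bot: The new signature of `sendUnauthorized` takes three adjacent `std::string_view` parameters (`url`, `userAgent`, `accept`), so a call site that transposes two of them still compiles. Swapping `userAgent` and `accept` would silently change both the browser check and the decision to send `WWW-Authenticate`, which is the CSRF-relevant behaviour this function exists for. The call sites are not visible on this page, so I would at least document the contract above the function, e.g. `/// @param url request target, used only to build the login redirect`, `/// @param userAgent raw User-Agent header value (empty if absent)`, `/// @param accept raw Accept header value`. Since `url` is client-supplied and ends up in the `Location` header as `next=`, the comment should also say that it must stay behind `urlEncode` and that the login page is expected to accept only same-origin paths. The function body continues past the end of this hunk.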
@@ -35,7 +36,7 @@ inline void sendUnauthorized(const crow::Request& req, crow::Response& res)
// only send the WWW-authenticate header if this isn't a xhr
// from the browser. Most scripts, tend to not set a user-agent header.
// So key off that to know whether or not we need to suggest basic auth
- if (req.getHeaderValue("User-Agent").empty())
+ if (userAgent.empty())
{
res.addHeader("WWW-Authenticate", "Basic");
}
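Review bot: The `userAgent.empty()` test now relies on the caller having extracted the header, so "empty" can mean either that the client sent no User-Agent or that the caller had nothing to pass yet. In the second case every 401 would carry `WWW-Authenticate: Basic`, including the browser XHRs the comment above wants to exclude; whether any caller does this cannot be seen from this hunk. I would state the assumption next to the check, e.g. `// userAgent must be the parsed request's User-Agent value; an empty view is treated as "header absent"`. Because the header is client-controlled, the comment should also note that this only decides whether to prompt for basic auth and is not an access-control check. The enclosing function starts outside this hunk.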