authorEd Tanous <ed@tanous.net>2024-04-18 01:40:31 +0300
committerEd Tanous <ed@tanous.net>2024-05-01 18:14:17 +0300
commit25b54dba775b31021a3a4677eb79e9771bcb97f7 (patch)
treefcf84de17508887775cc14a9c15ad4a41d72b049 /include
parentaca174983be5a0d2af08044dd93487908ae6cfe5 (diff)
Bring consistency to config options
The configuration options that exist in bmcweb are an amalgamation of CROW options, CMAKE options using #define, pre-bmcweb ifdef mechanisms and meson options using a config file. This history has led to a lot of different ways to configure code in the codebase itself, which has led to problems, and issues in consistency. ifdef options do no compile time checking of code not within the branch. This is good when you have optional dependencies, but not great when you're trying to ensure both options compile. This commit moves all internal configuration options to: 1. A namespace called bmcweb 2. A naming scheme matching the meson option. hyphens are replaced with underscores, and the option is uppercased. This consistent transform allows matching up option keys with their code counterparts, without naming changes. 3. All options are bool true = enabled, and any options with _ENABLED or _DISABLED postfixes have those postfixes removed. (note, there are still some options with disable in the name, those are left as-is) 4. All options are now constexpr booleans, without an explicit compare. To accomplish this, unfortunately an option list in config/meson.build is required, given that meson doesn't provide a way to dump all options, as is a manual entry in bmcweb_config.h.in, in addition to the meson_options. This obsoletes the map in the main meson.build, which helps some of the complexity. Now that we've done this, we have some rules that will be documented. 1. Runtime behavior changes should be added as a constexpr bool to bmcweb_config.h 2. Options that require optionally pulling in a dependency shall use an ifdef, defined in the primary meson.build. (note, there are no options that currently meet this class, but it's included for completeness.) Note, that this consolidation means that at configure time, all options are printed. This is a good thing and allows direct comparison of configs in log files. 
Tested: Code compiles Server boots, and shows options configured in the default build. (HTTPS, log level, etc) Change-Id: I94e79a56bcdc01755036e4e7278c7e69e25809ce Signed-off-by: Ed Tanous <ed@tanous.net>
Diffstat (limited to 'include')
-rw-r--r--include/async_resolve.hpp2
-rw-r--r--include/authentication.hpp123
-rw-r--r--include/sessions.hpp34
-rw-r--r--include/ssl_key_handler.hpp2
-rw-r--r--include/vm_websocket.hpp6
5 files changed, 67 insertions, 100 deletions
diff --git a/include/async_resolve.hpp b/include/async_resolve.hpp
index 798c3e8964..2d9899d1a4 100644
--- a/include/async_resolve.hpp
+++ b/include/async_resolve.hpp
@@ -1,5 +1,4 @@
#pragma once
-#ifdef BMCWEB_DBUS_DNS_RESOLVER
#include "dbus_singleton.hpp"
#include "logging.hpp"
@@ -124,4 +123,3 @@ class Resolver
};
} // namespace async_resolve
-#endif
diff --git a/include/authentication.hpp b/include/authentication.hpp
index ad9759bf49..6483365bef 100644
--- a/include/authentication.hpp
+++ b/include/authentication.hpp
@@ -32,8 +32,7 @@ inline void cleanupTempSession(const Request& req)
}
}
-#ifdef BMCWEB_ENABLE_BASIC_AUTHENTICATION
-static std::shared_ptr<persistent_data::UserSession>
+inline std::shared_ptr<persistent_data::UserSession>
performBasicAuth(const boost::asio::ip::address& clientIp,
std::string_view authHeader)
{
@@ -86,10 +85,8 @@ static std::shared_ptr<persistent_data::UserSession>
user, clientIp, std::nullopt,
persistent_data::PersistenceType::SINGLE_REQUEST, isConfigureSelfOnly);
}
-#endif
-#ifdef BMCWEB_ENABLE_SESSION_AUTHENTICATION
-static std::shared_ptr<persistent_data::UserSession>
+inline std::shared_ptr<persistent_data::UserSession>
performTokenAuth(std::string_view authHeader)
{
BMCWEB_LOG_DEBUG("[AuthMiddleware] Token authentication");
@@ -102,10 +99,8 @@ static std::shared_ptr<persistent_data::UserSession>
persistent_data::SessionStore::getInstance().loginSessionByToken(token);
return sessionOut;
}
-#endif
-#ifdef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
-static std::shared_ptr<persistent_data::UserSession>
+inline std::shared_ptr<persistent_data::UserSession>
performXtokenAuth(const boost::beast::http::header<true>& reqHeader)
{
BMCWEB_LOG_DEBUG("[AuthMiddleware] X-Auth-Token authentication");
@@ -119,10 +114,8 @@ static std::shared_ptr<persistent_data::UserSession>
persistent_data::SessionStore::getInstance().loginSessionByToken(token);
return sessionOut;
}
-#endif
-#ifdef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
-static std::shared_ptr<persistent_data::UserSession>
+inline std::shared_ptr<persistent_data::UserSession>
performCookieAuth(boost::beast::http::verb method [[maybe_unused]],
const boost::beast::http::header<true>& reqHeader)
{
@@ -159,37 +152,36 @@ static std::shared_ptr<persistent_data::UserSession>
return nullptr;
}
sessionOut->cookieAuth = true;
-#ifndef BMCWEB_INSECURE_DISABLE_CSRF_PREVENTION
- // RFC7231 defines methods that need csrf protection
- if (method != boost::beast::http::verb::get)
+
+ if constexpr (BMCWEB_INSECURE_DISABLE_CSRF)
{
- std::string_view csrf = reqHeader["X-XSRF-TOKEN"];
- // Make sure both tokens are filled
- if (csrf.empty() || sessionOut->csrfToken.empty())
+ // RFC7231 defines methods that need csrf protection
+ if (method != boost::beast::http::verb::get)
{
- return nullptr;
- }
+ std::string_view csrf = reqHeader["X-XSRF-TOKEN"];
+ // Make sure both tokens are filled
+ if (csrf.empty() || sessionOut->csrfToken.empty())
+ {
+ return nullptr;
+ }
- if (csrf.size() != persistent_data::sessionTokenSize)
- {
- return nullptr;
- }
- // Reject if csrf token not available
- if (!crow::utility::constantTimeStringCompare(
- csrf, sessionOut->csrfToken))
- {
- return nullptr;
+ if (csrf.size() != persistent_data::sessionTokenSize)
+ {
+ return nullptr;
+ }
+ // Reject if csrf token not available
+ if (!crow::utility::constantTimeStringCompare(
+ csrf, sessionOut->csrfToken))
+ {
+ return nullptr;
+ }
}
}
-#endif
- return sessionOut;
}
return nullptr;
}
-#endif
-#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
-static std::shared_ptr<persistent_data::UserSession>
+inline std::shared_ptr<persistent_data::UserSession>
performTLSAuth(Response& res,
const boost::beast::http::header<true>& reqHeader,
const std::weak_ptr<persistent_data::UserSession>& session)
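Review bot: The CSRF guard in performCookieAuth is inverted: the removed `#ifndef BMCWEB_INSECURE_DISABLE_CSRF_PREVENTION` ran the X-XSRF-TOKEN checks when the insecure option was off, while the new `if constexpr (BMCWEB_INSECURE_DISABLE_CSRF)` runs them only when it is on, so a default build would skip the token comparison for non-GET cookie requests. It should read `if constexpr (!BMCWEB_INSECURE_DISABLE_CSRF)`. In the same hunk `return sessionOut;` appears only as a removed line, and the hunk counts (37 old, 36 new) agree with that, so as shown a valid cookie session falls through to `return nullptr;`; restore `return sessionOut;` after the `if constexpr` block. performCookieAuth starts before this hunk, and the hunk ends inside the signature of performTLSAuth.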
@@ -219,11 +211,9 @@ static std::shared_ptr<persistent_data::UserSession>
}
return nullptr;
}
-#endif
// checks if request can be forwarded without authentication
-[[maybe_unused]] static bool isOnAllowlist(std::string_view url,
- boost::beast::http::verb method)
+inline bool isOnAllowlist(std::string_view url, boost::beast::http::verb method)
{
if (boost::beast::http::verb::get == method)
{
@@ -257,51 +247,54 @@ static std::shared_ptr<persistent_data::UserSession>
return false;
}
-[[maybe_unused]] static std::shared_ptr<persistent_data::UserSession>
- authenticate(
- const boost::asio::ip::address& ipAddress [[maybe_unused]],
- Response& res [[maybe_unused]],
- boost::beast::http::verb method [[maybe_unused]],
- const boost::beast::http::header<true>& reqHeader,
- [[maybe_unused]] const std::shared_ptr<persistent_data::UserSession>&
- session)
+inline std::shared_ptr<persistent_data::UserSession> authenticate(
+ const boost::asio::ip::address& ipAddress [[maybe_unused]],
+ Response& res [[maybe_unused]],
+ boost::beast::http::verb method [[maybe_unused]],
+ const boost::beast::http::header<true>& reqHeader,
+ [[maybe_unused]] const std::shared_ptr<persistent_data::UserSession>&
+ session)
{
const persistent_data::AuthConfigMethods& authMethodsConfig =
persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
std::shared_ptr<persistent_data::UserSession> sessionOut = nullptr;
-#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
- if (authMethodsConfig.tls)
+ if constexpr (BMCWEB_MUTUAL_TLS_AUTH)
{
- sessionOut = performTLSAuth(res, reqHeader, session);
+ if (authMethodsConfig.tls)
+ {
+ sessionOut = performTLSAuth(res, reqHeader, session);
+ }
}
-#endif
-#ifdef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
- if (sessionOut == nullptr && authMethodsConfig.xtoken)
+ if constexpr (BMCWEB_XTOKEN_AUTH)
{
- sessionOut = performXtokenAuth(reqHeader);
+ if (sessionOut == nullptr && authMethodsConfig.xtoken)
+ {
+ sessionOut = performXtokenAuth(reqHeader);
+ }
}
-#endif
-#ifdef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
- if (sessionOut == nullptr && authMethodsConfig.cookie)
+ if constexpr (BMCWEB_COOKIE_AUTH)
{
- sessionOut = performCookieAuth(method, reqHeader);
+ if (sessionOut == nullptr && authMethodsConfig.cookie)
+ {
+ sessionOut = performCookieAuth(method, reqHeader);
+ }
}
-#endif
std::string_view authHeader = reqHeader["Authorization"];
BMCWEB_LOG_DEBUG("authHeader={}", authHeader);
-
- if (sessionOut == nullptr && authMethodsConfig.sessionToken)
+ if constexpr (BMCWEB_SESSION_AUTH)
{
-#ifdef BMCWEB_ENABLE_SESSION_AUTHENTICATION
- sessionOut = performTokenAuth(authHeader);
-#endif
+ if (sessionOut == nullptr && authMethodsConfig.sessionToken)
+ {
+ sessionOut = performTokenAuth(authHeader);
+ }
}
- if (sessionOut == nullptr && authMethodsConfig.basic)
+ if constexpr (BMCWEB_BASIC_AUTH)
{
-#ifdef BMCWEB_ENABLE_BASIC_AUTHENTICATION
- sessionOut = performBasicAuth(ipAddress, authHeader);
-#endif
+ if (sessionOut == nullptr && authMethodsConfig.basic)
+ {
+ sessionOut = performBasicAuth(ipAddress, authHeader);
+ }
}
if (sessionOut != nullptr)
{
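Review bot: `BMCWEB_LOG_DEBUG("authHeader={}", authHeader);` in authenticate writes the full Authorization header to the log, and that value is what performTokenAuth and performBasicAuth consume as the credential. The line is unchanged context, but this rewrite of the function is a good place to stop logging it. Log only whether the header is present, for example `BMCWEB_LOG_DEBUG("authHeader present={}", !authHeader.empty());`. The body of authenticate continues past the end of this hunk.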
diff --git a/include/sessions.hpp b/include/sessions.hpp
index 1d0b620fb1..50299b8f20 100644
--- a/include/sessions.hpp
+++ b/include/sessions.hpp
@@ -134,35 +134,11 @@ struct UserSession
struct AuthConfigMethods
{
-#ifdef BMCWEB_ENABLE_BASIC_AUTHENTICATION
- bool basic = true;
-#else
- bool basic = false;
-#endif
-
-#ifdef BMCWEB_ENABLE_SESSION_AUTHENTICATION
- bool sessionToken = true;
-#else
- bool sessionToken = false;
-#endif
-
-#ifdef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
- bool xtoken = true;
-#else
- bool xtoken = false;
-#endif
-
-#ifdef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
- bool cookie = true;
-#else
- bool cookie = false;
-#endif
-
-#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
- bool tls = true;
-#else
- bool tls = false;
-#endif
+ bool basic = BMCWEB_BASIC_AUTH;
+ bool sessionToken = BMCWEB_SESSION_AUTH;
+ bool xtoken = BMCWEB_XTOKEN_AUTH;
+ bool cookie = BMCWEB_COOKIE_AUTH;
+ bool tls = BMCWEB_MUTUAL_TLS_AUTH;
void fromJson(const nlohmann::json& j)
{
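Review bot: The five defaults in AuthConfigMethods now come straight from the build options, but nothing here says that a runtime value cannot turn a compiled-out method back on. Presumably fromJson, whose body is outside this hunk, can set any of these members to true from stored configuration. The enforcement lives in authenticate() in authentication.hpp, where each method is wrapped in its own `if constexpr` on the matching option. I would add a comment above the members such as `// Defaults follow the build options; authenticate() also gates each method with if constexpr, so a stored "true" cannot enable a method that was compiled out.`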
diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index d7255dd87d..36477da02c 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp
@@ -485,7 +485,7 @@ inline std::shared_ptr<boost::asio::ssl::context>
mSslContext->use_private_key_file(sslPemFile,
boost::asio::ssl::context::pem);
- if constexpr (bmcwebEnableHTTP2)
+ if constexpr (BMCWEB_EXPERIMENTAL_HTTP2)
{
SSL_CTX_set_next_protos_advertised_cb(mSslContext->native_handle(),
nextProtoCallback, nullptr);
diff --git a/include/vm_websocket.hpp b/include/vm_websocket.hpp
index 14672e59d8..b489a4265f 100644
--- a/include/vm_websocket.hpp
+++ b/include/vm_websocket.hpp
@@ -517,10 +517,10 @@ namespace obmc_vm
inline void requestRoutes(App& app)
{
static_assert(
- !(bmcwebVmWebsocket && bmcwebNbdProxy),
+ !(BMCWEB_VM_WEBSOCKET && BMCWEB_VM_NBDPROXY),
"nbd proxy cannot be turned on at the same time as vm websocket.");
- if constexpr (bmcwebNbdProxy)
+ if constexpr (BMCWEB_VM_NBDPROXY)
{
BMCWEB_ROUTE(app, "/nbd/<str>")
.privileges({{"ConfigureComponents", "ConfigureManager"}})
@@ -536,7 +536,7 @@ inline void requestRoutes(App& app)
.onclose(nbd_proxy::onClose)
.onmessageex(nbd_proxy::onMessage);
}
- if constexpr (bmcwebVmWebsocket)
+ if constexpr (BMCWEB_VM_WEBSOCKET)
{
BMCWEB_ROUTE(app, "/vm/0/0")
.privileges({{"ConfigureComponents", "ConfigureManager"}})