diff options
author | Karol Niczyj <karol.niczyj@intel.com> | 2022-04-27 19:04:58 +0300 |
---|---|---|
committer | Bolesław Ogończyk Mąkowski <boleslawx.ogonczyk-makowski@intel.com> | 2023-01-19 17:57:31 +0300 |
commit | ade2fe78b9907e5fa9d96d615f7682dade19e8c8 (patch) | |
tree | 2e98acd6d1b54509e7bf39ef2d150e1a43940c84 /test | |
parent | 2b73119c57d054d1a0d67b376ae5651fccfae5ba (diff) | |
download | bmcweb-ade2fe78b9907e5fa9d96d615f7682dade19e8c8.tar.xz |
Removed checking cookie in mTLS authentication
mTLS authentication should have the highest priority (according to code
in [1]) so it shouldn't be affected by cookies. If you provide a valid
certificate and a dummy cookie value, request will fail which means
cookies had higher priority than mTLS.
Tested:
Follow the guide in [2] to create a valid certificate for a user that
can access some resource (for example /redfish/v1/Chassis) and make two
requests:
curl --cert client-cert.pem --key client-key.pem -vvv --cacert
CA-cert.pem https://BMC_IP/redfish/v1/Chassis
curl --cert client-cert.pem --key client-key.pem -vvv --cacert
CA-cert.pem https://BMC_IP/redfish/v1/Chassis -H "Cookie: SESSION=123"
Before this change second request would fail with "401 Unauthorized"
[1]: https://github.com/openbmc/bmcweb/blob/bb759e3aeaadfec9f3aac4485f253bcc8a523e4c/include/authentication.hpp#L275
[2]: https://github.com/openbmc/docs/blob/f4febd002df578bad816239b70950f84ea4567e8/security/TLS-configuration.md
Signed-off-by: Karol Niczyj <karol.niczyj@intel.com>
Signed-off-by: Boleslaw Ogonczyk Makowski <boleslawx.ogonczyk-makowski@intel.com>
Change-Id: I5d6267332b7b97c11f638850108e671d0baa26fd
Diffstat (limited to 'test')
0 files changed, 0 insertions, 0 deletions