Age | Commit message (Collapse) | Author | Files | Lines |
|
mTLS authentication should have the highest priority (according to code
in [1]) so it shouldn't be affected by cookies. If you provide a valid
certificate and a dummy cookie value, request will fail which means
cookies had higher priority than mTLS.
Tested:
Follow the guide in [2] to create a valid certificate for a user that
can access some resource (for example /redfish/v1/Chassis) and make two
requests:
curl --cert client-cert.pem --key client-key.pem -vvv --cacert
CA-cert.pem https://BMC_IP/redfish/v1/Chassis
curl --cert client-cert.pem --key client-key.pem -vvv --cacert
CA-cert.pem https://BMC_IP/redfish/v1/Chassis -H "Cookie: SESSION=123"
Before this change second request would fail with "401 Unauthorized"
[1]: https://github.com/openbmc/bmcweb/blob/bb759e3aeaadfec9f3aac4485f253bcc8a523e4c/include/authentication.hpp#L275
[2]: https://github.com/openbmc/docs/blob/f4febd002df578bad816239b70950f84ea4567e8/security/TLS-configuration.md
Signed-off-by: Karol Niczyj <karol.niczyj@intel.com>
Signed-off-by: Boleslaw Ogonczyk Makowski <boleslawx.ogonczyk-makowski@intel.com>
Change-Id: I5d6267332b7b97c11f638850108e671d0baa26fd
|
|
Most of these missing includes were found by running clang-tidy on all
files, including headers. The existing scripts just run clang-tidy on
source files, which doesn't catch most of these.
Tested: Code compiles
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: Ic741fbb2cc9e5e92955fd5a1b778a482830e80e8
|
|
In 2022.2, Redfish added support for the Context parameter on the
Session Resource. This parameter has the same function that the
OemSession.ClientId field served. This commit moves all the existing
ClientId code to produce Context as well.
Functionally, this has one important difference, in that Context in
Redfish is optionally provided by the user, which means we need to omit
it if not given by the user. The old implementation left it set to
empty string ("").
Because of this, a few minor interfaces need to change to use
std::optional. Existing uses of clientId are moved to using
value_or("") to keep the same behavior as before.
Tested:
curl --insecure -X POST -d "{\"UserName\": \"root\", \"Password\":
\"0penBmc\"}" https://192.168.7.2/redfish/v1/SessionService/Sessions
Returns a Session object with no Context key present
curl --insecure -X POST -d "{\"UserName\": \"root\", \"Password\":
\"0penBmc\", \"Context\": \"Foobar\"}"
https://192.168.7.2/redfish/v1/SessionService/Sessions
Returns a Session object with:
"Context": "Foobar"
Subsequent Gets of /redfish/v1/SessionService/Sessions/<sid>
return the same session objects, both with and without Context.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I4df358623f93f3e6cb659e99970ad909cefebc62
|
|
Today `basic-auth` (and other options) can be enabled even if
`insecure-disable-auth` is enabled, which doesn't make sense.
With this block this commit added in meson, If we disable authx with
`insecure-disable-auth`, then all these auth options will be ignored.
Tested:
1. code compiles with and without 'insecure-disable-auth'.
2. No new service validator errors when 'insecure-disable-auth' is
turned on.
3. No new service validator errors when 'insecure-disable-auth' is
turned off.
Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I2c634851f7aa7b9e57158770c5d40c12954c93a7
|
|
Per the coding standard, now that C++ supports std::string::starts_with
and std::string::ends_with, we should be using them over the boost
alternatives. This commit goes through and updates all usages.
Arguably some of these are incorrect, and instances of common error 13,
but because this is mostly a mechanical it intentionally doesn't try to
handle it.
Tested: Unit tests pass.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: Ic4c6e5d0da90f7442693199dc691a47d2240fa4f
|
|
cppcheck correctly notes that a lot of variables in the new code can be
const. Make most of them const.
Tested: WIP
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I8f37b6353fd707923f533e1d61c5b5419282bf23
|
|
The existing authorization header is actually doing "authentication"
work. The authorization is happening in routing.hpp where we fetch the
role of the authenticated user and get their privilege set.
This commits changes the name of the file, as well as the namespace, to
be more precise on what the file actually does.
Tested:
1. Trivial change, it builds
Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: Ib91ed70507a7308522c7e5363ed2f4dc279a19d9
|