From f16f62633a64f386fd0382703ff0949ea177f457 Mon Sep 17 00:00:00 2001
From: Alan Kuo
Date: Tue, 8 Dec 2020 19:29:59 +0800
Subject: Add meson options for all authentication methods.
Add meson options to enabled/disabled authentication methods:
- basic-auth : For enable basic authentication, default is enabled
- session-auth : For enable session token authentication, default is enabled
- xtoken-auth : For enable x-token authentication, default is enabled
- cookie-auth : For enabled cookie authentication, default is enabled
Signed-off-by: Alan Kuo
Change-Id: I52e636f2534a14897cb57d35e563ea8841cc68b9
---
include/authorization.hpp | 16 ++++++++++++++++
include/sessions.hpp | 28 ++++++++++++++++++++++++++--
meson.build | 4 ++++
meson_options.txt | 4 ++++
redfish-core/lib/account_service.hpp | 31 +++++++++++++++++++++++++++++++
5 files changed, 81 insertions(+), 2 deletions(-)
diff --git a/include/authorization.hpp b/include/authorization.hpp
index 0f73e967cb..c0a84b661a 100644
--- a/include/authorization.hpp
+++ b/include/authorization.hpp
@@ -34,6 +34,7 @@ static void cleanupTempSession(Request& req)
}
}
+#ifdef BMCWEB_ENABLE_BASIC_AUTHENTICATION
static std::shared_ptr
performBasicAuth(const boost::asio::ip::address& clientIp,
std::string_view auth_header)
@@ -81,7 +82,9 @@ static std::shared_ptr
user, persistent_data::PersistenceType::SINGLE_REQUEST,
isConfigureSelfOnly, clientIp.to_string());
}
+#endif
+#ifdef BMCWEB_ENABLE_SESSION_AUTHENTICATION
static std::shared_ptr
performTokenAuth(std::string_view auth_header)
{
@@ -92,7 +95,9 @@ static std::shared_ptr
persistent_data::SessionStore::getInstance().loginSessionByToken(token);
return session;
}
+#endif
+#ifdef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
static std::shared_ptr
performXtokenAuth(const crow::Request& req)
{
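Review bot: Each `+#endif` added in the hunk at -81 (and likewise in -92, -107 and -164) closes an `#ifdef` opened some fifty lines earlier around a whole function, with nothing on the line to say which macro it pairs with; once five guarded functions sit back to back, a misplaced `#endif` is easy to miss in review. Trailing the macro name, e.g. `#endif // BMCWEB_ENABLE_BASIC_AUTHENTICATION`, keeps each pair greppable, and the same applies to the `#ifdef`/`#else`/`#endif` ladders added to `AuthConfigMethods` in sessions.hpp. The guarded function bodies continue outside these hunks.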
@@ -107,7 +112,9 @@ static std::shared_ptr
persistent_data::SessionStore::getInstance().loginSessionByToken(token);
return session;
}
+#endif
+#ifdef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
static std::shared_ptr
performCookieAuth(const crow::Request& req)
{
@@ -164,6 +171,7 @@ static std::shared_ptr
#endif
return session;
}
+#endif
#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
static std::shared_ptr
@@ -250,14 +258,18 @@ static void authenticate(
req.session = performTLSAuth(req, res, session);
}
#endif
+#ifdef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
if (req.session == nullptr && authMethodsConfig.xtoken)
{
req.session = performXtokenAuth(req);
}
+#endif
+#ifdef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
if (req.session == nullptr && authMethodsConfig.cookie)
{
req.session = performCookieAuth(req);
}
+#endif
if (req.session == nullptr)
{
std::string_view authHeader = req.getHeaderValue("Authorization");
@@ -267,12 +279,16 @@ static void authenticate(
if (boost::starts_with(authHeader, "Token ") &&
authMethodsConfig.sessionToken)
{
+#ifdef BMCWEB_ENABLE_SESSION_AUTHENTICATION
req.session = performTokenAuth(authHeader);
+#endif
}
else if (boost::starts_with(authHeader, "Basic ") &&
authMethodsConfig.basic)
{
+#ifdef BMCWEB_ENABLE_BASIC_AUTHENTICATION
req.session = performBasicAuth(req.ipAddress, authHeader);
+#endif
}
}
}
diff --git a/include/sessions.hpp b/include/sessions.hpp
index 1eace0ddad..85d8ecc635 100644
--- a/include/sessions.hpp
+++ b/include/sessions.hpp
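Review bot: The `#ifdef` guards added around the `performXtokenAuth` and `performCookieAuth` calls in the -250 hunk (and around `performTokenAuth`/`performBasicAuth` in the -267 hunk) are what actually enforce the build option, but nothing says so: the runtime flags `authMethodsConfig.xtoken` etc. are presumably still loaded from persisted configuration by `AuthConfigMethods::fromJson` (unchanged, in sessions.hpp), so a saved config with a method set to true must not be able to re-enable a method that was compiled out. A one-line comment at the first guard, `// Build option is enforced here; the runtime flag alone cannot enable a compiled-out method.`, would stop a later refactor from dropping the guards in favour of the flags. In the -267 hunk the Token and Basic branches become empty blocks in a disabled build, which is harmless but reads oddly; an `#else` with a short comment stating that the header is deliberately ignored would make the intent explicit. `authenticate` starts before and ends after these hunks.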
@@ -142,11 +142,35 @@ struct UserSession
struct AuthConfigMethods
{
+#ifdef BMCWEB_ENABLE_BASIC_AUTHENTICATION
+ bool basic = true;
+#else
+ bool basic = false;
+#endif
+
+#ifdef BMCWEB_ENABLE_SESSION_AUTHENTICATION
+ bool sessionToken = true;
+#else
+ bool sessionToken = false;
+#endif
+
+#ifdef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
bool xtoken = true;
+#else
+ bool xtoken = false;
+#endif
+
+#ifdef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
bool cookie = true;
- bool sessionToken = true;
- bool basic = true;
+#else
+ bool cookie = false;
+#endif
+
+#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
+ bool tls = true;
+#else
bool tls = false;
+#endif
void fromJson(const nlohmann::json& j)
{
diff --git a/meson.build b/meson.build
index a1e5d80691..529b9cbfcc 100644
--- a/meson.build
+++ b/meson.build
@@ -61,6 +61,10 @@ feature_map = {
'host-serial-socket' : '-DBMCWEB_ENABLE_HOST_SERIAL_WEBSOCKET',
'ibm-management-console' : '-DBMCWEB_ENABLE_IBM_MANAGEMENT_CONSOLE',
'kvm' : '-DBMCWEB_ENABLE_KVM' ,
+'basic-auth' : '-DBMCWEB_ENABLE_BASIC_AUTHENTICATION',
+'session-auth' : '-DBMCWEB_ENABLE_SESSION_AUTHENTICATION',
+'xtoken-auth' : '-DBMCWEB_ENABLE_XTOKEN_AUTHENTICATION',
+'cookie-auth' : '-DBMCWEB_ENABLE_COOKIE_AUTHENTICATION',
'mutual-tls-auth' : '-DBMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION',
'pam' : '-DWEBSERVER_ENABLE_PAM',
'insecure-push-style-notification': '-DBMCWEB_INSECURE_ENABLE_HTTP_PUSH_STYLE_EVENTING',
diff --git a/meson_options.txt b/meson_options.txt
index eaad206eec..1298b968cd 100644
--- a/meson_options.txt
+++ b/meson_options.txt
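Review bot: `bool tls = true;` under `#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION` changes the shipped default: the unchanged context line `bool tls = false;` was unconditional before, and since meson_options.txt has `mutual-tls-auth` at `value : 'enabled'` and meson.build maps it to that define, a default build now starts with TLS client-certificate authentication switched on at runtime instead of requiring an operator to enable it through the AccountService PATCH. The commit message only describes adding build options for the four other methods, so this flip looks unintended and it widens what a default deployment accepts as a login; keeping `bool tls = false;` regardless of the macro (the `#ifdef` ladders for the other four can stay) preserves the previous behaviour, or if the flip is wanted it should be stated in the message. The `fromJson` body, which may overwrite these defaults from persisted config, starts at the end of the hunk.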
@@ -15,6 +15,10 @@ option('redfish-dump-log', type : 'feature', value : 'disabled', description : '
option('redfish-dbus-log', type : 'feature', value : 'disabled', description : 'Enable DBUS log service transactions through Redfish. Paths are under \'/redfish/v1/Systems/system/LogServices/EventLog/Entries\'')
option('redfish-provisioning-feature', type : 'feature', value : 'disabled', description : 'Enable provisioning feature support in redfish. Paths are under \'/redfish/v1/Systems/system/\'')
option('bmcweb-logging', type : 'feature', value : 'disabled', description : 'Enable output the extended debug logs')
+option('basic-auth', type : 'feature', value : 'enabled', description : '''Enable basic authentication''')
+option('session-auth', type : 'feature', value : 'enabled', description : '''Enable session authentication''')
+option('xtoken-auth', type : 'feature', value : 'enabled', description : '''Enable xtoken authentication''')
+option('cookie-auth', type : 'feature', value : 'enabled', description : '''Enable cookie authentication''')
option('mutual-tls-auth', type : 'feature', value : 'enabled', description : '''Enables authenticating users through TLS client certificates. The insecure-disable-ssl must be disabled for this option to take effect.''')
option('ibm-management-console', type : 'feature', value : 'disabled', description : 'Enable the IBM management console specific functionality. Paths are under \'/ibm/v1/\'')
option('http-body-limit', type: 'integer', min : 0, max : 512, value : 30, description : 'Specifies the http request body length limit')
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index 5b06b37db9..71f9430701 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
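Review bot: The four new `description` strings say only "Enable basic authentication" and so on, while the neighbouring options explain what the switch affects; someone choosing a build profile cannot tell from `'''Enable xtoken authentication'''` which request flow is being compiled out. Suggest e.g. `description : 'Enable HTTP Basic authentication (Authorization: Basic header)'` and `description : 'Enable session token authentication (Authorization: Token header)'`, and note in each that the method can additionally be switched off at runtime through the AccountService PATCH. The triple-quoted `'''…'''` form is used on the adjacent `mutual-tls-auth` entry because it is long; the other single-line descriptions in the file use plain `'…'`, so these four should match.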
@@ -916,26 +916,57 @@ class AccountService : public Node
if (basicAuth)
{
+#ifndef BMCWEB_ENABLE_BASIC_AUTHENTICATION
+ messages::actionNotSupported(
+ asyncResp->res, "Setting BasicAuth when basic-auth feature "
+ "is disabled");
+ return;
+#endif
authMethodsConfig.basic = *basicAuth;
}
if (cookie)
{
+#ifndef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
+ messages::actionNotSupported(
+ asyncResp->res, "Setting Cookie when cookie-auth feature "
+ "is disabled");
+ return;
+#endif
authMethodsConfig.cookie = *cookie;
}
if (sessionToken)
{
+#ifndef BMCWEB_ENABLE_SESSION_AUTHENTICATION
+ messages::actionNotSupported(
+ asyncResp->res,
+ "Setting SessionToken when session-auth feature "
+ "is disabled");
+ return;
+#endif
authMethodsConfig.sessionToken = *sessionToken;
}
if (xToken)
{
+#ifndef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
+ messages::actionNotSupported(
+ asyncResp->res, "Setting XToken when xtoken-auth feature "
+ "is disabled");
+ return;
+#endif
authMethodsConfig.xtoken = *xToken;
}
if (tls)
{
+#ifndef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
+ messages::actionNotSupported(
+ asyncResp->res, "Setting TLS when mutual-tls-auth feature "
+ "is disabled");
+ return;
+#endif
authMethodsConfig.tls = *tls;
}
--
cgit v1.2.3
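Review bot: The `#ifndef` blocks reject any value for the property, so `"BasicAuth": false` (and the same for Cookie, SessionToken, XToken and TLS) on a build that compiled the method out is answered with actionNotSupported even though it asks for exactly the state the build already has; a client that writes the whole set of properties back will always fail on such a build. Guarding the rejection on the value, e.g. `if (*basicAuth)` around the `messages::actionNotSupported(...)`/`return;` pair in each block, fixes that and also removes the now-unreachable `authMethodsConfig.basic = *basicAuth;` that follows the unconditional `return;` in a disabled build. Note too that the error is raised mid-sequence: a PATCH carrying BasicAuth together with a disabled Cookie has already written `authMethodsConfig.basic` when it returns, which matters only if `authMethodsConfig` (declared above the hunk) is the live configuration rather than a copy committed later, so that is worth confirming. The enclosing handler starts before and ends after this hunk.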