author | Zbigniew Kurzynski <zbigniew.kurzynski@intel.com> | 2019-10-02 11:22:11 +0200 |
---|---|---|
committer | Zbigniew Kurzynski <zbigniew.kurzynski@intel.com> | 2019-11-12 07:39:07 +0000 |
commit | 501f1e58ea6fdf97163ce4ea05fbaf1861a62b79 (patch) | |
tree | 6f617b9e3c29ae4cf7d1b505eefe1444a19ab54d | |
parent | e9e6d240ab85e515f8d264e39b47a75043b73374 (diff) | |
TLS method configuration
User is now able to turn on and off the TLS authentication method.
Tested:
No regression found in manual testing. By default everything works
as before, and disabling the TLS method prevents the user from
authenticating with it.
Tested with Redfish Service Validator, version 1.2.8
Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
Change-Id: Ib7be1af659db568caa7e5b97e3844617586d7754
-rw-r--r-- | http/http_connection.h | 9 | ||||
-rw-r--r-- | include/sessions.hpp | 8 | ||||
-rw-r--r-- | redfish-core/lib/account_service.hpp | 12 | ||||
-rw-r--r-- | static/redfish/v1/JsonSchemas/OemAccountService/index.json | 9 | ||||
-rw-r--r-- | static/redfish/v1/schema/OemAccountService_v1.xml | 6 |
5 files changed, 41 insertions, 3 deletions
diff --git a/http/http_connection.h b/http/http_connection.h
index 78805a6..70def8a 100644
--- a/http/http_connection.h
+++ b/http/http_connection.h
@@ -267,6 +267,15 @@ class Connection
 #ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
 adaptor.set_verify_callback(
 [this](bool preverified, boost::asio::ssl::verify_context& ctx) {
+ // do nothing if TLS is disabled
+ if (!crow::persistent_data::SessionStore::getInstance()
+ .getAuthMethodsConfig()
+ .tls)
+ {
+ BMCWEB_LOG_DEBUG << "TLS auth_config is disabled";
+ return true;
+ }
+
 // We always return true to allow full auth flow
 if (!preverified)
 {
diff --git a/include/sessions.hpp b/include/sessions.hpp
index 7493494..f58c676 100644
--- a/include/sessions.hpp
+++ b/include/sessions.hpp
@@ -345,6 +345,7 @@ struct AuthConfigMethods
 bool cookie = true;
 bool sessionToken = true;
 bool basic = true;
+ bool tls = true;
 
 void fromJson(const nlohmann::json& j)
 {
@@ -372,6 +373,10 @@ struct AuthConfigMethods
 {
 basic = *value;
 }
+ else if (element.key() == "TLS")
+ {
+ tls = *value;
+ }
 }
 }
 };
@@ -584,7 +589,8 @@ template <> struct adl_serializer<crow::persistent_data::AuthConfigMethods>
 j = nlohmann::json{{"XToken", c.xtoken},
 {"Cookie", c.cookie},
 {"SessionToken", c.sessionToken},
- {"BasicAuth", c.basic}};
+ {"BasicAuth", c.basic},
+ {"TLS", c.tls}};
 }
 };
 } // namespace nlohmann
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index 8f28ea4..637be86 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -895,10 +895,11 @@ class AccountService : public Node
 std::optional<bool> cookie;
 std::optional<bool> sessionToken;
 std::optional<bool> xToken;
+ std::optional<bool> tls;
 
 if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth,
 "Cookie", cookie, "SessionToken", sessionToken,
- "XToken", xToken))
+ "XToken", xToken, "TLS", tls))
 {
 BMCWEB_LOG_ERROR << "Cannot read values from AuthMethod tag";
 return;
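Review bot: The comment `// do nothing if TLS is disabled` and the log text "TLS auth_config is disabled" at the top of the verify callback describe the wrong thing: the flag switches off client-certificate (mutual TLS) authentication, while the TLS transport itself is unaffected, and an operator grepping logs for "TLS ... disabled" will draw the opposite conclusion. Suggest `// Skip client-certificate authentication when the TLS auth method is disabled; the TLS handshake itself still happens` and a log line such as `BMCWEB_LOG_DEBUG << "Client-certificate (TLS) auth method is disabled, ignoring peer certificate";`. Note also that the early `return true` means a presented certificate is neither verified nor logged at all, which is consistent with the existing always-return-true contract on the next lines, but the branch only exists under BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION, so the flag is inert in builds without it. The lambda body and the enclosing function continue past the end of the hunk.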
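Review bot: `bool tls = true;` joins four undocumented flags, and nothing in the struct says this one gates certificate authentication rather than the TLS listener; add `// Client-certificate (mutual TLS) authentication; consulted by the ssl verify callback in http_connection.h` above it. Defaulting to true also means a config persisted by firmware that predates the "TLS" key keeps certificate auth enabled after an upgrade; that is the backward-compatible choice but it is worth stating in the same comment so nobody later flips the default without realising the upgrade effect. The struct continues outside the hunk.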
@@ -929,8 +930,14 @@ class AccountService : public Node
 authMethodsConfig.xtoken = *xToken;
 }
 
+ if (tls)
+ {
+ authMethodsConfig.tls = *tls;
+ }
+
 if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
- !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken)
+ !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
+ !authMethodsConfig.tls)
 {
 // Do not allow user to disable everything
 messages::actionNotSupported(asyncResp->res,
@@ -1151,6 +1158,7 @@ class AccountService : public Node
 {"SessionToken", authMethodsConfig.sessionToken},
 {"XToken", authMethodsConfig.xtoken},
 {"Cookie", authMethodsConfig.cookie},
+ {"TLS", authMethodsConfig.tls},
 }}}}}},
 {"LDAP",
 {{"Certificates",
diff --git a/static/redfish/v1/JsonSchemas/OemAccountService/index.json b/static/redfish/v1/JsonSchemas/OemAccountService/index.json
index 5283170..2311d83 100644
--- a/static/redfish/v1/JsonSchemas/OemAccountService/index.json
+++ b/static/redfish/v1/JsonSchemas/OemAccountService/index.json
@@ -83,6 +83,15 @@
 "null"
 ]
 },
+ "TLS": {
+ "description": "Indicates whether TLS authorization is enabled.",
+ "longDescription": "The value of this property shall be a boolean indicating whether TLS authorization is enabled.",
+ "readonly": false,
+ "type": [
+ "boolean",
+ "null"
+ ]
+ },
 "XToken": {
 "description": "Indicates whether XToken authorization is enabled.",
 "longDescription": "The value of this property shall be a boolean indicating whether XToken authorization is enabled.",
diff --git a/static/redfish/v1/schema/OemAccountService_v1.xml b/static/redfish/v1/schema/OemAccountService_v1.xml
index 626097b..c5783ca 100644
--- a/static/redfish/v1/schema/OemAccountService_v1.xml
+++ b/static/redfish/v1/schema/OemAccountService_v1.xml
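Review bot: The lock-out guard now counts `!authMethodsConfig.tls` as a reason to allow the PATCH, but the only code that honours the flag (the verify callback in http_connection.h) is compiled under BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION, so on a build without mutual TLS a request that clears BasicAuth, Cookie, SessionToken and XToken while leaving TLS true passes the "do not allow user to disable everything" check and leaves the BMC with no working authentication method. The same lock-out presumably applies when the feature is compiled in but no client CA has been provisioned, which this hunk cannot tell; at minimum the compile-time case should be closed by treating tls as usable only when the feature exists, or by rejecting TLS=true in such a build. The function begins and ends outside the hunk.
```cpp
        bool tlsUsable = false;
#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
        // Certificate auth only exists when mutual TLS is compiled in
        tlsUsable = authMethodsConfig.tls;
#endif
        if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
            !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
            !tlsUsable)
        // … unchanged: actionNotSupported error path …
```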
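Review bot: The GET now advertises `{"TLS", authMethodsConfig.tls}` unconditionally, so a client talking to a build without BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION is told certificate authentication is enabled although no code path accepts it. Wrap the entry in `#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION` (or emit false there) so the advertised AuthMethods match what the server actually honours; otherwise an operator may rely on a method that silently does nothing. The JSON object this entry belongs to opens and closes outside the hunk.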
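Review bot: The new `"description"` says "TLS authorization is enabled", which reads as a switch for the TLS transport and misnames authentication as authorization; the property only controls whether a client certificate presented during the TLS handshake is accepted as an authentication method. Suggest `"Indicates whether client-certificate (mutual TLS) authentication is enabled."` with the long description reworded the same way; the sibling XML schema in this commit carries identical text. The existing XToken entry uses the same "authorization" wording, so this may be a project-wide convention rather than a slip, but for TLS the ambiguity is the more harmful one.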
@@ -53,6 +53,12 @@ <Annotation Term="OData.Description" String="Indicates whether XToken authorization is enabled."/> <Annotation Term="OData.LongDescription" String="The value of this property shall be a boolean indicating whether XToken authorization is enabled."/> </Property> + + <Property Name="TLS" Type="Edm.Boolean"> + <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/> + <Annotation Term="OData.Description" String="Indicates whether TLS authorization is enabled."/> + <Annotation Term="OData.LongDescription" String="The value of this property shall be a boolean indicating whether TLS authorization is enabled."/> + </Property> </ComplexType> <!--Base entity type for array members--> |