author | James Feist <james.feist@linux.intel.com> | 2019-11-04 21:19:48 +0000 |
---|---|---|
committer | James Feist <james.feist@linux.intel.com> | 2019-11-04 21:25:46 +0000 |
commit | eecd51a46e6d44ae3408d889ed037f4e4270d653 (patch) | |
tree | a0cbbd26cf1adc0d9c73623cf9b5df3a67b1bbe9 | |
parent | 2ad9c2f694b9a75b5f14f485ebab28bd32d0f575 (diff) | |
download | bmcweb-eecd51a46e6d44ae3408d889ed037f4e4270d653.tar.gz bmcweb-eecd51a46e6d44ae3408d889ed037f4e4270d653.zip |
Revert "Auth methods configuration"
This reverts commit 0ff64dc2cd3a15b4204a477ad2eb5219d66e6110.
Reason for revert: breaks the redfish validator — <edmx:Reference Uri="/redfish/v1/schema/OemAccountService_v1.xml"> references a versioned file name, but the file was added unversioned as static/redfish/v1/schema/OemAccountService.xml
Change-Id: I696dd09bf519e364f5f529a674e047a8eeead578
Signed-off-by: James Feist <james.feist@linux.intel.com>
-rw-r--r-- | include/persistent_data_middleware.hpp | 7 | ||||
-rw-r--r-- | include/sessions.hpp | 61 | ||||
-rw-r--r-- | include/token_authorization_middleware.hpp | 17 | ||||
-rw-r--r-- | redfish-core/lib/account_service.hpp | 109 | ||||
-rw-r--r-- | static/redfish/v1/$metadata/index.xml | 4 | ||||
-rw-r--r-- | static/redfish/v1/JsonSchemas/OemAccountService/index.json | 102 | ||||
-rw-r--r-- | static/redfish/v1/schema/OemAccountService.xml | 71 |
7 files changed, 12 insertions, 359 deletions
diff --git a/include/persistent_data_middleware.hpp b/include/persistent_data_middleware.hpp
index 348079b..c368ab2 100644
--- a/include/persistent_data_middleware.hpp
+++ b/include/persistent_data_middleware.hpp
@@ -100,12 +100,6 @@ class Middleware
 systemUuid = *jSystemUuid;
 }
 }
- else if (item.key() == "auth_config")
- {
- SessionStore::getInstance()
- .getAuthMethodsConfig()
- .fromJson(item.value());
- }
 else if (item.key() == "sessions")
 {
 for (const auto& elem : item.value())
@@ -169,7 +163,6 @@ class Middleware
 nlohmann::json data{
 {"sessions", SessionStore::getInstance().authTokens},
- {"auth_config", SessionStore::getInstance().getAuthMethodsConfig()},
 {"system_uuid", systemUuid},
 {"revision", jsonRevision}};
 persistentFile << data;
diff --git a/include/sessions.hpp b/include/sessions.hpp
index 7493494..df65d61 100644
--- a/include/sessions.hpp
+++ b/include/sessions.hpp
@@ -339,43 +339,6 @@ struct UserSession
 }
 };
-struct AuthConfigMethods
-{
- bool xtoken = true;
- bool cookie = true;
- bool sessionToken = true;
- bool basic = true;
-
- void fromJson(const nlohmann::json& j)
- {
- for (const auto& element : j.items())
- {
- const bool* value = element.value().get_ptr<const bool*>();
- if (value == nullptr)
- {
- continue;
- }
-
- if (element.key() == "XToken")
- {
- xtoken = *value;
- }
- else if (element.key() == "Cookie")
- {
- cookie = *value;
- }
- else if (element.key() == "SessionToken")
- {
- sessionToken = *value;
- }
- else if (element.key() == "BasicAuth")
- {
- basic = *value;
- }
- }
- }
-};
-
 class Middleware;
 class SessionStore
@@ -482,17 +445,6 @@ class SessionStore
 return ret;
 }
- void updateAuthMethodsConfig(const AuthConfigMethods& config)
- {
- authMethodsConfig = config;
- needWrite = true;
- }
-
- AuthConfigMethods& getAuthMethodsConfig()
- {
- return authMethodsConfig;
- }
-
 bool needsWrite()
 {
 return needWrite;
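Review bot: With the `auth_config` branch removed from the key loop, a persistent data file written by the reverted build still contains an `auth_config` object, and on the new side nothing in this hunk consumes it; whether an unmatched key is ignored, logged, or treated as corrupt depends on the tail of the loop, which is outside the hunk. If there is no fallthrough for unknown keys, consider adding one that logs the key at debug level, so an operator can see that a previously stored preference (for example a disabled method) has been dropped and that every auth method is active again after the downgrade. The enclosing readData loop starts and ends outside the hunk.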
@@ -549,7 +501,6 @@ class SessionStore
 std::random_device rd;
 bool needWrite{false};
 std::chrono::minutes timeoutInMinutes;
- AuthConfigMethods authMethodsConfig;
 };
 } // namespace persistent_data
@@ -575,16 +526,4 @@ struct adl_serializer<std::shared_ptr<crow::persistent_data::UserSession>>
 }
 }
 };
-
-template <> struct adl_serializer<crow::persistent_data::AuthConfigMethods>
-{
- static void to_json(nlohmann::json& j,
- const crow::persistent_data::AuthConfigMethods& c)
- {
- j = nlohmann::json{{"XToken", c.xtoken},
- {"Cookie", c.cookie},
- {"SessionToken", c.sessionToken},
- {"BasicAuth", c.basic}};
- }
-};
 } // namespace nlohmann
diff --git a/include/token_authorization_middleware.hpp b/include/token_authorization_middleware.hpp
index 7e4e3bb..0a44050 100644
--- a/include/token_authorization_middleware.hpp
+++ b/include/token_authorization_middleware.hpp
@@ -31,15 +31,8 @@ class Middleware
 return;
 }
- const crow::persistent_data::AuthConfigMethods& authMethodsConfig =
- crow::persistent_data::SessionStore::getInstance()
- .getAuthMethodsConfig();
-
- if (req.session == nullptr && authMethodsConfig.xtoken)
- {
- req.session = performXtokenAuth(req);
- }
- if (req.session == nullptr && authMethodsConfig.cookie)
+ req.session = performXtokenAuth(req);
+ if (req.session == nullptr)
 {
 req.session = performCookieAuth(req);
 }
@@ -49,13 +42,11 @@ class Middleware
 if (!authHeader.empty())
 {
 // Reject any kind of auth other than basic or token
- if (boost::starts_with(authHeader, "Token ") &&
- authMethodsConfig.sessionToken)
+ if (boost::starts_with(authHeader, "Token "))
 {
 req.session = performTokenAuth(authHeader);
 }
- else if (boost::starts_with(authHeader, "Basic ") &&
- authMethodsConfig.basic)
+ else if (boost::starts_with(authHeader, "Basic "))
 {
 req.session = performBasicAuth(authHeader);
 }
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index f8647b9..07efeb5 100644
--- a/redfish-core/lib/account_service.hpp
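Review bot: On the new side `req.session = performXtokenAuth(req);` runs unconditionally and then falls through to the cookie and `Authorization`-header paths, so every mechanism visible here (X-Auth-Token, cookie, `Token `, `Basic `) is accepted on every request again and there is no longer any way to switch one of them off. That is the pre-feature behaviour the revert intends, but the precedence order is not documented anywhere in the hunk; a comment above that line, `// Auth precedence: X-Auth-Token header, then session cookie, then Authorization header (Token / Basic)`, would record the contract that the next attempt at per-method enablement has to preserve. The enclosing middleware handler starts and ends outside the hunk.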
+++ b/redfish-core/lib/account_service.hpp
@@ -505,8 +505,7 @@ inline void getLDAPConfigData(const std::string& ldapType,
 class AccountService : public Node
 {
 public:
- AccountService(CrowApp& app) :
- Node(app, "/redfish/v1/AccountService/"), app(app)
+ AccountService(CrowApp& app) : Node(app, "/redfish/v1/AccountService/")
 {
 entityPrivileges = {
 {boost::beast::http::verb::get,
@@ -840,65 +839,6 @@ class AccountService : public Node
 ldapEnableInterface, "Enabled",
 std::variant<bool>(serviceEnabled));
 }
- void handleAuthMethodsPatch(nlohmann::json& input,
- const std::shared_ptr<AsyncResp>& asyncResp)
- {
- std::optional<bool> basicAuth;
- std::optional<bool> cookie;
- std::optional<bool> sessionToken;
- std::optional<bool> xToken;
-
- if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth,
- "Cookie", cookie, "SessionToken", sessionToken,
- "XToken", xToken))
- {
- BMCWEB_LOG_ERROR << "Cannot read values from AuthMethod tag";
- return;
- }
-
- // Make a copy of methods configuration
- crow::persistent_data::AuthConfigMethods authMethodsConfig =
- crow::persistent_data::SessionStore::getInstance()
- .getAuthMethodsConfig();
-
- if (basicAuth)
- {
- authMethodsConfig.basic = *basicAuth;
- }
-
- if (cookie)
- {
- authMethodsConfig.cookie = *cookie;
- }
-
- if (sessionToken)
- {
- authMethodsConfig.sessionToken = *sessionToken;
- }
-
- if (xToken)
- {
- authMethodsConfig.xtoken = *xToken;
- }
-
- if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
- !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken)
- {
- // Do not allow user to disable everything
- messages::actionNotSupported(asyncResp->res,
- "of disabling all available methods");
- return;
- }
-
- crow::persistent_data::SessionStore::getInstance()
- .updateAuthMethodsConfig(authMethodsConfig);
- // Save configuration immediately
- app.template getMiddleware<crow::persistent_data::Middleware>()
- .writeData();
-
- messages::success(asyncResp->res);
- }
-
 /**
 * @brief Get the required values from the given JSON, validates the
 * value and create the LDAP config object.
@@ -1075,10 +1015,6 @@ class AccountService : public Node
 void doGet(crow::Response& res, const crow::Request& req,
 const std::vector<std::string>& params) override
 {
- const crow::persistent_data::AuthConfigMethods& authMethodsConfig =
- crow::persistent_data::SessionStore::getInstance()
- .getAuthMethodsConfig();
-
 auto asyncResp = std::make_shared<AsyncResp>(res);
 res.jsonValue = {
 {"@odata.context", "/redfish/v1/"
@@ -1094,16 +1030,6 @@ class AccountService : public Node
 {"Accounts", {{"@odata.id", "/redfish/v1/AccountService/Accounts"}}},
 {"Roles", {{"@odata.id", "/redfish/v1/AccountService/Roles"}}},
- {"Oem",
- {{"OpenBMC",
- {{"@odata.type", "#OemAccountService.v1_0_0.AccountService"},
- {"AuthMethods",
- {
- {"BasicAuth", authMethodsConfig.basic},
- {"SessionToken", authMethodsConfig.sessionToken},
- {"XToken", authMethodsConfig.xtoken},
- {"Cookie", authMethodsConfig.cookie},
- }}}}}},
 {"LDAP",
 {{"Certificates",
 {{"@odata.id",
@@ -1181,14 +1107,13 @@ class AccountService : public Node
 std::optional<uint16_t> maxPasswordLength;
 std::optional<nlohmann::json> ldapObject;
 std::optional<nlohmann::json> activeDirectoryObject;
- std::optional<nlohmann::json> oemObject;
-
- if (!json_util::readJson(
- req, res, "AccountLockoutDuration", unlockTimeout,
- "AccountLockoutThreshold", lockoutThreshold,
- "MaxPasswordLength", maxPasswordLength, "MinPasswordLength",
- minPasswordLength, "LDAP", ldapObject, "ActiveDirectory",
- activeDirectoryObject, "Oem", oemObject))
+
+ if (!json_util::readJson(req, res, "AccountLockoutDuration",
+ unlockTimeout, "AccountLockoutThreshold",
+ lockoutThreshold, "MaxPasswordLength",
+ maxPasswordLength, "MinPasswordLength",
+ minPasswordLength, "LDAP", ldapObject,
+ "ActiveDirectory", activeDirectoryObject))
 {
 return;
 }
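Review bot: Dropping `"Oem", oemObject` from the `readJson` call means a PATCH body that still carries `Oem.OpenBMC.AuthMethods` — from a client written against the build being reverted — is no longer read; if `json_util::readJson` rejects properties it was not asked for, which this hunk does not show, the whole request then fails instead of being partially applied. Failing closed is the right outcome for an auth-policy property, but it is a visible API break worth calling out so that client tooling is updated rather than reporting it as a regression. The same applies to the `Oem` object removed from the `doGet` response earlier in this line. The enclosing `doPatch` starts and ends outside the hunk.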
@@ -1208,22 +1133,6 @@ class AccountService : public Node
 handleLDAPPatch(*ldapObject, asyncResp, req, params, "LDAP");
 }
- if (std::optional<nlohmann::json> oemOpenBMCObject;
- oemObject &&
- json_util::readJson(*oemObject, res, "OpenBMC", oemOpenBMCObject))
- {
- if (std::optional<nlohmann::json> authMethodsObject;
- oemOpenBMCObject &&
- json_util::readJson(*oemOpenBMCObject, res, "AuthMethods",
- authMethodsObject))
- {
- if (authMethodsObject)
- {
- handleAuthMethodsPatch(*authMethodsObject, asyncResp);
- }
- }
- }
-
 if (activeDirectoryObject)
 {
 handleLDAPPatch(*activeDirectoryObject, asyncResp, req, params,
@@ -1264,8 +1173,6 @@ class AccountService : public Node
 std::variant<uint16_t>(*lockoutThreshold));
 }
 }
-
- CrowApp& app;
 };
 class AccountsCollection : public Node
diff --git a/static/redfish/v1/$metadata/index.xml b/static/redfish/v1/$metadata/index.xml
index 4804e48..7383365 100644
--- a/static/redfish/v1/$metadata/index.xml
+++ b/static/redfish/v1/$metadata/index.xml
@@ -1045,10 +1045,6 @@
 <edmx:Include Namespace="NetworkPort.v1_2_2"/>
 <edmx:Include Namespace="NetworkPort.v1_2_3"/>
 </edmx:Reference>
- <edmx:Reference Uri="/redfish/v1/schema/OemAccountService_v1.xml">
- <edmx:Include Namespace="OemAccountService"/>
- <edmx:Include Namespace="OemAccountService.v1_0_0"/>
- </edmx:Reference>
 <edmx:Reference Uri="/redfish/v1/schema/NetworkPortCollection_v1.xml">
 <edmx:Include Namespace="NetworkPortCollection"/>
 </edmx:Reference>
diff --git a/static/redfish/v1/JsonSchemas/OemAccountService/index.json b/static/redfish/v1/JsonSchemas/OemAccountService/index.json
deleted file mode 100644
index 5283170..0000000
--- a/static/redfish/v1/JsonSchemas/OemAccountService/index.json
+++ /dev/null
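Review bot: The validator failure that motivates the revert is confined to this `$metadata` reference: the `Uri` names `/redfish/v1/schema/OemAccountService_v1.xml` while the schema was checked in as `static/redfish/v1/schema/OemAccountService.xml` (the deleted-file header that follows), so the validator fetches a path with no backing file. Reverting the whole feature, including the server-side ability to turn individual auth methods off, is a much larger change than making the `Uri` and the on-disk name agree. If the feature is re-landed, keep the two consistent and include the validator run in the review, since `$metadata` is what every Redfish client uses to discover the OEM schema.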
@@ -1,102 +0,0 @@ -{ - "$id": "http://redfish.dmtf.org/schemas/v1/OemAccountService.v1_0_0.json", - "$schema": "http://redfish.dmtf.org/schemas/v1/redfish-schema-v1.json", - "copyright": "Copyright 2014-2019 DMTF. For the full DMTF copyright policy, see http://www.dmtf.org/about/policies/copyright", - "definitions": { - "AccountService": { - "additionalProperties": false, - "description": "OEM Extension for AccountService", - "longDescription": "OEM Extension for AccountService providing info about TLS Auth.", - "patternProperties": { - "^([a-zA-Z_][a-zA-Z0-9_]*)?@(odata|Redfish|Message)\\.[a-zA-Z_][a-zA-Z0-9_]*$": { - "description": "This property shall specify a valid odata or Redfish property.", - "type": [ - "array", - "boolean", - "integer", - "number", - "null", - "object", - "string" - ] - } - }, - "properties": { - "AuthMethods": { - "anyOf": [ - { - "$ref": "#/definitions/AuthMethodsConfig" - }, - { - "type": "null" - } - ], - "description": "Authorization Methods configuration.", - "longDescription": "Configuration describing which auth methods are enabled." 
- } - }, - "type": "object" - }, - "AuthMethodsConfig": { - "additionalProperties": false, - "description": "Authorization Methods configuration.", - "longDescription": "Configuration describing which auth methods are enabled.", - "patternProperties": { - "^([a-zA-Z_][a-zA-Z0-9_]*)?@(odata|Redfish|Message)\\.[a-zA-Z_][a-zA-Z0-9_]*$": { - "description": "This property shall specify a valid odata or Redfish property.", - "type": [ - "array", - "boolean", - "integer", - "number", - "null", - "object", - "string" - ] - } - }, - "properties": { - "BasicAuth": { - "description": "Indicates whether BasicAuth authorization is enabled.", - "longDescription": "The value of this property shall be a boolean indicating whether BasicAuth authorization is enabled.", - "readonly": false, - "type": [ - "boolean", - "null" - ] - }, - "Cookie": { - "description": "Indicates whether Cookie authorization is enabled.", - "longDescription": "The value of this property shall be a boolean indicating whether Cookie authorization is enabled.", - "readonly": false, - "type": [ - "boolean", - "null" - ] - }, - "SessionToken": { - "description": "Indicates whether SessionToken authorization is enabled.", - "longDescription": "The value of this property shall be a boolean indicating whether SessionToken authorization is enabled.", - "readonly": false, - "type": [ - "boolean", - "null" - ] - }, - "XToken": { - "description": "Indicates whether XToken authorization is enabled.", - "longDescription": "The value of this property shall be a boolean indicating whether XToken authorization is enabled.", - "readonly": false, - "type": [ - "boolean", - "null" - ] - } - }, - "type": "object" - } - }, - "owningEntity": "OpenBMC", - "release": "1.0", - "title": "#OemAccountService.v1_0_0" -}
\ No newline at end of file
diff --git a/static/redfish/v1/schema/OemAccountService.xml b/static/redfish/v1/schema/OemAccountService.xml
deleted file mode 100644
index 626097b..0000000
--- a/static/redfish/v1/schema/OemAccountService.xml
+++ /dev/null
@@ -1,71 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<edmx:Edmx xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx" Version="4.0"> - - <edmx:Reference Uri="http://docs.oasis-open.org/odata/odata/v4.0/errata03/csd01/complete/vocabularies/Org.OData.Core.V1.xml"> - <edmx:Include Namespace="Org.OData.Core.V1" Alias="OData"/> - </edmx:Reference> - <edmx:Reference Uri="http://docs.oasis-open.org/odata/odata/v4.0/errata03/csd01/complete/vocabularies/Org.OData.Measures.V1.xml"> - <edmx:Include Namespace="Org.OData.Measures.V1" Alias="Measures"/> - </edmx:Reference> - <edmx:Reference Uri="http://redfish.dmtf.org/schemas/v1/RedfishExtensions_v1.xml"> - <edmx:Include Namespace="RedfishExtensions.v1_0_0" Alias="Redfish"/> - </edmx:Reference> - <edmx:Reference Uri="http://redfish.dmtf.org/schemas/v1/Resource_v1.xml"> - <edmx:Include Namespace="Resource"/> - <edmx:Include Namespace="Resource.v1_0_0"/> - </edmx:Reference> - - <edmx:DataServices> - - <Schema xmlns="http://docs.oasis-open.org/odata/ns/edm" Namespace="OemAccountService"> - <Annotation Term="Redfish.OwningEntity" String="OpenBMC"/> - </Schema> - - <Schema xmlns="http://docs.oasis-open.org/odata/ns/edm" Namespace="OemAccountService.v1_0_0"> - <Annotation Term="Redfish.OwningEntity" String="OpenBMC"/> - <Annotation Term="Redfish.Release" String="1.0"/> - - <ComplexType Name="AuthMethodsConfig"> - <Annotation Term="OData.AdditionalProperties" Bool="false"/> - <Annotation Term="OData.Description" String="Authorization Methods configuration."/> - <Annotation Term="OData.LongDescription" String="Configuration describing which auth methods are enabled."/> - - <Property Name="BasicAuth" Type="Edm.Boolean"> - <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/> - <Annotation Term="OData.Description" String="Indicates whether BasicAuth authorization is enabled."/> - <Annotation Term="OData.LongDescription" String="The value of this property shall be a boolean indicating whether BasicAuth 
authorization is enabled."/> - </Property> - - <Property Name="Cookie" Type="Edm.Boolean"> - <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/> - <Annotation Term="OData.Description" String="Indicates whether Cookie authorization is enabled."/> - <Annotation Term="OData.LongDescription" String="The value of this property shall be a boolean indicating whether Cookie authorization is enabled."/> - </Property> - - <Property Name="SessionToken" Type="Edm.Boolean"> - <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/> - <Annotation Term="OData.Description" String="Indicates whether SessionToken authorization is enabled."/> - <Annotation Term="OData.LongDescription" String="The value of this property shall be a boolean indicating whether SessionToken authorization is enabled."/> - </Property> - - <Property Name="XToken" Type="Edm.Boolean"> - <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/> - <Annotation Term="OData.Description" String="Indicates whether XToken authorization is enabled."/> - <Annotation Term="OData.LongDescription" String="The value of this property shall be a boolean indicating whether XToken authorization is enabled."/> - </Property> - </ComplexType> - - <!--Base entity type for array members--> - <EntityType Name="AccountService" BaseType="Resource.OemObject" Abstract="true"> - <Annotation Term="OData.Description" String="OEM Extension for AccountService"/> - <Annotation Term="OData.LongDescription" String="OEM Extension for AccountService providing info about TLS Auth."/> - - <Property Name="AuthMethods" Type="OemAccountService.v1_0_0.AuthMethodsConfig"> - <Annotation Term="OData.Description" String="Authorization Methods configuration."/> - <Annotation Term="OData.LongDescription" String="Configuration describing which auth methods are enabled."/> - </Property> - </EntityType> - </Schema> - - </edmx:DataServices> -</edmx:Edmx> |