Auth methods configuration

Added Oem extension for AccountService allowing user to configure
which authentication methods should be enabled. User is now able
to turn on and off authentication methods like BasicAuth, XToken, etc.
User is not allowed to turn off all of the methods at once - at least
one method has to be active to prevent lock-out. This configuration
is persistent, will be saved on file-system and will be loaded on
bmcweb's restart.

Tested:
No regression found in manual testing. By default everything works as before,
and disabling auth method prevents user to authenticate by it. Tested that
user is not allowed to disable all the methods - either in one PATCH or by
disabling them one at a time.
ServiceValidator run with success.

This change is a fix for this request:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/23590/18

which was revert here:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/26869

Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
Change-Id: I66b5ad423746f1992070a14f2983a07b1320190e

3 files changed, 81 insertions, 4 deletions

diff --git a/include/persistent_data_middleware.hpp b/include/persistent_data_middleware.hpp
index c368ab2..348079b 100644
--- a/include/persistent_data_middleware.hpp
+++ b/include/persistent_data_middleware.hpp
@@ -100,6 +100,12 @@ class Middleware
                             systemUuid = *jSystemUuid;
                         }
                     }
+                    else if (item.key() == "auth_config")
+                    {
+                        SessionStore::getInstance()
+                            .getAuthMethodsConfig()
+                            .fromJson(item.value());
+                    }
                     else if (item.key() == "sessions")
                     {
                         for (const auto& elem : item.value())
@@ -163,6 +169,7 @@ class Middleware
 
         nlohmann::json data{
             {"sessions", SessionStore::getInstance().authTokens},
+            {"auth_config", SessionStore::getInstance().getAuthMethodsConfig()},
             {"system_uuid", systemUuid},
             {"revision", jsonRevision}};
         persistentFile << data;
diff --git a/include/sessions.hpp b/include/sessions.hpp
index df65d61..7493494 100644
--- a/include/sessions.hpp
+++ b/include/sessions.hpp
@@ -339,6 +339,43 @@ struct UserSession
     }
 };
 
+struct AuthConfigMethods
+{
+    bool xtoken = true;
+    bool cookie = true;
+    bool sessionToken = true;
+    bool basic = true;
+
+    void fromJson(const nlohmann::json& j)
+    {
+        for (const auto& element : j.items())
+        {
+            const bool* value = element.value().get_ptr<const bool*>();
+            if (value == nullptr)
+            {
+                continue;
+            }
+
+            if (element.key() == "XToken")
+            {
+                xtoken = *value;
+            }
+            else if (element.key() == "Cookie")
+            {
+                cookie = *value;
+            }
+            else if (element.key() == "SessionToken")
+            {
+                sessionToken = *value;
+            }
+            else if (element.key() == "BasicAuth")
+            {
+                basic = *value;
+            }
+        }
+    }
+};
+
 class Middleware;
 
 class SessionStore
@@ -445,6 +482,17 @@ class SessionStore
         return ret;
     }
 
+    void updateAuthMethodsConfig(const AuthConfigMethods& config)
+    {
+        authMethodsConfig = config;
+        needWrite = true;
+    }
+
+    AuthConfigMethods& getAuthMethodsConfig()
+    {
+        return authMethodsConfig;
+    }
+
     bool needsWrite()
     {
         return needWrite;
@@ -501,6 +549,7 @@ class SessionStore
     std::random_device rd;
     bool needWrite{false};
     std::chrono::minutes timeoutInMinutes;
+    AuthConfigMethods authMethodsConfig;
 };
 
 } // namespace persistent_data
@@ -526,4 +575,16 @@ struct adl_serializer<std::shared_ptr<crow::persistent_data::UserSession>>
         }
     }
 };
+
+template <> struct adl_serializer<crow::persistent_data::AuthConfigMethods>
+{
+    static void to_json(nlohmann::json& j,
+                        const crow::persistent_data::AuthConfigMethods& c)
+    {
+        j = nlohmann::json{{"XToken", c.xtoken},
+                           {"Cookie", c.cookie},
+                           {"SessionToken", c.sessionToken},
+                           {"BasicAuth", c.basic}};
+    }
+};
 } // namespace nlohmann
diff --git a/include/token_authorization_middleware.hpp b/include/token_authorization_middleware.hpp
index 0a44050..7e4e3bb 100644
--- a/include/token_authorization_middleware.hpp
+++ b/include/token_authorization_middleware.hpp
@@ -31,8 +31,15 @@ class Middleware
             return;
         }
 
-        req.session = performXtokenAuth(req);
-        if (req.session == nullptr)
+        const crow::persistent_data::AuthConfigMethods& authMethodsConfig =
+            crow::persistent_data::SessionStore::getInstance()
+                .getAuthMethodsConfig();
+
+        if (req.session == nullptr && authMethodsConfig.xtoken)
+        {
+            req.session = performXtokenAuth(req);
+        }
+        if (req.session == nullptr && authMethodsConfig.cookie)
         {
             req.session = performCookieAuth(req);
         }
@@ -42,11 +49,13 @@ class Middleware
             if (!authHeader.empty())
             {
                 // Reject any kind of auth other than basic or token
-                if (boost::starts_with(authHeader, "Token "))
+                if (boost::starts_with(authHeader, "Token ") &&
+                    authMethodsConfig.sessionToken)
                 {
                     req.session = performTokenAuth(authHeader);
                 }
-                else if (boost::starts_with(authHeader, "Basic "))
+                else if (boost::starts_with(authHeader, "Basic ") &&
+                         authMethodsConfig.basic)
                 {
                     req.session = performBasicAuth(authHeader);
                 }