| author | Ed Tanous <ed.tanous@intel.com> | 2018-03-22 15:44:39 -0700 |
|---|---|---|
| committer | Ed Tanous <ed.tanous@intel.com> | 2018-04-22 18:16:47 +0000 |
| commit | bae064e493fcf02c233b0ec37666c31b9158cb09 (patch) | |
| tree | a6f7a87e6b48a71362b2dbc2ba6a4e2d74636305 /include | |
| parent | ac569ed67e29b083c7541c72958481cbebb2de04 (diff) | |
| download | bmcweb-bae064e493fcf02c233b0ec37666c31b9158cb09.tar.gz bmcweb-bae064e493fcf02c233b0ec37666c31b9158cb09.zip | |
Change order of authorization types
Basic authentication is very slow by virtue of the fact that it has to
call into pam. This commit rearranges the flow to accomplish 2 things.
1. If a non-basic auth mechanism is provided, prefer that.
2. Check the whitelist first, before attempting to authenticate the
user.
Change-Id: Icfe5a218c00a2aeb53acd1ab00bb8cc568424d1d
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Diffstat (limited to 'include')
| -rw-r--r-- | include/token_authorization_middleware.hpp | 40 |
1 files changed, 20 insertions, 20 deletions
diff --git a/include/token_authorization_middleware.hpp b/include/token_authorization_middleware.hpp
index a5c3ef8..c89dcdd 100644
--- a/include/token_authorization_middleware.hpp
+++ b/include/token_authorization_middleware.hpp
@@ -22,21 +22,27 @@ class Middleware {
 };
 void before_handle(crow::request& req, response& res, context& ctx) {
- std::string auth_header = req.get_header_value("Authorization");
- if (auth_header != "") {
- // Reject any kind of auth other than basic or token
- if (boost::starts_with(auth_header, "Basic ")) {
- ctx.session = perform_basic_auth(auth_header);
- } else if (boost::starts_with(auth_header, "Token ")) {
- ctx.session = perform_token_auth(auth_header);
- }
- } else if (req.headers.count("X-Auth-Token") == 1) {
+ if (is_on_whitelist(req)) {
+ return;
+ }
+
+ if (req.headers.count("X-Auth-Token") == 1) {
 ctx.session = perform_xtoken_auth(req);
 } else if (req.headers.count("Cookie") == 1) {
 ctx.session = perform_cookie_auth(req);
+ } else {
+ std::string auth_header = req.get_header_value("Authorization");
+ if (auth_header != "") {
+ // Reject any kind of auth other than basic or token
+ if (boost::starts_with(auth_header, "Token ")) {
+ ctx.session = perform_token_auth(auth_header);
+ } else if (boost::starts_with(auth_header, "Basic ")) {
+ ctx.session = perform_basic_auth(auth_header);
+ }
+ }
 }
- if (ctx.session == nullptr && !is_on_whitelist(req)) {
+ if (ctx.session == nullptr) {
 CROW_LOG_WARNING << "[AuthMiddleware] authorization failed";
 res.code = static_cast<int>(HttpRespCode::UNAUTHORIZED);
 res.add_header("WWW-Authenticate", "Basic");
@@ -203,7 +209,6 @@ void request_routes(Crow<Middlewares...>& app) {
 const std::string* password;
 bool looks_like_ibm = false;
-
 // This object needs to be declared at this scope so the strings within
 // it are not destroyed before we can use them
 nlohmann::json login_credentials;
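Review bot: With the new precedence, a request carrying any `Cookie` header is routed to `perform_cookie_auth` and, when that returns `nullptr`, is rejected at the `ctx.session == nullptr` check without the `Authorization` header ever being read — so a client holding a stale or unrelated cookie can no longer fall back to Basic or Token auth, and `req.headers.count("Cookie") == 1` matches cookies that have nothing to do with this service. Whether that is intended (no credential mixing) or a regression should be stated at the top of the chain, e.g. `// Precedence: X-Auth-Token, then Cookie, then Authorization; a credential that is present but fails is not retried with a lower-priority one.` Moving `is_on_whitelist` ahead of authentication also means whitelisted routes now return before `ctx.session` is ever set, so any handler on a whitelisted path that previously inspected `ctx.session` will always see `nullptr` — worth confirming against the whitelist contents, which are not in this hunk. The body of `before_handle` continues past the end of the hunk.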
@@ -268,20 +273,15 @@ void request_routes(Crow<Middlewares...>& app) {
 // IBM requires a very specific login structure, and doesn't
 // actually look at the status code. TODO(ed).... Fix that
 // upstream
- nlohmann::json ret{{"data", "User '" + *username + "' logged in"},
- {"message", "200 OK"},
- {"status", "ok"}};
+ res.json_value = {{"data", "User '" + *username + "' logged in"},
+ {"message", "200 OK"},
+ {"status", "ok"}};
 res.add_header("Set-Cookie", "XSRF-TOKEN=" + session.csrf_token);
 res.add_header("Set-Cookie", "SESSION=" + session.session_token + "; Secure; HttpOnly");
-
- res.write(ret.dump());
 } else {
 // if content type is json, assume json token
- nlohmann::json ret{{"token", session.session_token}};
-
- res.write(ret.dump());
- res.add_header("Content-Type", "application/json");
+ res.json_value = {{"token", session.session_token}};
 }
 } |
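Review bot: The explicit `res.add_header("Content-Type", "application/json")` is dropped together with `res.write(ret.dump())`, so the token branch now depends on whatever serializes `res.json_value` to set the content type; that code is not in this hunk and should be confirmed, since a token body served without a JSON content type may be content-sniffed by some clients. On the IBM branch the `XSRF-TOKEN` cookie is still set without `Secure`, unlike the `SESSION` cookie on the following line; it cannot be `HttpOnly` if script must read it, but `; Secure` would keep it off plaintext connections — `res.add_header("Set-Cookie", "XSRF-TOKEN=" + session.csrf_token + "; Secure");`. The enclosing handler starts before this hunk, so the rest of its response handling is not visible here.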

