From 501f1e58ea6fdf97163ce4ea05fbaf1861a62b79 Mon Sep 17 00:00:00 2001
From: Zbigniew Kurzynski
Date: Wed, 2 Oct 2019 11:22:11 +0200
Subject: TLS method configuration
User is now able to turn on and off the TLS authentication method.
Tested: No regression found in manual testing. By default everything works as before, and disabling TLS method prevents user to authenticate by it. Tested with Redfish Service Validator, version 1.2.8
Signed-off-by: Zbigniew Kurzynski
Change-Id: Ib7be1af659db568caa7e5b97e3844617586d7754
---
http/http_connection.h | 9 +++++++++
include/sessions.hpp | 8 +++++++-
redfish-core/lib/account_service.hpp | 12 ++++++++++--
static/redfish/v1/JsonSchemas/OemAccountService/index.json | 9 +++++++++
static/redfish/v1/schema/OemAccountService_v1.xml | 6 ++++++
5 files changed, 41 insertions(+), 3 deletions(-)
diff --git a/http/http_connection.h b/http/http_connection.h
index 78805a6..70def8a 100644
--- a/http/http_connection.h
+++ b/http/http_connection.h
@@ -267,6 +267,15 @@ class Connection
#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
adaptor.set_verify_callback(
[this](bool preverified, boost::asio::ssl::verify_context& ctx) {
+ // do nothing if TLS is disabled
+ if (!crow::persistent_data::SessionStore::getInstance()
+ .getAuthMethodsConfig()
+ .tls)
+ {
+ BMCWEB_LOG_DEBUG << "TLS auth_config is disabled";
+ return true;
+ }
+
+ // We always return true to allow full auth flow
if (!preverified)
{
diff --git a/include/sessions.hpp b/include/sessions.hpp
index 7493494..f58c676 100644
--- a/include/sessions.hpp
+++ b/include/sessions.hpp
@@ -345,6 +345,7 @@ struct AuthConfigMethods
bool cookie = true;
bool sessionToken = true;
bool basic = true;
+ bool tls = true;
void fromJson(const nlohmann::json& j)
{
@@ -372,6 +373,10 @@ struct AuthConfigMethods
{
basic = *value;
}
+ else if (element.key() == "TLS")
+ {
+ tls = *value;
+ }
}
}
};
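Review bot: The comment `// do nothing if TLS is disabled` and the log text in the http_connection.h hunk overstate what the early `return true` does: TLS transport stays on, and returning true still accepts the peer certificate (the pre-existing `// We always return true to allow full auth flow` branch already does that); what is skipped is the remainder of the verify callback, which presumably is where a verified client certificate is mapped to a session. I would reword it to `// Client-certificate (mutual TLS) auth is disabled via AuthMethods: accept the handshake but do not map the certificate to a session` and change the log to say "client certificate auth". Because the flag is read from the SessionStore singleton at handshake time, switching TLS off appears not to affect a connection already authenticated by certificate until it closes, which is worth stating in the commit message if confirmed. The verify-callback lambda continues outside the hunk.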
@@ -584,7 +589,8 @@ template <> struct adl_serializer
j = nlohmann::json{{"XToken", c.xtoken},
{"Cookie", c.cookie},
{"SessionToken", c.sessionToken},
- {"BasicAuth", c.basic}};
+ {"BasicAuth", c.basic},
+ {"TLS", c.tls}};
}
};
} // namespace nlohmann
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index 8f28ea4..637be86 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -895,10 +895,11 @@ class AccountService : public Node
std::optional cookie;
std::optional sessionToken;
std::optional xToken;
+ std::optional tls;
if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth, "Cookie", cookie, "SessionToken", sessionToken,
- "XToken", xToken))
+ "XToken", xToken, "TLS", tls))
{
BMCWEB_LOG_ERROR << "Cannot read values from AuthMethod tag";
return;
@@ -929,8 +930,14 @@ class AccountService : public Node
authMethodsConfig.xtoken = *xToken;
}
+ if (tls)
+ {
+ authMethodsConfig.tls = *tls;
+ }
+
if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
- !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken)
+ !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
+ !authMethodsConfig.tls)
{
// Do not allow user to disable everything
messages::actionNotSupported(asyncResp->res,
@@ -1151,6 +1158,7 @@ class AccountService : public Node
{"SessionToken", authMethodsConfig.sessionToken},
{"XToken", authMethodsConfig.xtoken},
{"Cookie", authMethodsConfig.cookie},
+ {"TLS", authMethodsConfig.tls},
}}}}}},
{"LDAP",
{{"Certificates",
diff --git a/static/redfish/v1/JsonSchemas/OemAccountService/index.json b/static/redfish/v1/JsonSchemas/OemAccountService/index.json
index 5283170..2311d83 100644
--- a/static/redfish/v1/JsonSchemas/OemAccountService/index.json
+++ b/static/redfish/v1/JsonSchemas/OemAccountService/index.json
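Review bot: In the `@@ -929,8 +930,14 @@` hunk the disable-everything guard now counts `authMethodsConfig.tls` as a usable method, but the only code that honours the flag (the verify callback in http_connection.h) is compiled under `#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION`, while this PATCH handler accepts and persists `"TLS"` unconditionally. On a build without mutual TLS, a PATCH that clears BasicAuth, Cookie, SessionToken and XToken and leaves TLS at its default `true` passes the guard and leaves the BMC with no working Redfish authentication path, which is exactly the self-lockout the guard exists to prevent. I would make the guard treat TLS as available only when it is compiled in, and consider rejecting an explicit `"TLS": true` with actionNotSupported on such builds so the stored config never claims a method that does not exist. The PATCH handler begins and ends outside the hunk.
```cpp
    // … unchanged: copy basicAuth/cookie/sessionToken/xToken/tls optionals into authMethodsConfig …
#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
    const bool tlsAuthUsable = authMethodsConfig.tls;
#else
    // The flag is persisted, but no code path honours it in this build
    const bool tlsAuthUsable = false;
#endif
    if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
        !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
        !tlsAuthUsable)
    {
        // Do not allow user to disable everything
        // … unchanged: actionNotSupported and return …
```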
@@ -83,6 +83,15 @@
"null"
]
},
+ "TLS": {
+ "description": "Indicates whether TLS authorization is enabled.",
+ "longDescription": "The value of this property shall be a boolean indicating whether TLS authorization is enabled.",
+ "readonly": false,
+ "type": [
+ "boolean",
+ "null"
+ ]
+ },
"XToken": {
"description": "Indicates whether XToken authorization is enabled.",
"longDescription": "The value of this property shall be a boolean indicating whether XToken authorization is enabled.",
diff --git a/static/redfish/v1/schema/OemAccountService_v1.xml b/static/redfish/v1/schema/OemAccountService_v1.xml
index 626097b..c5783ca 100644
--- a/static/redfish/v1/schema/OemAccountService_v1.xml
+++ b/static/redfish/v1/schema/OemAccountService_v1.xml
@@ -53,6 +53,12 @@
+
+
+
+
+
+
-- cgit v1.2.1
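Review bot: The `description` and `longDescription` of the new `TLS` property call it "TLS authorization", but per the commit title and the http_connection.h change the flag turns client-certificate authentication of the Redfish user on or off; it does not control authorization, and TLS transport is unaffected either way. The sibling entries use the same wording, so this is inherited, but a security setting should say what it gates: I would write `"description": "Indicates whether client certificate (mutual TLS) authentication is enabled."` with a matching longDescription. If confirmed, the longDescription should also say that the setting only has effect on images built with mutual TLS support, since nothing else in the diff consults it.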