Fixing mTLS switches
This commit is a fix for revert:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27205
The mTLS will work only when:
* Compilation flag BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION is
enabled and,
* AccountService->Oem->OpenBMC->AuthMethods->TLS is set and,
* at least one certificate is uploaded to TrustStore.
To enforce new mTLS settings after switching AuthMethods->TLS,
all connections awaiting acceptance are dropped.
In the case of authorized mTLS requests, a cookie with XSRF-TOKEN
and SESSION entries is added to the response. This forces the
X-XSRF-TOKEN challenge for applications that support cookies, such
as web browsers.
Some minor log message changes were also made in this commit.
Tested:
validator_service run with status: 'Validation has succeeded'.
Tests were made with Chrome browser Version 78.0.3904.108.
The certificate popup appears only when mTLS is enabled in CMake,
the TLS option is set and at least one CA certificate is present.
In other cases mTLS is not active and there is no popup for certs.
Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
Change-Id: I778b848b767356b60386694f802a89b3c1f6cb14
diff --git a/include/sessions.hpp b/include/sessions.hpp
index 6e74f25..f461521 100644
--- a/include/sessions.hpp
+++ b/include/sessions.hpp
@@ -4,6 +4,7 @@
#include <boost/uuid/uuid.hpp>
#include <boost/uuid/uuid_generators.hpp>
#include <boost/uuid/uuid_io.hpp>
+#include <csignal>
#include <dbus_singleton.hpp>
#include <nlohmann/json.hpp>
#include <pam_authenticate.hpp>
@@ -496,8 +497,14 @@
void updateAuthMethodsConfig(const AuthConfigMethods& config)
{
+ bool isTLSchanged = (authMethodsConfig.tls != config.tls);
authMethodsConfig = config;
needWrite = true;
+ if (isTLSchanged)
+ {
+ // recreate socket connections with new settings
+ std::raise(SIGHUP);
+ }
}
AuthConfigMethods& getAuthMethodsConfig()
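Review bot: The `std::raise(SIGHUP)` added in updateAuthMethodsConfig makes the method's correctness depend on a SIGHUP handler being installed elsewhere in the process; with the default disposition SIGHUP terminates the process, so reaching this path before that handler is registered (or from a binary that never installs one) would kill bmcweb instead of recreating the listeners. Suggest stating the dependency in the comment, e.g. `// SIGHUP is handled by the webserver main, which recreates the TLS acceptors with the new settings and drops pending connections`, and confirming the handler consults the in-memory authMethodsConfig: raise() runs the handler synchronously before this function returns, which is fine for the in-memory copy already assigned above, but needWrite is only set here and nothing has been flushed yet, so a handler that reads the persisted config would still see the old TLS value. Minor: `isTLSchanged` mixes casing; `isTlsChanged` matches the camelCase of `authMethodsConfig` and `needWrite`.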