Auth methods configuration
Added Oem extension for AccountService allowing user to configure
which authentication methods should be enabled. User is now able
to turn on and off authentication methods like BasicAuth, XToken, etc.
User is not allowed to turn off all of the methods at once - at least
one method has to be active to prevent lock-out. This configuration
is persistent, will be saved on file-system and will be loaded on
bmcweb's restart.
Tested:
No regression found in manual testing. By default everything works as before,
and disabling an auth method prevents the user from authenticating with it. Tested that
the user is not allowed to disable all the methods - either in one PATCH or by
disabling them one at a time.
ServiceValidator run with success.
Change-Id: I3a775d783ac05998d17b8e91800962bffd8cab52
Signed-off-by: Kowalski, Kamil <kamil.kowalski@intel.com>
Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
diff --git a/include/sessions.hpp b/include/sessions.hpp
index df65d61..7493494 100644
--- a/include/sessions.hpp
+++ b/include/sessions.hpp
@@ -339,6 +339,43 @@
}
};
+struct AuthConfigMethods
+{
+ bool xtoken = true;
+ bool cookie = true;
+ bool sessionToken = true;
+ bool basic = true;
+
+ void fromJson(const nlohmann::json& j)
+ {
+ for (const auto& element : j.items())
+ {
+ const bool* value = element.value().get_ptr<const bool*>();
+ if (value == nullptr)
+ {
+ continue;
+ }
+
+ if (element.key() == "XToken")
+ {
+ xtoken = *value;
+ }
+ else if (element.key() == "Cookie")
+ {
+ cookie = *value;
+ }
+ else if (element.key() == "SessionToken")
+ {
+ sessionToken = *value;
+ }
+ else if (element.key() == "BasicAuth")
+ {
+ basic = *value;
+ }
+ }
+ }
+};
+
class Middleware;
class SessionStore
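Review bot: `fromJson` does not enforce the at-least-one-method rule from the commit message, so a persisted object with all four keys set to `false` would load as a configuration nobody can authenticate against; the check described for the PATCH path appears to live outside this hunk. After the loop, something like `if (!xtoken && !cookie && !sessionToken && !basic) { *this = AuthConfigMethods{}; }` plus a log line would keep the BMC reachable, though whether to fall back to the defaults or to the previous values is a policy decision to settle explicitly. Separately, the `value == nullptr` branch skips non-boolean values silently and leaves that member untouched; if this runs against a default-constructed instance at startup, a stored `"BasicAuth": "false"` (string instead of boolean) would bring Basic auth back as enabled with no trace, so that branch should at least log the rejected key.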
@@ -445,6 +482,17 @@
return ret;
}
+ void updateAuthMethodsConfig(const AuthConfigMethods& config)
+ {
+ authMethodsConfig = config;
+ needWrite = true;
+ }
+
+ AuthConfigMethods& getAuthMethodsConfig()
+ {
+ return authMethodsConfig;
+ }
+
bool needsWrite()
{
return needWrite;
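Review bot: `getAuthMethodsConfig()` hands out a mutable reference to `authMethodsConfig`, so any caller can flip an authentication method without going through `updateAuthMethodsConfig()`; in that case `needWrite` is never set and any validation later added to the setter is bypassed. Returning `const AuthConfigMethods& getAuthMethodsConfig() const` would make the setter the single write path; callers outside this hunk that rely on the mutable reference (for example to call `fromJson` in place) would need to build a copy and pass it to the setter. `updateAuthMethodsConfig()` is then also the natural place for the at-least-one-enabled check, so the lock-out rule does not depend on every caller remembering it. The `SessionStore` class body starts and ends outside this hunk.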
@@ -501,6 +549,7 @@
std::random_device rd;
bool needWrite{false};
std::chrono::minutes timeoutInMinutes;
+ AuthConfigMethods authMethodsConfig;
};
} // namespace persistent_data
@@ -526,4 +575,16 @@
}
}
};
+
+template <> struct adl_serializer<crow::persistent_data::AuthConfigMethods>
+{
+ static void to_json(nlohmann::json& j,
+ const crow::persistent_data::AuthConfigMethods& c)
+ {
+ j = nlohmann::json{{"XToken", c.xtoken},
+ {"Cookie", c.cookie},
+ {"SessionToken", c.sessionToken},
+ {"BasicAuth", c.basic}};
+ }
+};
} // namespace nlohmann
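Review bot: The key strings `"XToken"`, `"Cookie"`, `"SessionToken"` and `"BasicAuth"` are spelled out here and again in `AuthConfigMethods::fromJson`, with nothing tying the two lists together. Because `fromJson` ignores keys it does not recognise, a typo or rename on one side would silently drop the persisted setting and leave that method at its default of enabled. Sharing the names as constants, or at minimum adding `// keys must match AuthConfigMethods::fromJson` above the initializer, would make the coupling visible to the next person editing either side.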