Auth methods configuration
Added Oem extension for AccountService allowing user to configure
which authentication methods should be enabled. User is now able
to turn on and off authentication methods like BasicAuth, XToken, etc.
User is not allowed to turn off all of the methods at once - at least
one method has to be active to prevent lock-out. This configuration
is persistent, will be saved on file-system and will be loaded on
bmcweb's restart.
Tested:
No regression found in manual testing. By default everything works as before,
and disabling auth method prevents user to authenticate by it. Tested that
user is not allowed to disable all the methods - either in one PATCH or by
disabling them one at a time.
ServiceValidator run with success.
Change-Id: I3a775d783ac05998d17b8e91800962bffd8cab52
Signed-off-by: Kowalski, Kamil <kamil.kowalski@intel.com>
Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index 07efeb5..f8647b9 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -505,7 +505,8 @@
class AccountService : public Node
{
public:
- AccountService(CrowApp& app) : Node(app, "/redfish/v1/AccountService/")
+ AccountService(CrowApp& app) :
+ Node(app, "/redfish/v1/AccountService/"), app(app)
{
entityPrivileges = {
{boost::beast::http::verb::get,
@@ -839,6 +840,65 @@
ldapEnableInterface, "Enabled", std::variant<bool>(serviceEnabled));
}
+ void handleAuthMethodsPatch(nlohmann::json& input,
+ const std::shared_ptr<AsyncResp>& asyncResp)
+ {
+ std::optional<bool> basicAuth;
+ std::optional<bool> cookie;
+ std::optional<bool> sessionToken;
+ std::optional<bool> xToken;
+
+ if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth,
+ "Cookie", cookie, "SessionToken", sessionToken,
+ "XToken", xToken))
+ {
+ BMCWEB_LOG_ERROR << "Cannot read values from AuthMethod tag";
+ return;
+ }
+
+ // Make a copy of methods configuration
+ crow::persistent_data::AuthConfigMethods authMethodsConfig =
+ crow::persistent_data::SessionStore::getInstance()
+ .getAuthMethodsConfig();
+
+ if (basicAuth)
+ {
+ authMethodsConfig.basic = *basicAuth;
+ }
+
+ if (cookie)
+ {
+ authMethodsConfig.cookie = *cookie;
+ }
+
+ if (sessionToken)
+ {
+ authMethodsConfig.sessionToken = *sessionToken;
+ }
+
+ if (xToken)
+ {
+ authMethodsConfig.xtoken = *xToken;
+ }
+
+ if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
+ !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken)
+ {
+ // Do not allow user to disable everything
+ messages::actionNotSupported(asyncResp->res,
+ "of disabling all available methods");
+ return;
+ }
+
+ crow::persistent_data::SessionStore::getInstance()
+ .updateAuthMethodsConfig(authMethodsConfig);
+ // Save configuration immediately
+ app.template getMiddleware<crow::persistent_data::Middleware>()
+ .writeData();
+
+ messages::success(asyncResp->res);
+ }
+
/**
* @brief Get the required values from the given JSON, validates the
* value and create the LDAP config object.
@@ -1015,6 +1075,10 @@
void doGet(crow::Response& res, const crow::Request& req,
const std::vector<std::string>& params) override
{
+ const crow::persistent_data::AuthConfigMethods& authMethodsConfig =
+ crow::persistent_data::SessionStore::getInstance()
+ .getAuthMethodsConfig();
+
auto asyncResp = std::make_shared<AsyncResp>(res);
res.jsonValue = {
{"@odata.context", "/redfish/v1/"
@@ -1030,6 +1094,16 @@
{"Accounts",
{{"@odata.id", "/redfish/v1/AccountService/Accounts"}}},
{"Roles", {{"@odata.id", "/redfish/v1/AccountService/Roles"}}},
+ {"Oem",
+ {{"OpenBMC",
+ {{"@odata.type", "#OemAccountService.v1_0_0.AccountService"},
+ {"AuthMethods",
+ {
+ {"BasicAuth", authMethodsConfig.basic},
+ {"SessionToken", authMethodsConfig.sessionToken},
+ {"XToken", authMethodsConfig.xtoken},
+ {"Cookie", authMethodsConfig.cookie},
+ }}}}}},
{"LDAP",
{{"Certificates",
{{"@odata.id",
@@ -1107,13 +1181,14 @@
std::optional<uint16_t> maxPasswordLength;
std::optional<nlohmann::json> ldapObject;
std::optional<nlohmann::json> activeDirectoryObject;
+ std::optional<nlohmann::json> oemObject;
- if (!json_util::readJson(req, res, "AccountLockoutDuration",
- unlockTimeout, "AccountLockoutThreshold",
- lockoutThreshold, "MaxPasswordLength",
- maxPasswordLength, "MinPasswordLength",
- minPasswordLength, "LDAP", ldapObject,
- "ActiveDirectory", activeDirectoryObject))
+ if (!json_util::readJson(
+ req, res, "AccountLockoutDuration", unlockTimeout,
+ "AccountLockoutThreshold", lockoutThreshold,
+ "MaxPasswordLength", maxPasswordLength, "MinPasswordLength",
+ minPasswordLength, "LDAP", ldapObject, "ActiveDirectory",
+ activeDirectoryObject, "Oem", oemObject))
{
return;
}
@@ -1133,6 +1208,22 @@
handleLDAPPatch(*ldapObject, asyncResp, req, params, "LDAP");
}
+ if (std::optional<nlohmann::json> oemOpenBMCObject;
+ oemObject &&
+ json_util::readJson(*oemObject, res, "OpenBMC", oemOpenBMCObject))
+ {
+ if (std::optional<nlohmann::json> authMethodsObject;
+ oemOpenBMCObject &&
+ json_util::readJson(*oemOpenBMCObject, res, "AuthMethods",
+ authMethodsObject))
+ {
+ if (authMethodsObject)
+ {
+ handleAuthMethodsPatch(*authMethodsObject, asyncResp);
+ }
+ }
+ }
+
if (activeDirectoryObject)
{
handleLDAPPatch(*activeDirectoryObject, asyncResp, req, params,
@@ -1173,6 +1264,8 @@
std::variant<uint16_t>(*lockoutThreshold));
}
}
+
+ CrowApp& app;
};
class AccountsCollection : public Node