Fix regression in metadata
Metadata payloads are no longer accessible without authentication due to
a regression caused by 090ab8e1042e14f7e5e02572ae2a2102677f1f00.
Add /redfish/v1/$metadata to the allow list, and use this as an
opportunity to refactor the isOnAllowList() code and simplify it.
Fixes #277
Tested: Redfish protocol validator $metadata tests now pass again.
```
curl -vvvv -k https://192.168.7.2/redfish/v1/\$metadata
```
Now succeeds.
Change-Id: I0cc3492f6184b2cad3281b22535d5089709c16a4
Signed-off-by: Ed Tanous <etanous@nvidia.com>
diff --git a/include/authentication.hpp b/include/authentication.hpp
index 0617cf3..215e464 100644
--- a/include/authentication.hpp
+++ b/include/authentication.hpp
@@ -216,11 +216,18 @@
// checks if request can be forwarded without authentication
inline bool isOnAllowlist(std::string_view url, boost::beast::http::verb method)
{
+ // Handle the case where the router registers routes as both ending with /
+ // and not.
+ if (url.ends_with('/'))
+ {
+ url.remove_suffix(1);
+ }
if (boost::beast::http::verb::get == method)
{
- if (url == "/redfish/v1" || url == "/redfish/v1/" ||
- url == "/redfish" || url == "/redfish/" ||
- url == "/redfish/v1/odata" || url == "/redfish/v1/odata/")
+ if ((url == "/redfish") || //
+ (url == "/redfish/v1") || //
+ (url == "/redfish/v1/odata") || //
+ (url == "/redfish/v1/$metadata"))
{
return true;
}
@@ -236,9 +243,7 @@
if (boost::beast::http::verb::post == method)
{
if ((url == "/redfish/v1/SessionService/Sessions") ||
- (url == "/redfish/v1/SessionService/Sessions/") ||
(url == "/redfish/v1/SessionService/Sessions/Members") ||
- (url == "/redfish/v1/SessionService/Sessions/Members/") ||
(url == "/login"))
{
return true;