TLS method configuration
User is now able to turn on and off the TLS authentication method.
Tested:
No regression found in manual testing. By default everything works
as before, and disabling the TLS method prevents the user from
authenticating with it.
Tested with Redfish Service Validator, version 1.2.8
Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
Change-Id: Ib7be1af659db568caa7e5b97e3844617586d7754
diff --git a/http/http_connection.h b/http/http_connection.h
index 78805a6..70def8a 100644
--- a/http/http_connection.h
+++ b/http/http_connection.h
@@ -267,6 +267,15 @@
#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
adaptor.set_verify_callback(
[this](bool preverified, boost::asio::ssl::verify_context& ctx) {
+ // do nothing if TLS is disabled
+ if (!crow::persistent_data::SessionStore::getInstance()
+ .getAuthMethodsConfig()
+ .tls)
+ {
+ BMCWEB_LOG_DEBUG << "TLS auth_config is disabled";
+ return true;
+ }
+
// We always return true to allow full auth flow
if (!preverified)
{
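Review bot: The comment on the new guard says TLS is disabled, but what the flag turns off is the client-certificate authentication method; the TLS session itself still proceeds, and the callback returns true exactly as the existing comment below states it always does. Suggest `// Skip client-certificate auth when the TLS auth method is disabled; the handshake itself still proceeds.` so a reader does not conclude the connection falls back to plaintext. The flag is re-read from the session store on every verify-callback invocation, so a runtime change applies from the next handshake on, which is presumably intended and worth saying in the same comment. The enclosing lambda and the set_verify_callback call begin and end outside the hunk.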
diff --git a/include/sessions.hpp b/include/sessions.hpp
index 7493494..f58c676 100644
--- a/include/sessions.hpp
+++ b/include/sessions.hpp
@@ -345,6 +345,7 @@
bool cookie = true;
bool sessionToken = true;
bool basic = true;
+ bool tls = true;
void fromJson(const nlohmann::json& j)
{
@@ -372,6 +373,10 @@
{
basic = *value;
}
+ else if (element.key() == "TLS")
+ {
+ tls = *value;
+ }
}
}
};
@@ -584,7 +589,8 @@
j = nlohmann::json{{"XToken", c.xtoken},
{"Cookie", c.cookie},
{"SessionToken", c.sessionToken},
- {"BasicAuth", c.basic}};
+ {"BasicAuth", c.basic},
+ {"TLS", c.tls}};
}
};
} // namespace nlohmann
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index 8f28ea4..637be86 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -895,10 +895,11 @@
std::optional<bool> cookie;
std::optional<bool> sessionToken;
std::optional<bool> xToken;
+ std::optional<bool> tls;
if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth,
"Cookie", cookie, "SessionToken", sessionToken,
- "XToken", xToken))
+ "XToken", xToken, "TLS", tls))
{
BMCWEB_LOG_ERROR << "Cannot read values from AuthMethod tag";
return;
@@ -929,8 +930,14 @@
authMethodsConfig.xtoken = *xToken;
}
+ if (tls)
+ {
+ authMethodsConfig.tls = *tls;
+ }
+
if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
- !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken)
+ !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
+ !authMethodsConfig.tls)
{
// Do not allow user to disable everything
messages::actionNotSupported(asyncResp->res,
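Review bot: The all-disabled guard at the new `!authMethodsConfig.tls` term counts TLS as an available method even in builds where BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION is not defined, although the only consumer of the flag shown in this change (the verify callback in http/http_connection.h) sits under that #ifdef. A client can therefore disable BasicAuth, Cookie, SessionToken and XToken while leaving TLS true and still pass the check, leaving such a build with no working authentication method. Suggest deriving a local value that is false when the feature is compiled out and using it in the guard, assuming the define is visible in this translation unit as it is in http_connection.h; the GET hunk further down likewise reports the raw flag as enabled regardless of build configuration. The enclosing handler begins outside the hunk.
```cpp
    bool tlsUsable = false;
#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
    tlsUsable = authMethodsConfig.tls;
#endif
    if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
        !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken &&
        !tlsUsable)
    {
        // … unchanged: actionNotSupported response …
```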
@@ -1151,6 +1158,7 @@
{"SessionToken", authMethodsConfig.sessionToken},
{"XToken", authMethodsConfig.xtoken},
{"Cookie", authMethodsConfig.cookie},
+ {"TLS", authMethodsConfig.tls},
}}}}}},
{"LDAP",
{{"Certificates",
diff --git a/static/redfish/v1/JsonSchemas/OemAccountService/index.json b/static/redfish/v1/JsonSchemas/OemAccountService/index.json
index 5283170..2311d83 100644
--- a/static/redfish/v1/JsonSchemas/OemAccountService/index.json
+++ b/static/redfish/v1/JsonSchemas/OemAccountService/index.json
@@ -83,6 +83,15 @@
"null"
]
},
+ "TLS": {
+ "description": "Indicates whether TLS authorization is enabled.",
+ "longDescription": "The value of this property shall be a boolean indicating whether TLS authorization is enabled.",
+ "readonly": false,
+ "type": [
+ "boolean",
+ "null"
+ ]
+ },
"XToken": {
"description": "Indicates whether XToken authorization is enabled.",
"longDescription": "The value of this property shall be a boolean indicating whether XToken authorization is enabled.",
diff --git a/static/redfish/v1/schema/OemAccountService_v1.xml b/static/redfish/v1/schema/OemAccountService_v1.xml
index 626097b..c5783ca 100644
--- a/static/redfish/v1/schema/OemAccountService_v1.xml
+++ b/static/redfish/v1/schema/OemAccountService_v1.xml
@@ -53,6 +53,12 @@
<Annotation Term="OData.Description" String="Indicates whether XToken authorization is enabled."/>
<Annotation Term="OData.LongDescription" String="The value of this property shall be a boolean indicating whether XToken authorization is enabled."/>
</Property>
+
+ <Property Name="TLS" Type="Edm.Boolean">
+ <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
+ <Annotation Term="OData.Description" String="Indicates whether TLS authorization is enabled."/>
+ <Annotation Term="OData.LongDescription" String="The value of this property shall be a boolean indicating whether TLS authorization is enabled."/>
+ </Property>
</ComplexType>
<!--Base entity type for array members-->