Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 59b98b2222fddbea3d6f678d9e94006521f0c381^! / . / include / forward_unauthorized.hpp
commit59b98b2222fddbea3d6f678d9e94006521f0c381[log] [tgz]
authorJohn Edward Broadbent <jebr@google.com>Tue Jul 13 15:36:32 2021 -0700
committerEd Tanous <ed@tanous.net>Thu Sep 09 02:22:38 2021 +0000
tree44a79228f34c6ae0ce2b333c2f524256f8469872
parent7bb985eeb0930905c2f4d551e895dd5293094931 [diff] [blame]
Change ownership of boost::req to crow::req

req is being created later, in the connection life cycle. req was
holding many important values when it was passed to authenticate, so the
authenticate call had to be refactored to includes all the data req was
holding.

Also uses of req before handle have been changed to direct calls to
boot::parse

Tested:
Made a request that did not require authentication
$ curl -vvvv --insecure "https://192.168.7.2:18080/redfish/v1"
Got correct service root

Made a unauthenticated request (Chassis)
$ curl -c cjar -b cjar -k -H "Content-Type: application/json" -X GET https://192.168.7.2:18080/redfish/v1/Chassis
Unauthenticated

Made a log-in request
$ curl -c cjar -b cjar -k -H "Content-Type: application/json" -X POST https://192.168.7.2:18080/login -d "{\"data\": [ \"root\", \"0penBmc\" ] }"

Made (same) Chassis request
$ curl -c cjar -b cjar -k -H "Content-Type: application/json" -X GET https://192.168.7.2:18080/redfish/v1/Chassis

Tested the websockets using scripts/websocket_test.py
Websockets continued to work after this change.

Followed the mTLS instructions here https://github.com/openbmc/docs/blob/master/security/TLS-configuration.md
mTLS continues to work after this change.

Change-Id: I78f78063be0331be00b66349d5d184847add1708
Signed-off-by: John Edward Broadbent <jebr@google.com>

diff --git a/include/forward_unauthorized.hpp b/include/forward_unauthorized.hpp
index 46a25d4..29fef33 100644
--- a/include/forward_unauthorized.hpp
+++ b/include/forward_unauthorized.hpp

@@ -8,18 +8,19 @@
 
 static bool hasWebuiRoute = false;
 
-inline void sendUnauthorized(const crow::Request& req, crow::Response& res)
+inline void sendUnauthorized(std::string_view url, std::string_view userAgent,
+                             std::string_view accept, crow::Response& res)
 {
     // If it's a browser connecting, don't send the HTTP authenticate
     // header, to avoid possible CSRF attacks with basic auth
-    if (http_helpers::requestPrefersHtml(req))
+    if (http_helpers::requestPrefersHtml(accept))
     {
         // If we have a webui installed, redirect to that login page
         if (hasWebuiRoute)
         {
             res.result(boost::beast::http::status::temporary_redirect);
             res.addHeader("Location",
-                          "/#/login?next=" + http_helpers::urlEncode(req.url));
+                          "/#/login?next=" + http_helpers::urlEncode(url));
         }
         else
         {
@@ -35,7 +36,7 @@
         // only send the WWW-authenticate header if this isn't a xhr
         // from the browser.  Most scripts, tend to not set a user-agent header.
         // So key off that to know whether or not we need to suggest basic auth
-        if (req.getHeaderValue("User-Agent").empty())
+        if (userAgent.empty())
         {
             res.addHeader("WWW-Authenticate", "Basic");
         }