Fix MTLS Auth

MTLS Auth was not in the authenticate header, so it
now ran too late (in handle), because we now
authenticate before reading the headers.
Move it to the authenticate header.

Tested: MTLS in Chrome and via scripting allowed
GETs on resources

Change-Id: Ia765efd5c588b497de010605b474f6bb886a9dd1
Signed-off-by: James Feist <james.feist@linux.intel.com>
diff --git a/http/http_connection.h b/http/http_connection.h
index 9cf225f..35bf99c 100644
--- a/http/http_connection.h
+++ b/http/http_connection.h
@@ -543,38 +543,6 @@
             req->ioService = static_cast<decltype(req->ioService)>(
                 &adaptor.get_executor().context());
 
-#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
-            if (auto sp = session.lock())
-            {
-                // set cookie only if this is req from the browser.
-                if (req->getHeaderValue("User-Agent").empty())
-                {
-                    BMCWEB_LOG_DEBUG << this << " TLS session: " << sp->uniqueId
-                                     << " will be used for this request.";
-                    req->session = sp;
-                }
-                else
-                {
-                    std::string_view cookieValue =
-                        req->getHeaderValue("Cookie");
-                    if (cookieValue.empty() ||
-                        cookieValue.find("SESSION=") == std::string::npos)
-                    {
-                        res.addHeader("Set-Cookie",
-                                      "XSRF-TOKEN=" + sp->csrfToken +
-                                          "; Secure\r\nSet-Cookie: SESSION=" +
-                                          sp->sessionToken +
-                                          "; Secure; HttpOnly\r\nSet-Cookie: "
-                                          "IsAuthenticated=true; Secure");
-                        BMCWEB_LOG_DEBUG
-                            << this << " TLS session: " << sp->uniqueId
-                            << " with cookie will be used for this request.";
-                        req->session = sp;
-                    }
-                }
-            }
-#endif // BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
-
             detail::middlewareCallHelper<
                 0U, decltype(ctx), decltype(*middlewares), Middlewares...>(
                 *middlewares, *req, res, ctx);
@@ -767,7 +735,7 @@
                 {
                     req->url = req->url.substr(0, index);
                 }
-                crow::authorization::authenticate(*req, res);
+                crow::authorization::authenticate(*req, res, session);
 
                 bool loggedIn = req && req->session;
                 if (loggedIn)
@@ -976,9 +944,7 @@
 
     std::optional<crow::Request> req;
     crow::Response res;
-#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
     std::weak_ptr<crow::persistent_data::UserSession> session;
-#endif // BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
 
     const std::string& serverName;
 
diff --git a/include/authorization.hpp b/include/authorization.hpp
index 8237bc4..c00090b 100644
--- a/include/authorization.hpp
+++ b/include/authorization.hpp
@@ -163,6 +163,44 @@
     return session;
 }
 
+static const std::shared_ptr<crow::persistent_data::UserSession>
+    performTLSAuth(const crow::Request& req, Response& res,
+                   std::weak_ptr<crow::persistent_data::UserSession> session)
+{
+#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
+    if (auto sp = session.lock())
+    {
+        // set cookie only if this is req from the browser.
+        if (req.getHeaderValue("User-Agent").empty())
+        {
+            BMCWEB_LOG_DEBUG << " TLS session: " << sp->uniqueId
+                             << " will be used for this request.";
+            return sp;
+        }
+        else
+        {
+            std::string_view cookieValue = req.getHeaderValue("Cookie");
+            if (cookieValue.empty() ||
+                cookieValue.find("SESSION=") == std::string::npos)
+            {
+                // TODO: change this to not switch to cookie auth
+                res.addHeader(
+                    "Set-Cookie",
+                    "XSRF-TOKEN=" + sp->csrfToken +
+                        "; Secure\r\nSet-Cookie: SESSION=" + sp->sessionToken +
+                        "; Secure; HttpOnly\r\nSet-Cookie: "
+                        "IsAuthenticated=true; Secure");
+                BMCWEB_LOG_DEBUG
+                    << " TLS session: " << sp->uniqueId
+                    << " with cookie will be used for this request.";
+                return sp;
+            }
+        }
+    }
+#endif
+    return nullptr;
+}
+
 // checks if request can be forwarded without authentication
 static bool isOnWhitelist(const crow::Request& req)
 {
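Review bot: When BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION is not defined, performTLSAuth's `req`, `res` and `session` parameters are never referenced (the whole body is inside the #ifdef and only `return nullptr;` remains), which triggers -Wunused-parameter and fails -Werror builds; mark them `[[maybe_unused]]` or move the stub into an #else branch. The `const` on the by-value return type `static const std::shared_ptr<crow::persistent_data::UserSession>` only prevents the returned pointer from being moved; `static std::shared_ptr<crow::persistent_data::UserSession>` is enough. The `session` weak_ptr is taken by value here and again by `authenticate` in the next hunk, each copy costing refcount traffic; `const std::weak_ptr<crow::persistent_data::UserSession>&` avoids it in both places. A header comment stating the contract would help, e.g. `// Returns the client-certificate session when the request carries no User-Agent, or when a browser request has no SESSION cookie yet (in which case the session cookies are issued); returns nullptr otherwise, and always on non-MTLS builds.`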
@@ -197,7 +235,9 @@
     return false;
 }
 
-static void authenticate(crow::Request& req, Response& res)
+static void
+    authenticate(crow::Request& req, Response& res,
+                 std::weak_ptr<crow::persistent_data::UserSession> session)
 {
     if (isOnWhitelist(req))
     {
@@ -208,6 +248,10 @@
         crow::persistent_data::SessionStore::getInstance()
             .getAuthMethodsConfig();
 
+    if (req.session == nullptr && authMethodsConfig.tls)
+    {
+        req.session = performTLSAuth(req, res, session);
+    }
     if (req.session == nullptr && authMethodsConfig.xtoken)
     {
         req.session = performXtokenAuth(req);