commit 78158631aeab5b77ea9a5f566508285cb839fadf
author Zbigniew Kurzynski <zbigniew.kurzynski@intel.com> Tue Nov 05 12:57:37 2019 +0100
committer Zbigniew Kurzynski <zbigniew.kurzynski@intel.com> Thu Nov 07 06:39:29 2019 +0000
tree 71d49ec71414858c532c121df98c9b6b629e7987
parent 1f8c7b5d6a679a38b82261060310b876079d0f8b

Auth methods configuration

Added Oem extension for AccountService allowing user to configure
which authentication methods should be enabled. User is now able
to turn on and off authentication methods like BasicAuth, XToken, etc.
User is not allowed to turn off all of the methods at once - at least
one method has to be active to prevent lock-out. This configuration
is persistent, will be saved on file-system and will be loaded on
bmcweb's restart.

Tested:
No regression found in manual testing. By default everything works as before,
and disabling auth method prevents user to authenticate by it. Tested that
user is not allowed to disable all the methods - either in one PATCH or by
disabling them one at a time.
ServiceValidator run with success.

This change is a fix for this request:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/23590/18

which was revert here:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/26869

Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
Change-Id: I66b5ad423746f1992070a14f2983a07b1320190e

include/token_authorization_middleware.hpp

diff --git a/include/token_authorization_middleware.hpp b/include/token_authorization_middleware.hpp
index 0a44050..7e4e3bb 100644
--- a/include/token_authorization_middleware.hpp
+++ b/include/token_authorization_middleware.hpp
@@ -31,8 +31,15 @@
             return;
         }
 
-        req.session = performXtokenAuth(req);
-        if (req.session == nullptr)
+        const crow::persistent_data::AuthConfigMethods& authMethodsConfig =
+            crow::persistent_data::SessionStore::getInstance()
+                .getAuthMethodsConfig();
+
+        if (req.session == nullptr && authMethodsConfig.xtoken)
+        {
+            req.session = performXtokenAuth(req);
+        }
+        if (req.session == nullptr && authMethodsConfig.cookie)
         {
             req.session = performCookieAuth(req);
         }
@@ -42,11 +49,13 @@
             if (!authHeader.empty())
             {
                 // Reject any kind of auth other than basic or token
-                if (boost::starts_with(authHeader, "Token "))
+                if (boost::starts_with(authHeader, "Token ") &&
+                    authMethodsConfig.sessionToken)
                 {
                     req.session = performTokenAuth(authHeader);
                 }
-                else if (boost::starts_with(authHeader, "Basic "))
+                else if (boost::starts_with(authHeader, "Basic ") &&
+                         authMethodsConfig.basic)
                 {
                     req.session = performBasicAuth(authHeader);
                 }