Auth methods configuration
Added Oem extension for AccountService allowing user to configure
which authentication methods should be enabled. User is now able
to turn on and off authentication methods like BasicAuth, XToken, etc.
User is not allowed to turn off all of the methods at once - at least
one method has to be active to prevent lock-out. This configuration
is persistent, will be saved on file-system and will be loaded on
bmcweb's restart.
Tested:
No regression found in manual testing. By default everything works as before,
and disabling auth method prevents user to authenticate by it. Tested that
user is not allowed to disable all the methods - either in one PATCH or by
disabling them one at a time.
ServiceValidator run with success.
This change is a fix for this request:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/23590/18
which was revert here:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/26869
Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
Change-Id: I66b5ad423746f1992070a14f2983a07b1320190e
diff --git a/static/redfish/v1/schema/OemAccountService_v1.xml b/static/redfish/v1/schema/OemAccountService_v1.xml
new file mode 100644
index 0000000..626097b
--- /dev/null
+++ b/static/redfish/v1/schema/OemAccountService_v1.xml
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<edmx:Edmx xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx" Version="4.0">
+
+ <edmx:Reference Uri="http://docs.oasis-open.org/odata/odata/v4.0/errata03/csd01/complete/vocabularies/Org.OData.Core.V1.xml">
+ <edmx:Include Namespace="Org.OData.Core.V1" Alias="OData"/>
+ </edmx:Reference>
+ <edmx:Reference Uri="http://docs.oasis-open.org/odata/odata/v4.0/errata03/csd01/complete/vocabularies/Org.OData.Measures.V1.xml">
+ <edmx:Include Namespace="Org.OData.Measures.V1" Alias="Measures"/>
+ </edmx:Reference>
+ <edmx:Reference Uri="http://redfish.dmtf.org/schemas/v1/RedfishExtensions_v1.xml">
+ <edmx:Include Namespace="RedfishExtensions.v1_0_0" Alias="Redfish"/>
+ </edmx:Reference>
+ <edmx:Reference Uri="http://redfish.dmtf.org/schemas/v1/Resource_v1.xml">
+ <edmx:Include Namespace="Resource"/>
+ <edmx:Include Namespace="Resource.v1_0_0"/>
+ </edmx:Reference>
+
+ <edmx:DataServices>
+
+ <Schema xmlns="http://docs.oasis-open.org/odata/ns/edm" Namespace="OemAccountService">
+ <Annotation Term="Redfish.OwningEntity" String="OpenBMC"/>
+ </Schema>
+
+ <Schema xmlns="http://docs.oasis-open.org/odata/ns/edm" Namespace="OemAccountService.v1_0_0">
+ <Annotation Term="Redfish.OwningEntity" String="OpenBMC"/>
+ <Annotation Term="Redfish.Release" String="1.0"/>
+
+ <ComplexType Name="AuthMethodsConfig">
+ <Annotation Term="OData.AdditionalProperties" Bool="false"/>
+ <Annotation Term="OData.Description" String="Authorization Methods configuration."/>
+ <Annotation Term="OData.LongDescription" String="Configuration describing which auth methods are enabled."/>
+
+ <Property Name="BasicAuth" Type="Edm.Boolean">
+ <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
+ <Annotation Term="OData.Description" String="Indicates whether BasicAuth authorization is enabled."/>
+ <Annotation Term="OData.LongDescription" String="The value of this property shall be a boolean indicating whether BasicAuth authorization is enabled."/>
+ </Property>
+
+ <Property Name="Cookie" Type="Edm.Boolean">
+ <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
+ <Annotation Term="OData.Description" String="Indicates whether Cookie authorization is enabled."/>
+ <Annotation Term="OData.LongDescription" String="The value of this property shall be a boolean indicating whether Cookie authorization is enabled."/>
+ </Property>
+
+ <Property Name="SessionToken" Type="Edm.Boolean">
+ <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
+ <Annotation Term="OData.Description" String="Indicates whether SessionToken authorization is enabled."/>
+ <Annotation Term="OData.LongDescription" String="The value of this property shall be a boolean indicating whether SessionToken authorization is enabled."/>
+ </Property>
+
+ <Property Name="XToken" Type="Edm.Boolean">
+ <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
+ <Annotation Term="OData.Description" String="Indicates whether XToken authorization is enabled."/>
+ <Annotation Term="OData.LongDescription" String="The value of this property shall be a boolean indicating whether XToken authorization is enabled."/>
+ </Property>
+ </ComplexType>
+
+ <!--Base entity type for array members-->
+ <EntityType Name="AccountService" BaseType="Resource.OemObject" Abstract="true">
+ <Annotation Term="OData.Description" String="OEM Extension for AccountService"/>
+ <Annotation Term="OData.LongDescription" String="OEM Extension for AccountService providing info about TLS Auth."/>
+
+ <Property Name="AuthMethods" Type="OemAccountService.v1_0_0.AuthMethodsConfig">
+ <Annotation Term="OData.Description" String="Authorization Methods configuration."/>
+ <Annotation Term="OData.LongDescription" String="Configuration describing which auth methods are enabled."/>
+ </Property>
+ </EntityType>
+ </Schema>
+
+ </edmx:DataServices>
+</edmx:Edmx>