Store Request Fields that are needed later
Because of recent changes to how dbus authentication is done, Requests
might be moved out before they can be used. This commit is an attempt
to mitigate the problem without needing to revert that patch.
This commit does two relatively distinct things.
First, it moves basic auth types to a model where they're timed out
instead of removed on destruction. This removes the need for a Request
object to track that state, and arguably gives better behavior, as
basic auth sessions will survive through the timeout.
To prevent lots of basic auth sessions getting created, a basic auth
session is reused if it was:
1. Created by basic auth previously.
2. Created by the same user.
3. Created from the same source IP address.
Second, both connection classes now store the accept, and origin headers
from the request in the connection class itself, removing the need for
them.
Tested: HTML page now loads when pointing at a redfish URL with a
browser.
Change-Id: I623b43cbcbb43d9e65b408853660be09a5edb2b3
Signed-off-by: Ed Tanous <ed@tanous.net>
diff --git a/include/authentication.hpp b/include/authentication.hpp
index 2c3a08a..5c7ec19 100644
--- a/include/authentication.hpp
+++ b/include/authentication.hpp
@@ -19,20 +19,6 @@
namespace authentication
{
-inline void cleanupTempSession(const Request& req)
-{
- // TODO(ed) THis should really be handled by the persistent data
- // middleware, but because it is upstream, it doesn't have access to the
- // session information. Should the data middleware persist the current
- // user session?
- if (req.session != nullptr &&
- req.session->persistence ==
- persistent_data::PersistenceType::SINGLE_REQUEST)
- {
- persistent_data::SessionStore::getInstance().removeSession(req.session);
- }
-}
-
inline std::shared_ptr<persistent_data::UserSession>
performBasicAuth(const boost::asio::ip::address& clientIp,
std::string_view authHeader)
@@ -76,15 +62,29 @@
return nullptr;
}
- // TODO(ed) generateUserSession is a little expensive for basic
- // auth, as it generates some random identifiers that will never be
- // used. This should have a "fast" path for when user tokens aren't
- // needed.
- // This whole flow needs to be revisited anyway, as we can't be
- // calling directly into pam for every request
+ // Attempt to locate an existing Basic Auth session from the same ip address
+ // and user
+ for (auto& session :
+ persistent_data::SessionStore::getInstance().getSessions())
+ {
+ if (session->sessionType != persistent_data::SessionType::Basic)
+ {
+ continue;
+ }
+ if (session->clientIp != redfish::ip_util::toString(clientIp))
+ {
+ continue;
+ }
+ if (session->username != user)
+ {
+ continue;
+ }
+ return session;
+ }
+
return persistent_data::SessionStore::getInstance().generateUserSession(
- user, clientIp, std::nullopt,
- persistent_data::PersistenceType::SINGLE_REQUEST, isConfigureSelfOnly);
+ user, clientIp, std::nullopt, persistent_data::SessionType::Basic,
+ isConfigureSelfOnly);
}
inline std::shared_ptr<persistent_data::UserSession>