Corrects issues in session
The previous commit https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45175
caused an issue with sessions, that is addressed by this change.
Tested:
Ed Tanous tested:
redfishtool -S Always -A Basic -u root -p 0penBmc -r 192.168.7.2 raw
GET /redfish/v1/Managers/bmc
redfishtool -S Always -A Session -u root -p 0penBmc -r 192.168.7.2 raw
GET /redfish/v1/Managers/bmc
Both return the manager.
Signed-off-by: John Edward Broadbent <jebr@google.com>
Change-Id: Ic00989286444baad88745cc1925602449372d1ac
diff --git a/include/authorization.hpp b/include/authorization.hpp
index ecbdca0..ecc83fc 100644
--- a/include/authorization.hpp
+++ b/include/authorization.hpp
@@ -42,8 +42,14 @@
{
BMCWEB_LOG_DEBUG << "[AuthMiddleware] Basic authentication";
- std::string authData;
+ if (!boost::starts_with(authHeader, "Basic "))
+ {
+ return nullptr;
+ }
+
std::string_view param = authHeader.substr(strlen("Basic "));
+ std::string authData;
+
if (!crow::utility::base64Decode(param, authData))
{
return nullptr;
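Review bot: The new `boost::starts_with(authHeader, "Basic ")` guard is a case-sensitive scheme comparison, so a client sending `basic <credentials>` is now rejected with nullptr before decoding; RFC 7235 defines the auth-scheme token as case-insensitive, so if conformance is intended the check should be `if (!boost::istarts_with(authHeader, "Basic "))` (same header as `starts_with`), and the same applies to the `"Token "` guard added in the next hunk. If the case-sensitive match is deliberate, a one-line comment stating so, e.g. `// Scheme match is intentionally case-sensitive`, would save the next reader the question. The guard itself is a real fix: without it `authHeader.substr(strlen("Basic "))` could be evaluated on a header shorter than six characters. performBasicAuth's signature and the rest of its body lie outside this hunk.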
@@ -91,7 +97,10 @@
performTokenAuth(std::string_view authHeader)
{
BMCWEB_LOG_DEBUG << "[AuthMiddleware] Token authentication";
-
+ if (!boost::starts_with(authHeader, "Token "))
+ {
+ return nullptr;
+ }
std::string_view token = authHeader.substr(strlen("Token "));
auto sessionOut =
persistent_data::SessionStore::getInstance().loginSessionByToken(token);
@@ -280,29 +289,25 @@
}
#endif
std::string_view authHeader = reqHeader["Authorization"];
+ BMCWEB_LOG_ERROR << "authHeader=" << authHeader;
- if (!authHeader.empty())
+ if (sessionOut == nullptr && authMethodsConfig.sessionToken)
{
- // Reject any kind of auth other than basic or token
- if (boost::starts_with(authHeader, "Token ") &&
- authMethodsConfig.sessionToken)
- {
#ifdef BMCWEB_ENABLE_SESSION_AUTHENTICATION
- sessionOut = performTokenAuth(authHeader);
+ sessionOut = performTokenAuth(authHeader);
#endif
- }
- else if (boost::starts_with(authHeader, "Basic ") &&
- authMethodsConfig.basic)
- {
-#ifdef BMCWEB_ENABLE_BASIC_AUTHENTICATION
- sessionOut = performBasicAuth(ipAddress, authHeader);
-#endif
- }
- if (sessionOut != nullptr)
- {
- return sessionOut;
- }
}
+ if (sessionOut == nullptr && authMethodsConfig.basic)
+ {
+#ifdef BMCWEB_ENABLE_BASIC_AUTHENTICATION
+ sessionOut = performBasicAuth(ipAddress, authHeader);
+#endif
+ }
+ if (sessionOut != nullptr)
+ {
+ return sessionOut;
+ }
+
BMCWEB_LOG_WARNING << "[AuthMiddleware] authorization failed";
forward_unauthorized::sendUnauthorized(url, reqHeader["User-Agent"],
reqHeader["accept"], res);
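Review bot: `BMCWEB_LOG_ERROR << "authHeader=" << authHeader;` writes the raw Authorization header to the log at ERROR severity on every request that reaches this point, and that value is the base64-encoded `user:password` for Basic and the bearer session token for Token authentication, so live credentials end up in the BMC journal and in any log export. That line looks like leftover debugging and should be dropped, or at most reduced to presence and scheme at debug level, e.g. `BMCWEB_LOG_DEBUG << "[AuthMiddleware] Authorization header present=" << !authHeader.empty();`. With the `if (!authHeader.empty())` guard removed, an empty header now reaches performTokenAuth and performBasicAuth, which is safe only because the `starts_with` checks added in the earlier hunks return nullptr first; a short comment above the two `sessionOut == nullptr` blocks, such as `// Each helper validates its own scheme prefix and returns nullptr otherwise`, would make that dependency explicit. The enclosing function begins before this hunk and continues after it.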