commit a43ea82f71c6eaeeae8f28d0b0179d489decfd81
author Nan Zhou <nanzhoumails@gmail.com> Fri May 27 00:42:44 2022 +0000
committer Ed Tanous <ed@tanous.net> Tue May 31 15:50:05 2022 +0000
tree 56f6f4bb082deb42a67bce926297ff42f0370fcd
parent 1a1d5d6d06458f23e0c86aceda1c807c7553217a

meson option: make the insecure-disable-auth macro more accurate

The "auth" term is overloaded in meson option and macros. This commit
changes the macro from BMCWEB_INSECURE_DISABLE_AUTHENTICATION to
BMCWEB_INSECURE_DISABLE_AUTHX, given that if "insecure-disable-auth"
is enabled, both authentication and authorization are disabled.

Tested:
1. set 'insecure-disable-auth=enabled', no authz nor authn is performed,
no crash on AccountService as well.

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: Iddca1f866d16346bcc2017338fa6f077cb89cef9

http/http_connection.hpp

diff --git a/http/http_connection.hpp b/http/http_connection.hpp
index 330c565..2ea3f18 100644
--- a/http/http_connection.hpp
+++ b/http/http_connection.hpp
@@ -359,7 +359,7 @@
             completeRequest(res);
             return;
         }
-#ifndef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+#ifndef BMCWEB_INSECURE_DISABLE_AUTHX
         if (!crow::authentication::isOnAllowlist(req->url, req->method()) &&
             thisReq.session == nullptr)
         {
@@ -370,7 +370,7 @@
             completeRequest(res);
             return;
         }
-#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+#endif // BMCWEB_INSECURE_DISABLE_AUTHX
         auto asyncResp = std::make_shared<bmcweb::AsyncResp>();
         BMCWEB_LOG_DEBUG << "Setting completion handler";
         asyncResp->res.setCompleteRequestHandler(
@@ -579,7 +579,7 @@
                     BMCWEB_LOG_DEBUG << "Unable to get client IP";
                 }
                 sessionIsFromTransport = false;
-#ifndef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+#ifndef BMCWEB_INSECURE_DISABLE_AUTHX
                 boost::beast::http::verb method = parser->get().method();
                 userSession = crow::authentication::authenticate(
                     ip, res, method, parser->get().base(), userSession);
@@ -600,7 +600,7 @@
 
                     BMCWEB_LOG_DEBUG << "Starting quick deadline";
                 }
-#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+#endif // BMCWEB_INSECURE_DISABLE_AUTHX
 
                 doRead();
             });

meson.build

diff --git a/meson.build b/meson.build
index 33daf54..8724c62 100644
--- a/meson.build
+++ b/meson.build
@@ -65,7 +65,7 @@
   'google-api'                                  : '-DBMCWEB_ENABLE_GOOGLE_API',
   'host-serial-socket'                          : '-DBMCWEB_ENABLE_HOST_SERIAL_WEBSOCKET',
   'ibm-management-console'                      : '-DBMCWEB_ENABLE_IBM_MANAGEMENT_CONSOLE',
-  'insecure-disable-auth'                       : '-DBMCWEB_INSECURE_DISABLE_AUTHENTICATION',
+  'insecure-disable-auth'                       : '-DBMCWEB_INSECURE_DISABLE_AUTHX',
   'insecure-disable-csrf'                       : '-DBMCWEB_INSECURE_DISABLE_CSRF_PREVENTION',
   'insecure-disable-ssl'                        : '-DBMCWEB_INSECURE_DISABLE_SSL',
   'insecure-push-style-notification'            : '-DBMCWEB_INSECURE_ENABLE_HTTP_PUSH_STYLE_EVENTING',

meson_options.txt

diff --git a/meson_options.txt b/meson_options.txt
index c81f185..e731ab3 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -264,8 +264,8 @@
     'insecure-disable-auth',
     type: 'feature',
     value: 'disabled',
-    description: '''Disable authentication on all ports. Should be set to false
-                    for production systems'''
+    description: '''Disable authentication and authoriztion on all ports.
+                    Should be set to false for production systems.'''
 )
 
 option(

redfish-core/lib/account_service.hpp

diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index e675e82..99f126e 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -1719,14 +1719,14 @@
             {
                 return;
             }
-#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+#ifdef BMCWEB_INSECURE_DISABLE_AUTHX
             // If authentication is disabled, there are no user accounts
             messages::resourceNotFound(asyncResp->res,
                                        "#ManagerAccount.v1_4_0.ManagerAccount",
                                        accountName);
             return;
 
-#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+#endif // BMCWEB_INSECURE_DISABLE_AUTHX
             if (req.session == nullptr)
             {
                 messages::internalError(asyncResp->res);
@@ -1895,14 +1895,14 @@
                 {
                     return;
                 }
-#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+#ifdef BMCWEB_INSECURE_DISABLE_AUTHX
                 // If authentication is disabled, there are no user accounts
                 messages::resourceNotFound(
                     asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
                     username);
                 return;
 
-#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+#endif // BMCWEB_INSECURE_DISABLE_AUTHX
                 std::optional<std::string> newUserName;
                 std::optional<std::string> password;
                 std::optional<bool> enabled;
@@ -1992,14 +1992,14 @@
                     return;
                 }
 
-#ifdef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+#ifdef BMCWEB_INSECURE_DISABLE_AUTHX
                 // If authentication is disabled, there are no user accounts
                 messages::resourceNotFound(
                     asyncResp->res, "#ManagerAccount.v1_4_0.ManagerAccount",
                     username);
                 return;
 
-#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+#endif // BMCWEB_INSECURE_DISABLE_AUTHX
                 sdbusplus::message::object_path tempObjPath(rootUserDbusPath);
                 tempObjPath /= username;
                 const std::string userPath(tempObjPath);