remove meta mtls parse mode
As the patches that enable the UserPrincipalName parse mode have been
merged successfully, the Meta-only parse mode can now be removed. This
commit removes MTLSCommonNameParseMode::Meta from the upstream code.
Tested:
- build bmcweb
- deploy to a device that already uses UPN
- check that it works by sending a curl request to /AccountService
Change-Id: Idcf4340a2a9940f035aea41cd30ef4df7bd95530
Signed-off-by: Malik Akbar Hashemi Rafsanjani <malikrafsan@meta.com>
diff --git a/http/mutual_tls.cpp b/http/mutual_tls.cpp
index 209c929..3d170a2 100644
--- a/http/mutual_tls.cpp
+++ b/http/mutual_tls.cpp
@@ -26,7 +26,6 @@
}
#include "logging.hpp"
-#include "mutual_tls_meta.hpp"
#include <boost/asio/ip/address.hpp>
#include <boost/asio/ssl/verify_context.hpp>
@@ -145,18 +144,6 @@
return ret;
}
-std::string getMetaUserNameFromCert(X509* cert)
-{
- // Meta Inc. CommonName parsing
- std::optional<std::string_view> sslUserMeta =
- mtlsMetaParseSslUser(getCommonNameFromCert(cert));
- if (!sslUserMeta)
- {
- return "";
- }
- return std::string{*sslUserMeta};
-}
-
std::string getUsernameFromCert(X509* cert)
{
const persistent_data::AuthConfigMethods& authMethodsConfig =
@@ -183,13 +170,6 @@
{
return getCommonNameFromCert(cert);
}
- case persistent_data::MTLSCommonNameParseMode::Meta:
- {
- if constexpr (BMCWEB_META_TLS_COMMON_NAME_PARSING)
- {
- return getMetaUserNameFromCert(cert);
- }
- }
default:
{
return "";
diff --git a/http/mutual_tls_meta.hpp b/http/mutual_tls_meta.hpp
deleted file mode 100644
index 861c209..0000000
--- a/http/mutual_tls_meta.hpp
+++ /dev/null
@@ -1,76 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-// SPDX-FileCopyrightText: Copyright OpenBMC Authors
-#pragma once
-
-#include "logging.hpp"
-
-#include <cstddef>
-#include <format>
-#include <optional>
-#include <string>
-#include <string_view>
-
-inline std::optional<std::string_view> mtlsMetaParseSslUser(
- std::string_view sslUser)
-{
- // Parses a Meta internal TLS client certificate Subject CN in
- // '<entityType>:<entity>[/<hostname>]' format and returns the resulting
- // POSIX-compatible local user name on success, null otherwise.
- //
- // Only entityType = "user" is supported for now.
- //
- // Example client subject CN -> local user name:
- // "user:a_username/hostname" -> "a_username"
-
- // Parse entityType
- size_t colonIndex = sslUser.find(':');
- if (colonIndex == std::string_view::npos)
- {
- BMCWEB_LOG_WARNING("Invalid Meta TLS client cert Subject CN: '{}'",
- sslUser);
- return std::nullopt;
- }
-
- std::string_view entityType = sslUser.substr(0, colonIndex);
- sslUser.remove_prefix(colonIndex + 1);
- if (entityType != "user")
- {
- BMCWEB_LOG_WARNING(
- "Invalid/unsupported entityType='{}' in Meta TLS client cert Subject CN: '{}'",
- entityType, sslUser);
- return std::nullopt;
- }
-
- // Parse entity
- size_t slashIndex = sslUser.find('/');
- std::string_view entity;
- if (slashIndex == std::string_view::npos)
- {
- // No '/' character, Subject CN is just '<entityType>:<entity>'
- entity = sslUser;
- }
- else
- {
- // Subject CN ends with /<hostname>
- entity = sslUser.substr(0, slashIndex);
- sslUser.remove_prefix(slashIndex + 1);
-
- if (entity.find_first_not_of(
- "abcdefghijklmnopqrstuvwxyz0123456789_-.") != std::string::npos)
- {
- BMCWEB_LOG_WARNING(
- "Invalid entity='{}' in Meta TLS client cert Subject CN: '{}'",
- entity, sslUser);
- return std::nullopt;
- }
- }
-
- if (entity.empty())
- {
- BMCWEB_LOG_DEBUG("Invalid Meta TLS client cert Subject CN: '{}'",
- sslUser);
- return std::nullopt;
- }
-
- return entity;
-}
diff --git a/http/mutual_tls_private.hpp b/http/mutual_tls_private.hpp
index c28a99e..c2acb78 100644
--- a/http/mutual_tls_private.hpp
+++ b/http/mutual_tls_private.hpp
@@ -11,8 +11,6 @@
std::string getUPNFromCert(X509* peerCert, std::string_view hostname);
-std::string getMetaUserNameFromCert(X509* cert);
-
std::string getUsernameFromCert(X509* cert);
bool isUPNMatch(std::string_view upn, std::string_view hostname);
diff --git a/include/sessions.hpp b/include/sessions.hpp
index 22aa3ad..2c9613a 100644
--- a/include/sessions.hpp
+++ b/include/sessions.hpp
@@ -161,7 +161,6 @@
// Intentional gap for future DMTF-defined enums
// OEM parsing modes for various OEMs
- Meta = 100,
};
inline MTLSCommonNameParseMode getMTLSCommonNameParseMode(std::string_view name)
@@ -179,13 +178,6 @@
{
return MTLSCommonNameParseMode::UserPrincipalName;
}
- if constexpr (BMCWEB_META_TLS_COMMON_NAME_PARSING)
- {
- if (name == "Meta")
- {
- return MTLSCommonNameParseMode::Meta;
- }
- }
return MTLSCommonNameParseMode::Invalid;
}
@@ -250,9 +242,7 @@
MTLSCommonNameParseMode tmpMTLSCommonNameParseMode =
static_cast<MTLSCommonNameParseMode>(*intValue);
if (tmpMTLSCommonNameParseMode <=
- MTLSCommonNameParseMode::UserPrincipalName ||
- tmpMTLSCommonNameParseMode ==
- MTLSCommonNameParseMode::Meta)
+ MTLSCommonNameParseMode::UserPrincipalName)
{
mTLSCommonNameParsingMode = tmpMTLSCommonNameParseMode;
}
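Review bot: A persisted integer of 100 (the former Meta enumerator) now fails the range check on the `+` line silently, so a device upgraded from a Meta-mode configuration keeps whatever mTLSCommonNameParsingMode held before this branch, presumably the build-time default, with nothing in the log explaining why the certificate-to-username mapping changed. Since this value decides which local identity an mTLS client is mapped to, the rejected path deserves a warning, e.g. `else { BMCWEB_LOG_WARNING("Ignoring unsupported MTLSCommonNameParseMode {}", *intValue); }`, assuming the logging macros are available in this header. A comment on the condition, `// Only DMTF-defined modes are accepted; values in the reserved gap are ignored`, would also make the intent of the bare `<=` visible now that the OEM clause is gone. The enclosing function starts and ends outside the hunk, and the Tested section only covers a device already on UPN, so the upgrade from a stored Meta value appears untested.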
diff --git a/meson.build b/meson.build
index 74c0492..e28a1b1 100644
--- a/meson.build
+++ b/meson.build
@@ -431,7 +431,6 @@
'test/http/http_connection_test.cpp',
'test/http/http_response_test.cpp',
'test/http/mutual_tls.cpp',
- 'test/http/mutual_tls_meta.cpp',
'test/http/parsing_test.cpp',
'test/http/router_test.cpp',
'test/http/server_sent_event_test.cpp',
diff --git a/meson.options b/meson.options
index 981fa8b..77aa237 100644
--- a/meson.options
+++ b/meson.options
@@ -250,11 +250,9 @@
option(
'mutual-tls-common-name-parsing-default',
type: 'combo',
- choices: ['CommonName', 'Whole', 'UserPrincipalName', 'Meta'],
- description: '''
- Parses the Subject CN in the format used by
- Meta Inc (see mutual_tls_meta.cpp for details)
- ''',
+ choices: ['CommonName', 'Whole', 'UserPrincipalName'],
+ description: '''Default MTLS parse mode to get username from the
+ client's x509 certificate''',
)
# BMCWEB_META_TLS_COMMON_NAME_PARSING
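Review bot: The `# BMCWEB_META_TLS_COMMON_NAME_PARSING` comment kept as trailing context at the end of the hunk suggests the option that defines that macro still follows it, while this commit removes its last visible consumers (the `if constexpr` blocks in mutual_tls.cpp, sessions.hpp and account_service.hpp). If so, the option is now dead: a build can still enable it and nothing changes, which is misleading for anyone configuring certificate parsing. It should be removed in the same change, or its description should state that it is a no-op until the option itself is dropped. The option definition is outside the hunk, so this needs confirming against the rest of meson.options.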
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index 63c51a8..e530d3e 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -1341,15 +1341,6 @@
return CertificateMappingAttribute::UserPrincipalName;
}
break;
-
- case MTLSCommonNameParseMode::Meta:
- {
- if constexpr (BMCWEB_META_TLS_COMMON_NAME_PARSING)
- {
- return CertificateMappingAttribute::CommonName;
- }
- }
- break;
default:
{
return CertificateMappingAttribute::Invalid;
diff --git a/test/http/mutual_tls_meta.cpp b/test/http/mutual_tls_meta.cpp
deleted file mode 100644
index daff3be..0000000
--- a/test/http/mutual_tls_meta.cpp
+++ /dev/null
@@ -1,55 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-// SPDX-FileCopyrightText: Copyright OpenBMC Authors
-#include "http/mutual_tls_meta.hpp"
-
-#include <optional>
-#include <string>
-#include <vector>
-
-#include <gtest/gtest.h>
-
-namespace redfish
-{
-namespace
-{
-
-TEST(MetaParseSslUser, userTest)
-{
- std::string sslUser = "user:kawajiri/hostname.facebook.com";
- EXPECT_EQ(mtlsMetaParseSslUser(sslUser), "kawajiri");
-}
-
-TEST(MetaParseSslUser, userNohostnameTest)
-{
- // hostname is optional
- std::string sslUser = "user:kawajiri";
- EXPECT_EQ(mtlsMetaParseSslUser(sslUser), "kawajiri");
-}
-
-TEST(MetaParseSslUser, invalidUsers)
-{
- std::vector<std::string> invalidSslUsers = {
- "",
- ":",
- ":/",
- "ijslakd",
- "user:",
- "user:/",
- "user:/hostname.facebook.com",
- "user:/hostname.facebook.c om",
- "user: space/hostname.facebook.com",
- "svc:",
- "svc:/",
- "svc:/hostname.facebook.com",
- "host:/",
- "host:unexpected_user/",
- };
-
- for (const std::string& sslUser : invalidSslUsers)
- {
- EXPECT_EQ(mtlsMetaParseSslUser(sslUser), std::nullopt);
- }
-}
-
-} // namespace
-} // namespace redfish