Removed checking cookie in mTLS authentication
mTLS authentication should have the highest priority (according to code
in [1]) so it shouldn't be affected by cookies. If you provide a valid
certificate and a dummy cookie value, request will fail which means
cookies had higher priority than mTLS.
Tested:
Follow the guide in [2] to create a valid certificate for a user that
can access some resource (for example /redfish/v1/Chassis) and make two
requests:
curl --cert client-cert.pem --key client-key.pem -vvv --cacert
CA-cert.pem https://BMC_IP/redfish/v1/Chassis
curl --cert client-cert.pem --key client-key.pem -vvv --cacert
CA-cert.pem https://BMC_IP/redfish/v1/Chassis -H "Cookie: SESSION=123"
Before this change second request would fail with "401 Unauthorized"
[1]: https://github.com/openbmc/bmcweb/blob/bb759e3aeaadfec9f3aac4485f253bcc8a523e4c/include/authentication.hpp#L275
[2]: https://github.com/openbmc/docs/blob/f4febd002df578bad816239b70950f84ea4567e8/security/TLS-configuration.md
Signed-off-by: Karol Niczyj <karol.niczyj@intel.com>
Signed-off-by: Boleslaw Ogonczyk Makowski <boleslawx.ogonczyk-makowski@intel.com>
Change-Id: I5d6267332b7b97c11f638850108e671d0baa26fd
diff --git a/include/authentication.hpp b/include/authentication.hpp
index 93e9c8d..716b4bb 100644
--- a/include/authentication.hpp
+++ b/include/authentication.hpp
@@ -199,22 +199,16 @@
<< " will be used for this request.";
return sp;
}
- std::string_view cookieValue = reqHeader["Cookie"];
- if (cookieValue.empty() ||
- cookieValue.find("SESSION=") == std::string::npos)
- {
- // TODO: change this to not switch to cookie auth
- res.addHeader(
- "Set-Cookie",
- "XSRF-TOKEN=" + sp->csrfToken +
- "; SameSite=Strict; Secure\r\nSet-Cookie: SESSION=" +
- sp->sessionToken +
- "; SameSite=Strict; Secure; HttpOnly\r\nSet-Cookie: "
- "IsAuthenticated=true; Secure");
- BMCWEB_LOG_DEBUG << " TLS session: " << sp->uniqueId
- << " with cookie will be used for this request.";
- return sp;
- }
+ // TODO: change this to not switch to cookie auth
+ res.addHeader("Set-Cookie",
+ "XSRF-TOKEN=" + sp->csrfToken +
+ "; SameSite=Strict; Secure\r\nSet-Cookie: SESSION=" +
+ sp->sessionToken +
+ "; SameSite=Strict; Secure; HttpOnly\r\nSet-Cookie: "
+ "IsAuthenticated=true; Secure");
+ BMCWEB_LOG_DEBUG << " TLS session: " << sp->uniqueId
+ << " with cookie will be used for this request.";
+ return sp;
}
return nullptr;
}