commit ade2fe78b9907e5fa9d96d615f7682dade19e8c8
author Karol Niczyj <karol.niczyj@intel.com> Wed Apr 27 18:04:58 2022 +0200
committer Bolesław Ogończyk Mąkowski <boleslawx.ogonczyk-makowski@intel.com> Thu Jan 19 14:57:31 2023 +0000
tree 2e98acd6d1b54509e7bf39ef2d150e1a43940c84
parent 2b73119c57d054d1a0d67b376ae5651fccfae5ba

Removed checking cookie in mTLS authentication

mTLS authentication should have the highest priority (according to code
in [1]) so it shouldn't be affected by cookies. If you provide a valid
certificate and a dummy cookie value, request will fail which means
cookies had higher priority than mTLS.

Tested:
Follow the guide in [2] to create a valid certificate for a user that
can access some resource (for example /redfish/v1/Chassis) and make two
requests:

curl --cert client-cert.pem --key client-key.pem -vvv --cacert
CA-cert.pem https://BMC_IP/redfish/v1/Chassis

curl --cert client-cert.pem --key client-key.pem -vvv --cacert
CA-cert.pem https://BMC_IP/redfish/v1/Chassis -H "Cookie: SESSION=123"

Before this change second request would fail with "401 Unauthorized"

[1]: https://github.com/openbmc/bmcweb/blob/bb759e3aeaadfec9f3aac4485f253bcc8a523e4c/include/authentication.hpp#L275
[2]: https://github.com/openbmc/docs/blob/f4febd002df578bad816239b70950f84ea4567e8/security/TLS-configuration.md

Signed-off-by: Karol Niczyj <karol.niczyj@intel.com>
Signed-off-by: Boleslaw Ogonczyk Makowski <boleslawx.ogonczyk-makowski@intel.com>
Change-Id: I5d6267332b7b97c11f638850108e671d0baa26fd

include/authentication.hpp

diff --git a/include/authentication.hpp b/include/authentication.hpp
index 93e9c8d..716b4bb 100644
--- a/include/authentication.hpp
+++ b/include/authentication.hpp
@@ -199,22 +199,16 @@
                              << " will be used for this request.";
             return sp;
         }
-        std::string_view cookieValue = reqHeader["Cookie"];
-        if (cookieValue.empty() ||
-            cookieValue.find("SESSION=") == std::string::npos)
-        {
-            // TODO: change this to not switch to cookie auth
-            res.addHeader(
-                "Set-Cookie",
-                "XSRF-TOKEN=" + sp->csrfToken +
-                    "; SameSite=Strict; Secure\r\nSet-Cookie: SESSION=" +
-                    sp->sessionToken +
-                    "; SameSite=Strict; Secure; HttpOnly\r\nSet-Cookie: "
-                    "IsAuthenticated=true; Secure");
-            BMCWEB_LOG_DEBUG << " TLS session: " << sp->uniqueId
-                             << " with cookie will be used for this request.";
-            return sp;
-        }
+        // TODO: change this to not switch to cookie auth
+        res.addHeader("Set-Cookie",
+                      "XSRF-TOKEN=" + sp->csrfToken +
+                          "; SameSite=Strict; Secure\r\nSet-Cookie: SESSION=" +
+                          sp->sessionToken +
+                          "; SameSite=Strict; Secure; HttpOnly\r\nSet-Cookie: "
+                          "IsAuthenticated=true; Secure");
+        BMCWEB_LOG_DEBUG << " TLS session: " << sp->uniqueId
+                         << " with cookie will be used for this request.";
+        return sp;
     }
     return nullptr;
 }