Revert "Auth methods configuration"
This reverts commit 0ff64dc2cd3a15b4204a477ad2eb5219d66e6110.
Reason for revert: <breaks redfish validator, <edmx:Reference Uri="/redfish/v1/schema/OemAccountService_v1.xml"> but the file name unversioned static/redfish/v1/schema/OemAccountService.xml>
Change-Id: I696dd09bf519e364f5f529a674e047a8eeead578
Signed-off-by: James Feist <james.feist@linux.intel.com>
diff --git a/include/persistent_data_middleware.hpp b/include/persistent_data_middleware.hpp
index 348079b..c368ab2 100644
--- a/include/persistent_data_middleware.hpp
+++ b/include/persistent_data_middleware.hpp
@@ -100,12 +100,6 @@
systemUuid = *jSystemUuid;
}
}
- else if (item.key() == "auth_config")
- {
- SessionStore::getInstance()
- .getAuthMethodsConfig()
- .fromJson(item.value());
- }
else if (item.key() == "sessions")
{
for (const auto& elem : item.value())
@@ -169,7 +163,6 @@
nlohmann::json data{
{"sessions", SessionStore::getInstance().authTokens},
- {"auth_config", SessionStore::getInstance().getAuthMethodsConfig()},
{"system_uuid", systemUuid},
{"revision", jsonRevision}};
persistentFile << data;
diff --git a/include/sessions.hpp b/include/sessions.hpp
index 7493494..df65d61 100644
--- a/include/sessions.hpp
+++ b/include/sessions.hpp
@@ -339,43 +339,6 @@
}
};
-struct AuthConfigMethods
-{
- bool xtoken = true;
- bool cookie = true;
- bool sessionToken = true;
- bool basic = true;
-
- void fromJson(const nlohmann::json& j)
- {
- for (const auto& element : j.items())
- {
- const bool* value = element.value().get_ptr<const bool*>();
- if (value == nullptr)
- {
- continue;
- }
-
- if (element.key() == "XToken")
- {
- xtoken = *value;
- }
- else if (element.key() == "Cookie")
- {
- cookie = *value;
- }
- else if (element.key() == "SessionToken")
- {
- sessionToken = *value;
- }
- else if (element.key() == "BasicAuth")
- {
- basic = *value;
- }
- }
- }
-};
-
class Middleware;
class SessionStore
@@ -482,17 +445,6 @@
return ret;
}
- void updateAuthMethodsConfig(const AuthConfigMethods& config)
- {
- authMethodsConfig = config;
- needWrite = true;
- }
-
- AuthConfigMethods& getAuthMethodsConfig()
- {
- return authMethodsConfig;
- }
-
bool needsWrite()
{
return needWrite;
@@ -549,7 +501,6 @@
std::random_device rd;
bool needWrite{false};
std::chrono::minutes timeoutInMinutes;
- AuthConfigMethods authMethodsConfig;
};
} // namespace persistent_data
@@ -575,16 +526,4 @@
}
}
};
-
-template <> struct adl_serializer<crow::persistent_data::AuthConfigMethods>
-{
- static void to_json(nlohmann::json& j,
- const crow::persistent_data::AuthConfigMethods& c)
- {
- j = nlohmann::json{{"XToken", c.xtoken},
- {"Cookie", c.cookie},
- {"SessionToken", c.sessionToken},
- {"BasicAuth", c.basic}};
- }
-};
} // namespace nlohmann
diff --git a/include/token_authorization_middleware.hpp b/include/token_authorization_middleware.hpp
index 7e4e3bb..0a44050 100644
--- a/include/token_authorization_middleware.hpp
+++ b/include/token_authorization_middleware.hpp
@@ -31,15 +31,8 @@
return;
}
- const crow::persistent_data::AuthConfigMethods& authMethodsConfig =
- crow::persistent_data::SessionStore::getInstance()
- .getAuthMethodsConfig();
-
- if (req.session == nullptr && authMethodsConfig.xtoken)
- {
- req.session = performXtokenAuth(req);
- }
- if (req.session == nullptr && authMethodsConfig.cookie)
+ req.session = performXtokenAuth(req);
+ if (req.session == nullptr)
{
req.session = performCookieAuth(req);
}
@@ -49,13 +42,11 @@
if (!authHeader.empty())
{
// Reject any kind of auth other than basic or token
- if (boost::starts_with(authHeader, "Token ") &&
- authMethodsConfig.sessionToken)
+ if (boost::starts_with(authHeader, "Token "))
{
req.session = performTokenAuth(authHeader);
}
- else if (boost::starts_with(authHeader, "Basic ") &&
- authMethodsConfig.basic)
+ else if (boost::starts_with(authHeader, "Basic "))
{
req.session = performBasicAuth(authHeader);
}
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index f8647b9..07efeb5 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -505,8 +505,7 @@
class AccountService : public Node
{
public:
- AccountService(CrowApp& app) :
- Node(app, "/redfish/v1/AccountService/"), app(app)
+ AccountService(CrowApp& app) : Node(app, "/redfish/v1/AccountService/")
{
entityPrivileges = {
{boost::beast::http::verb::get,
@@ -840,65 +839,6 @@
ldapEnableInterface, "Enabled", std::variant<bool>(serviceEnabled));
}
- void handleAuthMethodsPatch(nlohmann::json& input,
- const std::shared_ptr<AsyncResp>& asyncResp)
- {
- std::optional<bool> basicAuth;
- std::optional<bool> cookie;
- std::optional<bool> sessionToken;
- std::optional<bool> xToken;
-
- if (!json_util::readJson(input, asyncResp->res, "BasicAuth", basicAuth,
- "Cookie", cookie, "SessionToken", sessionToken,
- "XToken", xToken))
- {
- BMCWEB_LOG_ERROR << "Cannot read values from AuthMethod tag";
- return;
- }
-
- // Make a copy of methods configuration
- crow::persistent_data::AuthConfigMethods authMethodsConfig =
- crow::persistent_data::SessionStore::getInstance()
- .getAuthMethodsConfig();
-
- if (basicAuth)
- {
- authMethodsConfig.basic = *basicAuth;
- }
-
- if (cookie)
- {
- authMethodsConfig.cookie = *cookie;
- }
-
- if (sessionToken)
- {
- authMethodsConfig.sessionToken = *sessionToken;
- }
-
- if (xToken)
- {
- authMethodsConfig.xtoken = *xToken;
- }
-
- if (!authMethodsConfig.basic && !authMethodsConfig.cookie &&
- !authMethodsConfig.sessionToken && !authMethodsConfig.xtoken)
- {
- // Do not allow user to disable everything
- messages::actionNotSupported(asyncResp->res,
- "of disabling all available methods");
- return;
- }
-
- crow::persistent_data::SessionStore::getInstance()
- .updateAuthMethodsConfig(authMethodsConfig);
- // Save configuration immediately
- app.template getMiddleware<crow::persistent_data::Middleware>()
- .writeData();
-
- messages::success(asyncResp->res);
- }
-
/**
* @brief Get the required values from the given JSON, validates the
* value and create the LDAP config object.
@@ -1075,10 +1015,6 @@
void doGet(crow::Response& res, const crow::Request& req,
const std::vector<std::string>& params) override
{
- const crow::persistent_data::AuthConfigMethods& authMethodsConfig =
- crow::persistent_data::SessionStore::getInstance()
- .getAuthMethodsConfig();
-
auto asyncResp = std::make_shared<AsyncResp>(res);
res.jsonValue = {
{"@odata.context", "/redfish/v1/"
@@ -1094,16 +1030,6 @@
{"Accounts",
{{"@odata.id", "/redfish/v1/AccountService/Accounts"}}},
{"Roles", {{"@odata.id", "/redfish/v1/AccountService/Roles"}}},
- {"Oem",
- {{"OpenBMC",
- {{"@odata.type", "#OemAccountService.v1_0_0.AccountService"},
- {"AuthMethods",
- {
- {"BasicAuth", authMethodsConfig.basic},
- {"SessionToken", authMethodsConfig.sessionToken},
- {"XToken", authMethodsConfig.xtoken},
- {"Cookie", authMethodsConfig.cookie},
- }}}}}},
{"LDAP",
{{"Certificates",
{{"@odata.id",
@@ -1181,14 +1107,13 @@
std::optional<uint16_t> maxPasswordLength;
std::optional<nlohmann::json> ldapObject;
std::optional<nlohmann::json> activeDirectoryObject;
- std::optional<nlohmann::json> oemObject;
- if (!json_util::readJson(
- req, res, "AccountLockoutDuration", unlockTimeout,
- "AccountLockoutThreshold", lockoutThreshold,
- "MaxPasswordLength", maxPasswordLength, "MinPasswordLength",
- minPasswordLength, "LDAP", ldapObject, "ActiveDirectory",
- activeDirectoryObject, "Oem", oemObject))
+ if (!json_util::readJson(req, res, "AccountLockoutDuration",
+ unlockTimeout, "AccountLockoutThreshold",
+ lockoutThreshold, "MaxPasswordLength",
+ maxPasswordLength, "MinPasswordLength",
+ minPasswordLength, "LDAP", ldapObject,
+ "ActiveDirectory", activeDirectoryObject))
{
return;
}
@@ -1208,22 +1133,6 @@
handleLDAPPatch(*ldapObject, asyncResp, req, params, "LDAP");
}
- if (std::optional<nlohmann::json> oemOpenBMCObject;
- oemObject &&
- json_util::readJson(*oemObject, res, "OpenBMC", oemOpenBMCObject))
- {
- if (std::optional<nlohmann::json> authMethodsObject;
- oemOpenBMCObject &&
- json_util::readJson(*oemOpenBMCObject, res, "AuthMethods",
- authMethodsObject))
- {
- if (authMethodsObject)
- {
- handleAuthMethodsPatch(*authMethodsObject, asyncResp);
- }
- }
- }
-
if (activeDirectoryObject)
{
handleLDAPPatch(*activeDirectoryObject, asyncResp, req, params,
@@ -1264,8 +1173,6 @@
std::variant<uint16_t>(*lockoutThreshold));
}
}
-
- CrowApp& app;
};
class AccountsCollection : public Node
diff --git a/static/redfish/v1/$metadata/index.xml b/static/redfish/v1/$metadata/index.xml
index 4804e48..7383365 100644
--- a/static/redfish/v1/$metadata/index.xml
+++ b/static/redfish/v1/$metadata/index.xml
@@ -1045,10 +1045,6 @@
<edmx:Include Namespace="NetworkPort.v1_2_2"/>
<edmx:Include Namespace="NetworkPort.v1_2_3"/>
</edmx:Reference>
- <edmx:Reference Uri="/redfish/v1/schema/OemAccountService_v1.xml">
- <edmx:Include Namespace="OemAccountService"/>
- <edmx:Include Namespace="OemAccountService.v1_0_0"/>
- </edmx:Reference>
<edmx:Reference Uri="/redfish/v1/schema/NetworkPortCollection_v1.xml">
<edmx:Include Namespace="NetworkPortCollection"/>
</edmx:Reference>
diff --git a/static/redfish/v1/JsonSchemas/OemAccountService/index.json b/static/redfish/v1/JsonSchemas/OemAccountService/index.json
deleted file mode 100644
index 5283170..0000000
--- a/static/redfish/v1/JsonSchemas/OemAccountService/index.json
+++ /dev/null
@@ -1,102 +0,0 @@
-{
- "$id": "http://redfish.dmtf.org/schemas/v1/OemAccountService.v1_0_0.json",
- "$schema": "http://redfish.dmtf.org/schemas/v1/redfish-schema-v1.json",
- "copyright": "Copyright 2014-2019 DMTF. For the full DMTF copyright policy, see http://www.dmtf.org/about/policies/copyright",
- "definitions": {
- "AccountService": {
- "additionalProperties": false,
- "description": "OEM Extension for AccountService",
- "longDescription": "OEM Extension for AccountService providing info about TLS Auth.",
- "patternProperties": {
- "^([a-zA-Z_][a-zA-Z0-9_]*)?@(odata|Redfish|Message)\\.[a-zA-Z_][a-zA-Z0-9_]*$": {
- "description": "This property shall specify a valid odata or Redfish property.",
- "type": [
- "array",
- "boolean",
- "integer",
- "number",
- "null",
- "object",
- "string"
- ]
- }
- },
- "properties": {
- "AuthMethods": {
- "anyOf": [
- {
- "$ref": "#/definitions/AuthMethodsConfig"
- },
- {
- "type": "null"
- }
- ],
- "description": "Authorization Methods configuration.",
- "longDescription": "Configuration describing which auth methods are enabled."
- }
- },
- "type": "object"
- },
- "AuthMethodsConfig": {
- "additionalProperties": false,
- "description": "Authorization Methods configuration.",
- "longDescription": "Configuration describing which auth methods are enabled.",
- "patternProperties": {
- "^([a-zA-Z_][a-zA-Z0-9_]*)?@(odata|Redfish|Message)\\.[a-zA-Z_][a-zA-Z0-9_]*$": {
- "description": "This property shall specify a valid odata or Redfish property.",
- "type": [
- "array",
- "boolean",
- "integer",
- "number",
- "null",
- "object",
- "string"
- ]
- }
- },
- "properties": {
- "BasicAuth": {
- "description": "Indicates whether BasicAuth authorization is enabled.",
- "longDescription": "The value of this property shall be a boolean indicating whether BasicAuth authorization is enabled.",
- "readonly": false,
- "type": [
- "boolean",
- "null"
- ]
- },
- "Cookie": {
- "description": "Indicates whether Cookie authorization is enabled.",
- "longDescription": "The value of this property shall be a boolean indicating whether Cookie authorization is enabled.",
- "readonly": false,
- "type": [
- "boolean",
- "null"
- ]
- },
- "SessionToken": {
- "description": "Indicates whether SessionToken authorization is enabled.",
- "longDescription": "The value of this property shall be a boolean indicating whether SessionToken authorization is enabled.",
- "readonly": false,
- "type": [
- "boolean",
- "null"
- ]
- },
- "XToken": {
- "description": "Indicates whether XToken authorization is enabled.",
- "longDescription": "The value of this property shall be a boolean indicating whether XToken authorization is enabled.",
- "readonly": false,
- "type": [
- "boolean",
- "null"
- ]
- }
- },
- "type": "object"
- }
- },
- "owningEntity": "OpenBMC",
- "release": "1.0",
- "title": "#OemAccountService.v1_0_0"
-}
\ No newline at end of file
diff --git a/static/redfish/v1/schema/OemAccountService.xml b/static/redfish/v1/schema/OemAccountService.xml
deleted file mode 100644
index 626097b..0000000
--- a/static/redfish/v1/schema/OemAccountService.xml
+++ /dev/null
@@ -1,71 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<edmx:Edmx xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx" Version="4.0">
-
- <edmx:Reference Uri="http://docs.oasis-open.org/odata/odata/v4.0/errata03/csd01/complete/vocabularies/Org.OData.Core.V1.xml">
- <edmx:Include Namespace="Org.OData.Core.V1" Alias="OData"/>
- </edmx:Reference>
- <edmx:Reference Uri="http://docs.oasis-open.org/odata/odata/v4.0/errata03/csd01/complete/vocabularies/Org.OData.Measures.V1.xml">
- <edmx:Include Namespace="Org.OData.Measures.V1" Alias="Measures"/>
- </edmx:Reference>
- <edmx:Reference Uri="http://redfish.dmtf.org/schemas/v1/RedfishExtensions_v1.xml">
- <edmx:Include Namespace="RedfishExtensions.v1_0_0" Alias="Redfish"/>
- </edmx:Reference>
- <edmx:Reference Uri="http://redfish.dmtf.org/schemas/v1/Resource_v1.xml">
- <edmx:Include Namespace="Resource"/>
- <edmx:Include Namespace="Resource.v1_0_0"/>
- </edmx:Reference>
-
- <edmx:DataServices>
-
- <Schema xmlns="http://docs.oasis-open.org/odata/ns/edm" Namespace="OemAccountService">
- <Annotation Term="Redfish.OwningEntity" String="OpenBMC"/>
- </Schema>
-
- <Schema xmlns="http://docs.oasis-open.org/odata/ns/edm" Namespace="OemAccountService.v1_0_0">
- <Annotation Term="Redfish.OwningEntity" String="OpenBMC"/>
- <Annotation Term="Redfish.Release" String="1.0"/>
-
- <ComplexType Name="AuthMethodsConfig">
- <Annotation Term="OData.AdditionalProperties" Bool="false"/>
- <Annotation Term="OData.Description" String="Authorization Methods configuration."/>
- <Annotation Term="OData.LongDescription" String="Configuration describing which auth methods are enabled."/>
-
- <Property Name="BasicAuth" Type="Edm.Boolean">
- <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
- <Annotation Term="OData.Description" String="Indicates whether BasicAuth authorization is enabled."/>
- <Annotation Term="OData.LongDescription" String="The value of this property shall be a boolean indicating whether BasicAuth authorization is enabled."/>
- </Property>
-
- <Property Name="Cookie" Type="Edm.Boolean">
- <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
- <Annotation Term="OData.Description" String="Indicates whether Cookie authorization is enabled."/>
- <Annotation Term="OData.LongDescription" String="The value of this property shall be a boolean indicating whether Cookie authorization is enabled."/>
- </Property>
-
- <Property Name="SessionToken" Type="Edm.Boolean">
- <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
- <Annotation Term="OData.Description" String="Indicates whether SessionToken authorization is enabled."/>
- <Annotation Term="OData.LongDescription" String="The value of this property shall be a boolean indicating whether SessionToken authorization is enabled."/>
- </Property>
-
- <Property Name="XToken" Type="Edm.Boolean">
- <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
- <Annotation Term="OData.Description" String="Indicates whether XToken authorization is enabled."/>
- <Annotation Term="OData.LongDescription" String="The value of this property shall be a boolean indicating whether XToken authorization is enabled."/>
- </Property>
- </ComplexType>
-
- <!--Base entity type for array members-->
- <EntityType Name="AccountService" BaseType="Resource.OemObject" Abstract="true">
- <Annotation Term="OData.Description" String="OEM Extension for AccountService"/>
- <Annotation Term="OData.LongDescription" String="OEM Extension for AccountService providing info about TLS Auth."/>
-
- <Property Name="AuthMethods" Type="OemAccountService.v1_0_0.AuthMethodsConfig">
- <Annotation Term="OData.Description" String="Authorization Methods configuration."/>
- <Annotation Term="OData.LongDescription" String="Configuration describing which auth methods are enabled."/>
- </Property>
- </EntityType>
- </Schema>
-
- </edmx:DataServices>
-</edmx:Edmx>