Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 71d5d8dbf54dace8a559e593a2bc6011b7261af5 / . / include / authorization.hpp
blob: f8e74b9af029910f0cea1014adc3a8f13adac909 [file] [log] [blame]
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]1#pragma once
2
3#include "webroutes.hpp"
4
Ed Tanous04e438c2020-10-03 08:06:26 -0700[diff] [blame]5#include <app.hpp>
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]6#include <boost/algorithm/string/predicate.hpp>
7#include <boost/container/flat_set.hpp>
Ed Tanous04e438c2020-10-03 08:06:26 -0700[diff] [blame]8#include <common.hpp>
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]9#include <forward_unauthorized.hpp>
Ed Tanous04e438c2020-10-03 08:06:26 -0700[diff] [blame]10#include <http_request.hpp>
11#include <http_response.hpp>
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]12#include <http_utility.hpp>
13#include <pam_authenticate.hpp>
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]14
15#include <random>
Ed Tanousb5a76932020-09-29 16:16:58 -0700[diff] [blame]16#include <utility>
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]17
18namespace crow
19{
20
21namespace authorization
22{
23
24static void cleanupTempSession(Request& req)
25{
26 // TODO(ed) THis should really be handled by the persistent data
27 // middleware, but because it is upstream, it doesn't have access to the
28 // session information. Should the data middleware persist the current
29 // user session?
30 if (req.session != nullptr &&
31 req.session->persistence ==
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]32 persistent_data::PersistenceType::SINGLE_REQUEST)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]33 {
34 persistent_data::SessionStore::getInstance().removeSession(req.session);
35 }
36}
37
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]38#ifdef BMCWEB_ENABLE_BASIC_AUTHENTICATION
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]39static std::shared_ptr<persistent_data::UserSession>
Sunitha Harishc0ea7ae2020-10-30 02:37:30 -0500[diff] [blame]40 performBasicAuth(const boost::asio::ip::address& clientIp,
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]41 std::string_view authHeader)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]42{
43 BMCWEB_LOG_DEBUG << "[AuthMiddleware] Basic authentication";
44
John Edward Broadbent97a056a2021-09-10 14:56:19 -0700[diff] [blame]45 if (!boost::starts_with(authHeader, "Basic "))
46 {
47 return nullptr;
48 }
49
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]50 std::string_view param = authHeader.substr(strlen("Basic "));
John Edward Broadbent97a056a2021-09-10 14:56:19 -0700[diff] [blame]51 std::string authData;
52
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]53 if (!crow::utility::base64Decode(param, authData))
54 {
55 return nullptr;
56 }
57 std::size_t separator = authData.find(':');
58 if (separator == std::string::npos)
59 {
60 return nullptr;
61 }
62
63 std::string user = authData.substr(0, separator);
64 separator += 1;
65 if (separator > authData.size())
66 {
67 return nullptr;
68 }
69 std::string pass = authData.substr(separator);
70
71 BMCWEB_LOG_DEBUG << "[AuthMiddleware] Authenticating user: " << user;
Sunitha Harishc0ea7ae2020-10-30 02:37:30 -0500[diff] [blame]72 BMCWEB_LOG_DEBUG << "[AuthMiddleware] User IPAddress: "
73 << clientIp.to_string();
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]74
75 int pamrc = pamAuthenticateUser(user, pass);
76 bool isConfigureSelfOnly = pamrc == PAM_NEW_AUTHTOK_REQD;
77 if ((pamrc != PAM_SUCCESS) && !isConfigureSelfOnly)
78 {
79 return nullptr;
80 }
81
82 // TODO(ed) generateUserSession is a little expensive for basic
83 // auth, as it generates some random identifiers that will never be
84 // used. This should have a "fast" path for when user tokens aren't
85 // needed.
86 // This whole flow needs to be revisited anyway, as we can't be
87 // calling directly into pam for every request
Ed Tanouse05aec52022-01-25 10:28:56 -0800[diff] [blame]88 std::string unsupportedClientId;
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]89 return persistent_data::SessionStore::getInstance().generateUserSession(
Jiaqing Zhao41d61c82021-12-07 13:21:47 +0800[diff] [blame]90 user, clientIp, unsupportedClientId,
Sunitha Harishd3239222021-02-24 15:33:29 +0530[diff] [blame]91 persistent_data::PersistenceType::SINGLE_REQUEST, isConfigureSelfOnly);
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]92}
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]93#endif
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]94
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]95#ifdef BMCWEB_ENABLE_SESSION_AUTHENTICATION
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]96static std::shared_ptr<persistent_data::UserSession>
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]97 performTokenAuth(std::string_view authHeader)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]98{
99 BMCWEB_LOG_DEBUG << "[AuthMiddleware] Token authentication";
John Edward Broadbent97a056a2021-09-10 14:56:19 -0700[diff] [blame]100 if (!boost::starts_with(authHeader, "Token "))
101 {
102 return nullptr;
103 }
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]104 std::string_view token = authHeader.substr(strlen("Token "));
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]105 auto sessionOut =
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]106 persistent_data::SessionStore::getInstance().loginSessionByToken(token);
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]107 return sessionOut;
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]108}
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]109#endif
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]110
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]111#ifdef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]112static std::shared_ptr<persistent_data::UserSession>
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]113 performXtokenAuth(const boost::beast::http::header<true>& reqHeader)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]114{
115 BMCWEB_LOG_DEBUG << "[AuthMiddleware] X-Auth-Token authentication";
116
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]117 std::string_view token = reqHeader["X-Auth-Token"];
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]118 if (token.empty())
119 {
120 return nullptr;
121 }
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]122 auto sessionOut =
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]123 persistent_data::SessionStore::getInstance().loginSessionByToken(token);
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]124 return sessionOut;
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]125}
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]126#endif
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]127
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]128#ifdef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]129static std::shared_ptr<persistent_data::UserSession>
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]130 performCookieAuth(boost::beast::http::verb method,
131 const boost::beast::http::header<true>& reqHeader)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]132{
133 BMCWEB_LOG_DEBUG << "[AuthMiddleware] Cookie authentication";
134
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]135 std::string_view cookieValue = reqHeader["Cookie"];
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]136 if (cookieValue.empty())
137 {
138 return nullptr;
139 }
140
141 auto startIndex = cookieValue.find("SESSION=");
142 if (startIndex == std::string::npos)
143 {
144 return nullptr;
145 }
146 startIndex += sizeof("SESSION=") - 1;
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]147 auto endIndex = cookieValue.find(';', startIndex);
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]148 if (endIndex == std::string::npos)
149 {
150 endIndex = cookieValue.size();
151 }
152 std::string_view authKey =
153 cookieValue.substr(startIndex, endIndex - startIndex);
154
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]155 std::shared_ptr<persistent_data::UserSession> sessionOut =
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]156 persistent_data::SessionStore::getInstance().loginSessionByToken(
157 authKey);
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]158 if (sessionOut == nullptr)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]159 {
160 return nullptr;
161 }
162#ifndef BMCWEB_INSECURE_DISABLE_CSRF_PREVENTION
163 // RFC7231 defines methods that need csrf protection
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]164 if (method != boost::beast::http::verb::get)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]165 {
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]166 std::string_view csrf = reqHeader["X-XSRF-TOKEN"];
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]167 // Make sure both tokens are filled
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]168 if (csrf.empty() || sessionOut->csrfToken.empty())
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]169 {
170 return nullptr;
171 }
172
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]173 if (csrf.size() != persistent_data::sessionTokenSize)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]174 {
175 return nullptr;
176 }
177 // Reject if csrf token not available
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]178 if (!crow::utility::constantTimeStringCompare(csrf,
179 sessionOut->csrfToken))
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]180 {
181 return nullptr;
182 }
183 }
184#endif
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]185 return sessionOut;
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]186}
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]187#endif
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]188
Alexander Filippov96457602020-09-29 14:19:38 +0300[diff] [blame]189#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]190static std::shared_ptr<persistent_data::UserSession>
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]191 performTLSAuth(Response& res,
192 const boost::beast::http::header<true>& reqHeader,
Ed Tanousb5a76932020-09-29 16:16:58 -0700[diff] [blame]193 const std::weak_ptr<persistent_data::UserSession>& session)
James Feist6964c982020-07-28 16:10:23 -0700[diff] [blame]194{
James Feist6964c982020-07-28 16:10:23 -0700[diff] [blame]195 if (auto sp = session.lock())
196 {
197 // set cookie only if this is req from the browser.
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]198 if (reqHeader["User-Agent"].empty())
James Feist6964c982020-07-28 16:10:23 -0700[diff] [blame]199 {
200 BMCWEB_LOG_DEBUG << " TLS session: " << sp->uniqueId
201 << " will be used for this request.";
202 return sp;
203 }
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]204 std::string_view cookieValue = reqHeader["Cookie"];
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]205 if (cookieValue.empty() ||
206 cookieValue.find("SESSION=") == std::string::npos)
James Feist6964c982020-07-28 16:10:23 -0700[diff] [blame]207 {
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]208 // TODO: change this to not switch to cookie auth
Gunnar Mills636be392021-03-15 12:47:07 -0500[diff] [blame]209 res.addHeader(
210 "Set-Cookie",
211 "XSRF-TOKEN=" + sp->csrfToken +
212 "; SameSite=Strict; Secure\r\nSet-Cookie: SESSION=" +
213 sp->sessionToken +
214 "; SameSite=Strict; Secure; HttpOnly\r\nSet-Cookie: "
215 "IsAuthenticated=true; Secure");
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]216 BMCWEB_LOG_DEBUG << " TLS session: " << sp->uniqueId
217 << " with cookie will be used for this request.";
218 return sp;
James Feist6964c982020-07-28 16:10:23 -0700[diff] [blame]219 }
220 }
James Feist6964c982020-07-28 16:10:23 -0700[diff] [blame]221 return nullptr;
222}
Alexander Filippov96457602020-09-29 14:19:38 +0300[diff] [blame]223#endif
James Feist6964c982020-07-28 16:10:23 -0700[diff] [blame]224
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]225// checks if request can be forwarded without authentication
Nan Zhou8682c5a2021-11-13 11:00:07 -0800[diff] [blame]226[[maybe_unused]] static bool isOnAllowlist(std::string_view url,
227 boost::beast::http::verb method)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]228{
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]229 if (boost::beast::http::verb::get == method)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]230 {
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]231 if (url == "/redfish/v1" || url == "/redfish/v1/" ||
232 url == "/redfish" || url == "/redfish/" ||
233 url == "/redfish/v1/odata" || url == "/redfish/v1/odata/")
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]234 {
235 return true;
236 }
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]237 if (crow::webroutes::routes.find(std::string(url)) !=
Ed Tanousd4d25792020-09-29 15:15:03 -0700[diff] [blame]238 crow::webroutes::routes.end())
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]239 {
240 return true;
241 }
242 }
243
244 // it's allowed to POST on session collection & login without
245 // authentication
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]246 if (boost::beast::http::verb::post == method)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]247 {
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]248 if ((url == "/redfish/v1/SessionService/Sessions") ||
249 (url == "/redfish/v1/SessionService/Sessions/") ||
250 (url == "/login"))
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]251 {
252 return true;
253 }
254 }
255
256 return false;
257}
258
Nan Zhou8682c5a2021-11-13 11:00:07 -0800[diff] [blame]259[[maybe_unused]] static std::shared_ptr<persistent_data::UserSession>
260 authenticate(
261 boost::asio::ip::address& ipAddress [[maybe_unused]],
262 Response& res [[maybe_unused]], boost::beast::http::verb method,
263 const boost::beast::http::header<true>& reqHeader,
264 [[maybe_unused]] const std::shared_ptr<persistent_data::UserSession>&
265 session)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]266{
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]267 const persistent_data::AuthConfigMethods& authMethodsConfig =
268 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]269
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]270 std::shared_ptr<persistent_data::UserSession> sessionOut = nullptr;
Alexander Filippov96457602020-09-29 14:19:38 +0300[diff] [blame]271#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]272 if (authMethodsConfig.tls)
James Feist6964c982020-07-28 16:10:23 -0700[diff] [blame]273 {
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]274 sessionOut = performTLSAuth(res, reqHeader, session);
James Feist6964c982020-07-28 16:10:23 -0700[diff] [blame]275 }
Alexander Filippov96457602020-09-29 14:19:38 +0300[diff] [blame]276#endif
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]277#ifdef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]278 if (sessionOut == nullptr && authMethodsConfig.xtoken)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]279 {
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]280 sessionOut = performXtokenAuth(reqHeader);
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]281 }
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]282#endif
283#ifdef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]284 if (sessionOut == nullptr && authMethodsConfig.cookie)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]285 {
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]286 sessionOut = performCookieAuth(method, reqHeader);
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]287 }
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]288#endif
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]289 std::string_view authHeader = reqHeader["Authorization"];
Andrew Geissler1c801e12021-10-08 14:36:01 -0500[diff] [blame]290 BMCWEB_LOG_DEBUG << "authHeader=" << authHeader;
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]291
John Edward Broadbent97a056a2021-09-10 14:56:19 -0700[diff] [blame]292 if (sessionOut == nullptr && authMethodsConfig.sessionToken)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]293 {
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]294#ifdef BMCWEB_ENABLE_SESSION_AUTHENTICATION
John Edward Broadbent97a056a2021-09-10 14:56:19 -0700[diff] [blame]295 sessionOut = performTokenAuth(authHeader);
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]296#endif
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]297 }
John Edward Broadbent97a056a2021-09-10 14:56:19 -0700[diff] [blame]298 if (sessionOut == nullptr && authMethodsConfig.basic)
299 {
300#ifdef BMCWEB_ENABLE_BASIC_AUTHENTICATION
301 sessionOut = performBasicAuth(ipAddress, authHeader);
302#endif
303 }
304 if (sessionOut != nullptr)
305 {
306 return sessionOut;
307 }
308
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]309 return nullptr;
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]310}
311
312} // namespace authorization
313} // namespace crow