blob: c0a84b661a341816b850a4ddb9a8d0e208336d24 [file] [log] [blame]
James Feist3909dc82020-04-03 10:58:55 -07001#pragma once
2
3#include "webroutes.hpp"
4
Ed Tanous04e438c2020-10-03 08:06:26 -07005#include <app.hpp>
James Feist3909dc82020-04-03 10:58:55 -07006#include <boost/algorithm/string/predicate.hpp>
7#include <boost/container/flat_set.hpp>
Ed Tanous04e438c2020-10-03 08:06:26 -07008#include <common.hpp>
9#include <http_request.hpp>
10#include <http_response.hpp>
James Feist3909dc82020-04-03 10:58:55 -070011#include <http_utility.hpp>
12#include <pam_authenticate.hpp>
James Feist3909dc82020-04-03 10:58:55 -070013
14#include <random>
Ed Tanousb5a76932020-09-29 16:16:58 -070015#include <utility>
James Feist3909dc82020-04-03 10:58:55 -070016
17namespace crow
18{
19
20namespace authorization
21{
22
23static void cleanupTempSession(Request& req)
24{
25 // TODO(ed) THis should really be handled by the persistent data
26 // middleware, but because it is upstream, it doesn't have access to the
27 // session information. Should the data middleware persist the current
28 // user session?
29 if (req.session != nullptr &&
30 req.session->persistence ==
Ed Tanous52cc1122020-07-18 13:51:21 -070031 persistent_data::PersistenceType::SINGLE_REQUEST)
James Feist3909dc82020-04-03 10:58:55 -070032 {
33 persistent_data::SessionStore::getInstance().removeSession(req.session);
34 }
35}
36
Alan Kuof16f6262020-12-08 19:29:59 +080037#ifdef BMCWEB_ENABLE_BASIC_AUTHENTICATION
Ed Tanous3174e4d2020-10-07 11:41:22 -070038static std::shared_ptr<persistent_data::UserSession>
Sunitha Harishc0ea7ae2020-10-30 02:37:30 -050039 performBasicAuth(const boost::asio::ip::address& clientIp,
40 std::string_view auth_header)
James Feist3909dc82020-04-03 10:58:55 -070041{
42 BMCWEB_LOG_DEBUG << "[AuthMiddleware] Basic authentication";
43
44 std::string authData;
45 std::string_view param = auth_header.substr(strlen("Basic "));
46 if (!crow::utility::base64Decode(param, authData))
47 {
48 return nullptr;
49 }
50 std::size_t separator = authData.find(':');
51 if (separator == std::string::npos)
52 {
53 return nullptr;
54 }
55
56 std::string user = authData.substr(0, separator);
57 separator += 1;
58 if (separator > authData.size())
59 {
60 return nullptr;
61 }
62 std::string pass = authData.substr(separator);
63
64 BMCWEB_LOG_DEBUG << "[AuthMiddleware] Authenticating user: " << user;
Sunitha Harishc0ea7ae2020-10-30 02:37:30 -050065 BMCWEB_LOG_DEBUG << "[AuthMiddleware] User IPAddress: "
66 << clientIp.to_string();
James Feist3909dc82020-04-03 10:58:55 -070067
68 int pamrc = pamAuthenticateUser(user, pass);
69 bool isConfigureSelfOnly = pamrc == PAM_NEW_AUTHTOK_REQD;
70 if ((pamrc != PAM_SUCCESS) && !isConfigureSelfOnly)
71 {
72 return nullptr;
73 }
74
75 // TODO(ed) generateUserSession is a little expensive for basic
76 // auth, as it generates some random identifiers that will never be
77 // used. This should have a "fast" path for when user tokens aren't
78 // needed.
79 // This whole flow needs to be revisited anyway, as we can't be
80 // calling directly into pam for every request
81 return persistent_data::SessionStore::getInstance().generateUserSession(
Ed Tanous52cc1122020-07-18 13:51:21 -070082 user, persistent_data::PersistenceType::SINGLE_REQUEST,
Sunitha Harishc0ea7ae2020-10-30 02:37:30 -050083 isConfigureSelfOnly, clientIp.to_string());
James Feist3909dc82020-04-03 10:58:55 -070084}
Alan Kuof16f6262020-12-08 19:29:59 +080085#endif
James Feist3909dc82020-04-03 10:58:55 -070086
Alan Kuof16f6262020-12-08 19:29:59 +080087#ifdef BMCWEB_ENABLE_SESSION_AUTHENTICATION
Ed Tanous3174e4d2020-10-07 11:41:22 -070088static std::shared_ptr<persistent_data::UserSession>
James Feist3909dc82020-04-03 10:58:55 -070089 performTokenAuth(std::string_view auth_header)
90{
91 BMCWEB_LOG_DEBUG << "[AuthMiddleware] Token authentication";
92
93 std::string_view token = auth_header.substr(strlen("Token "));
94 auto session =
95 persistent_data::SessionStore::getInstance().loginSessionByToken(token);
96 return session;
97}
Alan Kuof16f6262020-12-08 19:29:59 +080098#endif
James Feist3909dc82020-04-03 10:58:55 -070099
Alan Kuof16f6262020-12-08 19:29:59 +0800100#ifdef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
Ed Tanous3174e4d2020-10-07 11:41:22 -0700101static std::shared_ptr<persistent_data::UserSession>
James Feist3909dc82020-04-03 10:58:55 -0700102 performXtokenAuth(const crow::Request& req)
103{
104 BMCWEB_LOG_DEBUG << "[AuthMiddleware] X-Auth-Token authentication";
105
106 std::string_view token = req.getHeaderValue("X-Auth-Token");
107 if (token.empty())
108 {
109 return nullptr;
110 }
111 auto session =
112 persistent_data::SessionStore::getInstance().loginSessionByToken(token);
113 return session;
114}
Alan Kuof16f6262020-12-08 19:29:59 +0800115#endif
James Feist3909dc82020-04-03 10:58:55 -0700116
Alan Kuof16f6262020-12-08 19:29:59 +0800117#ifdef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
Ed Tanous3174e4d2020-10-07 11:41:22 -0700118static std::shared_ptr<persistent_data::UserSession>
James Feist3909dc82020-04-03 10:58:55 -0700119 performCookieAuth(const crow::Request& req)
120{
121 BMCWEB_LOG_DEBUG << "[AuthMiddleware] Cookie authentication";
122
123 std::string_view cookieValue = req.getHeaderValue("Cookie");
124 if (cookieValue.empty())
125 {
126 return nullptr;
127 }
128
129 auto startIndex = cookieValue.find("SESSION=");
130 if (startIndex == std::string::npos)
131 {
132 return nullptr;
133 }
134 startIndex += sizeof("SESSION=") - 1;
135 auto endIndex = cookieValue.find(";", startIndex);
136 if (endIndex == std::string::npos)
137 {
138 endIndex = cookieValue.size();
139 }
140 std::string_view authKey =
141 cookieValue.substr(startIndex, endIndex - startIndex);
142
Ed Tanous3174e4d2020-10-07 11:41:22 -0700143 std::shared_ptr<persistent_data::UserSession> session =
James Feist3909dc82020-04-03 10:58:55 -0700144 persistent_data::SessionStore::getInstance().loginSessionByToken(
145 authKey);
146 if (session == nullptr)
147 {
148 return nullptr;
149 }
150#ifndef BMCWEB_INSECURE_DISABLE_CSRF_PREVENTION
151 // RFC7231 defines methods that need csrf protection
Ed Tanousb41187f2019-10-24 16:30:02 -0700152 if (req.method() != boost::beast::http::verb::get)
James Feist3909dc82020-04-03 10:58:55 -0700153 {
154 std::string_view csrf = req.getHeaderValue("X-XSRF-TOKEN");
155 // Make sure both tokens are filled
156 if (csrf.empty() || session->csrfToken.empty())
157 {
158 return nullptr;
159 }
160
Ed Tanous52cc1122020-07-18 13:51:21 -0700161 if (csrf.size() != persistent_data::sessionTokenSize)
James Feist3909dc82020-04-03 10:58:55 -0700162 {
163 return nullptr;
164 }
165 // Reject if csrf token not available
166 if (!crow::utility::constantTimeStringCompare(csrf, session->csrfToken))
167 {
168 return nullptr;
169 }
170 }
171#endif
172 return session;
173}
Alan Kuof16f6262020-12-08 19:29:59 +0800174#endif
James Feist3909dc82020-04-03 10:58:55 -0700175
Alexander Filippov96457602020-09-29 14:19:38 +0300176#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
Ed Tanous3174e4d2020-10-07 11:41:22 -0700177static std::shared_ptr<persistent_data::UserSession>
James Feist6964c982020-07-28 16:10:23 -0700178 performTLSAuth(const crow::Request& req, Response& res,
Ed Tanousb5a76932020-09-29 16:16:58 -0700179 const std::weak_ptr<persistent_data::UserSession>& session)
James Feist6964c982020-07-28 16:10:23 -0700180{
James Feist6964c982020-07-28 16:10:23 -0700181 if (auto sp = session.lock())
182 {
183 // set cookie only if this is req from the browser.
184 if (req.getHeaderValue("User-Agent").empty())
185 {
186 BMCWEB_LOG_DEBUG << " TLS session: " << sp->uniqueId
187 << " will be used for this request.";
188 return sp;
189 }
Ed Tanous3174e4d2020-10-07 11:41:22 -0700190 std::string_view cookieValue = req.getHeaderValue("Cookie");
191 if (cookieValue.empty() ||
192 cookieValue.find("SESSION=") == std::string::npos)
James Feist6964c982020-07-28 16:10:23 -0700193 {
Ed Tanous3174e4d2020-10-07 11:41:22 -0700194 // TODO: change this to not switch to cookie auth
195 res.addHeader("Set-Cookie", "XSRF-TOKEN=" + sp->csrfToken +
196 "; Secure\r\nSet-Cookie: SESSION=" +
197 sp->sessionToken +
198 "; Secure; HttpOnly\r\nSet-Cookie: "
199 "IsAuthenticated=true; Secure");
200 BMCWEB_LOG_DEBUG << " TLS session: " << sp->uniqueId
201 << " with cookie will be used for this request.";
202 return sp;
James Feist6964c982020-07-28 16:10:23 -0700203 }
204 }
James Feist6964c982020-07-28 16:10:23 -0700205 return nullptr;
206}
Alexander Filippov96457602020-09-29 14:19:38 +0300207#endif
James Feist6964c982020-07-28 16:10:23 -0700208
James Feist3909dc82020-04-03 10:58:55 -0700209// checks if request can be forwarded without authentication
210static bool isOnWhitelist(const crow::Request& req)
211{
212 // it's allowed to GET root node without authentication
Ed Tanousb41187f2019-10-24 16:30:02 -0700213 if (boost::beast::http::verb::get == req.method())
James Feist3909dc82020-04-03 10:58:55 -0700214 {
215 if (req.url == "/redfish/v1" || req.url == "/redfish/v1/" ||
216 req.url == "/redfish" || req.url == "/redfish/" ||
217 req.url == "/redfish/v1/odata" || req.url == "/redfish/v1/odata/")
218 {
219 return true;
220 }
Ed Tanousd4d25792020-09-29 15:15:03 -0700221 if (crow::webroutes::routes.find(std::string(req.url)) !=
222 crow::webroutes::routes.end())
James Feist3909dc82020-04-03 10:58:55 -0700223 {
224 return true;
225 }
226 }
227
228 // it's allowed to POST on session collection & login without
229 // authentication
Ed Tanousb41187f2019-10-24 16:30:02 -0700230 if (boost::beast::http::verb::post == req.method())
James Feist3909dc82020-04-03 10:58:55 -0700231 {
232 if ((req.url == "/redfish/v1/SessionService/Sessions") ||
233 (req.url == "/redfish/v1/SessionService/Sessions/") ||
234 (req.url == "/login"))
235 {
236 return true;
237 }
238 }
239
240 return false;
241}
242
Alexander Filippov96457602020-09-29 14:19:38 +0300243static void authenticate(
244 crow::Request& req, Response& res,
Ed Tanousf23b7292020-10-15 09:41:17 -0700245 [[maybe_unused]] const std::weak_ptr<persistent_data::UserSession>& session)
James Feist3909dc82020-04-03 10:58:55 -0700246{
247 if (isOnWhitelist(req))
248 {
249 return;
250 }
251
Ed Tanous52cc1122020-07-18 13:51:21 -0700252 const persistent_data::AuthConfigMethods& authMethodsConfig =
253 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
James Feist3909dc82020-04-03 10:58:55 -0700254
Alexander Filippov96457602020-09-29 14:19:38 +0300255#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
James Feist6964c982020-07-28 16:10:23 -0700256 if (req.session == nullptr && authMethodsConfig.tls)
257 {
Ed Tanousf23b7292020-10-15 09:41:17 -0700258 req.session = performTLSAuth(req, res, session);
James Feist6964c982020-07-28 16:10:23 -0700259 }
Alexander Filippov96457602020-09-29 14:19:38 +0300260#endif
Alan Kuof16f6262020-12-08 19:29:59 +0800261#ifdef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
James Feist3909dc82020-04-03 10:58:55 -0700262 if (req.session == nullptr && authMethodsConfig.xtoken)
263 {
264 req.session = performXtokenAuth(req);
265 }
Alan Kuof16f6262020-12-08 19:29:59 +0800266#endif
267#ifdef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
James Feist3909dc82020-04-03 10:58:55 -0700268 if (req.session == nullptr && authMethodsConfig.cookie)
269 {
270 req.session = performCookieAuth(req);
271 }
Alan Kuof16f6262020-12-08 19:29:59 +0800272#endif
James Feist3909dc82020-04-03 10:58:55 -0700273 if (req.session == nullptr)
274 {
275 std::string_view authHeader = req.getHeaderValue("Authorization");
276 if (!authHeader.empty())
277 {
278 // Reject any kind of auth other than basic or token
279 if (boost::starts_with(authHeader, "Token ") &&
280 authMethodsConfig.sessionToken)
281 {
Alan Kuof16f6262020-12-08 19:29:59 +0800282#ifdef BMCWEB_ENABLE_SESSION_AUTHENTICATION
James Feist3909dc82020-04-03 10:58:55 -0700283 req.session = performTokenAuth(authHeader);
Alan Kuof16f6262020-12-08 19:29:59 +0800284#endif
James Feist3909dc82020-04-03 10:58:55 -0700285 }
286 else if (boost::starts_with(authHeader, "Basic ") &&
287 authMethodsConfig.basic)
288 {
Alan Kuof16f6262020-12-08 19:29:59 +0800289#ifdef BMCWEB_ENABLE_BASIC_AUTHENTICATION
Sunitha Harishc0ea7ae2020-10-30 02:37:30 -0500290 req.session = performBasicAuth(req.ipAddress, authHeader);
Alan Kuof16f6262020-12-08 19:29:59 +0800291#endif
James Feist3909dc82020-04-03 10:58:55 -0700292 }
293 }
294 }
295
296 if (req.session == nullptr)
297 {
298 BMCWEB_LOG_WARNING << "[AuthMiddleware] authorization failed";
299
300 // If it's a browser connecting, don't send the HTTP authenticate
301 // header, to avoid possible CSRF attacks with basic auth
302 if (http_helpers::requestPrefersHtml(req))
303 {
304 res.result(boost::beast::http::status::temporary_redirect);
305 res.addHeader("Location",
306 "/#/login?next=" + http_helpers::urlEncode(req.url));
307 }
308 else
309 {
310 res.result(boost::beast::http::status::unauthorized);
311 // only send the WWW-authenticate header if this isn't a xhr
312 // from the browser. most scripts,
313 if (req.getHeaderValue("User-Agent").empty())
314 {
315 res.addHeader("WWW-Authenticate", "Basic");
316 }
317 }
318
319 res.end();
320 return;
321 }
322}
323
324} // namespace authorization
325} // namespace crow