Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 9b46bc0b4c0c58c426e9bfb5a7d90250862ca9d2 / . / include / forward_unauthorized.hpp
blob: 07fb2b5bd05540d398c0efd377a7431633282088 [file] [log] [blame]
Ed Tanous40e9b922024-09-10 13:50:16 -0700[diff] [blame]1// SPDX-License-Identifier: Apache-2.0
2// SPDX-FileCopyrightText: Copyright OpenBMC Authors
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]3#pragma once
Ed Tanous3ccb3ad2023-01-13 17:40:03 -0800[diff] [blame]4#include "http_request.hpp"
5#include "http_response.hpp"
6#include "http_utility.hpp"
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]7
Ed Tanousc51a58e2023-03-27 14:43:19 -0700[diff] [blame]8#include <boost/url/format.hpp>
9#include <boost/url/url.hpp>
10
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]11namespace forward_unauthorized
12{
13
Ed Tanouscf9e4172022-12-21 09:30:16 -0800[diff] [blame]14// NOLINTNEXTLINE(cppcoreguidelines-avoid-non-const-global-variables)
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]15static bool hasWebuiRoute = false;
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]16
Ed Tanousc127a0f2022-05-11 15:23:59 -0700[diff] [blame]17inline void sendUnauthorized(std::string_view url,
18 std::string_view xRequestedWith,
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]19 std::string_view accept, crow::Response& res)
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]20{
21 // If it's a browser connecting, don't send the HTTP authenticate
22 // header, to avoid possible CSRF attacks with basic auth
Ed Tanous4a0e1a02022-09-21 15:28:04 -0700[diff] [blame]23 if (http_helpers::isContentTypeAllowed(
24 accept, http_helpers::ContentType::HTML, false /*allowWildcard*/))
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]25 {
26 // If we have a webui installed, redirect to that login page
27 if (hasWebuiRoute)
28 {
Patrick Williamsbd79bce2024-08-16 15:22:20 -0400[diff] [blame]29 boost::urls::url forward =
30 boost::urls::format("/?next={}#/login", url);
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]31 res.result(boost::beast::http::status::temporary_redirect);
Ed Tanousd9f6c622022-03-17 09:12:17 -0700[diff] [blame]32 res.addHeader(boost::beast::http::field::location,
Ed Tanousc51a58e2023-03-27 14:43:19 -0700[diff] [blame]33 forward.buffer());
Ed Tanous347d1a12022-06-22 15:49:37 -0700[diff] [blame]34 return;
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]35 }
Ed Tanous347d1a12022-06-22 15:49:37 -0700[diff] [blame]36 // If we don't have a webui installed, just return an unauthorized
37 // body
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]38 res.result(boost::beast::http::status::unauthorized);
Ed Tanous27b0cf92023-08-07 12:02:40 -0700[diff] [blame]39 res.write(
40 "No authentication provided, and no login UI present to forward to.");
Ed Tanous347d1a12022-06-22 15:49:37 -0700[diff] [blame]41 return;
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]42 }
Ed Tanous347d1a12022-06-22 15:49:37 -0700[diff] [blame]43
44 res.result(boost::beast::http::status::unauthorized);
45
46 // XHR requests from a browser will set the X-Requested-With header when
47 // doing their requests, even though they might not be requesting html.
48 if (!xRequestedWith.empty())
49 {
50 return;
51 }
52 // if basic auth is disabled, don't propose it.
53 if (!persistent_data::SessionStore::getInstance()
54 .getAuthMethodsConfig()
55 .basic)
56 {
57 return;
58 }
Ed Tanousd9f6c622022-03-17 09:12:17 -0700[diff] [blame]59 res.addHeader(boost::beast::http::field::www_authenticate, "Basic");
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]60}
61} // namespace forward_unauthorized