Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / ae9031f0e8595ee88945ac565d10be0c3832ed01 / . / include / authentication.hpp
blob: 84875a9a1d96e7d6f84dbc4525e295f060e69a35 [file] [log] [blame]
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]1#pragma once
2
3#include "webroutes.hpp"
4
Ed Tanous04e438c2020-10-03 08:06:26 -0700[diff] [blame]5#include <app.hpp>
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]6#include <boost/container/flat_set.hpp>
Ed Tanous04e438c2020-10-03 08:06:26 -0700[diff] [blame]7#include <common.hpp>
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]8#include <forward_unauthorized.hpp>
Ed Tanous04e438c2020-10-03 08:06:26 -0700[diff] [blame]9#include <http_request.hpp>
10#include <http_response.hpp>
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]11#include <http_utility.hpp>
12#include <pam_authenticate.hpp>
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]13
14#include <random>
Ed Tanousb5a76932020-09-29 16:16:58 -0700[diff] [blame]15#include <utility>
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]16
17namespace crow
18{
19
Nan Zhoud055a342022-05-25 01:15:34 +0000[diff] [blame]20namespace authentication
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]21{
22
Ed Tanous02cad962022-06-30 16:50:15 -0700[diff] [blame]23static void cleanupTempSession(const Request& req)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]24{
25 // TODO(ed) THis should really be handled by the persistent data
26 // middleware, but because it is upstream, it doesn't have access to the
27 // session information. Should the data middleware persist the current
28 // user session?
29 if (req.session != nullptr &&
30 req.session->persistence ==
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]31 persistent_data::PersistenceType::SINGLE_REQUEST)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]32 {
33 persistent_data::SessionStore::getInstance().removeSession(req.session);
34 }
35}
36
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]37#ifdef BMCWEB_ENABLE_BASIC_AUTHENTICATION
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]38static std::shared_ptr<persistent_data::UserSession>
Sunitha Harishc0ea7ae2020-10-30 02:37:30 -0500[diff] [blame]39 performBasicAuth(const boost::asio::ip::address& clientIp,
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]40 std::string_view authHeader)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]41{
42 BMCWEB_LOG_DEBUG << "[AuthMiddleware] Basic authentication";
43
Ed Tanous11ba3972022-07-11 09:50:41 -0700[diff] [blame]44 if (!authHeader.starts_with("Basic "))
John Edward Broadbent97a056a2021-09-10 14:56:19 -0700[diff] [blame]45 {
46 return nullptr;
47 }
48
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]49 std::string_view param = authHeader.substr(strlen("Basic "));
John Edward Broadbent97a056a2021-09-10 14:56:19 -0700[diff] [blame]50 std::string authData;
51
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]52 if (!crow::utility::base64Decode(param, authData))
53 {
54 return nullptr;
55 }
56 std::size_t separator = authData.find(':');
57 if (separator == std::string::npos)
58 {
59 return nullptr;
60 }
61
62 std::string user = authData.substr(0, separator);
63 separator += 1;
64 if (separator > authData.size())
65 {
66 return nullptr;
67 }
68 std::string pass = authData.substr(separator);
69
70 BMCWEB_LOG_DEBUG << "[AuthMiddleware] Authenticating user: " << user;
Sunitha Harishc0ea7ae2020-10-30 02:37:30 -0500[diff] [blame]71 BMCWEB_LOG_DEBUG << "[AuthMiddleware] User IPAddress: "
72 << clientIp.to_string();
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]73
74 int pamrc = pamAuthenticateUser(user, pass);
75 bool isConfigureSelfOnly = pamrc == PAM_NEW_AUTHTOK_REQD;
76 if ((pamrc != PAM_SUCCESS) && !isConfigureSelfOnly)
77 {
78 return nullptr;
79 }
80
81 // TODO(ed) generateUserSession is a little expensive for basic
82 // auth, as it generates some random identifiers that will never be
83 // used. This should have a "fast" path for when user tokens aren't
84 // needed.
85 // This whole flow needs to be revisited anyway, as we can't be
86 // calling directly into pam for every request
87 return persistent_data::SessionStore::getInstance().generateUserSession(
Ed Tanousbb759e32022-08-02 17:07:54 -0700[diff] [blame]88 user, clientIp, std::nullopt,
Sunitha Harishd3239222021-02-24 15:33:29 +0530[diff] [blame]89 persistent_data::PersistenceType::SINGLE_REQUEST, isConfigureSelfOnly);
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]90}
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]91#endif
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]92
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]93#ifdef BMCWEB_ENABLE_SESSION_AUTHENTICATION
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]94static std::shared_ptr<persistent_data::UserSession>
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]95 performTokenAuth(std::string_view authHeader)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]96{
97 BMCWEB_LOG_DEBUG << "[AuthMiddleware] Token authentication";
Ed Tanous11ba3972022-07-11 09:50:41 -0700[diff] [blame]98 if (!authHeader.starts_with("Token "))
John Edward Broadbent97a056a2021-09-10 14:56:19 -0700[diff] [blame]99 {
100 return nullptr;
101 }
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]102 std::string_view token = authHeader.substr(strlen("Token "));
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]103 auto sessionOut =
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]104 persistent_data::SessionStore::getInstance().loginSessionByToken(token);
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]105 return sessionOut;
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]106}
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]107#endif
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]108
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]109#ifdef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]110static std::shared_ptr<persistent_data::UserSession>
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]111 performXtokenAuth(const boost::beast::http::header<true>& reqHeader)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]112{
113 BMCWEB_LOG_DEBUG << "[AuthMiddleware] X-Auth-Token authentication";
114
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]115 std::string_view token = reqHeader["X-Auth-Token"];
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]116 if (token.empty())
117 {
118 return nullptr;
119 }
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]120 auto sessionOut =
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]121 persistent_data::SessionStore::getInstance().loginSessionByToken(token);
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]122 return sessionOut;
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]123}
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]124#endif
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]125
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]126#ifdef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]127static std::shared_ptr<persistent_data::UserSession>
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]128 performCookieAuth(boost::beast::http::verb method,
129 const boost::beast::http::header<true>& reqHeader)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]130{
131 BMCWEB_LOG_DEBUG << "[AuthMiddleware] Cookie authentication";
132
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]133 std::string_view cookieValue = reqHeader["Cookie"];
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]134 if (cookieValue.empty())
135 {
136 return nullptr;
137 }
138
139 auto startIndex = cookieValue.find("SESSION=");
140 if (startIndex == std::string::npos)
141 {
142 return nullptr;
143 }
144 startIndex += sizeof("SESSION=") - 1;
Ed Tanous81ce6092020-12-17 16:54:55 +0000[diff] [blame]145 auto endIndex = cookieValue.find(';', startIndex);
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]146 if (endIndex == std::string::npos)
147 {
148 endIndex = cookieValue.size();
149 }
150 std::string_view authKey =
151 cookieValue.substr(startIndex, endIndex - startIndex);
152
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]153 std::shared_ptr<persistent_data::UserSession> sessionOut =
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]154 persistent_data::SessionStore::getInstance().loginSessionByToken(
155 authKey);
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]156 if (sessionOut == nullptr)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]157 {
158 return nullptr;
159 }
160#ifndef BMCWEB_INSECURE_DISABLE_CSRF_PREVENTION
161 // RFC7231 defines methods that need csrf protection
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]162 if (method != boost::beast::http::verb::get)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]163 {
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]164 std::string_view csrf = reqHeader["X-XSRF-TOKEN"];
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]165 // Make sure both tokens are filled
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]166 if (csrf.empty() || sessionOut->csrfToken.empty())
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]167 {
168 return nullptr;
169 }
170
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]171 if (csrf.size() != persistent_data::sessionTokenSize)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]172 {
173 return nullptr;
174 }
175 // Reject if csrf token not available
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]176 if (!crow::utility::constantTimeStringCompare(csrf,
177 sessionOut->csrfToken))
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]178 {
179 return nullptr;
180 }
181 }
182#endif
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]183 return sessionOut;
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]184}
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]185#endif
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]186
Alexander Filippov96457602020-09-29 14:19:38 +0300[diff] [blame]187#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]188static std::shared_ptr<persistent_data::UserSession>
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]189 performTLSAuth(Response& res,
190 const boost::beast::http::header<true>& reqHeader,
Ed Tanousb5a76932020-09-29 16:16:58 -0700[diff] [blame]191 const std::weak_ptr<persistent_data::UserSession>& session)
James Feist6964c982020-07-28 16:10:23 -0700[diff] [blame]192{
James Feist6964c982020-07-28 16:10:23 -0700[diff] [blame]193 if (auto sp = session.lock())
194 {
195 // set cookie only if this is req from the browser.
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]196 if (reqHeader["User-Agent"].empty())
James Feist6964c982020-07-28 16:10:23 -0700[diff] [blame]197 {
198 BMCWEB_LOG_DEBUG << " TLS session: " << sp->uniqueId
199 << " will be used for this request.";
200 return sp;
201 }
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]202 std::string_view cookieValue = reqHeader["Cookie"];
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]203 if (cookieValue.empty() ||
204 cookieValue.find("SESSION=") == std::string::npos)
James Feist6964c982020-07-28 16:10:23 -0700[diff] [blame]205 {
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]206 // TODO: change this to not switch to cookie auth
Gunnar Mills636be392021-03-15 12:47:07 -0500[diff] [blame]207 res.addHeader(
208 "Set-Cookie",
209 "XSRF-TOKEN=" + sp->csrfToken +
210 "; SameSite=Strict; Secure\r\nSet-Cookie: SESSION=" +
211 sp->sessionToken +
212 "; SameSite=Strict; Secure; HttpOnly\r\nSet-Cookie: "
213 "IsAuthenticated=true; Secure");
Ed Tanous3174e4d2020-10-07 11:41:22 -0700[diff] [blame]214 BMCWEB_LOG_DEBUG << " TLS session: " << sp->uniqueId
215 << " with cookie will be used for this request.";
216 return sp;
James Feist6964c982020-07-28 16:10:23 -0700[diff] [blame]217 }
218 }
James Feist6964c982020-07-28 16:10:23 -0700[diff] [blame]219 return nullptr;
220}
Alexander Filippov96457602020-09-29 14:19:38 +0300[diff] [blame]221#endif
James Feist6964c982020-07-28 16:10:23 -0700[diff] [blame]222
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]223// checks if request can be forwarded without authentication
Nan Zhou8682c5a2021-11-13 11:00:07 -0800[diff] [blame]224[[maybe_unused]] static bool isOnAllowlist(std::string_view url,
225 boost::beast::http::verb method)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]226{
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]227 if (boost::beast::http::verb::get == method)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]228 {
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]229 if (url == "/redfish/v1" || url == "/redfish/v1/" ||
230 url == "/redfish" || url == "/redfish/" ||
231 url == "/redfish/v1/odata" || url == "/redfish/v1/odata/")
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]232 {
233 return true;
234 }
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]235 if (crow::webroutes::routes.find(std::string(url)) !=
Ed Tanousd4d25792020-09-29 15:15:03 -0700[diff] [blame]236 crow::webroutes::routes.end())
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]237 {
238 return true;
239 }
240 }
241
242 // it's allowed to POST on session collection & login without
243 // authentication
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]244 if (boost::beast::http::verb::post == method)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]245 {
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]246 if ((url == "/redfish/v1/SessionService/Sessions") ||
247 (url == "/redfish/v1/SessionService/Sessions/") ||
Ed Tanouse76cd862022-03-14 09:12:00 -0700[diff] [blame]248 (url == "/redfish/v1/SessionService/Sessions/Members") ||
249 (url == "/redfish/v1/SessionService/Sessions/Members/") ||
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]250 (url == "/login"))
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]251 {
252 return true;
253 }
254 }
255
256 return false;
257}
258
Nan Zhou8682c5a2021-11-13 11:00:07 -0800[diff] [blame]259[[maybe_unused]] static std::shared_ptr<persistent_data::UserSession>
260 authenticate(
Ed Tanous02cad962022-06-30 16:50:15 -0700[diff] [blame]261 const boost::asio::ip::address& ipAddress [[maybe_unused]],
Nan Zhou3acced22022-07-12 23:21:02 +0000[diff] [blame]262 Response& res [[maybe_unused]],
263 boost::beast::http::verb method [[maybe_unused]],
Nan Zhou8682c5a2021-11-13 11:00:07 -0800[diff] [blame]264 const boost::beast::http::header<true>& reqHeader,
265 [[maybe_unused]] const std::shared_ptr<persistent_data::UserSession>&
266 session)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]267{
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]268 const persistent_data::AuthConfigMethods& authMethodsConfig =
269 persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]270
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]271 std::shared_ptr<persistent_data::UserSession> sessionOut = nullptr;
Alexander Filippov96457602020-09-29 14:19:38 +0300[diff] [blame]272#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]273 if (authMethodsConfig.tls)
James Feist6964c982020-07-28 16:10:23 -0700[diff] [blame]274 {
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]275 sessionOut = performTLSAuth(res, reqHeader, session);
James Feist6964c982020-07-28 16:10:23 -0700[diff] [blame]276 }
Alexander Filippov96457602020-09-29 14:19:38 +0300[diff] [blame]277#endif
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]278#ifdef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]279 if (sessionOut == nullptr && authMethodsConfig.xtoken)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]280 {
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]281 sessionOut = performXtokenAuth(reqHeader);
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]282 }
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]283#endif
284#ifdef BMCWEB_ENABLE_COOKIE_AUTHENTICATION
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]285 if (sessionOut == nullptr && authMethodsConfig.cookie)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]286 {
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]287 sessionOut = performCookieAuth(method, reqHeader);
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]288 }
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]289#endif
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]290 std::string_view authHeader = reqHeader["Authorization"];
Andrew Geissler1c801e12021-10-08 14:36:01 -0500[diff] [blame]291 BMCWEB_LOG_DEBUG << "authHeader=" << authHeader;
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]292
John Edward Broadbent97a056a2021-09-10 14:56:19 -0700[diff] [blame]293 if (sessionOut == nullptr && authMethodsConfig.sessionToken)
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]294 {
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]295#ifdef BMCWEB_ENABLE_SESSION_AUTHENTICATION
John Edward Broadbent97a056a2021-09-10 14:56:19 -0700[diff] [blame]296 sessionOut = performTokenAuth(authHeader);
Alan Kuof16f6262020-12-08 19:29:59 +0800[diff] [blame]297#endif
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]298 }
John Edward Broadbent97a056a2021-09-10 14:56:19 -0700[diff] [blame]299 if (sessionOut == nullptr && authMethodsConfig.basic)
300 {
301#ifdef BMCWEB_ENABLE_BASIC_AUTHENTICATION
302 sessionOut = performBasicAuth(ipAddress, authHeader);
303#endif
304 }
305 if (sessionOut != nullptr)
306 {
307 return sessionOut;
308 }
309
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]310 return nullptr;
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]311}
312
Nan Zhoud055a342022-05-25 01:15:34 +0000[diff] [blame]313} // namespace authentication
James Feist3909dc82020-04-03 10:58:55 -0700[diff] [blame]314} // namespace crow