History log of /openbmc/bmcweb/http/mutual_tls.hpp (Results 1 – 10 of 10)
Revision Date Author Comments
# 724985ff 05-Jun-2024 Ed Tanous <ed@tanous.net>

Break out SSL key handler into a compile unit

This commit allows for no code to have to pull in openssl headers
directly. All openssl code is now included in compile units, or
transitively from boo

Break out SSL key handler into a compile unit

This commit allows for no code to have to pull in openssl headers
directly. All openssl code is now included in compile units, or
transitively from boost.

Because http2 is optional, no-unneeded-internal-declaration is needed to
prevent clang from marking the functions as unused. Chromium has
disabled this as well[1]

Tested:
Redfish service validator passes.

[1] https://issues.chromium.org/issues/40340369

Change-Id: I327e8ffa45941c2282db804d0be56cf64155e67d
Signed-off-by: Ed Tanous <ed@tanous.net>

show more ...


# 89cda63d 16-Apr-2024 Ed Tanous <ed@tanous.net>

Store Request Fields that are needed later

Because of recent changes to how dbus authentication is done, Requests
might be moved out before they can be used. This commit is an attempt
to mitigate t

Store Request Fields that are needed later

Because of recent changes to how dbus authentication is done, Requests
might be moved out before they can be used. This commit is an attempt
to mitigate the problem without needing to revert that patch.

This commit does two relatively distinct things.

First, it moves basic auth types to a model where they're timed out
instead of removed on destruction. This removes the need for a Request
object to track that state, and arguably gives better behavior, as
basic auth sessions will survive through the timeout.
To prevent lots of basic auth sessions getting created, a basic auth
session is reused if it was:
1. Created by basic auth previously.
2. Created by the same user.
3. Created from the same source IP address.

Second, both connection classes now store the accept, and origin headers
from the request in the connection class itself, removing the need for
them.

Tested: HTML page now loads when pointing at a redfish URL with a
browser.

Change-Id: I623b43cbcbb43d9e65b408853660be09a5edb2b3
Signed-off-by: Ed Tanous <ed@tanous.net>

show more ...


# 3ce3688a 09-Jun-2024 Ed Tanous <ed@tanous.net>

Mutual TLS parsing change at runtime

Redfish AccountService[1] defines methods for selecting how to map a
certificate CommonName attribute to a user. These are intended to be a
patch parameter.

Th

Mutual TLS parsing change at runtime

Redfish AccountService[1] defines methods for selecting how to map a
certificate CommonName attribute to a user. These are intended to be a
patch parameter.

This commit implements the Redfish defined schemas; The parsing mode is
stored in the bmcweb persistent configuration file as an integer enum,
with Mapping to the Redfish schema.

To handle OEM specific parsing modes, an enum value of 100+ is defined
to allow the additional OEM parameters. Unfortunately, Redfish doesn't
have a way to represent these today, so those modes are currently not
selectable at runtime.

Now that things are runtime selectable, this obsoletes the option
mutual-tls-common-name-parsing, as it is not longer required at compile
time.

Tested:
GET /redfish/v1/AccountService

returns MultiFactorAuth/ClientCertificate/CertificateMappingAttribute

PATCH /redfish/v1/AccountService
```
{"MultiFactorAuth": {"ClientCertificate": {"CertificateMappingAttribute":"CommonName"}}}
```

Returns 200

[1] https://github.com/DMTF/Redfish-Publications/blob/5b217908b5378b24e4f390c063427d7a707cd308/csdl/AccountService_v1.xml#L1631

Change-Id: I67db0dfa5245a9da973320aab666d12dbd9229e4
Signed-off-by: Ed Tanous <ed@tanous.net>

show more ...


# 25b54dba 17-Apr-2024 Ed Tanous <ed@tanous.net>

Bring consistency to config options

The configuration options that exist in bmcweb are an amalgimation of
CROW options, CMAKE options using #define, pre-bmcweb ifdef mechanisms
and meson options usi

Bring consistency to config options

The configuration options that exist in bmcweb are an amalgimation of
CROW options, CMAKE options using #define, pre-bmcweb ifdef mechanisms
and meson options using a config file. This history has led to a lot of
different ways to configure code in the codebase itself, which has led
to problems, and issues in consistency.

ifdef options do no compile time checking of code not within the branch.
This is good when you have optional dependencies, but not great when
you're trying to ensure both options compile.

This commit moves all internal configuration options to:
1. A namespace called bmcweb
2. A naming scheme matching the meson option. hyphens are replaced with
underscores, and the option is uppercased. This consistent transform
allows matching up option keys with their code counterparts, without
naming changes.
3. All options are bool true = enabled, and any options with _ENABLED or
_DISABLED postfixes have those postfixes removed. (note, there are
still some options with disable in the name, those are left as-is)
4. All options are now constexpr booleans, without an explicit compare.

To accomplish this, unfortunately an option list in config/meson.build
is required, given that meson doesn't provide a way to dump all options,
as is a manual entry in bmcweb_config.h.in, in addition to the
meson_options. This obsoletes the map in the main meson.build, which
helps some of the complexity.

Now that we've done this, we have some rules that will be documented.
1. Runtime behavior changes should be added as a constexpr bool to
bmcweb_config.h
2. Options that require optionally pulling in a dependency shall use an
ifdef, defined in the primary meson.build. (note, there are no
options that currently meet this class, but it's included for
completeness.)

Note, that this consolidation means that at configure time, all options
are printed. This is a good thing and allows direct comparison of
configs in log files.

Tested: Code compiles
Server boots, and shows options configured in the default build. (HTTPS,
log level, etc)

Change-Id: I94e79a56bcdc01755036e4e7278c7e69e25809ce
Signed-off-by: Ed Tanous <ed@tanous.net>

show more ...


# 6dbe9bea 14-Apr-2024 Ed Tanous <ed@tanous.net>

Remove OpenSSL warnings ignore

If we include OpenSSL in extern "C" blocks consistently, c++ warnings no
longer appear. This means we can remove the special case from meson.

Tested: Code compiles w

Remove OpenSSL warnings ignore

If we include OpenSSL in extern "C" blocks consistently, c++ warnings no
longer appear. This means we can remove the special case from meson.

Tested: Code compiles when built locally on an ubuntu 22.04 system.

Change-Id: I5add4113b32cd88b7fdd874174c845425a7c287a
Signed-off-by: Ed Tanous <ed@tanous.net>

show more ...


# 0e373b53 31-Oct-2023 Marco Kawajiri <kawajiri@meta.com>

mutual-tls: Add support for Meta certificates

Meta Inc's client certificates use an internal Subject CN format
which AFAIK is specific to Meta and don't adhere to a known standard:

Subject: CN =

mutual-tls: Add support for Meta certificates

Meta Inc's client certificates use an internal Subject CN format
which AFAIK is specific to Meta and don't adhere to a known standard:

Subject: CN = <type>:<entity>/<hostname>

Commit adds the `mutual-tls-common-name-parsing=meta` option to, on
Meta builds, parse the Subject CN field and map either the <entity>
to a local user.

The <type> field determines what kind of client identity the cert
represents. Only type="user" is supported for now with <entity> being
the unixname of a Meta employee. For example, the Subject CN string
below maps to a local BMC user named "kawmarco":

Subject CN = "user:kawmarco/dev123.facebook.com"

Tested: Unit tests, built and tested on romulus using the script below:
https://gist.github.com/kawmarco/87170a8250020023d913ed5f7ed5c01f

Flags used in meta-ibm/meta-romulus/conf/layer.conf :
```
-Dbmcweb-logging='enabled'
-Dmutual-tls-common-name-parsing='meta'
```

Change-Id: I35ee9b92d163ce56815a5bd9cce5296ba1a44eef
Signed-off-by: Marco Kawajiri <kawajiri@meta.com>

show more ...


# 23f1c96e 05-Dec-2023 Ed Tanous <ed@tanous.net>

Simplify mutual TLS checks

bmcweb should be using the openssl primitives for these checks. There
are examples where we've known to have gotten the behavior incorrect, so
given that OpenSSL clearly

Simplify mutual TLS checks

bmcweb should be using the openssl primitives for these checks. There
are examples where we've known to have gotten the behavior incorrect, so
given that OpenSSL clearly should know these things better than we do,
use it.

Tested: unit tests pass.

Change-Id: I0bcd381a9e3c9a1e8e6dc39534e81fa698570689
Signed-off-by: Ed Tanous <ed@tanous.net>

show more ...


# 62598e31 17-Jul-2023 Ed Tanous <ed@tanous.net>

Replace logging with std::format

std::format is a much more modern logging solution, and gives us a lot
more flexibility, and better compile times when doing logging.

Unfortunately, given its level

Replace logging with std::format

std::format is a much more modern logging solution, and gives us a lot
more flexibility, and better compile times when doing logging.

Unfortunately, given its level of compile time checks, it needs to be a
method, instead of the stream style logging we had before. This
requires a pretty substantial change. Fortunately, this change can be
largely automated, via the script included in this commit under
scripts/replace_logs.py. This is to aid people in moving their
patchsets over to the new form in the short period where old patches
will be based on the old logging. The intention is that this script
eventually goes away.

The old style logging (stream based) looked like.

BMCWEB_LOG_DEBUG << "Foo " << foo;

The new equivalent of the above would be:
BMCWEB_LOG_DEBUG("Foo {}", foo);

In the course of doing this, this also cleans up several ignored linter
errors, including macro usage, and array to pointer deconstruction.

Note, This patchset does remove the timestamp from the log message. In
practice, this was duplicated between journald and bmcweb, and there's
no need for both to exist.

One design decision of note is the addition of logPtr. Because the
compiler can't disambiguate between const char* and const MyThing*, it's
necessary to add an explicit cast to void*. This is identical to how
fmt handled it.

Tested: compiled with logging meson_option enabled, and launched bmcweb

Saw the usual logging, similar to what was present before:
```
[Error include/webassets.hpp:60] Unable to find or open /usr/share/www/ static file hosting disabled
[Debug include/persistent_data.hpp:133] Restored Session Timeout: 1800
[Debug redfish-core/include/event_service_manager.hpp:671] Old eventService config not exist
[Info src/webserver_main.cpp:59] Starting webserver on port 18080
[Error redfish-core/include/event_service_manager.hpp:1301] inotify_add_watch failed for redfish log file.
[Info src/webserver_main.cpp:137] Start Hostname Monitor Service...
```
Signed-off-by: Ed Tanous <ed@tanous.net>

Change-Id: I86a46aa2454be7fe80df608cb7e5573ca4029ec8

show more ...


# 3d7fc71e 10-May-2023 Patrick Williams <patrick@stwcx.xyz>

mutual-tls: fix clang-tidy warning

```
../http/mutual_tls.hpp:77:35: error: unsafe buffer access [-Werror,-Wunsafe-buffer-usage]
unsigned char usageChar = usage->data[i];
```

Signed-off-by:

mutual-tls: fix clang-tidy warning

```
../http/mutual_tls.hpp:77:35: error: unsafe buffer access [-Werror,-Wunsafe-buffer-usage]
unsigned char usageChar = usage->data[i];
```

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Icc6905f31fdd54b683fe7807eb72e9b78437b2d1

show more ...


# 7c8e064d 21-Feb-2022 Ed Tanous <edtanous@google.com>

Refactor mtls callbacks into their own file

Mutual TLS is non-trivial enough that it definitely shouldn't be done in
an inline lambda method. This commit moves the code.

Tested: WIP. This is a pr

Refactor mtls callbacks into their own file

Mutual TLS is non-trivial enough that it definitely shouldn't be done in
an inline lambda method. This commit moves the code.

Tested: WIP. This is a pretty negligible code move; Minimal touch
testing should be good.

Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I7a15a6bc66f4d8fb090411509549628f6d1045a5

show more ...