"3281bcf157d2a5a7e12eea199e280fc21db3b3fb" (history) in projects: openbmc

Searched hist:"3281 bcf157d2a5a7e12eea199e280fc21db3b3fb" (Results 1 – 8 of 8) sorted by relevance

/openbmc/bmcweb/http/
H A D	http_server.hpp	diff 3281bcf157d2a5a7e12eea199e280fc21db3b3fb Tue Jun 25 18:02:05 CDT 2024 Ed Tanous <ed@tanous.net> Support RespondToUnauthenticatedClients PATCH RespondToUnauthenticatedClients allows users to explicitly select mTLS as their only authentication mechanism, thus significantly reducing their code exposure to unauthenticated clients. From the Redfish specification ``` The RespondToUnauthenticatedClients property within the ClientCertificate property within the MFA property of the AccountService resource controls the response behavior when an invalid certificate is provided by the client. • If the property contains true or is not supported by the service, the service shall not fail the TLS handshake. This is to allow the service to send error messages or unauthenticated resources to the client. • If the property contains false , the service shall fail the TLS handshake. ``` This commit implements that behavior. This also has some added benefits in that we no longer have to check the filesystem for every connection, as TLS is controlled explicitly, and not whether or not a root cert is in place. Note, this also implements a TODO to disable cookie auth when using mTLS. Clients can still use IsAuthenticated to determine if they are authenticated on request. Tested: Run scripts/generate_auth_certs.py to set up a root certificate and client certificate. This verifies that mTLS as optional has not been broken. Script succeeds. ``` PATCH /redfish/v1/AccountService {"MultiFactorAuth": {"ClientCertificate": {"RespondToUnauthenticatedClients": false}}} ``` GET /redfish/v1 without a client certificate now fails with an ssl verification error GET /redfish/v1 with a client certificate returns the result ``` PATCH /redfish/v1/AccountService {"MultiFactorAuth": {"ClientCertificate": {"RespondToUnauthenticatedClients": false}}} With certificate returns non mTLS functionality. ``` Change-Id: I5a9d6d6b1698bff83ab62b1f760afed6555849c9 Signed-off-by: Ed Tanous <ed@tanous.net>
H A D	app.hpp	diff 3281bcf157d2a5a7e12eea199e280fc21db3b3fb Tue Jun 25 18:02:05 CDT 2024 Ed Tanous <ed@tanous.net> Support RespondToUnauthenticatedClients PATCH RespondToUnauthenticatedClients allows users to explicitly select mTLS as their only authentication mechanism, thus significantly reducing their code exposure to unauthenticated clients. From the Redfish specification ``` The RespondToUnauthenticatedClients property within the ClientCertificate property within the MFA property of the AccountService resource controls the response behavior when an invalid certificate is provided by the client. • If the property contains true or is not supported by the service, the service shall not fail the TLS handshake. This is to allow the service to send error messages or unauthenticated resources to the client. • If the property contains false , the service shall fail the TLS handshake. ``` This commit implements that behavior. This also has some added benefits in that we no longer have to check the filesystem for every connection, as TLS is controlled explicitly, and not whether or not a root cert is in place. Note, this also implements a TODO to disable cookie auth when using mTLS. Clients can still use IsAuthenticated to determine if they are authenticated on request. Tested: Run scripts/generate_auth_certs.py to set up a root certificate and client certificate. This verifies that mTLS as optional has not been broken. Script succeeds. ``` PATCH /redfish/v1/AccountService {"MultiFactorAuth": {"ClientCertificate": {"RespondToUnauthenticatedClients": false}}} ``` GET /redfish/v1 without a client certificate now fails with an ssl verification error GET /redfish/v1 with a client certificate returns the result ``` PATCH /redfish/v1/AccountService {"MultiFactorAuth": {"ClientCertificate": {"RespondToUnauthenticatedClients": false}}} With certificate returns non mTLS functionality. ``` Change-Id: I5a9d6d6b1698bff83ab62b1f760afed6555849c9 Signed-off-by: Ed Tanous <ed@tanous.net>
H A D	http_connection.hpp	diff 3281bcf157d2a5a7e12eea199e280fc21db3b3fb Tue Jun 25 18:02:05 CDT 2024 Ed Tanous <ed@tanous.net> Support RespondToUnauthenticatedClients PATCH RespondToUnauthenticatedClients allows users to explicitly select mTLS as their only authentication mechanism, thus significantly reducing their code exposure to unauthenticated clients. From the Redfish specification ``` The RespondToUnauthenticatedClients property within the ClientCertificate property within the MFA property of the AccountService resource controls the response behavior when an invalid certificate is provided by the client. • If the property contains true or is not supported by the service, the service shall not fail the TLS handshake. This is to allow the service to send error messages or unauthenticated resources to the client. • If the property contains false , the service shall fail the TLS handshake. ``` This commit implements that behavior. This also has some added benefits in that we no longer have to check the filesystem for every connection, as TLS is controlled explicitly, and not whether or not a root cert is in place. Note, this also implements a TODO to disable cookie auth when using mTLS. Clients can still use IsAuthenticated to determine if they are authenticated on request. Tested: Run scripts/generate_auth_certs.py to set up a root certificate and client certificate. This verifies that mTLS as optional has not been broken. Script succeeds. ``` PATCH /redfish/v1/AccountService {"MultiFactorAuth": {"ClientCertificate": {"RespondToUnauthenticatedClients": false}}} ``` GET /redfish/v1 without a client certificate now fails with an ssl verification error GET /redfish/v1 with a client certificate returns the result ``` PATCH /redfish/v1/AccountService {"MultiFactorAuth": {"ClientCertificate": {"RespondToUnauthenticatedClients": false}}} With certificate returns non mTLS functionality. ``` Change-Id: I5a9d6d6b1698bff83ab62b1f760afed6555849c9 Signed-off-by: Ed Tanous <ed@tanous.net>
/openbmc/bmcweb/include/
H A D	authentication.hpp	diff 3281bcf157d2a5a7e12eea199e280fc21db3b3fb Tue Jun 25 18:02:05 CDT 2024 Ed Tanous <ed@tanous.net> Support RespondToUnauthenticatedClients PATCH RespondToUnauthenticatedClients allows users to explicitly select mTLS as their only authentication mechanism, thus significantly reducing their code exposure to unauthenticated clients. From the Redfish specification ``` The RespondToUnauthenticatedClients property within the ClientCertificate property within the MFA property of the AccountService resource controls the response behavior when an invalid certificate is provided by the client. • If the property contains true or is not supported by the service, the service shall not fail the TLS handshake. This is to allow the service to send error messages or unauthenticated resources to the client. • If the property contains false , the service shall fail the TLS handshake. ``` This commit implements that behavior. This also has some added benefits in that we no longer have to check the filesystem for every connection, as TLS is controlled explicitly, and not whether or not a root cert is in place. Note, this also implements a TODO to disable cookie auth when using mTLS. Clients can still use IsAuthenticated to determine if they are authenticated on request. Tested: Run scripts/generate_auth_certs.py to set up a root certificate and client certificate. This verifies that mTLS as optional has not been broken. Script succeeds. ``` PATCH /redfish/v1/AccountService {"MultiFactorAuth": {"ClientCertificate": {"RespondToUnauthenticatedClients": false}}} ``` GET /redfish/v1 without a client certificate now fails with an ssl verification error GET /redfish/v1 with a client certificate returns the result ``` PATCH /redfish/v1/AccountService {"MultiFactorAuth": {"ClientCertificate": {"RespondToUnauthenticatedClients": false}}} With certificate returns non mTLS functionality. ``` Change-Id: I5a9d6d6b1698bff83ab62b1f760afed6555849c9 Signed-off-by: Ed Tanous <ed@tanous.net>
H A D	persistent_data.hpp	diff 3281bcf157d2a5a7e12eea199e280fc21db3b3fb Tue Jun 25 18:02:05 CDT 2024 Ed Tanous <ed@tanous.net> Support RespondToUnauthenticatedClients PATCH RespondToUnauthenticatedClients allows users to explicitly select mTLS as their only authentication mechanism, thus significantly reducing their code exposure to unauthenticated clients. From the Redfish specification ``` The RespondToUnauthenticatedClients property within the ClientCertificate property within the MFA property of the AccountService resource controls the response behavior when an invalid certificate is provided by the client. • If the property contains true or is not supported by the service, the service shall not fail the TLS handshake. This is to allow the service to send error messages or unauthenticated resources to the client. • If the property contains false , the service shall fail the TLS handshake. ``` This commit implements that behavior. This also has some added benefits in that we no longer have to check the filesystem for every connection, as TLS is controlled explicitly, and not whether or not a root cert is in place. Note, this also implements a TODO to disable cookie auth when using mTLS. Clients can still use IsAuthenticated to determine if they are authenticated on request. Tested: Run scripts/generate_auth_certs.py to set up a root certificate and client certificate. This verifies that mTLS as optional has not been broken. Script succeeds. ``` PATCH /redfish/v1/AccountService {"MultiFactorAuth": {"ClientCertificate": {"RespondToUnauthenticatedClients": false}}} ``` GET /redfish/v1 without a client certificate now fails with an ssl verification error GET /redfish/v1 with a client certificate returns the result ``` PATCH /redfish/v1/AccountService {"MultiFactorAuth": {"ClientCertificate": {"RespondToUnauthenticatedClients": false}}} With certificate returns non mTLS functionality. ``` Change-Id: I5a9d6d6b1698bff83ab62b1f760afed6555849c9 Signed-off-by: Ed Tanous <ed@tanous.net>
H A D	ssl_key_handler.hpp	diff 3281bcf157d2a5a7e12eea199e280fc21db3b3fb Tue Jun 25 18:02:05 CDT 2024 Ed Tanous <ed@tanous.net> Support RespondToUnauthenticatedClients PATCH RespondToUnauthenticatedClients allows users to explicitly select mTLS as their only authentication mechanism, thus significantly reducing their code exposure to unauthenticated clients. From the Redfish specification ``` The RespondToUnauthenticatedClients property within the ClientCertificate property within the MFA property of the AccountService resource controls the response behavior when an invalid certificate is provided by the client. • If the property contains true or is not supported by the service, the service shall not fail the TLS handshake. This is to allow the service to send error messages or unauthenticated resources to the client. • If the property contains false , the service shall fail the TLS handshake. ``` This commit implements that behavior. This also has some added benefits in that we no longer have to check the filesystem for every connection, as TLS is controlled explicitly, and not whether or not a root cert is in place. Note, this also implements a TODO to disable cookie auth when using mTLS. Clients can still use IsAuthenticated to determine if they are authenticated on request. Tested: Run scripts/generate_auth_certs.py to set up a root certificate and client certificate. This verifies that mTLS as optional has not been broken. Script succeeds. ``` PATCH /redfish/v1/AccountService {"MultiFactorAuth": {"ClientCertificate": {"RespondToUnauthenticatedClients": false}}} ``` GET /redfish/v1 without a client certificate now fails with an ssl verification error GET /redfish/v1 with a client certificate returns the result ``` PATCH /redfish/v1/AccountService {"MultiFactorAuth": {"ClientCertificate": {"RespondToUnauthenticatedClients": false}}} With certificate returns non mTLS functionality. ``` Change-Id: I5a9d6d6b1698bff83ab62b1f760afed6555849c9 Signed-off-by: Ed Tanous <ed@tanous.net>
H A D	sessions.hpp	diff 3281bcf157d2a5a7e12eea199e280fc21db3b3fb Tue Jun 25 18:02:05 CDT 2024 Ed Tanous <ed@tanous.net> Support RespondToUnauthenticatedClients PATCH RespondToUnauthenticatedClients allows users to explicitly select mTLS as their only authentication mechanism, thus significantly reducing their code exposure to unauthenticated clients. From the Redfish specification ``` The RespondToUnauthenticatedClients property within the ClientCertificate property within the MFA property of the AccountService resource controls the response behavior when an invalid certificate is provided by the client. • If the property contains true or is not supported by the service, the service shall not fail the TLS handshake. This is to allow the service to send error messages or unauthenticated resources to the client. • If the property contains false , the service shall fail the TLS handshake. ``` This commit implements that behavior. This also has some added benefits in that we no longer have to check the filesystem for every connection, as TLS is controlled explicitly, and not whether or not a root cert is in place. Note, this also implements a TODO to disable cookie auth when using mTLS. Clients can still use IsAuthenticated to determine if they are authenticated on request. Tested: Run scripts/generate_auth_certs.py to set up a root certificate and client certificate. This verifies that mTLS as optional has not been broken. Script succeeds. ``` PATCH /redfish/v1/AccountService {"MultiFactorAuth": {"ClientCertificate": {"RespondToUnauthenticatedClients": false}}} ``` GET /redfish/v1 without a client certificate now fails with an ssl verification error GET /redfish/v1 with a client certificate returns the result ``` PATCH /redfish/v1/AccountService {"MultiFactorAuth": {"ClientCertificate": {"RespondToUnauthenticatedClients": false}}} With certificate returns non mTLS functionality. ``` Change-Id: I5a9d6d6b1698bff83ab62b1f760afed6555849c9 Signed-off-by: Ed Tanous <ed@tanous.net>
/openbmc/bmcweb/redfish-core/lib/
H A D	account_service.hpp	diff 3281bcf157d2a5a7e12eea199e280fc21db3b3fb Tue Jun 25 18:02:05 CDT 2024 Ed Tanous <ed@tanous.net> Support RespondToUnauthenticatedClients PATCH RespondToUnauthenticatedClients allows users to explicitly select mTLS as their only authentication mechanism, thus significantly reducing their code exposure to unauthenticated clients. From the Redfish specification ``` The RespondToUnauthenticatedClients property within the ClientCertificate property within the MFA property of the AccountService resource controls the response behavior when an invalid certificate is provided by the client. • If the property contains true or is not supported by the service, the service shall not fail the TLS handshake. This is to allow the service to send error messages or unauthenticated resources to the client. • If the property contains false , the service shall fail the TLS handshake. ``` This commit implements that behavior. This also has some added benefits in that we no longer have to check the filesystem for every connection, as TLS is controlled explicitly, and not whether or not a root cert is in place. Note, this also implements a TODO to disable cookie auth when using mTLS. Clients can still use IsAuthenticated to determine if they are authenticated on request. Tested: Run scripts/generate_auth_certs.py to set up a root certificate and client certificate. This verifies that mTLS as optional has not been broken. Script succeeds. ``` PATCH /redfish/v1/AccountService {"MultiFactorAuth": {"ClientCertificate": {"RespondToUnauthenticatedClients": false}}} ``` GET /redfish/v1 without a client certificate now fails with an ssl verification error GET /redfish/v1 with a client certificate returns the result ``` PATCH /redfish/v1/AccountService {"MultiFactorAuth": {"ClientCertificate": {"RespondToUnauthenticatedClients": false}}} With certificate returns non mTLS functionality. ``` Change-Id: I5a9d6d6b1698bff83ab62b1f760afed6555849c9 Signed-off-by: Ed Tanous <ed@tanous.net>

Project(s)

Full Search
Definition
Symbol
File Path
History
Type