1d055a34aSNan Zhou #pragma once 2d055a34aSNan Zhou 3d055a34aSNan Zhou #include "webroutes.hpp" 4d055a34aSNan Zhou 5d055a34aSNan Zhou #include <app.hpp> 6d055a34aSNan Zhou #include <boost/container/flat_set.hpp> 7d055a34aSNan Zhou #include <common.hpp> 8d055a34aSNan Zhou #include <forward_unauthorized.hpp> 9d055a34aSNan Zhou #include <http_request.hpp> 10d055a34aSNan Zhou #include <http_response.hpp> 11d055a34aSNan Zhou #include <http_utility.hpp> 12d055a34aSNan Zhou #include <pam_authenticate.hpp> 13d055a34aSNan Zhou 14d055a34aSNan Zhou #include <random> 15d055a34aSNan Zhou #include <utility> 16d055a34aSNan Zhou 17d055a34aSNan Zhou namespace crow 18d055a34aSNan Zhou { 19d055a34aSNan Zhou 20d055a34aSNan Zhou namespace authentication 21d055a34aSNan Zhou { 22d055a34aSNan Zhou 2302cad96eSEd Tanous static void cleanupTempSession(const Request& req) 24d055a34aSNan Zhou { 25d055a34aSNan Zhou // TODO(ed) THis should really be handled by the persistent data 26d055a34aSNan Zhou // middleware, but because it is upstream, it doesn't have access to the 27d055a34aSNan Zhou // session information. Should the data middleware persist the current 28d055a34aSNan Zhou // user session? 29d055a34aSNan Zhou if (req.session != nullptr && 30d055a34aSNan Zhou req.session->persistence == 31d055a34aSNan Zhou persistent_data::PersistenceType::SINGLE_REQUEST) 32d055a34aSNan Zhou { 33d055a34aSNan Zhou persistent_data::SessionStore::getInstance().removeSession(req.session); 34d055a34aSNan Zhou } 35d055a34aSNan Zhou } 36d055a34aSNan Zhou 37d055a34aSNan Zhou #ifdef BMCWEB_ENABLE_BASIC_AUTHENTICATION 38d055a34aSNan Zhou static std::shared_ptr<persistent_data::UserSession> 39d055a34aSNan Zhou performBasicAuth(const boost::asio::ip::address& clientIp, 40d055a34aSNan Zhou std::string_view authHeader) 41d055a34aSNan Zhou { 42d055a34aSNan Zhou BMCWEB_LOG_DEBUG << "[AuthMiddleware] Basic authentication"; 43d055a34aSNan Zhou 4411ba3979SEd Tanous if (!authHeader.starts_with("Basic ")) 45d055a34aSNan Zhou { 46d055a34aSNan Zhou return nullptr; 47d055a34aSNan Zhou } 48d055a34aSNan Zhou 49d055a34aSNan Zhou std::string_view param = authHeader.substr(strlen("Basic ")); 50d055a34aSNan Zhou std::string authData; 51d055a34aSNan Zhou 52d055a34aSNan Zhou if (!crow::utility::base64Decode(param, authData)) 53d055a34aSNan Zhou { 54d055a34aSNan Zhou return nullptr; 55d055a34aSNan Zhou } 56d055a34aSNan Zhou std::size_t separator = authData.find(':'); 57d055a34aSNan Zhou if (separator == std::string::npos) 58d055a34aSNan Zhou { 59d055a34aSNan Zhou return nullptr; 60d055a34aSNan Zhou } 61d055a34aSNan Zhou 62d055a34aSNan Zhou std::string user = authData.substr(0, separator); 63d055a34aSNan Zhou separator += 1; 64d055a34aSNan Zhou if (separator > authData.size()) 65d055a34aSNan Zhou { 66d055a34aSNan Zhou return nullptr; 67d055a34aSNan Zhou } 68d055a34aSNan Zhou std::string pass = authData.substr(separator); 69d055a34aSNan Zhou 70d055a34aSNan Zhou BMCWEB_LOG_DEBUG << "[AuthMiddleware] Authenticating user: " << user; 71d055a34aSNan Zhou BMCWEB_LOG_DEBUG << "[AuthMiddleware] User IPAddress: " 72d055a34aSNan Zhou << clientIp.to_string(); 73d055a34aSNan Zhou 74d055a34aSNan Zhou int pamrc = pamAuthenticateUser(user, pass); 75d055a34aSNan Zhou bool isConfigureSelfOnly = pamrc == PAM_NEW_AUTHTOK_REQD; 76d055a34aSNan Zhou if ((pamrc != PAM_SUCCESS) && !isConfigureSelfOnly) 77d055a34aSNan Zhou { 78d055a34aSNan Zhou return nullptr; 79d055a34aSNan Zhou } 80d055a34aSNan Zhou 81d055a34aSNan Zhou // TODO(ed) generateUserSession is a little expensive for basic 82d055a34aSNan Zhou // auth, as it generates some random identifiers that will never be 83d055a34aSNan Zhou // used. This should have a "fast" path for when user tokens aren't 84d055a34aSNan Zhou // needed. 85d055a34aSNan Zhou // This whole flow needs to be revisited anyway, as we can't be 86d055a34aSNan Zhou // calling directly into pam for every request 87d055a34aSNan Zhou std::string unsupportedClientId; 88d055a34aSNan Zhou return persistent_data::SessionStore::getInstance().generateUserSession( 89d055a34aSNan Zhou user, clientIp, unsupportedClientId, 90d055a34aSNan Zhou persistent_data::PersistenceType::SINGLE_REQUEST, isConfigureSelfOnly); 91d055a34aSNan Zhou } 92d055a34aSNan Zhou #endif 93d055a34aSNan Zhou 94d055a34aSNan Zhou #ifdef BMCWEB_ENABLE_SESSION_AUTHENTICATION 95d055a34aSNan Zhou static std::shared_ptr<persistent_data::UserSession> 96d055a34aSNan Zhou performTokenAuth(std::string_view authHeader) 97d055a34aSNan Zhou { 98d055a34aSNan Zhou BMCWEB_LOG_DEBUG << "[AuthMiddleware] Token authentication"; 9911ba3979SEd Tanous if (!authHeader.starts_with("Token ")) 100d055a34aSNan Zhou { 101d055a34aSNan Zhou return nullptr; 102d055a34aSNan Zhou } 103d055a34aSNan Zhou std::string_view token = authHeader.substr(strlen("Token ")); 104d055a34aSNan Zhou auto sessionOut = 105d055a34aSNan Zhou persistent_data::SessionStore::getInstance().loginSessionByToken(token); 106d055a34aSNan Zhou return sessionOut; 107d055a34aSNan Zhou } 108d055a34aSNan Zhou #endif 109d055a34aSNan Zhou 110d055a34aSNan Zhou #ifdef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION 111d055a34aSNan Zhou static std::shared_ptr<persistent_data::UserSession> 112d055a34aSNan Zhou performXtokenAuth(const boost::beast::http::header<true>& reqHeader) 113d055a34aSNan Zhou { 114d055a34aSNan Zhou BMCWEB_LOG_DEBUG << "[AuthMiddleware] X-Auth-Token authentication"; 115d055a34aSNan Zhou 116d055a34aSNan Zhou std::string_view token = reqHeader["X-Auth-Token"]; 117d055a34aSNan Zhou if (token.empty()) 118d055a34aSNan Zhou { 119d055a34aSNan Zhou return nullptr; 120d055a34aSNan Zhou } 121d055a34aSNan Zhou auto sessionOut = 122d055a34aSNan Zhou persistent_data::SessionStore::getInstance().loginSessionByToken(token); 123d055a34aSNan Zhou return sessionOut; 124d055a34aSNan Zhou } 125d055a34aSNan Zhou #endif 126d055a34aSNan Zhou 127d055a34aSNan Zhou #ifdef BMCWEB_ENABLE_COOKIE_AUTHENTICATION 128d055a34aSNan Zhou static std::shared_ptr<persistent_data::UserSession> 129d055a34aSNan Zhou performCookieAuth(boost::beast::http::verb method, 130d055a34aSNan Zhou const boost::beast::http::header<true>& reqHeader) 131d055a34aSNan Zhou { 132d055a34aSNan Zhou BMCWEB_LOG_DEBUG << "[AuthMiddleware] Cookie authentication"; 133d055a34aSNan Zhou 134d055a34aSNan Zhou std::string_view cookieValue = reqHeader["Cookie"]; 135d055a34aSNan Zhou if (cookieValue.empty()) 136d055a34aSNan Zhou { 137d055a34aSNan Zhou return nullptr; 138d055a34aSNan Zhou } 139d055a34aSNan Zhou 140d055a34aSNan Zhou auto startIndex = cookieValue.find("SESSION="); 141d055a34aSNan Zhou if (startIndex == std::string::npos) 142d055a34aSNan Zhou { 143d055a34aSNan Zhou return nullptr; 144d055a34aSNan Zhou } 145d055a34aSNan Zhou startIndex += sizeof("SESSION=") - 1; 146d055a34aSNan Zhou auto endIndex = cookieValue.find(';', startIndex); 147d055a34aSNan Zhou if (endIndex == std::string::npos) 148d055a34aSNan Zhou { 149d055a34aSNan Zhou endIndex = cookieValue.size(); 150d055a34aSNan Zhou } 151d055a34aSNan Zhou std::string_view authKey = 152d055a34aSNan Zhou cookieValue.substr(startIndex, endIndex - startIndex); 153d055a34aSNan Zhou 154d055a34aSNan Zhou std::shared_ptr<persistent_data::UserSession> sessionOut = 155d055a34aSNan Zhou persistent_data::SessionStore::getInstance().loginSessionByToken( 156d055a34aSNan Zhou authKey); 157d055a34aSNan Zhou if (sessionOut == nullptr) 158d055a34aSNan Zhou { 159d055a34aSNan Zhou return nullptr; 160d055a34aSNan Zhou } 161d055a34aSNan Zhou #ifndef BMCWEB_INSECURE_DISABLE_CSRF_PREVENTION 162d055a34aSNan Zhou // RFC7231 defines methods that need csrf protection 163d055a34aSNan Zhou if (method != boost::beast::http::verb::get) 164d055a34aSNan Zhou { 165d055a34aSNan Zhou std::string_view csrf = reqHeader["X-XSRF-TOKEN"]; 166d055a34aSNan Zhou // Make sure both tokens are filled 167d055a34aSNan Zhou if (csrf.empty() || sessionOut->csrfToken.empty()) 168d055a34aSNan Zhou { 169d055a34aSNan Zhou return nullptr; 170d055a34aSNan Zhou } 171d055a34aSNan Zhou 172d055a34aSNan Zhou if (csrf.size() != persistent_data::sessionTokenSize) 173d055a34aSNan Zhou { 174d055a34aSNan Zhou return nullptr; 175d055a34aSNan Zhou } 176d055a34aSNan Zhou // Reject if csrf token not available 177d055a34aSNan Zhou if (!crow::utility::constantTimeStringCompare(csrf, 178d055a34aSNan Zhou sessionOut->csrfToken)) 179d055a34aSNan Zhou { 180d055a34aSNan Zhou return nullptr; 181d055a34aSNan Zhou } 182d055a34aSNan Zhou } 183d055a34aSNan Zhou #endif 184d055a34aSNan Zhou return sessionOut; 185d055a34aSNan Zhou } 186d055a34aSNan Zhou #endif 187d055a34aSNan Zhou 188d055a34aSNan Zhou #ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION 189d055a34aSNan Zhou static std::shared_ptr<persistent_data::UserSession> 190d055a34aSNan Zhou performTLSAuth(Response& res, 191d055a34aSNan Zhou const boost::beast::http::header<true>& reqHeader, 192d055a34aSNan Zhou const std::weak_ptr<persistent_data::UserSession>& session) 193d055a34aSNan Zhou { 194d055a34aSNan Zhou if (auto sp = session.lock()) 195d055a34aSNan Zhou { 196d055a34aSNan Zhou // set cookie only if this is req from the browser. 197d055a34aSNan Zhou if (reqHeader["User-Agent"].empty()) 198d055a34aSNan Zhou { 199d055a34aSNan Zhou BMCWEB_LOG_DEBUG << " TLS session: " << sp->uniqueId 200d055a34aSNan Zhou << " will be used for this request."; 201d055a34aSNan Zhou return sp; 202d055a34aSNan Zhou } 203d055a34aSNan Zhou std::string_view cookieValue = reqHeader["Cookie"]; 204d055a34aSNan Zhou if (cookieValue.empty() || 205d055a34aSNan Zhou cookieValue.find("SESSION=") == std::string::npos) 206d055a34aSNan Zhou { 207d055a34aSNan Zhou // TODO: change this to not switch to cookie auth 208d055a34aSNan Zhou res.addHeader( 209d055a34aSNan Zhou "Set-Cookie", 210d055a34aSNan Zhou "XSRF-TOKEN=" + sp->csrfToken + 211d055a34aSNan Zhou "; SameSite=Strict; Secure\r\nSet-Cookie: SESSION=" + 212d055a34aSNan Zhou sp->sessionToken + 213d055a34aSNan Zhou "; SameSite=Strict; Secure; HttpOnly\r\nSet-Cookie: " 214d055a34aSNan Zhou "IsAuthenticated=true; Secure"); 215d055a34aSNan Zhou BMCWEB_LOG_DEBUG << " TLS session: " << sp->uniqueId 216d055a34aSNan Zhou << " with cookie will be used for this request."; 217d055a34aSNan Zhou return sp; 218d055a34aSNan Zhou } 219d055a34aSNan Zhou } 220d055a34aSNan Zhou return nullptr; 221d055a34aSNan Zhou } 222d055a34aSNan Zhou #endif 223d055a34aSNan Zhou 224d055a34aSNan Zhou // checks if request can be forwarded without authentication 225d055a34aSNan Zhou [[maybe_unused]] static bool isOnAllowlist(std::string_view url, 226d055a34aSNan Zhou boost::beast::http::verb method) 227d055a34aSNan Zhou { 228d055a34aSNan Zhou if (boost::beast::http::verb::get == method) 229d055a34aSNan Zhou { 230d055a34aSNan Zhou if (url == "/redfish/v1" || url == "/redfish/v1/" || 231d055a34aSNan Zhou url == "/redfish" || url == "/redfish/" || 232d055a34aSNan Zhou url == "/redfish/v1/odata" || url == "/redfish/v1/odata/") 233d055a34aSNan Zhou { 234d055a34aSNan Zhou return true; 235d055a34aSNan Zhou } 236d055a34aSNan Zhou if (crow::webroutes::routes.find(std::string(url)) != 237d055a34aSNan Zhou crow::webroutes::routes.end()) 238d055a34aSNan Zhou { 239d055a34aSNan Zhou return true; 240d055a34aSNan Zhou } 241d055a34aSNan Zhou } 242d055a34aSNan Zhou 243d055a34aSNan Zhou // it's allowed to POST on session collection & login without 244d055a34aSNan Zhou // authentication 245d055a34aSNan Zhou if (boost::beast::http::verb::post == method) 246d055a34aSNan Zhou { 247d055a34aSNan Zhou if ((url == "/redfish/v1/SessionService/Sessions") || 248d055a34aSNan Zhou (url == "/redfish/v1/SessionService/Sessions/") || 249d055a34aSNan Zhou (url == "/redfish/v1/SessionService/Sessions/Members") || 250d055a34aSNan Zhou (url == "/redfish/v1/SessionService/Sessions/Members/") || 251d055a34aSNan Zhou (url == "/login")) 252d055a34aSNan Zhou { 253d055a34aSNan Zhou return true; 254d055a34aSNan Zhou } 255d055a34aSNan Zhou } 256d055a34aSNan Zhou 257d055a34aSNan Zhou return false; 258d055a34aSNan Zhou } 259d055a34aSNan Zhou 260d055a34aSNan Zhou [[maybe_unused]] static std::shared_ptr<persistent_data::UserSession> 261d055a34aSNan Zhou authenticate( 26202cad96eSEd Tanous const boost::asio::ip::address& ipAddress [[maybe_unused]], 263*3acced2cSNan Zhou Response& res [[maybe_unused]], 264*3acced2cSNan Zhou boost::beast::http::verb method [[maybe_unused]], 265d055a34aSNan Zhou const boost::beast::http::header<true>& reqHeader, 266d055a34aSNan Zhou [[maybe_unused]] const std::shared_ptr<persistent_data::UserSession>& 267d055a34aSNan Zhou session) 268d055a34aSNan Zhou { 269d055a34aSNan Zhou const persistent_data::AuthConfigMethods& authMethodsConfig = 270d055a34aSNan Zhou persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); 271d055a34aSNan Zhou 272d055a34aSNan Zhou std::shared_ptr<persistent_data::UserSession> sessionOut = nullptr; 273d055a34aSNan Zhou #ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION 274d055a34aSNan Zhou if (authMethodsConfig.tls) 275d055a34aSNan Zhou { 276d055a34aSNan Zhou sessionOut = performTLSAuth(res, reqHeader, session); 277d055a34aSNan Zhou } 278d055a34aSNan Zhou #endif 279d055a34aSNan Zhou #ifdef BMCWEB_ENABLE_XTOKEN_AUTHENTICATION 280d055a34aSNan Zhou if (sessionOut == nullptr && authMethodsConfig.xtoken) 281d055a34aSNan Zhou { 282d055a34aSNan Zhou sessionOut = performXtokenAuth(reqHeader); 283d055a34aSNan Zhou } 284d055a34aSNan Zhou #endif 285d055a34aSNan Zhou #ifdef BMCWEB_ENABLE_COOKIE_AUTHENTICATION 286d055a34aSNan Zhou if (sessionOut == nullptr && authMethodsConfig.cookie) 287d055a34aSNan Zhou { 288d055a34aSNan Zhou sessionOut = performCookieAuth(method, reqHeader); 289d055a34aSNan Zhou } 290d055a34aSNan Zhou #endif 291d055a34aSNan Zhou std::string_view authHeader = reqHeader["Authorization"]; 292d055a34aSNan Zhou BMCWEB_LOG_DEBUG << "authHeader=" << authHeader; 293d055a34aSNan Zhou 294d055a34aSNan Zhou if (sessionOut == nullptr && authMethodsConfig.sessionToken) 295d055a34aSNan Zhou { 296d055a34aSNan Zhou #ifdef BMCWEB_ENABLE_SESSION_AUTHENTICATION 297d055a34aSNan Zhou sessionOut = performTokenAuth(authHeader); 298d055a34aSNan Zhou #endif 299d055a34aSNan Zhou } 300d055a34aSNan Zhou if (sessionOut == nullptr && authMethodsConfig.basic) 301d055a34aSNan Zhou { 302d055a34aSNan Zhou #ifdef BMCWEB_ENABLE_BASIC_AUTHENTICATION 303d055a34aSNan Zhou sessionOut = performBasicAuth(ipAddress, authHeader); 304d055a34aSNan Zhou #endif 305d055a34aSNan Zhou } 306d055a34aSNan Zhou if (sessionOut != nullptr) 307d055a34aSNan Zhou { 308d055a34aSNan Zhou return sessionOut; 309d055a34aSNan Zhou } 310d055a34aSNan Zhou 311d055a34aSNan Zhou return nullptr; 312d055a34aSNan Zhou } 313d055a34aSNan Zhou 314d055a34aSNan Zhou } // namespace authentication 315d055a34aSNan Zhou } // namespace crow 316