xref: /openbmc/bmcweb/include/authentication.hpp (revision 16d95ec693094b005a27feebe49007f446a0135d)
1 #pragma once
2 
3 #include "forward_unauthorized.hpp"
4 #include "http_request.hpp"
5 #include "http_response.hpp"
6 #include "http_utility.hpp"
7 #include "pam_authenticate.hpp"
8 #include "webroutes.hpp"
9 
10 #include <boost/container/flat_set.hpp>
11 
12 #include <random>
13 #include <utility>
14 
15 namespace crow
16 {
17 
18 namespace authentication
19 {
20 
21 inline void cleanupTempSession(const Request& req)
22 {
23     // TODO(ed) THis should really be handled by the persistent data
24     // middleware, but because it is upstream, it doesn't have access to the
25     // session information.  Should the data middleware persist the current
26     // user session?
27     if (req.session != nullptr &&
28         req.session->persistence ==
29             persistent_data::PersistenceType::SINGLE_REQUEST)
30     {
31         persistent_data::SessionStore::getInstance().removeSession(req.session);
32     }
33 }
34 
35 inline std::shared_ptr<persistent_data::UserSession>
36     performBasicAuth(const boost::asio::ip::address& clientIp,
37                      std::string_view authHeader)
38 {
39     BMCWEB_LOG_DEBUG("[AuthMiddleware] Basic authentication");
40 
41     if (!authHeader.starts_with("Basic "))
42     {
43         return nullptr;
44     }
45 
46     std::string_view param = authHeader.substr(strlen("Basic "));
47     std::string authData;
48 
49     if (!crow::utility::base64Decode(param, authData))
50     {
51         return nullptr;
52     }
53     std::size_t separator = authData.find(':');
54     if (separator == std::string::npos)
55     {
56         return nullptr;
57     }
58 
59     std::string user = authData.substr(0, separator);
60     separator += 1;
61     if (separator > authData.size())
62     {
63         return nullptr;
64     }
65     std::string pass = authData.substr(separator);
66 
67     BMCWEB_LOG_DEBUG("[AuthMiddleware] Authenticating user: {}", user);
68     BMCWEB_LOG_DEBUG("[AuthMiddleware] User IPAddress: {}",
69                      clientIp.to_string());
70 
71     int pamrc = pamAuthenticateUser(user, pass);
72     bool isConfigureSelfOnly = pamrc == PAM_NEW_AUTHTOK_REQD;
73     if ((pamrc != PAM_SUCCESS) && !isConfigureSelfOnly)
74     {
75         return nullptr;
76     }
77 
78     // TODO(ed) generateUserSession is a little expensive for basic
79     // auth, as it generates some random identifiers that will never be
80     // used.  This should have a "fast" path for when user tokens aren't
81     // needed.
82     // This whole flow needs to be revisited anyway, as we can't be
83     // calling directly into pam for every request
84     return persistent_data::SessionStore::getInstance().generateUserSession(
85         user, clientIp, std::nullopt,
86         persistent_data::PersistenceType::SINGLE_REQUEST, isConfigureSelfOnly);
87 }
88 
89 inline std::shared_ptr<persistent_data::UserSession>
90     performTokenAuth(std::string_view authHeader)
91 {
92     BMCWEB_LOG_DEBUG("[AuthMiddleware] Token authentication");
93     if (!authHeader.starts_with("Token "))
94     {
95         return nullptr;
96     }
97     std::string_view token = authHeader.substr(strlen("Token "));
98     auto sessionOut =
99         persistent_data::SessionStore::getInstance().loginSessionByToken(token);
100     return sessionOut;
101 }
102 
103 inline std::shared_ptr<persistent_data::UserSession>
104     performXtokenAuth(const boost::beast::http::header<true>& reqHeader)
105 {
106     BMCWEB_LOG_DEBUG("[AuthMiddleware] X-Auth-Token authentication");
107 
108     std::string_view token = reqHeader["X-Auth-Token"];
109     if (token.empty())
110     {
111         return nullptr;
112     }
113     auto sessionOut =
114         persistent_data::SessionStore::getInstance().loginSessionByToken(token);
115     return sessionOut;
116 }
117 
118 inline std::shared_ptr<persistent_data::UserSession>
119     performCookieAuth(boost::beast::http::verb method [[maybe_unused]],
120                       const boost::beast::http::header<true>& reqHeader)
121 {
122     using headers = boost::beast::http::header<true>;
123     std::pair<headers::const_iterator, headers::const_iterator> cookies =
124         reqHeader.equal_range(boost::beast::http::field::cookie);
125 
126     for (auto it = cookies.first; it != cookies.second; it++)
127     {
128         std::string_view cookieValue = it->value();
129         BMCWEB_LOG_DEBUG("Checking cookie {}", cookieValue);
130         auto startIndex = cookieValue.find("SESSION=");
131         if (startIndex == std::string::npos)
132         {
133             BMCWEB_LOG_DEBUG(
134                 "Cookie was present, but didn't look like a session {}",
135                 cookieValue);
136             continue;
137         }
138         startIndex += sizeof("SESSION=") - 1;
139         auto endIndex = cookieValue.find(';', startIndex);
140         if (endIndex == std::string::npos)
141         {
142             endIndex = cookieValue.size();
143         }
144         std::string_view authKey = cookieValue.substr(startIndex,
145                                                       endIndex - startIndex);
146 
147         std::shared_ptr<persistent_data::UserSession> sessionOut =
148             persistent_data::SessionStore::getInstance().loginSessionByToken(
149                 authKey);
150         if (sessionOut == nullptr)
151         {
152             return nullptr;
153         }
154         sessionOut->cookieAuth = true;
155 
156         if constexpr (!BMCWEB_INSECURE_DISABLE_CSRF)
157         {
158             // RFC7231 defines methods that need csrf protection
159             if (method != boost::beast::http::verb::get)
160             {
161                 std::string_view csrf = reqHeader["X-XSRF-TOKEN"];
162                 // Make sure both tokens are filled
163                 if (csrf.empty() || sessionOut->csrfToken.empty())
164                 {
165                     return nullptr;
166                 }
167 
168                 if (csrf.size() != persistent_data::sessionTokenSize)
169                 {
170                     return nullptr;
171                 }
172                 // Reject if csrf token not available
173                 if (!crow::utility::constantTimeStringCompare(
174                         csrf, sessionOut->csrfToken))
175                 {
176                     return nullptr;
177                 }
178             }
179         }
180         return sessionOut;
181     }
182     return nullptr;
183 }
184 
185 inline std::shared_ptr<persistent_data::UserSession>
186     performTLSAuth(Response& res,
187                    const boost::beast::http::header<true>& reqHeader,
188                    const std::weak_ptr<persistent_data::UserSession>& session)
189 {
190     if (auto sp = session.lock())
191     {
192         // set cookie only if this is req from the browser.
193         if (reqHeader["User-Agent"].empty())
194         {
195             BMCWEB_LOG_DEBUG(" TLS session: {} will be used for this request.",
196                              sp->uniqueId);
197             return sp;
198         }
199         // TODO: change this to not switch to cookie auth
200         res.addHeader(boost::beast::http::field::set_cookie,
201                       "XSRF-TOKEN=" + sp->csrfToken +
202                           "; SameSite=Strict; Secure");
203         res.addHeader(boost::beast::http::field::set_cookie,
204                       "SESSION=" + sp->sessionToken +
205                           "; SameSite=Strict; Secure; HttpOnly");
206         res.addHeader(boost::beast::http::field::set_cookie,
207                       "IsAuthenticated=true; Secure");
208         BMCWEB_LOG_DEBUG(
209             " TLS session: {} with cookie will be used for this request.",
210             sp->uniqueId);
211         return sp;
212     }
213     return nullptr;
214 }
215 
216 // checks if request can be forwarded without authentication
217 inline bool isOnAllowlist(std::string_view url, boost::beast::http::verb method)
218 {
219     // Handle the case where the router registers routes as both ending with /
220     // and not.
221     if (url.ends_with('/') && url != "/")
222     {
223         url.remove_suffix(1);
224     }
225     if (boost::beast::http::verb::get == method)
226     {
227         if ((url == "/redfish") ||          //
228             (url == "/redfish/v1") ||       //
229             (url == "/redfish/v1/odata") || //
230             (url == "/redfish/v1/$metadata"))
231         {
232             return true;
233         }
234         if (crow::webroutes::routes.find(std::string(url)) !=
235             crow::webroutes::routes.end())
236         {
237             return true;
238         }
239     }
240 
241     // it's allowed to POST on session collection & login without
242     // authentication
243     if (boost::beast::http::verb::post == method)
244     {
245         if ((url == "/redfish/v1/SessionService/Sessions") ||
246             (url == "/redfish/v1/SessionService/Sessions/Members") ||
247             (url == "/login"))
248         {
249             return true;
250         }
251     }
252 
253     return false;
254 }
255 
256 inline std::shared_ptr<persistent_data::UserSession> authenticate(
257     const boost::asio::ip::address& ipAddress [[maybe_unused]],
258     Response& res [[maybe_unused]],
259     boost::beast::http::verb method [[maybe_unused]],
260     const boost::beast::http::header<true>& reqHeader,
261     [[maybe_unused]] const std::shared_ptr<persistent_data::UserSession>&
262         session)
263 {
264     const persistent_data::AuthConfigMethods& authMethodsConfig =
265         persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
266 
267     std::shared_ptr<persistent_data::UserSession> sessionOut = nullptr;
268     if constexpr (BMCWEB_MUTUAL_TLS_AUTH)
269     {
270         if (authMethodsConfig.tls)
271         {
272             sessionOut = performTLSAuth(res, reqHeader, session);
273         }
274     }
275     if constexpr (BMCWEB_XTOKEN_AUTH)
276     {
277         if (sessionOut == nullptr && authMethodsConfig.xtoken)
278         {
279             sessionOut = performXtokenAuth(reqHeader);
280         }
281     }
282     if constexpr (BMCWEB_COOKIE_AUTH)
283     {
284         if (sessionOut == nullptr && authMethodsConfig.cookie)
285         {
286             sessionOut = performCookieAuth(method, reqHeader);
287         }
288     }
289     std::string_view authHeader = reqHeader["Authorization"];
290     BMCWEB_LOG_DEBUG("authHeader={}", authHeader);
291     if constexpr (BMCWEB_SESSION_AUTH)
292     {
293         if (sessionOut == nullptr && authMethodsConfig.sessionToken)
294         {
295             sessionOut = performTokenAuth(authHeader);
296         }
297     }
298     if constexpr (BMCWEB_BASIC_AUTH)
299     {
300         if (sessionOut == nullptr && authMethodsConfig.basic)
301         {
302             sessionOut = performBasicAuth(ipAddress, authHeader);
303         }
304     }
305     if (sessionOut != nullptr)
306     {
307         return sessionOut;
308     }
309 
310     return nullptr;
311 }
312 
313 } // namespace authentication
314 } // namespace crow
315