Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Refactor HTTP Server Authentication code #169

Open
wants to merge 2 commits into
base: v1.x/staging
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 20 additions & 7 deletions c/httpserver.c
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,7 @@ typedef struct AuthResponse_tag {
union {
SAFAuthStatus safStatus;
} responseDetails;
bool authDataFound;
} AuthResponse;

/* FIX THIS: a temporary "low profile" way of hiding printfs. Improves
Expand Down Expand Up @@ -2485,6 +2486,7 @@ static int safAuthenticate(HttpService *service, HttpRequest *request, AuthRespo

authResponse->type = AUTH_TYPE_RACF;
authResponse->responseDetails.safStatus = status.safStatus;
authResponse->authDataFound = authDataFound;

if (pwdCheckRC != 0) {
#ifdef DEBUG_AUTH
Expand Down Expand Up @@ -2868,7 +2870,7 @@ static int serviceAuthNativeWithSessionToken(HttpService *service, HttpRequest *
response->sessionCookie = NULL;

AUTH_TRACE("AUTH: tokenCookieText: %s\n",(tokenCookieText ? tokenCookieText : "<noAuthToken>"));

authResponse->authDataFound = authDataFound || (tokenCookieText != NULL);
if (tokenCookieText){
zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG3,
"serviceAuthNativeWithSessionToken: tokenCookieText: %s\n",
Expand Down Expand Up @@ -2933,7 +2935,8 @@ static int serviceAuthNativeWithSessionToken(HttpService *service, HttpRequest *

static int serviceAuthWithJwt(HttpService *service,
HttpRequest *request,
HttpResponse *response) {
HttpResponse *response,
AuthResponse *authResponse) {
HttpHeader *const authorizationHeader = getHeader(request, "Authorization");
char *jwtTokenText = getCookieValue(request,JWT_COOKIE_NAME);

Expand Down Expand Up @@ -2971,6 +2974,7 @@ static int serviceAuthWithJwt(HttpService *service,
if (request->authToken == NULL) {
return FALSE;
}
authResponse->authDataFound = true;

JwtContext *const jwtContext = service->server->config->jwtContext;
if (jwtContext == NULL) {
Expand Down Expand Up @@ -3232,12 +3236,12 @@ static int handleHttpService(HttpServer *server,

int clearSessionToken = FALSE;

AuthResponse authResponse;
AuthResponse authResponse = {0};

switch (service->authType){

case SERVICE_AUTH_NONE:
request->authenticated = TRUE;
request->authenticated = FALSE;
break;
case SERVICE_AUTH_SAF:
/* SAF Authentication just checks that user is known at ALL to SAF.
Expand All @@ -3259,7 +3263,7 @@ static int handleHttpService(HttpServer *server,
switch (server->config->authTokenType) {
case SERVICE_AUTH_TOKEN_TYPE_JWT:
case SERVICE_AUTH_TOKEN_TYPE_JWT_WITH_LEGACY_FALLBACK:
request->authenticated = serviceAuthWithJwt(service, request, response);
request->authenticated = serviceAuthWithJwt(service, request, response, &authResponse);

if (request->authenticated ||
service->server->config->authTokenType
Expand All @@ -3275,9 +3279,18 @@ static int handleHttpService(HttpServer *server,
#ifdef DEBUG
printf("service=%s authenticated=%d\n",service->name,request->authenticated);
#endif
bool isAuthOptional = service->authFlags & SERVICE_AUTH_FLAG_OPTIONAL;
bool allowUnauthenticated = (service->authType == SERVICE_AUTH_NONE) ||
(isAuthOptional && !authResponse.authDataFound);
AUTH_TRACE("authType %d, authenticated %s, authFlagOptional %s, authDataFound %s, allowUnauthenticated %s\n",
service->authType,
request->authenticated ? "true" : "false",
isAuthOptional ? "true" : "false",
authResponse.authDataFound ? "true" : "false",
allowUnauthenticated ? "true" : "false"
);
if (request->authenticated == FALSE){
if (service->authFlags & SERVICE_AUTH_FLAG_OPTIONAL) {
// Allow the service to decide when to respond with HTTP 401
if (allowUnauthenticated) {
serveRequest(service, response, request);
} else {
respondWithAuthError(response, &authResponse);
Expand Down