Refactor HTTP Server Authentication code

Signed-off-by: Leonty Chudinov <[email protected]>
zowe · Sep 8, 2020 · d036319 · d036319
1 parent ef72720
commit d036319
Showing 1 changed file with 13 additions and 6 deletions.
diff --git a/c/httpserver.c b/c/httpserver.c
@@ -92,6 +92,7 @@ typedef struct AuthResponse_tag {
   union {
     SAFAuthStatus safStatus;
   } responseDetails;
+  bool authDataFound;
 } AuthResponse;
 
 /* FIX THIS: a temporary "low profile" way of hiding printfs. Improves
@@ -2485,6 +2486,7 @@ static int safAuthenticate(HttpService *service, HttpRequest *request, AuthRespo
 
     authResponse->type = AUTH_TYPE_RACF;
     authResponse->responseDetails.safStatus = status.safStatus;
+    authResponse->authDataFound = (bool)authDataFound;
 
     if (pwdCheckRC != 0) {
 #ifdef DEBUG_AUTH
@@ -2868,7 +2870,7 @@ static int serviceAuthNativeWithSessionToken(HttpService *service, HttpRequest *
   response->sessionCookie = NULL;
 
   AUTH_TRACE("AUTH: tokenCookieText: %s\n",(tokenCookieText ? tokenCookieText : "<noAuthToken>"));
-
+  authResponse->authDataFound = authDataFound || (tokenCookieText != NULL);
   if (tokenCookieText){
     zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG3,
            "serviceAuthNativeWithSessionToken: tokenCookieText: %s\n",
@@ -2933,7 +2935,8 @@ static int serviceAuthNativeWithSessionToken(HttpService *service, HttpRequest *
 
 static int serviceAuthWithJwt(HttpService *service,
                               HttpRequest *request,
-                              HttpResponse *response) {
+                              HttpResponse *response,
+                              AuthResponse *authResponse) {
   HttpHeader *const authorizationHeader = getHeader(request, "Authorization");
   char *jwtTokenText = getCookieValue(request,JWT_COOKIE_NAME);
 
@@ -2971,6 +2974,7 @@ static int serviceAuthWithJwt(HttpService *service,
   if (request->authToken == NULL) {
     return FALSE;
   }
+  authResponse->authDataFound = TRUE;
 
   JwtContext *const jwtContext = service->server->config->jwtContext;
   if (jwtContext == NULL) {
@@ -3232,7 +3236,7 @@ static int handleHttpService(HttpServer *server,
 
   int clearSessionToken = FALSE;
 
-  AuthResponse authResponse;
+  AuthResponse authResponse = {0};
 
   switch (service->authType){
 
@@ -3259,7 +3263,7 @@ static int handleHttpService(HttpServer *server,
     switch (server->config->authTokenType) {
     case SERVICE_AUTH_TOKEN_TYPE_JWT:
     case SERVICE_AUTH_TOKEN_TYPE_JWT_WITH_LEGACY_FALLBACK:
-      request->authenticated = serviceAuthWithJwt(service, request, response);
+      request->authenticated = serviceAuthWithJwt(service, request, response, &authResponse);
 
       if (request->authenticated  ||
           service->server->config->authTokenType
@@ -3275,9 +3279,12 @@ static int handleHttpService(HttpServer *server,
 #ifdef DEBUG
   printf("service=%s authenticated=%d\n",service->name,request->authenticated);
 #endif
+  AUTH_TRACE("request->authenticated %s, authResponse.authDataFound %s\n",
+              request->authenticated ? "true" : "false",
+              authResponse.authDataFound ? "true" : "false");
   if (request->authenticated == FALSE){
-    if (service->authFlags & SERVICE_AUTH_FLAG_OPTIONAL) {
-      // Allow the service to decide when to respond with HTTP 401
+    if (service->authFlags & SERVICE_AUTH_FLAG_OPTIONAL && !authResponse.authDataFound) {
+      AUTH_TRACE("Allow the service to handle the request because auth is optional and authData not found\n");
       serveRequest(service, response, request);
     } else {
       respondWithAuthError(response, &authResponse);