
Merge pull request #13807 from wangkx/h24136

HPCC-24136 Skip user authentication for unrestricted ESP sub-services

Reviewed-By: Anthony Fishbeck <anthony.fishbeck@lexisnexis.com>
Reviewed-By: Richard Chapman <rchapman@hpccsystems.com>
Richard Chapman 5 năm trước cách đây
1b567b89b7

+ 19 - 0
esp/bindings/http/platform/httpbinding.cpp

@@ -264,6 +264,8 @@ EspHttpBinding::EspHttpBinding(IPropertyTree* tree, const char *bindname, const
     if(m_challenge_realm.length() == 0)
         m_challenge_realm.append("ESP");
 
+    setUnrestrictedSSTypes();
+
     //Even for non-session based environment, the sessionIDCookieName may be used to
     //remove session related cookies cached in some browser page.
     sessionIDCookieName.setf("%s%d", SESSION_ID_COOKIE, m_port);
@@ -419,6 +421,23 @@ void EspHttpBinding::readUnrestrictedResources(const char* resources)
     }
 }
 
+//Set the subservice types (wsdl, xsd, etc) which do not need user authentication.
+void EspHttpBinding::setUnrestrictedSSTypes()
+{
+    unrestrictedSSTypes.insert(sub_serv_wsdl);
+    unrestrictedSSTypes.insert(sub_serv_xsd);
+    unrestrictedSSTypes.insert(sub_serv_reqsamplexml);
+    unrestrictedSSTypes.insert(sub_serv_respsamplexml);
+    unrestrictedSSTypes.insert(sub_serv_reqsamplejson);
+    unrestrictedSSTypes.insert(sub_serv_respsamplejson);
+}
+
+bool EspHttpBinding::isUnrestrictedSSType(sub_service ss) const
+{
+    auto search = unrestrictedSSTypes.find(ss);
+    return (search != unrestrictedSSTypes.end()); 
+}
+
 //Check whether the url is valid or not for redirect after authentication.
 bool EspHttpBinding::canRedirectAfterAuth(const char* url) const
 {
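Review bot: The header comment above `setUnrestrictedSSTypes` in the second hunk should record the security reasoning, because every type inserted there becomes reachable by clients that never authenticate; something like `//Sub-service types served without user authentication. These are expected to return only` / `//service metadata (WSDL, XSD, sample request/response bodies), never user data; adding a` / `//type here exposes it to anonymous clients.` makes the intent reviewable later. The lookup in `isUnrestrictedSSType` can be the shorter `return unrestrictedSSTypes.count(ss) != 0;`, which also removes the trailing whitespace on the current return line. The constructor body in the first hunk and the `canRedirectAfterAuth` definition at the end of this hunk both extend outside the visible lines.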

+ 4 - 0
esp/bindings/http/platform/httpbinding.hpp

@@ -18,6 +18,7 @@
 #ifndef _HTTPBINDING_HPP__
 #define _HTTPBINDING_HPP__
 
+#include <set>
 #include "http/platform/httptransport.ipp"
 #include "espcache.hpp"
 
@@ -172,6 +173,7 @@ private:
     BoolHash                invalidURLsAfterAuth; //Those URLs should not be used for redirect after authenticated, such as /SMC/, /esp/login
     BoolHash                domainAuthResources;
     StringArray             domainAuthResourcesWildMatch;
+    std::set<sub_service>   unrestrictedSSTypes;
 
     void getXMLMessageTag(IEspContext& ctx, bool isRequest, const char *method, StringBuffer& tag);
 
@@ -387,6 +389,8 @@ public:
     }
     void readAuthDomainCfg(IPropertyTree* procCfg);
     void readUnrestrictedResources(const char* resources);
+    void setUnrestrictedSSTypes();
+    bool isUnrestrictedSSType(sub_service ss) const;
     void setABoolHash(const char* csv, BoolHash& hash) const;
     bool isCORSRequest(const char* originHeader);
     bool canRedirectAfterAuth(const char* url) const;
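Review bot: `setUnrestrictedSSTypes()` is declared in the `public:` section of the third hunk although, as far as this commit shows, it is only called from the `EspHttpBinding` constructor; declaring it under `private:` next to `unrestrictedSSTypes` would keep other code from widening the authentication bypass at runtime. The member could also carry a short comment where it is declared, matching the neighbouring fields: `std::set<sub_service>   unrestrictedSSTypes; //Sub-service types served without user authentication`. The class definition extends beyond the visible lines in both directions.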

+ 3 - 0
esp/bindings/http/platform/httpservice.cpp

@@ -1423,6 +1423,9 @@ EspAuthState CEspHttpServer::checkUserAuthPerSession(EspAuthRequest& authReq, St
     if (authReq.authBinding->isDomainAuthResources(authReq.httpPath.str()))
         return authSucceeded;//Give the permission to send out some pages used for login or logout.
 
+    if (authReq.authBinding->isUnrestrictedSSType(authReq.stype))
+        return authSucceeded;//Give the permission to send out some pages which do not need user authentication.
+
     if (!authorizationHeader.isEmpty() && !isServiceMethodReq(authReq, "esp", "login")
         && !isServiceMethodReq(authReq, "esp", "unlock"))
         return authUnknown;