[Libreoffice-commits] online.git: Branch 'distro/collabora/collabora-online-3' - 2 commits - loolwsd.xml.in wsd/Admin.cpp wsd/Auth.cpp wsd/Auth.hpp wsd/FileServer.cpp wsd/LOOLWSD.cpp
Libreoffice Gerrit user
logerrit at kemper.freedesktop.org
Fri Oct 5 14:37:31 UTC 2018
loolwsd.xml.in | 1 +
wsd/Admin.cpp | 4 +---
wsd/Auth.cpp | 2 ++
wsd/Auth.hpp | 5 ++---
wsd/FileServer.cpp | 5 ++---
wsd/LOOLWSD.cpp | 16 +++++++++++++++-
6 files changed, 23 insertions(+), 10 deletions(-)
New commits:
commit 1d087b3545be712073ab52ed11352a6b686f7a63
Author: Andras Timar <andras.timar at collabora.com>
AuthorDate: Mon Oct 1 20:17:35 2018 +0200
Commit: Aron Budea <aron.budea at collabora.com>
CommitDate: Fri Oct 5 16:37:16 2018 +0200
tdf#115163 allow bind to loopback interface
Change-Id: I4808fb0fd685dfe990efd5fb739ee86f1276ffad
Reviewed-on: https://gerrit.libreoffice.org/61412
Reviewed-by: Aron Budea <aron.budea at collabora.com>
Tested-by: Aron Budea <aron.budea at collabora.com>
diff --git a/loolwsd.xml.in b/loolwsd.xml.in
index 587452ba4..26e5db7a8 100644
--- a/loolwsd.xml.in
+++ b/loolwsd.xml.in
@@ -68,6 +68,7 @@
<net desc="Network settings">
<proto type="string" default="all" desc="Protocol to use IPv4, IPv6 or all for both">all</proto>
+ <listen type="string" default="any" desc="Listen address that loolwsd binds to. Can be 'any' or 'loopback'.">any</listen>
<service_root type="path" default="" desc="Prefix all the pages, websockets, etc. with this path."></service_root>
<post_allow desc="Allow/deny client IP address for POST(REST)." allow="true">
<host desc="The IPv4 private 192.168 block as plain IPv4 dotted decimal addresses.">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp
index eca0644f6..b55ec5617 100644
--- a/wsd/LOOLWSD.cpp
+++ b/wsd/LOOLWSD.cpp
@@ -168,6 +168,9 @@ int ClientPortNumber = DEFAULT_CLIENT_PORT_NUMBER;
/// Protocols to listen on
Socket::Type ClientPortProto = Socket::Type::All;
+/// INET address to listen on
+ServerSocket::Type ClientListenAddr = ServerSocket::Type::Public;
+
/// Port for prisoners to connect to
int MasterPortNumber = DEFAULT_MASTER_PORT_NUMBER;
@@ -698,6 +701,7 @@ void LOOLWSD::initialize(Application& self)
{ "loleaflet_html", "loleaflet.html" },
{ "loleaflet_logging", "false" },
{ "net.proto", "all" },
+ { "net.listen", "any" },
{ "net.service_root", "" },
{ "num_prespawn_children", "1" },
{ "per_document.autosave_duration_secs", "300" },
@@ -874,6 +878,16 @@ void LOOLWSD::initialize(Application& self)
LOG_WRN("Invalid protocol: " << proto);
}
+ {
+ std::string listen = getConfigValue<std::string>(conf, "net.listen", "");
+ if (!Poco::icompare(listen, "any"))
+ ClientListenAddr = ServerSocket::Type::Public;
+ else if (!Poco::icompare(listen, "loopback"))
+ ClientListenAddr = ServerSocket::Type::Local;
+ else
+ LOG_WRN("Invalid listen address: " << listen << ". Falling back to default: 'any'" );
+ }
+
// Prefix for the loolwsd pages; should not end with a '/'
ServiceRoot = getPathFromConfig("net.service_root");
while (ServiceRoot.length() > 0 && ServiceRoot[ServiceRoot.length() - 1] == '/')
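Review bot: An unrecognized `net.listen` value falls into the final `else`, which only logs a warning and leaves `ClientListenAddr` at `ServerSocket::Type::Public`. A typo such as `localhost` in a deployment meant to be loopback-only therefore ends up listening on every interface. Since the setting exists to reduce exposure, the invalid case should fail closed: either refuse to start, or set `ClientListenAddr = ServerSocket::Type::Local;` and adjust the message to match. The `""` fallback passed to `getConfigValue` would take the same branch if the lookup ever returned it. `LOOLWSD::initialize` starts and continues outside this hunk.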
@@ -2734,7 +2748,7 @@ private:
factory = std::make_shared<PlainSocketFactory>();
std::shared_ptr<ServerSocket> socket = getServerSocket(
- ServerSocket::Type::Public, port, WebServerPoll, factory);
+ ClientListenAddr, port, WebServerPoll, factory);
while (!socket)
{
++port;
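Review bot: The retry loop that begins at `while (!socket)` runs past the end of this hunk and no later hunk touches it, so any `getServerSocket(...)` call inside it presumably still passes `ServerSocket::Type::Public`. If that is the case, a busy first port would make the server bind the next port on all interfaces even with `net.listen` set to `loopback`. The retry should use the configured value as well: `socket = getServerSocket(ClientListenAddr, port, WebServerPoll, factory);`.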
commit 86f50208829772934ce310be103ec9a36c862d7f
Author: Andras Timar <andras.timar at collabora.com>
AuthorDate: Fri Sep 28 11:54:20 2018 +0200
Commit: Aron Budea <aron.budea at collabora.com>
CommitDate: Fri Oct 5 16:37:11 2018 +0200
don't use ssl key file for admin console auth, use a generated key instead
Change-Id: I424afe0184a64b7f069d896bde6941e42b7b5531
rationale: setup is easier when the user does not use SSL in the loolwsd config
Reviewed-on: https://gerrit.libreoffice.org/61411
Reviewed-by: Aron Budea <aron.budea at collabora.com>
Tested-by: Aron Budea <aron.budea at collabora.com>
diff --git a/wsd/Admin.cpp b/wsd/Admin.cpp
index 9c24d2007..f93cf75b7 100644
--- a/wsd/Admin.cpp
+++ b/wsd/Admin.cpp
@@ -76,11 +76,9 @@ void AdminSocketHandler::handleMessage(bool /* fin */, WSOpCode /* code */,
}
std::string jwtToken;
LOOLProtocol::getTokenString(tokens[1], "jwt", jwtToken);
- const auto& config = Application::instance().config();
- const auto sslKeyPath = config.getString("ssl.key_file_path", "");
LOG_INF("Verifying JWT token: " << jwtToken);
- JWTAuth authAgent(sslKeyPath, "admin", "admin", "admin");
+ JWTAuth authAgent("admin", "admin", "admin");
if (authAgent.verify(jwtToken))
{
LOG_TRC("JWT token is valid");
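Review bot: `LOG_INF("Verifying JWT token: " << jwtToken);` writes the complete admin token to the log at info level, so the log file becomes a store of live admin credentials. The same line appears in `FileServerRequestHandler::isAdminLoggedIn` in wsd/FileServer.cpp. As this commit already reworks how these tokens are signed, the value should be dropped from both messages: `LOG_INF("Verifying JWT token");`. `handleMessage` starts and ends outside this hunk.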
diff --git a/wsd/Auth.cpp b/wsd/Auth.cpp
index 088719d78..b1f76ae60 100644
--- a/wsd/Auth.cpp
+++ b/wsd/Auth.cpp
@@ -37,6 +37,8 @@ using Poco::Base64Decoder;
using Poco::Base64Encoder;
using Poco::OutputLineEndingConverter;
+const Poco::Crypto::RSAKey JWTAuth::_key(Poco::Crypto::RSAKey(Poco::Crypto::RSAKey::KL_2048, Poco::Crypto::RSAKey::EXP_LARGE));
+
void Authorization::authorizeURI(Poco::URI& uri) const
{
if (_type == Authorization::Type::Token)
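Review bot: `JWTAuth::_key` is now built in a namespace-scope static initializer, so a 2048-bit RSA key is generated before `main()`, ahead of logging and configuration setup. An exception thrown there would end the process with no diagnostics, and the generation appears to run in every process that links this translation unit, whether or not the admin console is enabled. A function-local static would defer the work to first use and avoid static-initialization-order questions, e.g. an accessor whose body is `static const Poco::Crypto::RSAKey key(Poco::Crypto::RSAKey::KL_2048, Poco::Crypto::RSAKey::EXP_LARGE); return key;`. The outer `Poco::Crypto::RSAKey(...)` temporary in the current initializer is also redundant.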
diff --git a/wsd/Auth.hpp b/wsd/Auth.hpp
index 96bcb86b6..fa9029bba 100644
--- a/wsd/Auth.hpp
+++ b/wsd/Auth.hpp
@@ -69,11 +69,10 @@ public:
class JWTAuth : public AuthBase
{
public:
- JWTAuth(const std::string& keyPath, const std::string& name, const std::string& sub, const std::string& aud)
+ JWTAuth(const std::string& name, const std::string& sub, const std::string& aud)
: _name(name),
_sub(sub),
_aud(aud),
- _key(Poco::Crypto::RSAKey("", keyPath)),
_digestEngine(_key, "SHA256")
{
}
@@ -96,7 +95,7 @@ private:
const std::string _sub;
const std::string _aud;
- const Poco::Crypto::RSAKey _key;
+ static const Poco::Crypto::RSAKey _key;
Poco::Crypto::RSADigestEngine _digestEngine;
};
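Review bot: The `_key` member needs a comment now that its meaning has changed from the configured SSL key to a key shared by all `JWTAuth` instances in the process. Judging by the definition added in wsd/Auth.cpp, the key is generated fresh at startup, so admin tokens would stop verifying after a restart and would not verify on a different loolwsd instance. Suggested: `/// Ephemeral per-process signing key; tokens issued before a restart or by another instance will not verify.`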
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index 35b43c27e..714dac28b 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -196,7 +196,6 @@ bool FileServerRequestHandler::isAdminLoggedIn(const HTTPRequest& request,
assert(LOOLWSD::AdminEnabled);
const auto& config = Application::instance().config();
- const auto sslKeyPath = config.getString("ssl.key_file_path", "");
NameValueCollection cookies;
request.getCookies(cookies);
@@ -204,7 +203,7 @@ bool FileServerRequestHandler::isAdminLoggedIn(const HTTPRequest& request,
{
const std::string jwtToken = cookies.get("jwt");
LOG_INF("Verifying JWT token: " << jwtToken);
- JWTAuth authAgent(sslKeyPath, "admin", "admin", "admin");
+ JWTAuth authAgent("admin", "admin", "admin");
if (authAgent.verify(jwtToken))
{
LOG_TRC("JWT token is valid");
@@ -247,7 +246,7 @@ bool FileServerRequestHandler::isAdminLoggedIn(const HTTPRequest& request,
}
// authentication passed, generate and set the cookie
- JWTAuth authAgent(sslKeyPath, "admin", "admin", "admin");
+ JWTAuth authAgent("admin", "admin", "admin");
const std::string jwtToken = authAgent.getAccessToken();
Poco::Net::HTTPCookie cookie("jwt", jwtToken);