[Libreoffice-commits] online.git: configure.ac kit/Kit.cpp loolwsd.xml.in wsd/ClientSession.cpp wsd/DocumentBroker.cpp wsd/LOOLWSD.cpp wsd/LOOLWSD.hpp wsd/Storage.cpp
Ashod Nakashian (via logerrit)
logerrit at kemper.freedesktop.org
Sat Aug 17 01:42:38 UTC 2019
configure.ac | 35 +++++++++---------------------
kit/Kit.cpp | 18 ++++++---------
loolwsd.xml.in | 3 --
wsd/ClientSession.cpp | 2 -
wsd/DocumentBroker.cpp | 2 -
wsd/LOOLWSD.cpp | 57 +++++++++++++++++++++++++++++--------------------
wsd/LOOLWSD.hpp | 7 ++----
wsd/Storage.cpp | 20 ++++++-----------
8 files changed, 66 insertions(+), 78 deletions(-)
New commits:
commit 226c2fe71c53f4c8e460bf13a30870aaa0ea7581
Author: Ashod Nakashian <ashod.nakashian at collabora.co.uk>
AuthorDate: Sun Apr 14 12:24:45 2019 -0400
Commit: Ashod Nakashian <ashnakash at gmail.com>
CommitDate: Sat Aug 17 03:42:19 2019 +0200
wsd: unify anonymization flags under one
This simplifies the anonymization configuration,
as the individual flags are virtually always either
all enabled together or not enabled at all.
Change-Id: I6fe60f5287fc5d71cd7a6ac3268eac67e5e6e9fb
Reviewed-on: https://gerrit.libreoffice.org/70033
Reviewed-by: Ashod Nakashian <ashnakash at gmail.com>
Tested-by: Ashod Nakashian <ashnakash at gmail.com>
Reviewed-on: https://gerrit.libreoffice.org/71090
diff --git a/configure.ac b/configure.ac
index 681d5bdde..711de7d01 100644
--- a/configure.ac
+++ b/configure.ac
@@ -59,13 +59,9 @@ AC_ARG_ENABLE([browsersync],
AS_HELP_STRING([--enable-browsersync],
[Don't copy files to the target directory but create the symlink to allow browsersync usage]))
-AC_ARG_ENABLE([anonymize-usernames],
- AS_HELP_STRING([--enable-anonymize-usernames],
- [Enable anonymization/obfuscation of usernames in logs]))
-
-AC_ARG_ENABLE([anonymize-filenames],
- AS_HELP_STRING([--enable-anonymize-filenames],
- [Enable anonymization/obfuscation of filenames in logs]))
+AC_ARG_ENABLE([anonymization],
+ AS_HELP_STRING([--enable-anonymization],
+ [Enable anonymization/obfuscation of user-data in logs]))
AC_ARG_ENABLE([iosapp],
AS_HELP_STRING([--enable-iosapp],
@@ -213,8 +209,7 @@ ENABLE_DEBUG=
LOOLWSD_LOGLEVEL="warning"
LOOLWSD_LOG_TO_FILE="false"
LOOLWSD_LOGFILE="/var/log/loolwsd.log"
-LOOLWSD_ANONYMIZE_FILENAMES=false
-LOOLWSD_ANONYMIZE_USERNAMES=false
+LOOLWSD_ANONYMIZE_USER_DATA=false
LOLEAFLET_LOGGING="false"
debug_msg="secure mode: product build"
anonym_msg=""
@@ -224,8 +219,7 @@ if test "$enable_debug" = "yes"; then
LOOLWSD_LOGLEVEL="trace"
LOOLWSD_LOG_TO_FILE="true"
LOOLWSD_LOGFILE="/tmp/loolwsd.log"
- LOOLWSD_ANONYMIZE_FILENAMES=false
- LOOLWSD_ANONYMIZE_USERNAMES=false
+ LOOLWSD_ANONYMIZE_USER_DATA=false
LOLEAFLET_LOGGING="true"
debug_msg="low security debugging mode"
else
@@ -252,22 +246,15 @@ if test -n "$with_logfile" ; then
fi
AC_SUBST(LOOLWSD_LOGFILE)
-if test "$enable_anonymize_filenames" = "yes" ; then
- LOOLWSD_ANONYMIZE_FILENAMES=true
- anonym_msg="filenames anonymized; "
-fi
-AC_DEFINE_UNQUOTED([LOOLWSD_ANONYMIZE_FILENAMES],[$LOOLWSD_ANONYMIZE_FILENAMES],[Enable permanent filenames anonymization in logs])
-AC_SUBST(LOOLWSD_ANONYMIZE_FILENAMES)
-
-if test "$enable_anonymize_usernames" = "yes" ; then
- LOOLWSD_ANONYMIZE_USERNAMES=true
- anonym_msg="${anonym_msg}usernames anonymized; "
+if test "$enable_anonymization" = "yes" ; then
+ LOOLWSD_ANONYMIZE_USER_DATA=true
+ anonym_msg="anonymization of user-data is enabled"
fi
-AC_DEFINE_UNQUOTED([LOOLWSD_ANONYMIZE_USERNAMES],[$LOOLWSD_ANONYMIZE_USERNAMES],[Enable permanent usernames anonymization in logs])
-AC_SUBST(LOOLWSD_ANONYMIZE_USERNAMES)
+AC_DEFINE_UNQUOTED([LOOLWSD_ANONYMIZE_USER_DATA],[$LOOLWSD_ANONYMIZE_USER_DATA],[Enable permanent anonymization in logs])
+AC_SUBST(LOOLWSD_ANONYMIZE_USER_DATA)
if test -z "$anonym_msg"; then
- anonym_msg="no anonymization of usernames or filenames"
+ anonym_msg="anonymization of user-data is disabled"
fi
# macOS: When configuring for building the app itself, on macOS, we need these.
diff --git a/kit/Kit.cpp b/kit/Kit.cpp
index c76e4cf50..425c0b5fb 100644
--- a/kit/Kit.cpp
+++ b/kit/Kit.cpp
@@ -112,8 +112,7 @@ using std::size_t;
class Document;
static std::shared_ptr<Document> document;
#ifndef BUILDING_TESTS
-static bool AnonymizeFilenames = false;
-static bool AnonymizeUsernames = false;
+static bool AnonymizeUserData = false;
static std::string ObfuscatedFileId;
#endif
@@ -2236,7 +2235,7 @@ protected:
logger << _socketName << ": recv [";
for (const std::string& token : tokens)
{
- // Don't log PII, there are anonymized versions that get logged instead.
+ // Don't log user-data, there are anonymized versions that get logged instead.
if (Util::startsWith(token, "jail") ||
Util::startsWith(token, "author") ||
Util::startsWith(token, "name") ||
@@ -2468,10 +2467,8 @@ void lokit_main(
LOG_INF("Setting log-level to [trace] and delaying setting to configured [" << LogLevel << "] until after Kit initialization.");
}
- AnonymizeFilenames = std::getenv("LOOL_ANONYMIZE_FILENAMES") != nullptr;
- LOG_INF("Filename anonymization is " << (AnonymizeFilenames ? "enabled." : "disabled."));
- AnonymizeUsernames = std::getenv("LOOL_ANONYMIZE_USERNAMES") != nullptr;
- LOG_INF("Username anonymization is " << (AnonymizeUsernames ? "enabled." : "disabled."));
+ AnonymizeUserData = std::getenv("LOOL_ANONYMIZE_USER_DATA") != nullptr;
+ LOG_INF("User-data anonymization is " << (AnonymizeUserData ? "enabled." : "disabled."));
assert(!childRoot.empty());
assert(!sysTemplate.empty());
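Review bot: The kit turns anonymization on from the mere presence of `LOOL_ANONYMIZE_USER_DATA`, so a value such as `0` or an empty string still enables it, and that contract is not stated next to the `getenv` call. The setenv hunk in wsd/LOOLWSD.cpp only ever sets the variable to `1` and never unsets it, so a variable inherited from the service environment also enables it in the kit even when wsd has decided otherwise; that fails toward anonymizing, but the two processes can then disagree. Suggested comment above the assignment: `// Presence, not value, of LOOL_ANONYMIZE_USER_DATA enables anonymization; wsd sets it only when enabled.` lokit_main starts and ends outside the hunk.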
@@ -2490,8 +2487,7 @@ void lokit_main(
Path jailPath;
bool bRunInsideJail = !noCapabilities;
#else
- AnonymizeFilenames = false;
- AnonymizeUsernames = false;
+ AnonymizeUserData = false;
#endif // MOBILEAPP
try
@@ -2783,7 +2779,7 @@ void lokit_main(
std::string anonymizeUrl(const std::string& url)
{
#ifndef BUILDING_TESTS
- return AnonymizeFilenames ? Util::anonymizeUrl(url) : url;
+ return AnonymizeUserData ? Util::anonymizeUrl(url) : url;
#else
return url;
#endif
@@ -2877,7 +2873,7 @@ bool globalPreinit(const std::string &loTemplate)
std::string anonymizeUsername(const std::string& username)
{
#ifndef BUILDING_TESTS
- return AnonymizeUsernames ? Util::anonymize(username) : username;
+ return AnonymizeUserData ? Util::anonymize(username) : username;
#else
return username;
#endif
diff --git a/loolwsd.xml.in b/loolwsd.xml.in
index 31a57ebe6..d9b6cf922 100644
--- a/loolwsd.xml.in
+++ b/loolwsd.xml.in
@@ -53,8 +53,7 @@
<property name="flush" desc="Enable/disable flushing after logging each line. May harm performance. Note that without flushing after each line, the log lines from the different processes will not appear in chronological order.">false</property>
</file>
<anonymize>
- <filenames type="bool" desc="Enable to anonymize/obfuscate filenames in logs. If default is true, it was forced at compile-time and cannot be disabled." default="@LOOLWSD_ANONYMIZE_FILENAMES@">@LOOLWSD_ANONYMIZE_FILENAMES@</filenames>
- <usernames type="bool" desc="Enable to anonymize/obfuscate usernames in logs. If default is true, it was forced at compile-time and cannot be disabled." default="@LOOLWSD_ANONYMIZE_USERNAMES@">@LOOLWSD_ANONYMIZE_USERNAMES@</usernames>
+ <anonymize_user_data type="bool" desc="Enable to anonymize/obfuscate of user data in logs. If default is true, it was forced at compile-time and cannot be disabled." default="@LOOLWSD_ANONYMIZE_USER_DATA@">@LOOLWSD_ANONYMIZE_USER_DATA@</anonymize_user_data>
</anonymize>
</logging>
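Review bot: The new `desc` text reads "Enable to anonymize/obfuscate of user data in logs", which has a stray "of". This string is what an administrator reads when editing the file, so suggest `desc="Enable to anonymize/obfuscate user data in logs. If default is true, it was forced at compile-time and cannot be disabled."`. The rest of the commit writes the term as "user-data", so pick one spelling for both places.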
diff --git a/wsd/ClientSession.cpp b/wsd/ClientSession.cpp
index 6205909ad..bc48cde32 100644
--- a/wsd/ClientSession.cpp
+++ b/wsd/ClientSession.cpp
@@ -695,7 +695,7 @@ bool ClientSession::loadDocument(const char* /*buffer*/, int /*length*/,
{
std::string encodedUserExtraInfo;
Poco::URI::encode(getUserExtraInfo(), "", encodedUserExtraInfo);
- oss << " authorextrainfo=" << encodedUserExtraInfo; //TODO: could this include PII?
+ oss << " authorextrainfo=" << encodedUserExtraInfo; //TODO: could this include user-data?
}
oss << " readonly=" << isReadOnly();
diff --git a/wsd/DocumentBroker.cpp b/wsd/DocumentBroker.cpp
index 06a423219..5105e426d 100644
--- a/wsd/DocumentBroker.cpp
+++ b/wsd/DocumentBroker.cpp
@@ -887,7 +887,7 @@ bool DocumentBroker::saveToStorageInternal(const std::string& sessionId,
// Map the FileId from the docKey to the new filename to anonymize the new filename as the FileId.
const std::string newFilename = Util::getFilenameFromURL(uri);
const std::string fileId = Util::getFilenameFromURL(_docKey);
- if (LOOLWSD::AnonymizeFilenames)
+ if (LOOLWSD::AnonymizeUserData)
LOG_DBG("New filename [" << LOOLWSD::anonymizeUrl(newFilename) << "] will be known by its fileId [" << fileId << "]");
Util::mapAnonymized(newFilename, fileId);
diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp
index 207fa66fa..f1878f9a8 100644
--- a/wsd/LOOLWSD.cpp
+++ b/wsd/LOOLWSD.cpp
@@ -708,8 +708,7 @@ std::string LOOLWSD::HostIdentifier;
std::string LOOLWSD::ConfigFile = LOOLWSD_CONFIGDIR "/loolwsd.xml";
std::string LOOLWSD::ConfigDir = LOOLWSD_CONFIGDIR "/conf.d";
std::string LOOLWSD::LogLevel = "trace";
-bool LOOLWSD::AnonymizeFilenames = false;
-bool LOOLWSD::AnonymizeUsernames = false;
+bool LOOLWSD::AnonymizeUserData = false;
Util::RuntimeConstant<bool> LOOLWSD::SSLEnabled;
Util::RuntimeConstant<bool> LOOLWSD::SSLTermination;
unsigned LOOLWSD::MaxConnections;
@@ -790,8 +789,9 @@ void LOOLWSD::initialize(Application& self)
{ "file_server_root_path", "loleaflet/.." },
{ "lo_jail_subpath", "lo" },
{ "lo_template_path", LO_PATH },
- { "logging.anonymize.filenames", "false" },
- { "logging.anonymize.usernames", "false" },
+ { "logging.anonymize.filenames", "false" }, // Deprecated.
+ { "logging.anonymize.usernames", "false" }, // Deprecated.
+ // { "logging.anonymize.anonymize_user_data", "false" }, // Do not set to fallback on filename/username.
{ "logging.color", "true" },
{ "logging.file.property[0]", "loolwsd.log" },
{ "logging.file.property[0][@name]", "path" },
@@ -938,28 +938,41 @@ void LOOLWSD::initialize(Application& self)
}
// Get anonymization settings.
-#if LOOLWSD_ANONYMIZE_USERNAMES
- AnonymizeUsernames = true;
+#if LOOLWSD_ANONYMIZE_USER_DATA
+ AnonymizeUserData = true;
+ LOG_INF("Anonymization of user-data is permanently enabled.");
#else
- AnonymizeUsernames = getConfigValue<bool>(conf, "logging.anonymize.usernames", false);
-#endif
+ LOG_INF("Anonymization of user-data is configurable.");
+ bool haveAnonymizeUserDataConfig = false;
+ if (getSafeConfig(conf, "logging.anonymize.anonymize_user_data", AnonymizeUserData))
+ haveAnonymizeUserDataConfig = true;
-#if LOOLWSD_ANONYMIZE_FILENAMES
- AnonymizeFilenames = true;
-#else
- AnonymizeFilenames = getConfigValue<bool>(conf, "logging.anonymize.filenames", false);
+ bool anonymizeFilenames = false;
+ bool anonymizeUsernames = false;
+ if (getSafeConfig(conf, "logging.anonymize.usernames", anonymizeFilenames) ||
+ getSafeConfig(conf, "logging.anonymize.filenames", anonymizeUsernames))
+ {
+ LOG_WRN("NOTE: both logging.anonymize.usernames and logging.anonymize.filenames are deprecated and superseded by "
+ "logging.anonymize.anonymize_user_data. Please remove username and filename entries from the config and use only anonymize_user_data.");
+
+ if (haveAnonymizeUserDataConfig)
+ LOG_WRN("Since logging.anonymize.anonymize_user_data is provided (" << AnonymizeUserData << ") in the config, it will be used.");
+ else
+ {
+ AnonymizeUserData = (anonymizeFilenames || anonymizeUsernames);
+ }
+ }
#endif
- if ((AnonymizeFilenames || AnonymizeUsernames) && LogLevel == "trace")
+ if (AnonymizeUserData && LogLevel == "trace")
{
- if (getConfigValue<bool>(conf, "logging.anonymize.allow_logging_pii", false))
+ if (getConfigValue<bool>(conf, "logging.anonymize.allow_logging_user_data", false))
{
- LOG_WRN("Enabling trace logging while anonymization is enabled due to logging.anonymize.allow_logging_pii setting. "
- "This will leak personally identifiable information!");
+ LOG_WRN("Enabling trace logging while anonymization is enabled due to logging.anonymize.allow_logging_user_data setting. "
+ "This will leak user-data!");
// Disable anonymization as it's useless now.
- AnonymizeFilenames = false;
- AnonymizeUsernames = false;
+ AnonymizeUserData = false;
}
else
{
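Review bot: The legacy-key fallback can silently ignore a configured `logging.anonymize.filenames=true`, because the two `getSafeConfig` calls are joined with `||` and the second is skipped whenever the first succeeds. The previous hunk still registers a default for `logging.anonymize.usernames`, which presumably makes the first call always succeed (getSafeConfig is not visible here, so confirm). The output variables are also crossed: the usernames key is read into `anonymizeFilenames` and the filenames key into `anonymizeUsernames`. On an upgraded install that only had the old filenames key enabled, `AnonymizeUserData` would then stay false and user data would be logged unanonymized. Read both keys unconditionally before testing them: `const bool haveUsernames = getSafeConfig(conf, "logging.anonymize.usernames", anonymizeUsernames);`, `const bool haveFilenames = getSafeConfig(conf, "logging.anonymize.filenames", anonymizeFilenames);`, `if (haveUsernames || haveFilenames)`; LOOLWSD::initialize starts and ends outside the hunk.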
@@ -976,11 +989,9 @@ void LOOLWSD::initialize(Application& self)
}
}
- if (AnonymizeFilenames)
- setenv("LOOL_ANONYMIZE_FILENAMES", "1", true);
-
- if (AnonymizeUsernames)
- setenv("LOOL_ANONYMIZE_USERNAMES", "1", true);
+ LOG_INF("Anonymization of user-data is " << (AnonymizeUserData ? "enabled." : "disabled."));
+ if (AnonymizeUserData)
+ setenv("LOOL_ANONYMIZE_USER_DATA", "1", true);
{
std::string proto = getConfigValue<std::string>(conf, "net.proto", "");
diff --git a/wsd/LOOLWSD.hpp b/wsd/LOOLWSD.hpp
index 4a9796a3a..011aca503 100644
--- a/wsd/LOOLWSD.hpp
+++ b/wsd/LOOLWSD.hpp
@@ -66,8 +66,7 @@ public:
static std::string LOKitVersion;
static std::string HostIdentifier; ///< A unique random hash that identifies this server
static std::string LogLevel;
- static bool AnonymizeFilenames;
- static bool AnonymizeUsernames;
+ static bool AnonymizeUserData;
static std::atomic<unsigned> NumConnections;
static std::unique_ptr<TraceFileWriter> TraceDumper;
#if !MOBILEAPP
@@ -155,14 +154,14 @@ public:
/// Anonymize the basename of filenames, preserving the path and extension.
static std::string anonymizeUrl(const std::string& url)
{
- return AnonymizeFilenames ? Util::anonymizeUrl(url) : url;
+ return AnonymizeUserData ? Util::anonymizeUrl(url) : url;
}
/// Anonymize user names and IDs.
/// Will use the Obfuscated User ID if one is provied via WOPI.
static std::string anonymizeUsername(const std::string& username)
{
- return AnonymizeUsernames ? Util::anonymize(username) : username;
+ return AnonymizeUserData ? Util::anonymize(username) : username;
}
/// get correct server URL with protocol + port number for this running server
diff --git a/wsd/Storage.cpp b/wsd/Storage.cpp
index c13498c09..0057f8cf8 100644
--- a/wsd/Storage.cpp
+++ b/wsd/Storage.cpp
@@ -511,7 +511,7 @@ std::unique_ptr<WopiStorage::WOPIFileInfo> WopiStorage::getWOPIFileInfo(const Au
Poco::JSON::Object::Ptr object;
if (JsonUtil::parseJSON(wopiResponse, object))
{
- if (LOOLWSD::AnonymizeFilenames || LOOLWSD::AnonymizeUsernames)
+ if (LOOLWSD::AnonymizeUserData)
LOG_DBG("WOPI::CheckFileInfo (" << callDuration.count() * 1000. << " ms): anonymizing...");
else
LOG_DBG("WOPI::CheckFileInfo (" << callDuration.count() * 1000. << " ms): " << wopiResponse);
@@ -524,7 +524,7 @@ std::unique_ptr<WopiStorage::WOPIFileInfo> WopiStorage::getWOPIFileInfo(const Au
JsonUtil::findJSONValue(object, "TemplateSource", templateSource);
// Anonymize key values.
- if (LOOLWSD::AnonymizeFilenames || LOOLWSD::AnonymizeUsernames)
+ if (LOOLWSD::AnonymizeUserData)
{
Util::mapAnonymized(Util::getFilenameFromURL(filename), Util::getFilenameFromURL(getUri().toString()));
@@ -538,11 +538,11 @@ std::unique_ptr<WopiStorage::WOPIFileInfo> WopiStorage::getWOPIFileInfo(const Au
// Set anonymized version of the above fields before logging.
// Note: anonymization caches the result, so we don't need to store here.
- if (LOOLWSD::AnonymizeFilenames)
+ if (LOOLWSD::AnonymizeUserData)
object->set("BaseFileName", LOOLWSD::anonymizeUrl(filename));
// If obfuscatedUserId is provided, then don't log the originals and use it.
- if (LOOLWSD::AnonymizeUsernames && obfuscatedUserId.empty())
+ if (LOOLWSD::AnonymizeUserData && obfuscatedUserId.empty())
{
object->set("OwnerId", LOOLWSD::anonymizeUsername(ownerId));
object->set("UserId", LOOLWSD::anonymizeUsername(userId));
@@ -556,16 +556,12 @@ std::unique_ptr<WopiStorage::WOPIFileInfo> WopiStorage::getWOPIFileInfo(const Au
// Remove them for performance reasons; they aren't needed anymore.
object->remove("ObfuscatedUserId");
- if (LOOLWSD::AnonymizeFilenames)
+ if (LOOLWSD::AnonymizeUserData)
{
object->remove("BaseFileName");
object->remove("TemplateSaveAs");
object->remove("TemplateSource");
- }
-
- if (LOOLWSD::AnonymizeUsernames)
- {
- object->remove("OwnerId");
+ object->remove("OwnerId");
object->remove("UserId");
object->remove("UserFriendlyName");
}
@@ -604,7 +600,7 @@ std::unique_ptr<WopiStorage::WOPIFileInfo> WopiStorage::getWOPIFileInfo(const Au
}
else
{
- if (LOOLWSD::AnonymizeFilenames || LOOLWSD::AnonymizeUsernames)
+ if (LOOLWSD::AnonymizeUserData)
wopiResponse = "obfuscated";
LOG_ERR("WOPI::CheckFileInfo (" << callDuration.count() * 1000. <<
@@ -817,7 +813,7 @@ StorageBase::SaveResult WopiStorage::saveLocalFileToStorage(const Authorization&
if (Log::infoEnabled())
{
- if (LOOLWSD::AnonymizeFilenames)
+ if (LOOLWSD::AnonymizeUserData)
{
Poco::JSON::Object::Ptr object;
if (JsonUtil::parseJSON(responseString, object))