[Libreoffice-commits] online.git: loolwsd.xml.in wsd/LOOLWSD.cpp wsd/LOOLWSD.hpp wsd/Storage.cpp wsd/Storage.hpp
Gabriel Masei (via logerrit)
logerrit at kemper.freedesktop.org
Tue Oct 8 16:57:56 UTC 2019
loolwsd.xml.in | 7 +++++++
wsd/LOOLWSD.cpp | 1 +
wsd/LOOLWSD.hpp | 34 ++++++++++++++++++++++++++++------
wsd/Storage.cpp | 48 +++++++++++++++++++++++++++++++++++-------------
wsd/Storage.hpp | 4 ++++
5 files changed, 75 insertions(+), 19 deletions(-)
New commits:
commit d597f22dac9042c3917d3b105adc810b6900d52c
Author: Gabriel Masei <gabriel.masei at 1and1.ro>
AuthorDate: Mon Oct 7 14:51:30 2019 +0300
Commit: Michael Meeks <michael.meeks at collabora.com>
CommitDate: Tue Oct 8 18:57:36 2019 +0200
Add minimal TLS support for communication with storage
Change-Id: Iafd9946a4240063c07f5c519b8af30b52e23d3e8
Reviewed-on: https://gerrit.libreoffice.org/80373
Reviewed-by: Michael Meeks <michael.meeks at collabora.com>
Tested-by: Michael Meeks <michael.meeks at collabora.com>
diff --git a/loolwsd.xml.in b/loolwsd.xml.in
index baa42874d..91c748e93 100644
--- a/loolwsd.xml.in
+++ b/loolwsd.xml.in
@@ -125,6 +125,13 @@
<webdav desc="Allow/deny webdav storage. Mutually exclusive with wopi." allow="false">
<host desc="Hostname to allow" allow="false">localhost</host>
</webdav>
+ <ssl desc="SSL settings">
+ <enable type="bool" default="false"></enable>
+ <cert_file_path desc="Path to the cert file" relative="false"></cert_file_path>
+ <key_file_path desc="Path to the key file" relative="false"></key_file_path>
+ <ca_file_path desc="Path to the ca file" relative="false"></ca_file_path>
+ <cipher_list desc="List of OpenSSL ciphers to accept. If empty the defaults are used. These can be overriden only if absolutely needed."></cipher_list>
+ </ssl>
</storage>
<tile_cache_persistent desc="Should the tiles persist between two editing sessions of the given document?" type="bool" default="true">true</tile_cache_persistent>
diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp
index d0dd39878..c39f62d99 100644
--- a/wsd/LOOLWSD.cpp
+++ b/wsd/LOOLWSD.cpp
@@ -850,6 +850,7 @@ void LOOLWSD::initialize(Application& self)
{ "ssl.key_file_path", LOOLWSD_CONFIGDIR "/key.pem" },
{ "ssl.termination", "true" },
{ "storage.filesystem[@allow]", "false" },
+ { "storage.ssl.enable", "false" },
{ "storage.webdav[@allow]", "false" },
{ "storage.wopi.host[0]", "localhost" },
{ "storage.wopi.host[0][@allow]", "true" },
diff --git a/wsd/LOOLWSD.hpp b/wsd/LOOLWSD.hpp
index 0253d08b2..333a6afc1 100644
--- a/wsd/LOOLWSD.hpp
+++ b/wsd/LOOLWSD.hpp
@@ -130,6 +130,27 @@ public:
return getConfigValue(Application::instance().config(), name, def);
}
+ /// Reads and processes path entries with the given property
+ /// from the configuration.
+ /// Converts relative paths to absolute.
+ static
+ std::string getPathFromConfig(const std::string& name)
+ {
+ return getPathFromConfig(Application::instance().config(), name);
+ }
+
+ /// Reads and processes path entries with the given property
+ /// from the configuration. If value is empty then it reads from fallback
+ /// Converts relative paths to absolute.
+ static
+ std::string getPathFromConfigWithFallback(const std::string& name, const std::string& fallbackName)
+ {
+ std::string value = LOOLWSD::getPathFromConfig(name);
+ if (value.empty())
+ return LOOLWSD::getPathFromConfig(fallbackName);
+ return value;
+ }
+
/// Trace a new session and take a snapshot of the file.
static void dumpNewSessionTrace(const std::string& id, const std::string& sessionId, const std::string& uri, const std::string& path);
@@ -253,19 +274,20 @@ private:
/// Reads and processes path entries with the given property
/// from the configuration.
/// Converts relative paths to absolute.
- std::string getPathFromConfig(const std::string& property) const
+ static
+ std::string getPathFromConfig(Poco::Util::LayeredConfiguration& config, const std::string& property)
{
- std::string path = config().getString(property);
- if (path.empty() && config().hasProperty(property + "[@default]"))
+ std::string path = config.getString(property);
+ if (path.empty() && config.hasProperty(property + "[@default]"))
{
// Use the default value if empty and a default provided.
- path = config().getString(property + "[@default]");
+ path = config.getString(property + "[@default]");
}
// Reconstruct absolute path if relative.
if (!Poco::Path(path).isAbsolute() &&
- config().hasProperty(property + "[@relative]") &&
- config().getBool(property + "[@relative]"))
+ config.hasProperty(property + "[@relative]") &&
+ config.getBool(property + "[@relative]"))
{
path = Poco::Path(Application::instance().commandPath()).parent().append(path).toString();
}
diff --git a/wsd/Storage.cpp b/wsd/Storage.cpp
index c96bd208f..49e804b89 100644
--- a/wsd/Storage.cpp
+++ b/wsd/Storage.cpp
@@ -54,6 +54,7 @@ using std::size_t;
bool StorageBase::FilesystemEnabled;
bool StorageBase::WopiEnabled;
+bool StorageBase::SSLEnabled;
Util::RegexListMatcher StorageBase::WopiHosts;
#if !MOBILEAPP
@@ -124,8 +125,29 @@ void StorageBase::initialize()
// Init client
Poco::Net::Context::Params sslClientParams;
- // TODO: Be more strict and setup SSL key/certs for remote server and us
- sslClientParams.verificationMode = Poco::Net::Context::VERIFY_NONE;
+ SSLEnabled = LOOLWSD::getConfigValue<bool>("storage.ssl.enable", false);
+#if ENABLE_DEBUG
+ char *StorageSSLEnabled = getenv("STORAGE_SSL_ENABLE");
+ if (StorageSSLEnabled != NULL)
+ {
+ if (!strcasecmp(StorageSSLEnabled, "true"))
+ SSLEnabled = true;
+ else if (!strcasecmp(StorageSSLEnabled, "false"))
+ SSLEnabled = false;
+ }
+#endif
+
+ if (SSLEnabled)
+ {
+ sslClientParams.certificateFile = LOOLWSD::getPathFromConfigWithFallback("storage.ssl.cert_file_path", "ssl.cert_file_path");
+ sslClientParams.privateKeyFile = LOOLWSD::getPathFromConfigWithFallback("storage.ssl.key_file_path", "ssl.key_file_path");
+ sslClientParams.caLocation = LOOLWSD::getPathFromConfigWithFallback("storage.ssl.ca_file_path", "ssl.ca_file_path");
+ sslClientParams.cipherList = LOOLWSD::getPathFromConfigWithFallback("storage.ssl.cipher_list", "ssl.cipher_list");
+
+ sslClientParams.verificationMode = (sslClientParams.caLocation.empty() ? Poco::Net::Context::VERIFY_NONE : Poco::Net::Context::VERIFY_STRICT);
+ }
+ else
+ sslClientParams.verificationMode = Poco::Net::Context::VERIFY_NONE;
Poco::SharedPtr<Poco::Net::PrivateKeyPassphraseHandler> consoleClientHandler = new Poco::Net::KeyConsoleHandler(false);
Poco::SharedPtr<Poco::Net::InvalidCertificateHandler> invalidClientCertHandler = new Poco::Net::AcceptCertificateHandler(false);
@@ -365,20 +387,20 @@ StorageBase::SaveResult LocalStorage::saveLocalFileToStorage(const Authorization
#if !MOBILEAPP
+Poco::Net::HTTPClientSession* StorageBase::getHTTPClientSession(const Poco::URI& uri)
+ {
+ // We decoupled the Wopi communication from client communcation because
+ // the Wopi communication must have an independent policy.
+ // So, we will use here only Storage settings.
+ return (SSLEnabled)
+ ? new Poco::Net::HTTPSClientSession(uri.getHost(), uri.getPort(),
+ Poco::Net::SSLManager::instance().defaultClientContext())
+ : new Poco::Net::HTTPClientSession(uri.getHost(), uri.getPort());
+ }
+
namespace
{
-inline
-Poco::Net::HTTPClientSession* getHTTPClientSession(const Poco::URI& uri)
-{
- // FIXME: if we're configured for http - we can still use an https:// wopi
- // host surely; of course - the converse is not true / sensible.
- return (LOOLWSD::isSSLEnabled() || LOOLWSD::isSSLTermination())
- ? new Poco::Net::HTTPSClientSession(uri.getHost(), uri.getPort(),
- Poco::Net::SSLManager::instance().defaultClientContext())
- : new Poco::Net::HTTPClientSession(uri.getHost(), uri.getPort());
-}
-
void addStorageDebugCookie(Poco::Net::HTTPRequest& request)
{
(void) request;
diff --git a/wsd/Storage.hpp b/wsd/Storage.hpp
index 21eee8dab..85b7e9231 100644
--- a/wsd/Storage.hpp
+++ b/wsd/Storage.hpp
@@ -16,6 +16,7 @@
#include <Poco/URI.h>
#include <Poco/Util/Application.h>
+#include <Poco/Net/HTTPClientSession.h>
#include "Auth.hpp"
#include "LOOLWSD.hpp"
@@ -208,6 +209,8 @@ public:
const std::string& jailPath);
static bool allowedWopiHost(const std::string& host);
+ static Poco::Net::HTTPClientSession* getHTTPClientSession(const Poco::URI& uri);
+
protected:
/// Returns the root path of the jail directory of docs.
@@ -238,6 +241,7 @@ private:
static bool FilesystemEnabled;
static bool WopiEnabled;
+ static bool SSLEnabled;
/// Allowed/denied WOPI hosts, if any and if WOPI is enabled.
static Util::RegexListMatcher WopiHosts;
};
More information about the Libreoffice-commits
mailing list