[Libreoffice-commits] online.git: debian/loolwsd.postinst.in docker/Dockerfile loolwsd-generate-proof-key loolwsd.spec.in Makefile.am man/loolconfig.1 man/loolconvert.1 man/loolforkit.1 man/loolwsd.1 man/loolwsd-generate-proof-key.1 man/loolwsd-systemplate-setup.1 wsd/ProofKey.cpp
Andras Timar (via logerrit)
logerrit at kemper.freedesktop.org
Thu Apr 23 17:36:26 UTC 2020
Makefile.am | 6 ++++--
debian/loolwsd.postinst.in | 1 +
docker/Dockerfile | 1 +
loolwsd-generate-proof-key | 32 ++++++++++++++++++++++++++++++++
loolwsd.spec.in | 3 +++
man/loolconfig.1 | 2 +-
man/loolconvert.1 | 2 +-
man/loolforkit.1 | 2 +-
man/loolwsd-generate-proof-key.1 | 9 +++++++++
man/loolwsd-systemplate-setup.1 | 2 +-
man/loolwsd.1 | 2 +-
wsd/ProofKey.cpp | 7 +++++--
12 files changed, 60 insertions(+), 9 deletions(-)
New commits:
commit 25bc0a1088d308f30f1705df96b13d650114a357
Author: Andras Timar <andras.timar at collabora.com>
AuthorDate: Thu Apr 23 15:55:32 2020 +0200
Commit: Andras Timar <andras.timar at collabora.com>
CommitDate: Thu Apr 23 19:36:06 2020 +0200
Proof: add loolwsd-generate-proof-key helper script
Change-Id: Ibbd99b6431b1a2992c520d3fad5f52d0770905f6
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/92788
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice at gmail.com>
Reviewed-by: Andras Timar <andras.timar at collabora.com>
diff --git a/Makefile.am b/Makefile.am
index dcbfbdcbb..521631dac 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -23,13 +23,15 @@ else
bin_PROGRAMS += loolwsd
endif
-dist_bin_SCRIPTS = loolwsd-systemplate-setup
+dist_bin_SCRIPTS = loolwsd-systemplate-setup \
+ loolwsd-generate-proof-key
man_MANS = man/loolwsd.1 \
man/loolforkit.1 \
man/loolconvert.1 \
man/loolconfig.1 \
- man/loolwsd-systemplate-setup.1
+ man/loolwsd-systemplate-setup.1 \
+ man/loolwsd-generate-proof-key.1
dist_doc_DATA = wsd/README \
wsd/README.vars \
diff --git a/debian/loolwsd.postinst.in b/debian/loolwsd.postinst.in
index afd2cde2a..41198e75a 100644
--- a/debian/loolwsd.postinst.in
+++ b/debian/loolwsd.postinst.in
@@ -24,6 +24,7 @@ case "$1" in
fc-cache @LO_PATH@/share/fonts/truetype
loolwsd-systemplate-setup /opt/lool/systemplate @LO_PATH@ >/dev/null 2>&1
+ loolwsd-generate-proof-key >/dev/null 2>&1
cat << EOF > /etc/apt/apt.conf.d/25loolwsd
// Rebuild systemplate of @APP_NAME@
DPkg::Post-Invoke { "echo Updating loolwsd systemplate;su lool --shell=/bin/sh -c 'loolwsd-systemplate-setup /opt/lool/systemplate @LO_PATH@ >/dev/null 2>&1'"; };
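Review bot: The added `loolwsd-generate-proof-key >/dev/null 2>&1` line discards both the output and any sign of failure, so an install where ssh-keygen is missing or the key cannot be written completes silently without a proof key. The administrator only learns of it later from the loolwsd warning log. Keeping a failure message would be enough, for example `loolwsd-generate-proof-key >/dev/null 2>&1 || echo "loolwsd: proof key was not generated; run loolwsd-generate-proof-key manually" >&2`, which also avoids aborting the postinst if it runs under `set -e`. The same applies to the identical line added to the post-install section of loolwsd.spec.in. Whether the packages declare a dependency on the OpenSSH client tools is not visible in this diff and is worth checking.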
diff --git a/docker/Dockerfile b/docker/Dockerfile
index c82cdee4c..351f9589e 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -31,6 +31,7 @@ RUN rm -rf /var/cache/loolwsd/*
RUN rm -rf /opt/lool
RUN mkdir -p /opt/lool/child-roots
RUN loolwsd-systemplate-setup /opt/lool/systemplate /opt/libreoffice >/dev/null 2>&1
+RUN loolwsd-generate-proof-key >/dev/null 2>&1
RUN touch /var/log/loolwsd.log
# Fix permissions
RUN chown lool:lool /var/log/loolwsd.log
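Review bot: Running `loolwsd-generate-proof-key` in a `RUN` step creates the RSA private key at image build time, so /etc/loolwsd/proof_key ends up in an image layer and every container started from that image signs its WOPI proof headers with the same key. If the image is distributed, anyone who can pull it can read the private key, which removes the assurance the proof gives a WOPI host. Generating the key when the container first starts (the helper already exits early when the file exists) or mounting it from a secret keeps the key per deployment. If the build-time key is kept, a comment above the line such as `# NOTE: proof key generated here is shared by all containers from this image` would document the trade-off.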
diff --git a/loolwsd-generate-proof-key b/loolwsd-generate-proof-key
new file mode 100755
index 000000000..1abbab78f
--- /dev/null
+++ b/loolwsd-generate-proof-key
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+SUDO=''
+if (( $EUID != 0 )); then
+ if hash sudo 2>/dev/null; then
+ SUDO='sudo'
+ else
+ "Run the script as root."
+ exit 1
+ fi
+fi
+
+if [ -f /etc/loolwsd/proof_key ]; then
+ echo "/etc/loolwsd/proof_key exists already."
+ exit 0
+fi
+
+if hash ssh-keygen 2>/dev/null; then
+ $SUDO ssh-keygen -t rsa -N "" -m PEM -f /etc/loolwsd/proof_key
+ if [ $? -ne 0 ] ; then
+ exit $?
+ fi
+ if id -u lool >/dev/null 2>&1; then
+ $SUDO chown lool: /etc/loolwsd/proof_key
+ else
+ echo "User lool does not exist. Please reinstall loolwsd package, or in case of manual installation from source, create the lool user manually."
+ fi
+else
+ echo "ssh-keygen command not found. Please install openssh client tools."
+ exit 127
+fi
+
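Review bot: A failed ssh-keygen is reported as success, because in `if [ $? -ne 0 ] ; then exit $?` the `$?` inside the branch is the status of the `[` test itself, which is 0. The package scripts call this helper with output discarded, so the exit status is the only signal left; capture it directly with `$SUDO ssh-keygen -t rsa -N "" -m PEM -f /etc/loolwsd/proof_key || exit $?`. In the non-root branch the bare string `"Run the script as root."` is executed as a command rather than printed and needs an `echo` (ideally with `>&2`). The branch where the lool user is missing also falls through with exit 0 and leaves a root-owned private key that the service cannot read, so it should exit non-zero. No `-b` is passed, so the RSA key size depends on the installed OpenSSH default; an explicit size would make the result predictable.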
diff --git a/loolwsd.spec.in b/loolwsd.spec.in
index d78760e82..e8747a5a9 100644
--- a/loolwsd.spec.in
+++ b/loolwsd.spec.in
@@ -96,6 +96,7 @@ echo "account required pam_unix.so" >> %{buildroot}/etc/pam.d/loolwsd
%files
/usr/bin/loolwsd
/usr/bin/loolwsd-systemplate-setup
+/usr/bin/loolwsd-generate-proof-key
/usr/bin/loolforkit
/usr/bin/loolconvert
/usr/bin/loolconfig
@@ -112,6 +113,7 @@ echo "account required pam_unix.so" >> %{buildroot}/etc/pam.d/loolwsd
/usr/share/man/man1/loolconvert.1
/usr/share/man/man1/loolconfig.1
/usr/share/man/man1/loolwsd-systemplate-setup.1
+/usr/share/man/man1/loolwsd-generate-proof-key.1
%{_unitdir}/loolwsd.service
%if 0%{?fedora} || 0%{?rhel} >= 7
%config(noreplace) /etc/sysconfig/loolwsd
@@ -154,6 +156,7 @@ chown lool:lool ${loolparent}/lool/child-roots
fc-cache ${loroot}/share/fonts/truetype
loolwsd-systemplate-setup ${loolparent}/lool/systemplate ${loroot} >/dev/null 2>&1
+loolwsd-generate-proof-key >/dev/null 2>&1
%if 0%{?fedora} || 0%{?rhel} >= 7
%systemd_post loolwsd.service
diff --git a/man/loolconfig.1 b/man/loolconfig.1
index 3637d9b14..ce481b02e 100644
--- a/man/loolconfig.1
+++ b/man/loolconfig.1
@@ -24,4 +24,4 @@ update\-system\-template
.PP
\fB\-\-pwd\-hash\-length\fR=\fInumber\fR Length of password hash to generate [set\-admin\-password].
.SH "SEE ALSO"
-loolforkit(1), loolconvert(1), loolwsd(1), loolwsd-systemplate-setup(1)
+loolforkit(1), loolconvert(1), loolwsd(1), loolwsd-systemplate-setup(1), loolwsd-generate-proof-key(1)
diff --git a/man/loolconvert.1 b/man/loolconvert.1
index bd0dcf01a..7b89e8351 100644
--- a/man/loolconvert.1
+++ b/man/loolconvert.1
@@ -17,4 +17,4 @@ loolconvert OPTIONS FILE(S)
\fB\-\-no\-check\-certificate\fR Disable checking of SSL certs
.PP
.SH "SEE ALSO"
-loolwsd(1), loolforkit(1), loolconfig(1), loolforkit-systemplate-setup(1)
+loolwsd(1), loolforkit(1), loolconfig(1), loolforkit-systemplate-setup(1), loolwsd-generate-proof-key(1)
diff --git a/man/loolforkit.1 b/man/loolforkit.1
index 73b54fd7a..1862f5de7 100644
--- a/man/loolforkit.1
+++ b/man/loolforkit.1
@@ -8,4 +8,4 @@ Single-threaded process that spawns LibreOffice Online Kit (LOK) instances.
.PP
\fBNote\fR: Running this standalone is not possible. It is spawned by loolwsd and is controlled via a pipe.
.SH "SEE ALSO"
-loolwsd(1), loolconvert(1), loolconfig(1), loolforkit-systemplate-setup(1)
+loolwsd(1), loolconvert(1), loolconfig(1), loolforkit-systemplate-setup(1), loolwsd-generate-proof-key(1)
diff --git a/man/loolwsd-generate-proof-key.1 b/man/loolwsd-generate-proof-key.1
new file mode 100644
index 000000000..2a30a22c8
--- /dev/null
+++ b/man/loolwsd-generate-proof-key.1
@@ -0,0 +1,9 @@
+.TH LOOLWSD-GENERATE_PROOF_KEY "1" "April 2020" "loolwsd-generate-proof-key " "User Commands"
+.SH NAME
+loolwsd-generate-proof-key
+.SH SYNOPSYS
+loolwsd-generate-proof-key
+.SH DESCRIPTION
+loolwsd-generate-proof-key creates an RSA key pair in /etc/loolwsd for the WOPI Proof headers. The script is automatically run by the postinstall script of loolwsd package, but in case of failure sysadmins can run it manually.
+.SH "SEE ALSO"
+loolforkit(1), loolconvert(1), loolconfig(1), loolwsd(1), loolwsd-systemplate-setup(1)
diff --git a/man/loolwsd-systemplate-setup.1 b/man/loolwsd-systemplate-setup.1
index c55f17290..6614e6779 100644
--- a/man/loolwsd-systemplate-setup.1
+++ b/man/loolwsd-systemplate-setup.1
@@ -6,4 +6,4 @@ loolwsd-systemplate-setup <chroot template directory for system libs to create>
.SH DESCRIPTION
loolwsd-systemplate-setup creates a minimal system template for running the LibreOfficeKit in a chroot jail. The system template contains the bare minimum of system libraries to run LibreOfficeKit, and also fonts and locale data from the system.
.SH "SEE ALSO"
-loolforkit(1), loolconvert(1), loolconfig(1), loolwsd(1)
+loolforkit(1), loolconvert(1), loolconfig(1), loolwsd(1), loolwsd-generate-proof-key(1)
diff --git a/man/loolwsd.1 b/man/loolwsd.1
index c73adfd93..bd932d521 100644
--- a/man/loolwsd.1
+++ b/man/loolwsd.1
@@ -31,4 +31,4 @@ loolwsd OPTIONS
\fB\-\-nocaps\fR Use a non\-privileged forkit, with increase in security problems.
.PP
.SH "SEE ALSO"
-loolforkit(1), loolconvert(1), loolconfig(1), loolwsd-systemplate-setup(1)
+loolforkit(1), loolconvert(1), loolconfig(1), loolwsd-systemplate-setup(1), loolwsd-generate-proof-key(1)
diff --git a/wsd/ProofKey.cpp b/wsd/ProofKey.cpp
index 836b2967a..ed49fb0bf 100644
--- a/wsd/ProofKey.cpp
+++ b/wsd/ProofKey.cpp
@@ -142,8 +142,11 @@ Proof::Proof()
{
std::string msg = e.displayText() +
"\nNo proof-key will be present in discovery."
- "\nIf you need to use WOPI security, generate an RSA key using this command line:"
- "\n ssh-keygen -t rsa -N \"\" -m PEM -f \"" + keyPath + "\"";
+ "\nIf you need to use WOPI security, generate an RSA key using this command:"
+ "\n loolwsd-generate-proof-key"
+ "\nor if your config dir is not /etc, you can run ssh-keygen manually:"
+ "\n ssh-keygen -t rsa -N \"\" -m PEM -f \"" + keyPath + "\""
+ "\nNote: the proof_key file must be readable by the loolwsd process.";
LOG_WRN(msg);
}
catch (const Poco::Exception& e)
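Review bot: The new last line of the warning, "the proof_key file must be readable by the loolwsd process", can be satisfied by making the private key world-readable, which is the wrong fix for an unencrypted RSA private key (the suggested command uses `-N ""`). ssh-keygen writes the key with owner-only permissions for whoever runs it, so after a manual run as root the correct step is to change the owner, not to widen the mode. I would word it as `"\nNote: the proof_key file must be owned by the user running loolwsd and not readable by others."`. The enclosing Proof::Proof() constructor starts and ends outside this hunk, so how keyPath is derived is not visible here.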