[Libreoffice-commits] online.git: loolwsd.xml.in test/UnitWOPITemplate.cpp test/WopiTestServer.hpp wsd/Storage.cpp wsd/Storage.hpp

Michael Meeks (via logerrit) logerrit at kemper.freedesktop.org
Thu Apr 30 12:53:47 UTC 2020


 loolwsd.xml.in            |    3 ++-
 test/UnitWOPITemplate.cpp |    1 -
 test/WopiTestServer.hpp   |   10 ++++++++--
 wsd/Storage.cpp           |   33 ++++++++++++++++++++++++++-------
 wsd/Storage.hpp           |    3 +++
 5 files changed, 39 insertions(+), 11 deletions(-)

New commits:
commit f9f392ab5cdcde96e6eace26c90a7482952735f1
Author:     Michael Meeks <michael.meeks at collabora.com>
AuthorDate: Wed Apr 29 20:24:33 2020 +0100
Commit:     Michael Meeks <michael.meeks at collabora.com>
CommitDate: Thu Apr 30 14:53:25 2020 +0200

    Storage: add as_scheme to allow auto-determination of whether to use SSL.
    
    This is the new default - do as we're told by the client.
    The old setting is left to allow users to force SSL if they are
    concerned that they may receive unhelpful URLs.
    
    Change-Id: Idea83aacea6826a8f37264e34d49c7550efe6d27
    Reviewed-on: https://gerrit.libreoffice.org/c/online/+/93179
    Tested-by: Michael Meeks <michael.meeks at collabora.com>
    Reviewed-by: Michael Meeks <michael.meeks at collabora.com>

diff --git a/loolwsd.xml.in b/loolwsd.xml.in
index 02518139b..4b40aa46f 100644
--- a/loolwsd.xml.in
+++ b/loolwsd.xml.in
@@ -140,7 +140,8 @@
             <host desc="Hostname to allow" allow="false">localhost</host>
         </webdav>
         <ssl desc="SSL settings">
-            <enable type="bool" desc="Controls whether SSL encryption between storage and loolwsd is enabled. Defaults when empty to following the ssl.enable setting"></enable>
+	    <as_scheme type="bool" default="true" desc="When set we exclusively use the WOPI URI's scheme to enable SSL for storage">true</as_scheme>
+            <enable type="bool" desc="If as_scheme is false or not set, this can be set to force SSL encryption between storage and loolwsd. When empty this defaults to following the ssl.enable setting"></enable>
             <cert_file_path desc="Path to the cert file" relative="false"></cert_file_path>
             <key_file_path desc="Path to the key file" relative="false"></key_file_path>
             <ca_file_path desc="Path to the ca file. If this is not empty, then SSL verification will be strict, otherwise cert of storage (WOPI-like host) will not be verified." relative="false"></ca_file_path>
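Review bot: The new `<as_scheme>` element is indented with a tab while every neighbouring element under `<ssl>` uses twelve spaces, so it sits out of column in the generated config file; re-indent it with spaces to match `<enable>`. The desc text could also state the consequence a deployer actually cares about, e.g. `desc="When true, the WOPI URI's scheme alone decides whether SSL is used to talk to storage (an http URI means plaintext); the enable setting below is then ignored"`. Note that the file default here is true while the code in Storage.cpp falls back to false when the key is absent, which is intentional for upgrades per that commit's comment but is not visible from this file.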
diff --git a/test/UnitWOPITemplate.cpp b/test/UnitWOPITemplate.cpp
index 2145bfc2b..2ebb1a28c 100644
--- a/test/UnitWOPITemplate.cpp
+++ b/test/UnitWOPITemplate.cpp
@@ -15,7 +15,6 @@
 #include <UnitHTTP.hpp>
 #include <helpers.hpp>
 #include <Poco/Net/HTTPRequest.h>
-#include <Poco/Util/LayeredConfiguration.h>
 
 class UnitWOPITemplate : public WopiTestServer
 {
diff --git a/test/WopiTestServer.hpp b/test/WopiTestServer.hpp
index f8a3375ed..40bacc45d 100644
--- a/test/WopiTestServer.hpp
+++ b/test/WopiTestServer.hpp
@@ -6,7 +6,6 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
-
 #include "config.h"
 
 #include "helpers.hpp"
@@ -14,7 +13,6 @@
 #include "Unit.hpp"
 #include "UnitHTTP.hpp"
 
-
 #include <Poco/DateTimeFormat.h>
 #include <Poco/DateTimeFormatter.h>
 #include <Poco/JSON/Object.h>
@@ -22,6 +20,7 @@
 #include <Poco/Net/HTTPRequest.h>
 #include <Poco/URI.h>
 #include <Poco/Timestamp.h>
+#include <Poco/Util/LayeredConfiguration.h>
 
 class WopiTestServer : public UnitWSD
 {
@@ -98,6 +97,13 @@ public:
     {
     }
 
+    void configure(Poco::Util::LayeredConfiguration& config) override
+    {
+        UnitWSD::configure(config);
+        // we're still internally confused as to https vs. http in places.
+        config.setBool("storage.ssl.as_scheme", false);
+    }
+
 protected:
     /// Here we act as a WOPI server, so that we have a server that responds to
     /// the wopi requests without additional expensive setup.
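Review bot: Forcing `storage.ssl.as_scheme` to false in the test harness means the new scheme-following branch of StorageBase::getHTTPClientSession is not exercised by any WopiTestServer-based test; only the legacy `SSLEnabled || isSSLTermination()` path is. The comment `// we're still internally confused as to https vs. http in places.` does not say what is confused; presumably the test WOPI URIs carry a scheme that does not match how the test server is actually served, and the comment should say so, e.g. `// The test WOPI server and the URIs handed to it do not agree on http vs. https, so follow the legacy ssl.enable setting rather than the URI scheme.` Consider a dedicated test that leaves as_scheme at its default so the new code path has coverage. The WopiTestServer class body continues outside this hunk.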
diff --git a/wsd/Storage.cpp b/wsd/Storage.cpp
index ad4249f4c..f010894c4 100644
--- a/wsd/Storage.cpp
+++ b/wsd/Storage.cpp
@@ -55,7 +55,8 @@ using std::size_t;
 
 bool StorageBase::FilesystemEnabled;
 bool StorageBase::WopiEnabled;
-bool StorageBase::SSLEnabled;
+bool StorageBase::SSLAsScheme = true;
+bool StorageBase::SSLEnabled = false;
 Util::RegexListMatcher StorageBase::WopiHosts;
 
 #if !MOBILEAPP
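Review bot: The static initializer `bool StorageBase::SSLAsScheme = true;` disagrees with the fallback initialize() reads in the next hunk, `getConfigValue<bool>("storage.ssl.as_scheme", false)`, so before initialize() runs (or in any build where it is not called) getHTTPClientSession follows the URI scheme, and afterwards it does not unless the key is present in the config. Pick one default and state it in both places; given the upgrade-path comment in the next hunk, `bool StorageBase::SSLAsScheme = false;` keeps the two consistent. The commit message calls scheme-following "the new default", which holds only for configs generated from loolwsd.xml.in, and that distinction is worth spelling out in the comment above the getConfigValue call.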
@@ -126,6 +127,10 @@ void StorageBase::initialize()
     // Init client
     Poco::Net::Context::Params sslClientParams;
 
+    // false default for upgrade to preserve legacy configuration
+    // in-config-file defaults are true.
+    SSLAsScheme = LOOLWSD::getConfigValue<bool>("storage.ssl.as_scheme", false);
+
     // Fallback to ssl.enable if not set - for back compatibility & simplicity.
     SSLEnabled = LOOLWSD::getConfigValue<bool>(
         "storage.ssl.enable", LOOLWSD::getConfigValue<bool>("ssl.enable", true));
@@ -398,15 +403,29 @@ LocalStorage::saveLocalFileToStorage(const Authorization& /*auth*/, const std::s
 #if !MOBILEAPP
 
 Poco::Net::HTTPClientSession* StorageBase::getHTTPClientSession(const Poco::URI& uri)
- {
+{
+    bool useSSL = false;
+    if (SSLAsScheme)
+    {
+        // the WOPI URI itself should control whether we use SSL or not
+        // for whether we verify vs. certificates, cf. above
+        useSSL = uri.getScheme() != "http";
+    }
+    else
+    {
+        // We decoupled the Wopi communication from client communication because
+        // the Wopi communication must have an independent policy.
+        // So, we will use here only Storage settings.
+        useSSL = SSLEnabled || LOOLWSD::isSSLTermination();
+    }
     // We decoupled the Wopi communication from client communication because
     // the Wopi communication must have an independent policy.
     // So, we will use here only Storage settings.
-    return (SSLEnabled || LOOLWSD::isSSLTermination())
-         ? new Poco::Net::HTTPSClientSession(uri.getHost(), uri.getPort(),
-                                             Poco::Net::SSLManager::instance().defaultClientContext())
-         : new Poco::Net::HTTPClientSession(uri.getHost(), uri.getPort());
- }
+    return useSSL
+        ? new Poco::Net::HTTPSClientSession(uri.getHost(), uri.getPort(),
+                                            Poco::Net::SSLManager::instance().defaultClientContext())
+        : new Poco::Net::HTTPClientSession(uri.getHost(), uri.getPort());
+}
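Review bot: The three-line comment beginning `// We decoupled the Wopi communication from client communication` that now sits between the if/else and the return is a verbatim duplicate of the one inside the else branch and no longer describes the return expression below it; drop it. When SSLAsScheme is true, `storage.ssl.enable` and `LOOLWSD::isSSLTermination()` have no effect at all, so a WOPI URI arriving with an `http` scheme produces a plaintext storage session regardless of those settings; that is the trade-off the commit message describes, but it belongs at the decision point, e.g. `// as_scheme mode: storage.ssl.enable and SSL termination are intentionally ignored; an http:// WOPI URI means plaintext to storage.` The `!= "http"` comparison errs towards SSL for any other or missing scheme, which is the right direction, and could be noted in the same comment.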
 
 namespace
 {
diff --git a/wsd/Storage.hpp b/wsd/Storage.hpp
index 78eab6434..e5ea41101 100644
--- a/wsd/Storage.hpp
+++ b/wsd/Storage.hpp
@@ -279,6 +279,9 @@ private:
 
     static bool FilesystemEnabled;
     static bool WopiEnabled;
+    /// If true, use only the WOPI URL for whether to use SSL to talk to storage server
+    static bool SSLAsScheme;
+    /// If true, force SSL communication with storage server
     static bool SSLEnabled;
     /// Allowed/denied WOPI hosts, if any and if WOPI is enabled.
     static Util::RegexListMatcher WopiHosts;
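Review bot: The new comment `/// If true, force SSL communication with storage server` on SSLEnabled is only accurate when SSLAsScheme is false; in as_scheme mode the flag is never consulted by getHTTPClientSession. Make the dependency explicit, e.g. `/// If true (and SSLAsScheme is false), force SSL communication with storage server`. The SSLAsScheme comment could likewise say that an http scheme in the WOPI URL then yields a plaintext connection.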

