loolwsd.xml.in | 7 +++++++ wsd/LOOLWSD.cpp | 1 + wsd/LOOLWSD.hpp | 34 ++++++++++++++++++++++++++++------ wsd/Storage.cpp | 48 +++++++++++++++++++++++++++++++++++------------- wsd/Storage.hpp | 4 ++++ 5 files changed, 75 insertions(+), 19 deletions(-)
New commits: commit d597f22dac9042c3917d3b105adc810b6900d52c Author: Gabriel Masei <[email protected]> AuthorDate: Mon Oct 7 14:51:30 2019 +0300 Commit: Michael Meeks <[email protected]> CommitDate: Tue Oct 8 18:57:36 2019 +0200 Add minimal TLS support for communication with storage Change-Id: Iafd9946a4240063c07f5c519b8af30b52e23d3e8 Reviewed-on: https://gerrit.libreoffice.org/80373 Reviewed-by: Michael Meeks <[email protected]> Tested-by: Michael Meeks <[email protected]> diff --git a/loolwsd.xml.in b/loolwsd.xml.in index baa42874d..91c748e93 100644 --- a/loolwsd.xml.in +++ b/loolwsd.xml.in @@ -125,6 +125,13 @@ <webdav desc="Allow/deny webdav storage. Mutually exclusive with wopi." allow="false"> <host desc="Hostname to allow" allow="false">localhost</host> </webdav> + <ssl desc="SSL settings"> + <enable type="bool" default="false"></enable> + <cert_file_path desc="Path to the cert file" relative="false"></cert_file_path> + <key_file_path desc="Path to the key file" relative="false"></key_file_path> + <ca_file_path desc="Path to the ca file" relative="false"></ca_file_path> + <cipher_list desc="List of OpenSSL ciphers to accept. If empty the defaults are used. These can be overriden only if absolutely needed."></cipher_list> + </ssl> </storage> <tile_cache_persistent desc="Should the tiles persist between two editing sessions of the given document?" type="bool" default="true">true</tile_cache_persistent> diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp index d0dd39878..c39f62d99 100644 --- a/wsd/LOOLWSD.cpp +++ b/wsd/LOOLWSD.cpp @@ -850,6 +850,7 @@ void LOOLWSD::initialize(Application& self) { "ssl.key_file_path", LOOLWSD_CONFIGDIR "/key.pem" }, { "ssl.termination", "true" }, { "storage.filesystem[@allow]", "false" }, + { "storage.ssl.enable", "false" }, { "storage.webdav[@allow]", "false" }, { "storage.wopi.host[0]", "localhost" }, { "storage.wopi.host[0][@allow]", "true" }, diff --git a/wsd/LOOLWSD.hpp b/wsd/LOOLWSD.hpp index 0253d08b2..333a6afc1 100644 
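Review bot: The new `ca_file_path` element needs to say what an empty value means, because in the accompanying Storage.cpp change an empty CA path makes the client context fall back to `VERIFY_NONE`, i.e. the storage server's certificate is not checked at all even with `enable` set to true. I would make that explicit in the element itself: `<ca_file_path desc="Path to the CA file used to verify the storage server's certificate. If empty, certificate verification is disabled (VERIFY_NONE); do not leave empty in production" relative="false"></ca_file_path>`. `enable` is the only new element without a `desc`; a one-liner such as `desc="Use TLS for connections to the WOPI/storage server"` would match the rest of the file, and "overriden" in `cipher_list` should read "overridden". The enclosing `<storage>` element starts outside the hunk.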
--- a/wsd/LOOLWSD.hpp +++ b/wsd/LOOLWSD.hpp @@ -130,6 +130,27 @@ public: return getConfigValue(Application::instance().config(), name, def); } + /// Reads and processes path entries with the given property + /// from the configuration. + /// Converts relative paths to absolute. + static + std::string getPathFromConfig(const std::string& name) + { + return getPathFromConfig(Application::instance().config(), name); + } + + /// Reads and processes path entries with the given property + /// from the configuration. If value is empty then it reads from fallback + /// Converts relative paths to absolute. + static + std::string getPathFromConfigWithFallback(const std::string& name, const std::string& fallbackName) + { + std::string value = LOOLWSD::getPathFromConfig(name); + if (value.empty()) + return LOOLWSD::getPathFromConfig(fallbackName); + return value; + } + /// Trace a new session and take a snapshot of the file. static void dumpNewSessionTrace(const std::string& id, const std::string& sessionId, const std::string& uri, const std::string& path); 
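Review bot: `getPathFromConfigWithFallback` only falls back when `name` is present but empty; if the key is missing from loolwsd.xml altogether, `getPathFromConfig` ends up in `config.getString(property)`, which, as I read Poco's `AbstractConfiguration`, throws `NotFoundException` instead of returning an empty string, so a config file that predates the new `storage.ssl` block would abort in `StorageBase::initialize()` rather than use the `ssl.*` values. I would guard the primary lookup before the existing call: `if (!Application::instance().config().hasProperty(name)) return LOOLWSD::getPathFromConfig(fallbackName);` and state in the doc comment that a missing key also triggers the fallback. The helper is also used for `storage.ssl.cipher_list`, which is not a path at all; the comment should warn that non-path values must not carry a `[@relative]` attribute, since the helper would otherwise rewrite them relative to the binary's directory.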
@@ -253,19 +274,20 @@ private: /// Reads and processes path entries with the given property /// from the configuration. /// Converts relative paths to absolute. - std::string getPathFromConfig(const std::string& property) const + static + std::string getPathFromConfig(Poco::Util::LayeredConfiguration& config, const std::string& property) { - std::string path = config().getString(property); - if (path.empty() && config().hasProperty(property + "[@default]")) + std::string path = config.getString(property); + if (path.empty() && config.hasProperty(property + "[@default]")) { // Use the default value if empty and a default provided. - path = config().getString(property + "[@default]"); + path = config.getString(property + "[@default]"); } // Reconstruct absolute path if relative. if (!Poco::Path(path).isAbsolute() && - config().hasProperty(property + "[@relative]") && - config().getBool(property + "[@relative]")) + config.hasProperty(property + "[@relative]") && + config.getBool(property + "[@relative]")) { path = Poco::Path(Application::instance().commandPath()).parent().append(path).toString(); } diff --git a/wsd/Storage.cpp b/wsd/Storage.cpp index c96bd208f..49e804b89 100644 --- a/wsd/Storage.cpp +++ b/wsd/Storage.cpp @@ -54,6 +54,7 @@ using std::size_t; bool StorageBase::FilesystemEnabled; bool StorageBase::WopiEnabled; +bool StorageBase::SSLEnabled; Util::RegexListMatcher StorageBase::WopiHosts; #if !MOBILEAPP 
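Review bot: The new static `getPathFromConfig` takes `Poco::Util::LayeredConfiguration& config` but only calls `hasProperty`, `getString` and `getBool` on it, which are const in Poco, so the parameter should be `const Poco::Util::LayeredConfiguration& config` to make the read-only contract visible to callers now that a configuration can be passed in explicitly. The relative-path branch still resolves against `Application::instance().commandPath()` rather than anything derived from the passed `config`, which is worth a one-line comment, e.g. `// Relative paths are always resolved against the running binary's directory, regardless of which configuration is passed.` The doc comment above the function was not updated for the new parameter; a `@param config the configuration to read from` line would complete it.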
@@ -124,8 +125,29 @@ void StorageBase::initialize() // Init client Poco::Net::Context::Params sslClientParams; - // TODO: Be more strict and setup SSL key/certs for remote server and us - sslClientParams.verificationMode = Poco::Net::Context::VERIFY_NONE; + SSLEnabled = LOOLWSD::getConfigValue<bool>("storage.ssl.enable", false); +#if ENABLE_DEBUG + char *StorageSSLEnabled = getenv("STORAGE_SSL_ENABLE"); + if (StorageSSLEnabled != NULL) + { + if (!strcasecmp(StorageSSLEnabled, "true")) + SSLEnabled = true; + else if (!strcasecmp(StorageSSLEnabled, "false")) + SSLEnabled = false; + } +#endif + + if (SSLEnabled) + { + sslClientParams.certificateFile = LOOLWSD::getPathFromConfigWithFallback("storage.ssl.cert_file_path", "ssl.cert_file_path"); + sslClientParams.privateKeyFile = LOOLWSD::getPathFromConfigWithFallback("storage.ssl.key_file_path", "ssl.key_file_path"); + sslClientParams.caLocation = LOOLWSD::getPathFromConfigWithFallback("storage.ssl.ca_file_path", "ssl.ca_file_path"); + sslClientParams.cipherList = LOOLWSD::getPathFromConfigWithFallback("storage.ssl.cipher_list", "ssl.cipher_list"); + + sslClientParams.verificationMode = (sslClientParams.caLocation.empty() ? Poco::Net::Context::VERIFY_NONE : Poco::Net::Context::VERIFY_STRICT); + } + else + sslClientParams.verificationMode = Poco::Net::Context::VERIFY_NONE; Poco::SharedPtr<Poco::Net::PrivateKeyPassphraseHandler> consoleClientHandler = new Poco::Net::KeyConsoleHandler(false); Poco::SharedPtr<Poco::Net::InvalidCertificateHandler> invalidClientCertHandler = new Poco::Net::AcceptCertificateHandler(false); 
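Review bot: Setting `VERIFY_STRICT` when a CA file is configured is, as far as I can tell, neutralised by the unchanged context line right after the hunk, which installs `new Poco::Net::AcceptCertificateHandler(false)` as the invalid-certificate handler; in Poco that handler marks every verification error as ignorable, so the handshake succeeds against any certificate regardless of the mode. I would install `new Poco::Net::RejectCertificateHandler(false)` instead (it is harmless under `VERIFY_NONE`, where the callback's verdict is not enforced), so that the CA path actually gates the connection. Separately, the `caLocation.empty() ? VERIFY_NONE : VERIFY_STRICT` branch silently disables verification when an operator enables TLS but forgets the CA path; this deserves at least `LOG_WRN("storage.ssl.enable is set but no CA file is configured: storage server certificates will NOT be verified");` next to that line. `cipher_list` is read through `getPathFromConfigWithFallback`, which is a path helper that treats the value as a filesystem path; a plain `getConfigValue<std::string>` with the same fallback would be the honest accessor. `StorageBase::initialize()` starts and ends outside the hunk.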
@@ -365,20 +387,20 @@ StorageBase::SaveResult LocalStorage::saveLocalFileToStorage(const Authorization #if !MOBILEAPP +Poco::Net::HTTPClientSession* StorageBase::getHTTPClientSession(const Poco::URI& uri) + { + // We decoupled the Wopi communication from client communcation because + // the Wopi communication must have an independent policy. + // So, we will use here only Storage settings. + return (SSLEnabled) + ? new Poco::Net::HTTPSClientSession(uri.getHost(), uri.getPort(), + Poco::Net::SSLManager::instance().defaultClientContext()) + : new Poco::Net::HTTPClientSession(uri.getHost(), uri.getPort()); + } + namespace { -inline -Poco::Net::HTTPClientSession* getHTTPClientSession(const Poco::URI& uri) -{ - // FIXME: if we're configured for http - we can still use an https:// wopi - // host surely; of course - the converse is not true / sensible. - return (LOOLWSD::isSSLEnabled() || LOOLWSD::isSSLTermination()) - ? new Poco::Net::HTTPSClientSession(uri.getHost(), uri.getPort(), - Poco::Net::SSLManager::instance().defaultClientContext()) - : new Poco::Net::HTTPClientSession(uri.getHost(), uri.getPort()); -} - void addStorageDebugCookie(Poco::Net::HTTPRequest& request) { (void) request; diff --git a/wsd/Storage.hpp b/wsd/Storage.hpp index 21eee8dab..85b7e9231 100644 --- a/wsd/Storage.hpp +++ b/wsd/Storage.hpp @@ -16,6 +16,7 @@ #include <Poco/URI.h> #include <Poco/Util/Application.h> +#include <Poco/Net/HTTPClientSession.h> #include "Auth.hpp" #include "LOOLWSD.hpp" @@ -208,6 +209,8 @@ public: const std::string& jailPath); static bool allowedWopiHost(const std::string& host); + static Poco::Net::HTTPClientSession* getHTTPClientSession(const Poco::URI& uri); + protected: /// Returns the root path of the jail directory of docs. 
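Review bot: The relocated `getHTTPClientSession` now chooses HTTPS solely from `SSLEnabled`, which defaults to false, and ignores `uri.getScheme()`, so a WOPI host given as `https://...` is contacted with a plain `HTTPClientSession` on the URI's port unless the operator also sets the new `storage.ssl.enable`; the old code picked HTTPS whenever the front end had SSL or SSL termination on, so existing deployments talking to an https WOPI host would, if I read this right, silently switch to plaintext on upgrade. I would honour the URI as well: `const bool secure = SSLEnabled || uri.getScheme() == "https";` and branch on `secure`, and the comment should say which of the two wins so the removed FIXME's point is not lost. The returned raw owning pointer is pre-existing, but a note that the caller owns the session would help now that the function is a public static.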
@@ -238,6 +241,7 @@ private: static bool FilesystemEnabled; static bool WopiEnabled; + static bool SSLEnabled; /// Allowed/denied WOPI hosts, if any and if WOPI is enabled. static Util::RegexListMatcher WopiHosts; }; _______________________________________________ Libreoffice-commits mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
