loolwsd.xml.in | 3 ++-
test/UnitWOPITemplate.cpp | 1 -
test/WopiTestServer.hpp | 10 ++++++++--
wsd/Storage.cpp | 33 ++++++++++++++++++++++++++-------
wsd/Storage.hpp | 3 +++
5 files changed, 39 insertions(+), 11 deletions(-)
New commits:
commit f9f392ab5cdcde96e6eace26c90a7482952735f1
Author: Michael Meeks <[email protected]>
AuthorDate: Wed Apr 29 20:24:33 2020 +0100
Commit: Michael Meeks <[email protected]>
CommitDate: Thu Apr 30 14:53:25 2020 +0200
Storage: add as_scheme to allow auto-determination of whether to use SSL.
This is the new default - do as we're told by the client. The old setting is left to allow users to force SSL if they are concerned that they may receive unhelpful URLs.
Change-Id: Idea83aacea6826a8f37264e34d49c7550efe6d27
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/93179
Tested-by: Michael Meeks <[email protected]>
Reviewed-by: Michael Meeks <[email protected]>
diff --git a/loolwsd.xml.in b/loolwsd.xml.in
index 02518139b..4b40aa46f 100644
--- a/loolwsd.xml.in
+++ b/loolwsd.xml.in
@@ -140,7 +140,8 @@
 <host desc="Hostname to allow" allow="false">localhost</host>
 </webdav>
 <ssl desc="SSL settings">
- <enable type="bool" desc="Controls whether SSL encryption between storage and loolwsd is enabled. Defaults when empty to following the ssl.enable setting"></enable>
+ <as_scheme type="bool" default="true" desc="When set we exclusively use the WOPI URI's scheme to enable SSL for storage">true</as_scheme>
+ <enable type="bool" desc="If as_scheme is false or not set, this can be set to force SSL encryption between storage and loolwsd. When empty this defaults to following the ssl.enable setting"></enable>
 <cert_file_path desc="Path to the cert file" relative="false"></cert_file_path>
 <key_file_path desc="Path to the key file" relative="false"></key_file_path>
 <ca_file_path desc="Path to the ca file. If this is not empty, then SSL verification will be strict, otherwise cert of storage (WOPI-like host) will not be verified." relative="false"></ca_file_path>
diff --git a/test/UnitWOPITemplate.cpp b/test/UnitWOPITemplate.cpp
index 2145bfc2b..2ebb1a28c 100644
--- a/test/UnitWOPITemplate.cpp
+++ b/test/UnitWOPITemplate.cpp
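Review bot: The new `as_scheme` desc does not tell an operator what the default gives up: when it is true, `enable` and the `ssl.enable` fallback are never consulted, so storage traffic is plaintext whenever the WOPI host hands out an http:// URI. The commit message states that this is deliberate, but someone reading only the config file cannot see the trade-off, and the `enable` desc only says it applies "If as_scheme is false or not set". Suggest extending the `as_scheme` desc with `Storage traffic is then plaintext whenever the WOPI URI uses http; set this to false and use enable to force SSL regardless of the URI.`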
@@ -15,7 +15,6 @@
 #include <UnitHTTP.hpp>
 #include <helpers.hpp>
 #include <Poco/Net/HTTPRequest.h>
-#include <Poco/Util/LayeredConfiguration.h>
 class UnitWOPITemplate : public WopiTestServer
 {
diff --git a/test/WopiTestServer.hpp b/test/WopiTestServer.hpp
index f8a3375ed..40bacc45d 100644
--- a/test/WopiTestServer.hpp
+++ b/test/WopiTestServer.hpp
@@ -6,7 +6,6 @@
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 */
-
 #include "config.h"
 #include "helpers.hpp"
@@ -14,7 +13,6 @@
 #include "Unit.hpp"
 #include "UnitHTTP.hpp"
-
 #include <Poco/DateTimeFormat.h>
 #include <Poco/DateTimeFormatter.h>
 #include <Poco/JSON/Object.h>
@@ -22,6 +20,7 @@
 #include <Poco/Net/HTTPRequest.h>
 #include <Poco/URI.h>
 #include <Poco/Timestamp.h>
+#include <Poco/Util/LayeredConfiguration.h>
 class WopiTestServer : public UnitWSD
 {
@@ -98,6 +97,13 @@ public:
 {
 }
+ void configure(Poco::Util::LayeredConfiguration& config) override
+ {
+ UnitWSD::configure(config);
+ // we're still internally confused as to https vs. http in places.
+ config.setBool("storage.ssl.as_scheme", false);
+ }
+
 protected:
 /// Here we act as a WOPI server, so that we have a server that responds to
 /// the wopi requests without additional expensive setup.
diff --git a/wsd/Storage.cpp b/wsd/Storage.cpp
index ad4249f4c..f010894c4 100644
--- a/wsd/Storage.cpp
+++ b/wsd/Storage.cpp
@@ -55,7 +55,8 @@ using std::size_t;
 bool StorageBase::FilesystemEnabled;
 bool StorageBase::WopiEnabled;
-bool StorageBase::SSLEnabled;
+bool StorageBase::SSLAsScheme = true;
+bool StorageBase::SSLEnabled = false;
 Util::RegexListMatcher StorageBase::WopiHosts;
 #if !MOBILEAPP
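Review bot: The `configure` override pins `storage.ssl.as_scheme` to false for every test built on `WopiTestServer`, so the scheme-driven branch that the config template now enables by default is not exercised by any test this commit touches. The comment `// we're still internally confused as to https vs. http in places.` records a known inconsistency without saying where it lives; a `// TODO:` naming the affected path, or one test that keeps the default and serves the document from an http:// WOPI URI, would stop it being forgotten. Whether `UnitWOPITemplate` previously carried its own override (its `LayeredConfiguration` include is dropped in this commit) is not visible from the hunk.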
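Review bot: `SSLAsScheme` is statically initialized to `true` here, while `initialize()` (the next hunk in this file) reads `storage.ssl.as_scheme` with a default of `false` and its comment says false is the intended legacy default; the two defaults disagree, so the transport decision in `getHTTPClientSession` depends on whether `initialize()` has already run. Suggest `bool StorageBase::SSLAsScheme = false;` so that an early or skipped initialize cannot select the scheme-driven path, with a comment such as `// config-file template sets this true; false keeps legacy configs on the forced-SSL path`. Whether any caller can reach `getHTTPClientSession` before `initialize()` is not visible from these hunks.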
@@ -126,6 +127,10 @@ void StorageBase::initialize()
 // Init client
 Poco::Net::Context::Params sslClientParams;
+ // false default for upgrade to preserve legacy configuration
+ // in-config-file defaults are true.
+ SSLAsScheme = LOOLWSD::getConfigValue<bool>("storage.ssl.as_scheme", false);
+ // Fallback to ssl.enable if not set - for back compatibility & simplicity.
 SSLEnabled = LOOLWSD::getConfigValue<bool>(
 "storage.ssl.enable", LOOLWSD::getConfigValue<bool>("ssl.enable", true));
@@ -398,15 +403,29 @@ LocalStorage::saveLocalFileToStorage(const Authorization& /*auth*/, const std::s
 #if !MOBILEAPP
 Poco::Net::HTTPClientSession* StorageBase::getHTTPClientSession(const Poco::URI& uri)
- {
+{
+ bool useSSL = false;
+ if (SSLAsScheme)
+ {
+ // the WOPI URI itself should control whether we use SSL or not
+ // for whether we verify vs. certificates, cf. above
+ useSSL = uri.getScheme() != "http";
+ }
+ else
+ {
+ // We decoupled the Wopi communication from client communication because
+ // the Wopi communication must have an independent policy.
+ // So, we will use here only Storage settings.
+ useSSL = SSLEnabled || LOOLWSD::isSSLTermination();
+ }
 // We decoupled the Wopi communication from client communication because
 // the Wopi communication must have an independent policy.
 // So, we will use here only Storage settings.
- return (SSLEnabled || LOOLWSD::isSSLTermination())
- ? new Poco::Net::HTTPSClientSession(uri.getHost(), uri.getPort(),
- Poco::Net::SSLManager::instance().defaultClientContext())
- : new Poco::Net::HTTPClientSession(uri.getHost(), uri.getPort());
- }
+ return useSSL
+ ? new Poco::Net::HTTPSClientSession(uri.getHost(), uri.getPort(),
+ Poco::Net::SSLManager::instance().defaultClientContext())
+ : new Poco::Net::HTTPClientSession(uri.getHost(), uri.getPort());
+}
 namespace
 {
diff --git a/wsd/Storage.hpp b/wsd/Storage.hpp
index 78eab6434..e5ea41101 100644
--- a/wsd/Storage.hpp
+++ b/wsd/Storage.hpp
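Review bot: The three-line `// We decoupled the Wopi communication ...` comment left in place between the new `if`/`else` and the `return` is now a verbatim duplicate of the else branch's comment and no longer describes the code under it, which only picks a session type from `useSSL`; drop the outer copy. The scheme test `useSSL = uri.getScheme() != "http";` makes an empty or unexpected scheme fall towards TLS, which is the safer failure mode but holds only because it is written as "not http" rather than "is https", so a comment `// anything that is not plain http is treated as TLS; do not rewrite as == "https"` would protect it from a later inversion. The function also never records which transport it chose or why (scheme vs. configuration), which is the first thing an operator needs when storage traffic is unexpectedly plaintext; a debug-level log of `useSSL` and `SSLAsScheme` before the `return` would cover that. The `#if !MOBILEAPP` block opened at the top of the hunk continues past its end.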
@@ -279,6 +279,9 @@ private:
 static bool FilesystemEnabled;
 static bool WopiEnabled;
+ /// If true, use only the WOPI URL for whether to use SSL to talk to storage server
+ static bool SSLAsScheme;
+ /// If true, force SSL communication with storage server
 static bool SSLEnabled;
 /// Allowed/denied WOPI hosts, if any and if WOPI is enabled.
 static Util::RegexListMatcher WopiHosts;
_______________________________________________
Libreoffice-commits mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
