wsd/Admin.cpp | 4 +--- wsd/Auth.cpp | 2 ++ wsd/Auth.hpp | 5 ++--- wsd/FileServer.cpp | 5 ++--- wsd/README | 3 +-- 5 files changed, 8 insertions(+), 11 deletions(-)
New commits: commit 2d62529359da64cadf74c345716f64ce4c77c23c Author: Andras Timar <andras.ti...@collabora.com> AuthorDate: Fri Sep 28 11:54:20 2018 +0200 Commit: Andras Timar <andras.ti...@collabora.com> CommitDate: Fri Oct 5 16:38:46 2018 +0200 don't use ssl key file for admin console auth, use a generated key instead Change-Id: I424afe0184a64b7f069d896bde6941e42b7b5531 rational: setup is easier in case, when user does not use ssl in loolwsd config Reviewed-on: https://gerrit.libreoffice.org/61076 Reviewed-by: Andras Timar <andras.ti...@collabora.com> Tested-by: Andras Timar <andras.ti...@collabora.com> diff --git a/wsd/Admin.cpp b/wsd/Admin.cpp index b8d8d6afd..6025c59a5 100644 --- a/wsd/Admin.cpp +++ b/wsd/Admin.cpp @@ -76,11 +76,9 @@ void AdminSocketHandler::handleMessage(bool /* fin */, WSOpCode /* code */, } std::string jwtToken; LOOLProtocol::getTokenString(tokens[1], "jwt", jwtToken); - const auto& config = Application::instance().config(); - const std::string sslKeyPath = config.getString("ssl.key_file_path", ""); LOG_INF("Verifying JWT token: " << jwtToken); - JWTAuth authAgent(sslKeyPath, "admin", "admin", "admin"); + JWTAuth authAgent("admin", "admin", "admin"); if (authAgent.verify(jwtToken)) { LOG_TRC("JWT token is valid"); diff --git a/wsd/Auth.cpp b/wsd/Auth.cpp index 8b1a0ec77..6be7eceea 100644 --- a/wsd/Auth.cpp +++ b/wsd/Auth.cpp @@ -37,6 +37,8 @@ using Poco::Base64Decoder; using Poco::Base64Encoder; using Poco::OutputLineEndingConverter; +const Poco::Crypto::RSAKey JWTAuth::_key(Poco::Crypto::RSAKey(Poco::Crypto::RSAKey::KL_2048, Poco::Crypto::RSAKey::EXP_LARGE)); + void Authorization::authorizeURI(Poco::URI& uri) const { if (_type == Authorization::Type::Token) diff --git a/wsd/Auth.hpp b/wsd/Auth.hpp index 1832b7868..3616b0144 100644 --- a/wsd/Auth.hpp +++ b/wsd/Auth.hpp 
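Review bot: The new `const Poco::Crypto::RSAKey JWTAuth::_key(...)` definition performs a 2048-bit RSA key generation during static initialization of every process image that links Auth.cpp, before `main()` runs, so the cost is paid at load time and the object is exposed to static-initialization-order problems if any JWTAuth were ever constructed from another translation unit's static initializer (none is visible here, so that part is a precaution). A function-local static behind an accessor generates the key on first use and keeps the same per-process semantics; the Auth.hpp side would then declare `static const Poco::Crypto::RSAKey& key();` in place of the `_key` data member and initialize with `_digestEngine(key(), "SHA256")`. Whatever form is kept, the definition deserves a comment stating that the key is regenerated on every restart, so admin tokens issued before a restart (and, presumably, by a different loolwsd process in a multi-instance deployment) no longer verify.
```cpp
// Auth.cpp — replaces the namespace-scope definition of JWTAuth::_key
const Poco::Crypto::RSAKey& JWTAuth::key()
{
    // Generated on first use rather than at static initialization. The key is
    // process-local: tokens signed by a previous process do not verify.
    static const Poco::Crypto::RSAKey k(Poco::Crypto::RSAKey::KL_2048, Poco::Crypto::RSAKey::EXP_LARGE);
    return k;
}
```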
@@ -73,11 +73,10 @@ public: class JWTAuth : public AuthBase { public: - JWTAuth(const std::string& keyPath, const std::string& name, const std::string& sub, const std::string& aud) + JWTAuth(const std::string& name, const std::string& sub, const std::string& aud) : _name(name), _sub(sub), _aud(aud), - _key(Poco::Crypto::RSAKey("", keyPath)), _digestEngine(_key, "SHA256") { } @@ -100,7 +99,7 @@ private: const std::string _sub; const std::string _aud; - const Poco::Crypto::RSAKey _key; + static const Poco::Crypto::RSAKey _key; Poco::Crypto::RSADigestEngine _digestEngine; }; diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp index e0b475595..fde70d242 100644 --- a/wsd/FileServer.cpp +++ b/wsd/FileServer.cpp @@ -196,7 +196,6 @@ bool FileServerRequestHandler::isAdminLoggedIn(const HTTPRequest& request, assert(LOOLWSD::AdminEnabled); const auto& config = Application::instance().config(); - const std::string& sslKeyPath = config.getString("ssl.key_file_path", ""); NameValueCollection cookies; request.getCookies(cookies); @@ -204,7 +203,7 @@ bool FileServerRequestHandler::isAdminLoggedIn(const HTTPRequest& request, { const std::string jwtToken = cookies.get("jwt"); LOG_INF("Verifying JWT token: " << jwtToken); - JWTAuth authAgent(sslKeyPath, "admin", "admin", "admin"); + JWTAuth authAgent("admin", "admin", "admin"); if (authAgent.verify(jwtToken)) { LOG_TRC("JWT token is valid"); @@ -247,7 +246,7 @@ bool FileServerRequestHandler::isAdminLoggedIn(const HTTPRequest& request, } // authentication passed, generate and set the cookie - JWTAuth authAgent(sslKeyPath, "admin", "admin", "admin"); + JWTAuth authAgent("admin", "admin", "admin"); const std::string jwtToken = authAgent.getAccessToken(); Poco::Net::HTTPCookie cookie("jwt", jwtToken); diff --git a/wsd/README b/wsd/README index 172c85f73..3c42f674b 100644 --- a/wsd/README +++ b/wsd/README 
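Review bot: The new `static const Poco::Crypto::RSAKey _key;` member carries no comment saying that it is now a key generated by the running process rather than the configured SSL key, which is exactly the property the commit message motivates and the one every caller of `verify()` implicitly relies on. I would add above it: `// Process-local signing key generated at startup (see Auth.cpp); admin tokens do not survive a restart and are not shared between loolwsd instances.` Since `_key` is now shared by all JWTAuth instances while each instance builds its own `_digestEngine` from it, it is also worth confirming that Poco's RSADigestEngine only reads the key it is constructed from; the class body continues outside the hunk.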
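Review bot: With the new `JWTAuth authAgent("admin", "admin", "admin");` the `authAgent.verify(jwtToken)` check on the `jwt` cookie now fails for every cookie issued by a previous loolwsd process, because the signing key is regenerated per process in the Auth.cpp hunk, so after a restart this branch falls through to the fallback authentication that starts outside this hunk. That is acceptable for a console login but should be stated in a comment at the check, e.g. `// The signing key is per process: cookies from before a restart fail here and the user re-authenticates below.` The preceding `LOG_INF("Verifying JWT token: " << jwtToken)` also still writes the full admin bearer token to the log at info level; the change keeps it, but a credential should not be logged at that level — `LOG_INF("Verifying JWT token")` with the value, if needed at all, at trace level is enough.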
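Review bot: The cookie built from the new `authAgent.getAccessToken()` in `Poco::Net::HTTPCookie cookie("jwt", jwtToken);` has its attributes set after the hunk ends, so I cannot see them here; since this is the only credential protecting the admin console, please confirm that `cookie.setHttpOnly(true)` is applied and that `cookie.setSecure(true)` is set whenever SSL is enabled. A lifetime set on the cookie is now also bounded by the lifetime of the signing process, which is worth a one-line comment next to the cookie construction, e.g. `// Token validity is bounded by this process's lifetime (per-process signing key).` The function continues outside the hunk.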
@@ -183,8 +183,7 @@ there is a less verbose way, but this worked for me: openssl ca -keyfile private/ca.key.pem -cert ca.cert.pem -extensions usr_cert -notext -md sha256 -in csr.pem -out cert.pem HTTPS is the default. HTTP-only mode can be enabled with --disable-ssl -configure option. key.pem is required even in HTTP-only mode, because it is -used to generate the secure token for the admin console. +configure option. If you plan to hack on loolwsd, you probably want to familiarize yourself with loolwsd's --numprespawns switch, and the 'connect'