Rewrite coolwsd-generate-proof-key in C++

* simplified the tooling a bit: use coolconfig for creating
  RSA key pairs for WOPI Proof headers.
* got rid of a dependency: ssh-keygen, towards leaner docker images

Signed-off-by: Andras Timar <andras.timar@collabora.com>
Change-Id: Iaf468b5c8585d45027f512bb0a287ab77afb1ea9
This commit is contained in:
Andras Timar 2023-07-06 21:51:58 +02:00 committed by thebearon
parent 7256b59bba
commit fc946198d3
15 changed files with 62 additions and 73 deletions


@ -29,8 +29,7 @@ else
bin_PROGRAMS += coolwsd
endif
dist_bin_SCRIPTS = coolwsd-systemplate-setup \
coolwsd-generate-proof-key
dist_bin_SCRIPTS = coolwsd-systemplate-setup
man_MANS = man/coolwsd.1 \
man/coolforkit.1 \
@ -38,7 +37,6 @@ man_MANS = man/coolwsd.1 \
man/coolconfig.1 \
man/coolstress.1 \
man/coolwsd-systemplate-setup.1 \
man/coolwsd-generate-proof-key.1 \
man/coolmount.1


@ -1,46 +0,0 @@
#!/usr/bin/env bash
if [ "$1" == "-h" ]; then
echo "Usage: coolwsd-generate-proof-key [-h] [CONFIGDIR]"
echo "CONFIGDIR defaults to /etc/coolwsd"
exit 0
fi
if [ "$1" ]; then
CONFIGDIR="$1"
else
CONFIGDIR="/etc/coolwsd"
fi
SUDO=''
if [ ! -w "$CONFIGDIR" ]; then
if (( $EUID != 0 )); then
if hash sudo 2>/dev/null; then
SUDO='sudo'
else
echo "Run the script as root."
exit 1
fi
fi
fi
if [ -f $CONFIGDIR/proof_key ]; then
echo "$CONFIGDIR/proof_key exists already."
exit 0
fi
if hash ssh-keygen 2>/dev/null; then
$SUDO ssh-keygen -t rsa -N "" -m PEM -f $CONFIGDIR/proof_key
if [ $? -ne 0 ] ; then
exit $?
fi
if id -u cool >/dev/null 2>&1; then
$SUDO chown cool: $CONFIGDIR/proof_key
else
echo "User cool does not exist. Please reinstall coolwsd package, or in case of manual installation from source, create the cool user manually."
fi
else
echo "ssh-keygen command not found. Please install openssh client tools."
exit 127
fi


@ -15,7 +15,7 @@ License: EULA
Source0: coolwsd-@PACKAGE_VERSION@.tar.gz
BuildRequires: libcap-devel pam-devel gcc-c++ cppunit-devel pam-devel fontconfig make
Requires: collaboraoffice collaboraoffice-ure collaboraofficebasis-core collaboraofficebasis-writer collaboraofficebasis-impress collaboraofficebasis-graphicfilter collaboraofficebasis-en-US collaboraofficebasis-calc collaboraofficebasis-ooofonts collaboraofficebasis-images collaboraofficebasis-draw collaboraofficebasis-extension-pdf-import collaboraofficebasis-ooolinguistic collaboraofficebasis-math
Requires(post): coreutils grep sed cpio /usr/sbin/setcap /usr/bin/ssh-keygen
Requires(post): coreutils grep sed cpio /usr/sbin/setcap
Provides: loolwsd
Obsoletes: loolwsd collaboraoffice-dict-br collaboraoffice-dict-et collaboraoffice-dict-gd collaboraoffice-dict-gu collaboraoffice-dict-hi collaboraoffice-dict-lt collaboraoffice-dict-lv collaboraoffice-dict-ro collaboraoffice-dict-sr collaboraoffice-dict-te collaboraofficebasis-as collaboraofficebasis-bn-IN collaboraofficebasis-ast collaboraofficebasis-br collaboraofficebasis-ca-valencia collaboraofficebasis-cy collaboraofficebasis-et collaboraofficebasis-ga collaboraofficebasis-gd collaboraofficebasis-gu collaboraofficebasis-hi collaboraofficebasis-km collaboraofficebasis-kn collaboraofficebasis-lt collaboraofficebasis-lv collaboraofficebasis-ml collaboraofficebasis-mr collaboraofficebasis-nn collaboraofficebasis-or collaboraofficebasis-pa-IN collaboraofficebasis-ro collaboraofficebasis-sr collaboraofficebasis-sr-Latn collaboraofficebasis-ta collaboraofficebasis-te
@ -56,7 +56,6 @@ echo "account required pam_unix.so" >> %{buildroot}/etc/pam.d/coolwsd
/usr/bin/loolwsd
/usr/bin/coolwsd-systemplate-setup
/usr/bin/loolwsd-systemplate-setup
/usr/bin/coolwsd-generate-proof-key
/usr/bin/coolforkit
/usr/bin/coolconvert
/usr/bin/coolconfig
@ -77,7 +76,6 @@ echo "account required pam_unix.so" >> %{buildroot}/etc/pam.d/coolwsd
/usr/share/man/man1/coolconfig.1.gz
/usr/share/man/man1/coolstress.1.gz
/usr/share/man/man1/coolwsd-systemplate-setup.1.gz
/usr/share/man/man1/coolwsd-generate-proof-key.1.gz
/usr/share/man/man1/coolmount.1.gz
/usr/lib/systemd/system/coolwsd.service
@ -130,7 +128,7 @@ chown cool:cool ${coolparent}/cool/child-roots
fc-cache ${lokitroot}/share/fonts/truetype
coolwsd-systemplate-setup ${coolparent}/cool/systemplate ${lokitroot} >/dev/null 2>&1
coolwsd-generate-proof-key >/dev/null 2>&1
coolconfig generate-proof-key >/dev/null 2>&1
if [ $COOLWSD_IS_ACTIVE == "1" ]; then systemctl start coolwsd; fi

debian/control vendored

@ -9,7 +9,7 @@ Package: coolwsd
Section: web
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends},
adduser, fontconfig, cpio, libcap2-bin, openssh-client,
adduser, fontconfig, cpio, libcap2-bin,
collaboraofficebasis-calc,
collaboraofficebasis-core,
collaboraofficebasis-graphicfilter,


@ -24,7 +24,7 @@ case "$1" in
fc-cache @LO_PATH@/share/fonts/truetype
coolwsd-systemplate-setup /opt/cool/systemplate @LO_PATH@ >/dev/null 2>&1
coolwsd-generate-proof-key >/dev/null 2>&1
coolconfig generate-proof-key >/dev/null 2>&1
cat << EOF > /etc/apt/apt.conf.d/25coolwsd
// Rebuild systemplate of @APP_NAME@
DPkg::Post-Invoke { "echo Updating coolwsd systemplate;coolwsd-systemplate-setup /opt/cool/systemplate @LO_PATH@ >/dev/null 2>&1 || true"; };


@ -56,7 +56,7 @@ fi
) &
# Generate WOPI proof key
coolwsd-generate-proof-key
coolconfig generate-proof-key
# Start coolwsd
exec /usr/bin/coolwsd --version --o:sys_template_path=/opt/cool/systemplate --o:child_root_path=/opt/cool/child-roots --o:file_server_root_path=/usr/share/coolwsd --o:logging.color=false ${extra_params}


@ -1,4 +1,4 @@
.TH COOLCONFIG "1" "Nov 2021" "coolconfig" "User Commands"
.TH COOLCONFIG "1" "Jul 2023" "coolconfig" "User Commands"
.SH NAME
coolconfig \- Configuration tool for Collabora Online.
.SH SYNOPSIS
@ -50,5 +50,7 @@ The \fBupdate\-system\-template\fR command updates Collabora Online's system tem
.PP
update\-system\-template
.PP
.SS "generate\-proof\-key"
The \fBgenerate\-proof\-key\fR command creates an RSA key pair in /etc/coolwsd for the WOPI Proof headers. The postinstall script of coolwsd package usually creates this RSA key pair in case of new installation.
.SH "SEE ALSO"
coolforkit(1), coolconvert(1), coolwsd(1), coolwsd-systemplate-setup(1), coolwsd-generate-proof-key(1), coolmount(1)
coolforkit(1), coolconvert(1), coolwsd(1), coolwsd-systemplate-setup(1), coolmount(1)


@ -17,4 +17,4 @@ coolconvert OPTIONS FILE(S)
\fB\-\-no\-check\-certificate\fR Disable checking of SSL certs
.PP
.SH "SEE ALSO"
coolwsd(1), coolforkit(1), coolconfig(1), coolwsd-systemplate-setup(1), coolwsd-generate-proof-key(1), coolmount(1)
coolwsd(1), coolforkit(1), coolconfig(1), coolwsd-systemplate-setup(1), coolmount(1)


@ -8,4 +8,4 @@ Single-threaded process that spawns LibreOfficeKit (LOK) instances.
.PP
\fBNote\fR: Running this standalone is not possible. It is spawned by coolwsd and is controlled via a pipe.
.SH "SEE ALSO"
coolwsd(1), coolconvert(1), coolconfig(1), coolwsd-systemplate-setup(1), coolwsd-generate-proof-key(1), coolmount(1)
coolwsd(1), coolconvert(1), coolconfig(1), coolwsd-systemplate-setup(1), coolmount(1)


@ -8,4 +8,4 @@ This is a very tiny helper to allow overlay mounting.
.PP
\fBNote\fR: Running this standalone is not possible. It is used internally by coolwsd when it creates the jail for the document.
.SH "SEE ALSO"
coolwsd(1), coolconvert(1), coolconfig(1), coolwsd-systemplate-setup(1), coolwsd-generate-proof-key(1), coolforkit(1)
coolwsd(1), coolconvert(1), coolconfig(1), coolwsd-systemplate-setup(1), coolforkit(1)


@ -1,9 +0,0 @@
.TH COOLWSD-GENERATE_PROOF_KEY "1" "April 2020" "coolwsd-generate-proof-key " "User Commands"
.SH NAME
coolwsd-generate-proof-key \- Utility that genarates WOPI Proof keys for Collabora Online
.SH SYNOPSIS
coolwsd-generate-proof-key
.SH DESCRIPTION
coolwsd-generate-proof-key creates an RSA key pair in /etc/coolwsd for the WOPI Proof headers. The script is automatically run by the postinstall script of coolwsd package, but in case of failure sysadmins can run it manually.
.SH "SEE ALSO"
coolforkit(1), coolconvert(1), coolconfig(1), coolwsd(1), coolwsd-systemplate-setup(1), coolmount(1)


@ -6,4 +6,4 @@ coolwsd-systemplate-setup <chroot template directory for system libs to create>
.SH DESCRIPTION
coolwsd-systemplate-setup creates a minimal system template for running the LibreOfficeKit in a chroot jail. The system template contains the bare minimum of system libraries to run LibreOfficeKit, and also fonts and locale data from the system.
.SH "SEE ALSO"
coolforkit(1), coolconvert(1), coolconfig(1), coolwsd(1), coolwsd-generate-proof-key(1), coolmount(1)
coolforkit(1), coolconvert(1), coolconfig(1), coolwsd(1), coolmount(1)


@ -31,4 +31,4 @@ coolwsd OPTIONS
\fB\-\-nocaps\fR Use a non\-privileged forkit, with increase in security problems.
.PP
.SH "SEE ALSO"
coolforkit(1), coolconvert(1), coolconfig(1), coolwsd-systemplate-setup(1), coolwsd-generate-proof-key(1), coolmount(1)
coolforkit(1), coolconvert(1), coolconfig(1), coolwsd-systemplate-setup(1), coolmount(1)


@ -9,7 +9,10 @@
#include <iostream>
#include <iomanip>
#include <pwd.h>
#include <sstream>
#include <sys/stat.h>
#include <sys/types.h>
#include <sysexits.h>
#include <termios.h>
#include <unistd.h>
@ -17,6 +20,7 @@
#include <openssl/rand.h>
#include <openssl/evp.h>
#include <Poco/Crypto/RSAKey.h>
#include <Poco/Exception.h>
#include <Poco/File.h>
#include <Poco/Util/Application.h>
@ -126,6 +130,7 @@ void Config::displayHelp()
<< " set-support-key" << std::endl
#endif
<< " set <key> <value>" << std::endl
<< " generate-proof-key" << std::endl
<< " update-system-template" << std::endl << std::endl;
}
@ -440,6 +445,47 @@ int Config::main(const std::vector<std::string>& args)
std::cout << "Migration of old configuration failed." << std::endl;
}
}
else if (args[0] == "generate-proof-key")
{
std::string proofKeyPath =
#if ENABLE_DEBUG
DEBUG_ABSSRCDIR
#else
COOLWSD_CONFIGDIR
#endif
"/proof_key";
#if !ENABLE_DEBUG
struct passwd* pwd;
pwd = getpwnam(COOL_USER_ID);
if (pwd == NULL)
{
std::cerr << "User '" COOL_USER_ID
"' does not exist. Please reinstall coolwsd package, or in case of manual "
"installation from source, create the '" COOL_USER_ID "' user manually."
<< std::endl;
return EX_NOUSER;
}
#endif
Poco::File proofKeyFile(proofKeyPath);
if (!proofKeyFile.exists())
{
Poco::Crypto::RSAKey proofKey =
Poco::Crypto::RSAKey(Poco::Crypto::RSAKey::KeyLength::KL_2048,
Poco::Crypto::RSAKey::Exponent::EXP_LARGE);
proofKey.save(proofKeyPath + ".pub", proofKeyPath, "" /*no password*/);
#if !ENABLE_DEBUG
chmod(proofKeyPath.c_str(), S_IRUSR | S_IWUSR);
chown(proofKeyPath.c_str(), pwd->pw_uid, -1);
#endif
}
else
{
std::cerr << proofKeyPath << " exists already. New proof key was not generated."
<< std::endl;
}
}
else
{
std::cerr << "No such command, \"" << args[0] << '"' << std::endl;
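Review bot: The private key at `proofKeyPath` is first written by `proofKey.save(...)` with whatever the process umask allows and only afterwards restricted by `chmod` in the `!ENABLE_DEBUG` branch, so with a typical 022 umask there is a window in which the key is readable by every local user, and in ENABLE_DEBUG builds it stays that way; the `chmod` and `chown` results are also discarded, so a failure leaves a key with the wrong owner or mode while the command still reports success. Narrowing the umask around `save` and checking both calls closes this; `EX_CANTCREAT` from `<sysexits.h>`, which this file already includes, fits the failure. If `save` throws a `Poco::Exception` (for example an unwritable config dir), whether it is caught depends on the rest of `Config::main`, which starts and ends outside this hunk. A one-line comment on the `exists()` check, noting that an existing key is deliberately never overwritten, would also help the next reader.
```cpp
            // … unchanged: RSAKey construction …
            // Write the key with owner-only permissions from the outset instead of
            // relaxing-then-tightening them; the .pub file gets the same mode, which is harmless.
            const mode_t savedMask = umask(S_IRWXG | S_IRWXO);
            proofKey.save(proofKeyPath + ".pub", proofKeyPath, "" /*no password*/);
            umask(savedMask);
#if !ENABLE_DEBUG
            if (chmod(proofKeyPath.c_str(), S_IRUSR | S_IWUSR) != 0
                || chown(proofKeyPath.c_str(), pwd->pw_uid, -1) != 0)
            {
                std::cerr << "Failed to set owner or permissions on " << proofKeyPath
                          << ". Remove the file and re-run the command." << std::endl;
                return EX_CANTCREAT;
            }
#endif
```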


@ -140,7 +140,7 @@ Proof::Proof()
std::string msg = e.displayText() +
"\nNo proof-key will be present in discovery."
"\nIf you need to use WOPI security, generate an RSA key using this command:"
"\n coolwsd-generate-proof-key"
"\n sudo coolconfig generate-proof-key"
"\nor if your config dir is not /etc, you can run ssh-keygen manually:"
"\n ssh-keygen -t rsa -N \"\" -m PEM -f \"" + keyPath + "\""
"\nNote: the proof_key file must be readable by the coolwsd process.";
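Review bot: The two context lines after the changed line still tell the operator to run `ssh-keygen` manually for a non-default config dir, but this commit drops `openssh-client` and `/usr/bin/ssh-keygen` from the package dependencies (debian/control and the spec file), so on a clean install the suggested command may not be present; since `coolconfig generate-proof-key` writes only to the compiled-in config dir, a non-default dir has no packaged path left. Consider rewording that line to `"\nor if your config dir is not /etc, create a PEM RSA key pair manually, e.g. with ssh-keygen (no longer installed by the coolwsd package):"` so the hint does not read as a guaranteed tool. The enclosing `Proof::Proof()` starts and ends outside this hunk.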