[config] Add urlExclusionRegex option to exclude authorization from urls matching regular expression

Main goal is to exclude authorization from requests to S3 file storage
An empty string (the default value) disables the option.
This commit is contained in:
konovalovsergey
2020-07-03 19:33:42 +03:00
parent 6661919cc1
commit 38f0680028
5 changed files with 23 additions and 7 deletions


@ -184,7 +184,8 @@
"prefix": "Bearer ",
"algorithm": "HS256",
"expires": "5m",
"inBody": false
"inBody": false,
"urlExclusionRegex": ""
},
"session": {
"algorithm": "HS256",


@ -73,10 +73,16 @@ var cfgVisibilityTimeout = config.get('queue.visibilityTimeout');
var cfgQueueRetentionPeriod = config.get('queue.retentionPeriod');
var cfgRequestDefaults = config.get('services.CoAuthoring.requestDefaults');
const cfgTokenOutboxInBody = config.get('services.CoAuthoring.token.outbox.inBody');
const cfgTokenEnableRequestOutbox = config.get('services.CoAuthoring.token.enable.request.outbox');
const cfgTokenOutboxUrlExclusionRegex = config.get('services.CoAuthoring.token.outbox.urlExclusionRegex');
var ANDROID_SAFE_FILENAME = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ._-+,@£$€!½§~\'=()[]{}0123456789';
var baseRequest = request.defaults(cfgRequestDefaults);
let outboxUrlExclusionRegex = null;
if ("" !== cfgTokenOutboxUrlExclusionRegex) {
outboxUrlExclusionRegex = new RegExp(cfgTokenOutboxUrlExclusionRegex);
}
var g_oIpFilterRules = function() {
var res = [];
@ -774,3 +780,15 @@ exports.getConnectionInfo = function(conn){
exports.getConnectionInfoStr = function(conn){
return JSON.stringify(exports.getConnectionInfo(conn));
};
exports.canIncludeOutboxAuthorization = function (url) {
if (cfgTokenEnableRequestOutbox) {
if (!outboxUrlExclusionRegex) {
return true;
} else if (!outboxUrlExclusionRegex.test(url)) {
return true;
} else {
logger.debug('canIncludeOutboxAuthorization excluded by token.outbox.urlExclusionRegex url=%s', url);
}
}
return false;
};
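Review bot: The `"" !== cfgTokenOutboxUrlExclusionRegex` guard in the first hunk rules out only the empty string, so if the option can ever arrive as `null` or `undefined` (an override or an older config file — assuming `config.get` does not already throw for a missing key) the module builds `new RegExp(undefined)`, i.e. `/(?:)/`, which matches every URL and silently withholds the outbox token from all requests; `if (typeof cfgTokenOutboxUrlExclusionRegex === 'string' && '' !== cfgTokenOutboxUrlExclusionRegex)` closes that, and a malformed pattern still throws an uncaught SyntaxError at require time, which deserves a clearer error message. `canIncludeOutboxAuthorization` in the second hunk also has no comment, and the behaviour an administrator needs to know is that `test` is unanchored and runs against the whole URL string, so a pattern like `s3` excludes any URL containing that substring and patterns should be anchored (e.g. `^https://…`). A JSDoc line such as `/** true when outbox JWT is enabled and url does not match token.outbox.urlExclusionRegex (unanchored RegExp.test); false otherwise */` would capture that. The nested if/else-if/else that falls through to `return false` reads more easily as guard clauses, with identical results:
```javascript
exports.canIncludeOutboxAuthorization = function (url) {
  if (!cfgTokenEnableRequestOutbox) {
    return false;
  }
  if (outboxUrlExclusionRegex && outboxUrlExclusionRegex.test(url)) {
    logger.debug('canIncludeOutboxAuthorization excluded by token.outbox.urlExclusionRegex url=%s', url);
    return false;
  }
  return true;
};
```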


@ -127,7 +127,6 @@ const cfgExpUpdateVersionStatus = ms(config.get('expire.updateVersionStatus'));
const cfgSockjs = config.get('sockjs');
const cfgTokenEnableBrowser = config.get('token.enable.browser');
const cfgTokenEnableRequestInbox = config.get('token.enable.request.inbox');
const cfgTokenEnableRequestOutbox = config.get('token.enable.request.outbox');
const cfgTokenSessionAlgorithm = config.get('token.session.algorithm');
const cfgTokenSessionExpires = ms(config.get('token.session.expires'));
const cfgTokenInboxHeader = config.get('token.inbox.header');
@ -558,7 +557,7 @@ function* getOriginalParticipantsId(docId) {
function* sendServerRequest(docId, uri, dataObject, opt_checkAuthorization) {
logger.debug('postData request: docId = %s;url = %s;data = %j', docId, uri, dataObject);
let auth;
if (cfgTokenEnableRequestOutbox) {
if (utils.canIncludeOutboxAuthorization(uri)) {
auth = utils.fillJwtForRequest(dataObject);
if (cfgTokenOutboxInBody) {
dataObject = {token: auth};


@ -58,7 +58,6 @@ var cfgImageSize = config_server.get('limits_image_size');
var cfgImageDownloadTimeout = config_server.get('limits_image_download_timeout');
var cfgRedisPrefix = config.get('services.CoAuthoring.redis.prefix');
var cfgTokenEnableBrowser = config.get('services.CoAuthoring.token.enable.browser');
const cfgTokenEnableRequestOutbox = config.get('services.CoAuthoring.token.enable.request.outbox');
const cfgForgottenFiles = config_server.get('forgottenfiles');
const cfgForgottenFilesName = config_server.get('forgottenfilesname');
const cfgOpenProtectedFile = config_server.get('openProtectedFile');
@ -485,7 +484,7 @@ function* commandImgurls(conn, cmd, outputData) {
//todo multiple url case
let url = checkJwtRes.decoded.url;
urls = [url];
if (cfgTokenEnableRequestOutbox) {
if (utils.canIncludeOutboxAuthorization(url)) {
authorization = utils.fillJwtForRequest({url: url});
}
} else {


@ -70,7 +70,6 @@ var cfgInputLimits = configConverter.get('inputLimits');
const cfgStreamWriterBufferSize = configConverter.get('streamWriterBufferSize');
//cfgMaxRequestChanges was obtained as a result of the test: 84408 changes - 5,16 MB
const cfgMaxRequestChanges = config.get('services.CoAuthoring.server.maxRequestChanges');
var cfgTokenEnableRequestOutbox = config.get('services.CoAuthoring.token.enable.request.outbox');
const cfgForgottenFilesName = config.get('services.CoAuthoring.server.forgottenfilesname');
//windows limit 512(2048) https://msdn.microsoft.com/en-us/library/6e3b887c.aspx
@ -259,7 +258,7 @@ function* downloadFile(docId, uri, fileFrom, withAuthorization) {
while (constants.NO_ERROR !== res && downloadAttemptCount++ < cfgDownloadAttemptMaxCount) {
try {
let authorization;
if (cfgTokenEnableRequestOutbox && withAuthorization) {
if (utils.canIncludeOutboxAuthorization(uri) && withAuthorization) {
authorization = utils.fillJwtForRequest({url: uri});
}
data = yield utils.downloadUrlPromise(uri, cfgDownloadTimeout, cfgDownloadMaxBytes, authorization);
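Review bot: In the second hunk the new condition evaluates `utils.canIncludeOutboxAuthorization(uri)` before `withAuthorization`, so every download that was never going to carry a token still runs the exclusion regex and, on a match, emits the "excluded by token.outbox.urlExclusionRegex" debug line for a request that is not authorized anyway. Swapping the operands, `if (withAuthorization && utils.canIncludeOutboxAuthorization(uri)) {`, keeps the cheap boolean first and makes the debug log meaningful. The first hunk only drops the now-unused `cfgTokenEnableRequestOutbox` binding. downloadFile's body continues outside the hunk on both sides.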