diff --git a/Common/config/default.json b/Common/config/default.json
index caea25d4..d4424e30 100644
--- a/Common/config/default.json
+++ b/Common/config/default.json
@@ -184,7 +184,8 @@
 "prefix": "Bearer ",
 "algorithm": "HS256",
 "expires": "5m",
- "inBody": false
+ "inBody": false,
+ "urlExclusionRegex": ""
 },
 "session": {
 "algorithm": "HS256",
diff --git a/Common/sources/utils.js b/Common/sources/utils.js
index 6513c1d4..7d74fde6 100644
--- a/Common/sources/utils.js
+++ b/Common/sources/utils.js
@@ -73,10 +73,16 @@ var cfgVisibilityTimeout = config.get('queue.visibilityTimeout');
 var cfgQueueRetentionPeriod = config.get('queue.retentionPeriod');
 var cfgRequestDefaults = config.get('services.CoAuthoring.requestDefaults');
 const cfgTokenOutboxInBody = config.get('services.CoAuthoring.token.outbox.inBody');
+const cfgTokenEnableRequestOutbox = config.get('services.CoAuthoring.token.enable.request.outbox');
+const cfgTokenOutboxUrlExclusionRegex = config.get('services.CoAuthoring.token.outbox.urlExclusionRegex');
 var ANDROID_SAFE_FILENAME = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ._-+,@£$€!½§~\'=()[]{}0123456789';
 var baseRequest = request.defaults(cfgRequestDefaults);
+let outboxUrlExclusionRegex = null;
+if ("" !== cfgTokenOutboxUrlExclusionRegex) {
+ outboxUrlExclusionRegex = new RegExp(cfgTokenOutboxUrlExclusionRegex);
+}
 var g_oIpFilterRules = function() {
 var res = [];
@@ -774,3 +780,15 @@ exports.getConnectionInfo = function(conn){
 exports.getConnectionInfoStr = function(conn){
 return JSON.stringify(exports.getConnectionInfo(conn));
 };
+exports.canIncludeOutboxAuthorization = function (url) {
+ if (cfgTokenEnableRequestOutbox) {
+ if (!outboxUrlExclusionRegex) {
+ return true;
+ } else if (!outboxUrlExclusionRegex.test(url)) {
+ return true;
+ } else {
+ logger.debug('canIncludeOutboxAuthorization excluded by token.outbox.urlExclusionRegex url=%s', url);
+ }
+ }
+ return false;
+};
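Review bot: `new RegExp(cfgTokenOutboxUrlExclusionRegex)` runs at module load, so a malformed pattern in `services.CoAuthoring.token.outbox.urlExclusionRegex` surfaces as a bare SyntaxError from whichever module first requires utils.js, with nothing naming the offending key. Failing fast is the right choice here — catching the error and leaving `outboxUrlExclusionRegex` null would silently disable the exclusion and attach the outbox token to URLs the operator meant to exclude — but the error should say which key is at fault, e.g. wrap the construction in a `try` and rethrow `new Error('services.CoAuthoring.token.outbox.urlExclusionRegex is not a valid RegExp: ' + e.message)`. The `"" !== …` guard also lets a `null` value through to `new RegExp(null)`, which compiles to `/null/`; if the config layer can yield null for an unset key, `if (cfgTokenOutboxUrlExclusionRegex)` is the safer test since it skips empty, null and undefined alike.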
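Review bot: `canIncludeOutboxAuthorization` decides whether the outbox JWT is attached to an outgoing request, and the nested if / else-if / else makes that fail-closed outcome harder to read than it needs to be: two guard clauses express the same logic, and the function has no JSDoc stating that the pattern is matched unanchored against the full URL string and that a match withholds the token. `RegExp.prototype.test` also stringifies a non-string argument, so an undefined `url` is matched as the text "undefined"; if callers can pass one, `if (typeof url !== 'string') return false;` would be the fail-closed choice, though I cannot tell from the hunk whether that happens. `outboxUrlExclusionRegex` and `cfgTokenEnableRequestOutbox` are initialised in the earlier hunk of this file.
```javascript
/**
 * Whether the outbox JWT may be attached to a request for `url`.
 * Returns false when outbox tokens are disabled, or when the configured
 * token.outbox.urlExclusionRegex matches (unanchored) anywhere in `url`.
 */
exports.canIncludeOutboxAuthorization = function (url) {
  if (!cfgTokenEnableRequestOutbox) {
    return false;
  }
  if (outboxUrlExclusionRegex && outboxUrlExclusionRegex.test(url)) {
    logger.debug('canIncludeOutboxAuthorization excluded by token.outbox.urlExclusionRegex url=%s', url);
    return false;
  }
  return true;
};
```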
diff --git a/DocService/sources/DocsCoServer.js b/DocService/sources/DocsCoServer.js
index 037acb2b..e66ad4b5 100644
--- a/DocService/sources/DocsCoServer.js
+++ b/DocService/sources/DocsCoServer.js
@@ -127,7 +127,6 @@ const cfgExpUpdateVersionStatus = ms(config.get('expire.updateVersionStatus'));
 const cfgSockjs = config.get('sockjs');
 const cfgTokenEnableBrowser = config.get('token.enable.browser');
 const cfgTokenEnableRequestInbox = config.get('token.enable.request.inbox');
-const cfgTokenEnableRequestOutbox = config.get('token.enable.request.outbox');
 const cfgTokenSessionAlgorithm = config.get('token.session.algorithm');
 const cfgTokenSessionExpires = ms(config.get('token.session.expires'));
 const cfgTokenInboxHeader = config.get('token.inbox.header');
@@ -558,7 +557,7 @@ function* getOriginalParticipantsId(docId) {
 function* sendServerRequest(docId, uri, dataObject, opt_checkAuthorization) {
 logger.debug('postData request: docId = %s;url = %s;data = %j', docId, uri, dataObject);
 let auth;
- if (cfgTokenEnableRequestOutbox) {
+ if (utils.canIncludeOutboxAuthorization(uri)) {
 auth = utils.fillJwtForRequest(dataObject);
 if (cfgTokenOutboxInBody) {
 dataObject = {token: auth};
diff --git a/DocService/sources/canvasservice.js b/DocService/sources/canvasservice.js
index c9828870..4e343374 100644
--- a/DocService/sources/canvasservice.js
+++ b/DocService/sources/canvasservice.js
@@ -58,7 +58,6 @@ var cfgImageSize = config_server.get('limits_image_size');
 var cfgImageDownloadTimeout = config_server.get('limits_image_download_timeout');
 var cfgRedisPrefix = config.get('services.CoAuthoring.redis.prefix');
 var cfgTokenEnableBrowser = config.get('services.CoAuthoring.token.enable.browser');
-const cfgTokenEnableRequestOutbox = config.get('services.CoAuthoring.token.enable.request.outbox');
 const cfgForgottenFiles = config_server.get('forgottenfiles');
 const cfgForgottenFilesName = config_server.get('forgottenfilesname');
 const cfgOpenProtectedFile = config_server.get('openProtectedFile');
@@ -485,7 +484,7 @@ function* commandImgurls(conn, cmd, outputData) {
 //todo multiple url case
 let url = checkJwtRes.decoded.url;
 urls = [url];
- if (cfgTokenEnableRequestOutbox) {
+ if (utils.canIncludeOutboxAuthorization(url)) {
 authorization = utils.fillJwtForRequest({url: url});
 }
 } else {
diff --git a/FileConverter/sources/converter.js b/FileConverter/sources/converter.js
index c723608a..5ec4addd 100644
--- a/FileConverter/sources/converter.js
+++ b/FileConverter/sources/converter.js
@@ -70,7 +70,6 @@ var cfgInputLimits = configConverter.get('inputLimits');
 const cfgStreamWriterBufferSize = configConverter.get('streamWriterBufferSize');
 //cfgMaxRequestChanges was obtained as a result of the test: 84408 changes - 5,16 MB
 const cfgMaxRequestChanges = config.get('services.CoAuthoring.server.maxRequestChanges');
-var cfgTokenEnableRequestOutbox = config.get('services.CoAuthoring.token.enable.request.outbox');
 const cfgForgottenFilesName = config.get('services.CoAuthoring.server.forgottenfilesname');
 //windows limit 512(2048) https://msdn.microsoft.com/en-us/library/6e3b887c.aspx
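Review bot: `url` in the `commandImgurls` hunk appears to come from the inbound request's decoded JWT payload (`checkJwtRes.decoded.url`), so after this change the exclusion regex is the only thing deciding whether the server's own outbox token is forwarded to a destination the caller chose; that deserves a one-line comment at the call site so the next reader does not treat `canIncludeOutboxAuthorization` as a plain feature flag, e.g. `// url is caller-supplied: the outbox JWT is attached only if token.outbox.urlExclusionRegex does not exclude it`. With the empty default pattern the behaviour is the same as before the commit (token sent whenever outbox is enabled), so the exclusion is opt-in and deployments that fetch caller-supplied URLs need to configure it deliberately. `commandImgurls` starts and ends outside the hunk.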
@@ -259,7 +258,7 @@ function* downloadFile(docId, uri, fileFrom, withAuthorization) {
 while (constants.NO_ERROR !== res && downloadAttemptCount++ < cfgDownloadAttemptMaxCount) {
 try {
 let authorization;
- if (cfgTokenEnableRequestOutbox && withAuthorization) {
+ if (utils.canIncludeOutboxAuthorization(uri) && withAuthorization) {
 authorization = utils.fillJwtForRequest({url: uri});
 }
 data = yield utils.downloadUrlPromise(uri, cfgDownloadTimeout, cfgDownloadMaxBytes, authorization);
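Review bot: The operand order `utils.canIncludeOutboxAuthorization(uri) && withAuthorization` evaluates the exclusion regex and emits its "excluded by …" debug line even when `withAuthorization` is false and no token would be attached anyway, which makes that log entry misleading and repeats the regex test on every retry of the surrounding while loop. Checking the cheap flag first keeps the log meaningful: `if (withAuthorization && utils.canIncludeOutboxAuthorization(uri)) {`. `downloadFile` starts and ends outside the hunk.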