Allow external OidcToken executable to be specified unless disabled via command line or config

author: Liam Mitchell <[email protected]> 2026-03-04 17:31:29 -0800
committer: Liam Mitchell <[email protected]> 2026-03-04 17:31:29 -0800
commit: c852b646f456ea5ec09d875c949d4cfbae46e45a (patch)
tree: 4d9cc4438632f00aa4672f201d603f5aaf035c04 /src/zenserver/storage/projectstore
parent: Pass command-line OidcToken option through config rather than env variables, ... (diff)
download: zen-c852b646f456ea5ec09d875c949d4cfbae46e45a.tar.xz
zen-c852b646f456ea5ec09d875c949d4cfbae46e45a.zip
2 files changed, 46 insertions, 7 deletions
diff --git a/src/zenserver/storage/projectstore/httpprojectstore.cpp b/src/zenserver/storage/projectstore/httpprojectstore.cpp
index 1e1899002..91c0a8af1 100644
--- a/src/zenserver/storage/projectstore/httpprojectstore.cpp
+++ b/src/zenserver/storage/projectstore/httpprojectstore.cpp
@@ -253,7 +253,8 @@ namespace {
 											  size_t					   MaxChunkEmbedSize,
 											  size_t					   MaximumInMemoryDownloadSize,
 											  const std::filesystem::path& TempFilePath,
-											  const std::filesystem::path& OidcTokenExePath)
+											  const std::filesystem::path& OidcTokenExePath,
+											  bool						   AllowExternalOidcTokenExe)
 	{
 		ZEN_MEMSCOPE(GetProjectHttpTag());
 
@@ -320,6 +321,21 @@ namespace {
 			}
 
 			std::filesystem::path OidcExePath = FindOidcTokenExePath(OidcTokenExePath.string());
+			if (OidcExePath.empty() && AllowExternalOidcTokenExe)
+			{
+				if (std::string_view OidcExePathString = Cloud["oidc-exe-path"].AsString(); !OidcExePathString.empty())
+				{
+					std::filesystem::path OidcExePathMaybe(OidcExePathString);
+					if (IsFile(OidcExePathMaybe))
+					{
+						OidcExePath = std::move(OidcExePathMaybe);
+					}
+					else
+					{
+						ZEN_WARN("Path to OidcToken executable '{}' can not be reached by server", OidcExePathString);
+					}
+				}
+			}
 
 			std::string_view KeyParam = Cloud["key"sv].AsString();
 			if (KeyParam.empty())
@@ -426,8 +442,25 @@ namespace {
 					AccessToken = GetEnvVariable(AccessTokenEnvVariable);
 				}
 			}
-			std::filesystem::path OidcExePath  = FindOidcTokenExePath(OidcTokenExePath.string());
-			std::string_view	  BuildIdParam = Builds["buildsid"sv].AsString();
+
+			std::filesystem::path OidcExePath = FindOidcTokenExePath(OidcTokenExePath.string());
+			if (OidcExePath.empty() && AllowExternalOidcTokenExe)
+			{
+				if (std::string_view OidcExePathString = Builds["oidc-exe-path"].AsString(); !OidcExePathString.empty())
+				{
+					std::filesystem::path OidcExePathMaybe(OidcExePathString);
+					if (IsFile(OidcExePathMaybe))
+					{
+						OidcExePath = std::move(OidcExePathMaybe);
+					}
+					else
+					{
+						ZEN_WARN("Path to OidcToken executable '{}' can not be reached by server", OidcExePathString);
+					}
+				}
+			}
+
+			std::string_view BuildIdParam = Builds["buildsid"sv].AsString();
 			if (BuildIdParam.empty())
 			{
 				return {nullptr, "Missing build id"};
@@ -515,7 +548,8 @@ HttpProjectService::HttpProjectService(CidStore&					Store,
 									   AuthMgr&						AuthMgr,
 									   OpenProcessCache&			InOpenProcessCache,
 									   JobQueue&					InJobQueue,
-									   const std::filesystem::path& InOidcTokenExePath)
+									   const std::filesystem::path& InOidcTokenExePath,
+									   bool							InAllowExternalOidcTokenExe)
 : m_Log(logging::Get("project"))
 , m_CidStore(Store)
 , m_ProjectStore(Projects)
@@ -525,6 +559,7 @@ HttpProjectService::HttpProjectService(CidStore&					Store,
 , m_OpenProcessCache(InOpenProcessCache)
 , m_JobQueue(InJobQueue)
 , m_OidcTokenExePath(InOidcTokenExePath)
+, m_AllowExternalOidcTokenExe(InAllowExternalOidcTokenExe)
 {
 	ZEN_MEMSCOPE(GetProjectHttpTag());
 
@@ -2640,7 +2675,8 @@ HttpProjectService::HandleRpcRequest(HttpRouterRequest& Req)
 																			  MaxChunkEmbedSize,
 																			  GetMaxMemoryBufferSize(MaxBlockSize, BoostWorkerMemory),
 																			  Oplog->TempPath(),
-																			  m_OidcTokenExePath);
+																			  m_OidcTokenExePath,
+																			  m_AllowExternalOidcTokenExe);
 
 				if (RemoteStoreResult.Store == nullptr)
 				{
@@ -2711,7 +2747,8 @@ HttpProjectService::HandleRpcRequest(HttpRouterRequest& Req)
 																			  MaxChunkEmbedSize,
 																			  GetMaxMemoryBufferSize(MaxBlockSize, BoostWorkerMemory),
 																			  Oplog->TempPath(),
-																			  m_OidcTokenExePath);
+																			  m_OidcTokenExePath,
+																			  m_AllowExternalOidcTokenExe);
 
 				if (RemoteStoreResult.Store == nullptr)
 				{
diff --git a/src/zenserver/storage/projectstore/httpprojectstore.h b/src/zenserver/storage/projectstore/httpprojectstore.h
index 5a8bd3c9b..4e7172e75 100644
--- a/src/zenserver/storage/projectstore/httpprojectstore.h
+++ b/src/zenserver/storage/projectstore/httpprojectstore.h
@@ -45,7 +45,8 @@ public:
 					   AuthMgr&						AuthMgr,
 					   OpenProcessCache&			InOpenProcessCache,
 					   JobQueue&					InJobQueue,
-					   const std::filesystem::path& InOidcTokenExePath);
+					   const std::filesystem::path& InOidcTokenExePath,
+					   bool							AllowExternalOidcTokenExe);
 	~HttpProjectService();
 
 	virtual const char* BaseUri() const override;
@@ -111,6 +112,7 @@ private:
 	RwLock					   m_ThreadWorkersLock;
 	Ref<TransferThreadWorkers> m_ThreadWorkers;
 	std::filesystem::path	   m_OidcTokenExePath;
+	bool					   m_AllowExternalOidcTokenExe;
 
 	Ref<TransferThreadWorkers> GetThreadWorkers(bool BoostWorkers, bool SingleThreaded);
 };
author	Liam Mitchell <[email protected]>	2026-03-04 17:31:29 -0800
committer	Liam Mitchell <[email protected]>	2026-03-04 17:31:29 -0800
commit	c852b646f456ea5ec09d875c949d4cfbae46e45a (patch)
tree	4d9cc4438632f00aa4672f201d603f5aaf035c04 /src/zenserver/storage/projectstore
parent	Pass command-line OidcToken option through config rather than env variables, ... (diff)
download	zen-c852b646f456ea5ec09d875c949d4cfbae46e45a.tar.xz zen-c852b646f456ea5ec09d875c949d4cfbae46e45a.zip