authorLiam Mitchell <[email protected]>2026-03-09 19:24:03 -0700
committerLiam Mitchell <[email protected]>2026-03-09 19:24:03 -0700
commit8a71531578315dacb84ab55e4b85606b53e8c015 (patch)
treef49a67466d076930541c9d9e0fffeb4bc73a463f /src
parentMerge branch 'main' into lm/restrict-content-type (diff)
parentMerge pull request #710 from ue-foundation/lm/oidctoken-exe-path (diff)
Merge branch 'main' into lm/restrict-content-type
Diffstat (limited to 'src')
-rw-r--r--src/zen/authutils.cpp28
-rw-r--r--src/zen/authutils.h6
-rw-r--r--src/zenserver/storage/projectstore/httpprojectstore.cpp81
-rw-r--r--src/zenserver/storage/projectstore/httpprojectstore.h20
-rw-r--r--src/zenserver/storage/storageconfig.cpp19
-rw-r--r--src/zenserver/storage/storageconfig.h3
-rw-r--r--src/zenserver/storage/zenstorageserver.cpp4
-rw-r--r--src/zenserver/zenserver.cpp1
-rw-r--r--src/zenutil/authutils.cpp55
-rw-r--r--src/zenutil/include/zenutil/authutils.h12
10 files changed, 157 insertions, 72 deletions
diff --git a/src/zen/authutils.cpp b/src/zen/authutils.cpp
index 534f7952b..922007ac8 100644
--- a/src/zen/authutils.cpp
+++ b/src/zen/authutils.cpp
@@ -51,34 +51,6 @@ ReadAccessTokenFromJsonFile(const std::filesystem::path& Path)
return AuthToken;
}
-std::filesystem::path
-FindOidcTokenExePath(std::string_view OidcTokenAuthExecutablePath)
-{
- if (OidcTokenAuthExecutablePath.empty())
- {
- const std::string OidcExecutableName = "OidcToken" ZEN_EXE_SUFFIX_LITERAL;
- std::filesystem::path OidcTokenPath = (GetRunningExecutablePath().parent_path() / OidcExecutableName).make_preferred();
- if (IsFile(OidcTokenPath))
- {
- return OidcTokenPath;
- }
- OidcTokenPath = (std::filesystem::current_path() / OidcExecutableName).make_preferred();
- if (IsFile(OidcTokenPath))
- {
- return OidcTokenPath;
- }
- }
- else
- {
- std::filesystem::path OidcTokenPath = std::filesystem::absolute(StringToPath(OidcTokenAuthExecutablePath)).make_preferred();
- if (IsFile(OidcTokenPath))
- {
- return OidcTokenPath;
- }
- }
- return {};
-};
-
void
AuthCommandLineOptions::AddOptions(cxxopts::Options& Ops)
{
diff --git a/src/zen/authutils.h b/src/zen/authutils.h
index 2201c3f83..fa9670b3f 100644
--- a/src/zen/authutils.h
+++ b/src/zen/authutils.h
@@ -3,6 +3,7 @@
#pragma once
#include "zen.h"
+#include "zenutil/authutils.h"
namespace zen {
@@ -46,8 +47,7 @@ struct AuthCommandLineOptions
bool Verbose);
};
-std::string ReadAccessTokenFromJsonFile(const std::filesystem::path& Path);
-std::string_view GetDefaultAccessTokenEnvVariableName();
-std::filesystem::path FindOidcTokenExePath(std::string_view OidcTokenAuthExecutablePath);
+std::string ReadAccessTokenFromJsonFile(const std::filesystem::path& Path);
+std::string_view GetDefaultAccessTokenEnvVariableName();
} // namespace zen
diff --git a/src/zenserver/storage/projectstore/httpprojectstore.cpp b/src/zenserver/storage/projectstore/httpprojectstore.cpp
index 836d84292..2fa10a292 100644
--- a/src/zenserver/storage/projectstore/httpprojectstore.cpp
+++ b/src/zenserver/storage/projectstore/httpprojectstore.cpp
@@ -28,6 +28,7 @@
#include <zenstore/oplogreferencedset.h>
#include <zenstore/projectstore.h>
#include <zenstore/zenstore.h>
+#include <zenutil/authutils.h>
#include <zenutil/openprocesscache.h>
#include <zenutil/workerpools.h>
@@ -106,7 +107,6 @@ CSVWriteOp(CidStore& CidStore,
//////////////////////////////////////////////////////////////////////////
namespace {
-
void CbWriteOp(CidStore& CidStore,
bool Details,
bool OpDetails,
@@ -273,7 +273,9 @@ namespace {
size_t MaxBlockSize,
size_t MaxChunkEmbedSize,
size_t MaximumInMemoryDownloadSize,
- const std::filesystem::path& TempFilePath)
+ const std::filesystem::path& TempFilePath,
+ const std::filesystem::path& OidcTokenExePath,
+ bool AllowExternalOidcTokenExe)
{
ZEN_MEMSCOPE(GetProjectHttpTag());
@@ -340,19 +342,24 @@ namespace {
AccessToken = GetEnvVariable(AccessTokenEnvVariable);
}
}
- std::filesystem::path OidcExePath;
- if (std::string_view OidcExePathString = Cloud["oidc-exe-path"].AsString(); !OidcExePathString.empty())
+
+ std::filesystem::path OidcExePath = FindOidcTokenExePath(OidcTokenExePath.string());
+ if (OidcExePath.empty() && AllowExternalOidcTokenExe)
{
- std::filesystem::path OidcExePathMaybe(OidcExePathString);
- if (IsFile(OidcExePathMaybe))
- {
- OidcExePath = std::move(OidcExePathMaybe);
- }
- else
+ if (std::string_view OidcExePathString = Cloud["oidc-exe-path"].AsString(); !OidcExePathString.empty())
{
- ZEN_WARN("Path to OidcToken executable '{}' can not be reached by server", OidcExePathString);
+ std::filesystem::path OidcExePathMaybe(OidcExePathString);
+ if (IsFile(OidcExePathMaybe))
+ {
+ OidcExePath = std::move(OidcExePathMaybe);
+ }
+ else
+ {
+ ZEN_WARN("Path to OidcToken executable '{}' can not be reached by server", OidcExePathString);
+ }
}
}
+
std::string_view KeyParam = Cloud["key"sv].AsString();
if (KeyParam.empty())
{
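Review bot: When `AllowExternalOidcTokenExe` is false and the request still carries `oidc-exe-path`, the new code drops the value silently, so a client relying on the previous behaviour gets no diagnostic; an `else` branch on the `AllowExternalOidcTokenExe` test with `ZEN_WARN("Ignoring request-supplied OidcToken path '{}': external executables are disabled", Cloud["oidc-exe-path"].AsString());` would make the rejection visible in the server log. The precedence also changed relative to the removed lines — the server-configured or auto-discovered executable now wins and the request value is only a fallback — which deserves a one-line comment above the `FindOidcTokenExePath` call, e.g. `// Server-configured/bundled OidcToken takes precedence; a request-supplied path is a fallback only when explicitly allowed.` Note that `IsFile` only checks that something exists at the path, so when the fallback is taken the server still launches whatever file the client named, as before. The enclosing function starts and ends outside the hunk.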
@@ -470,19 +477,24 @@ namespace {
AccessToken = GetEnvVariable(AccessTokenEnvVariable);
}
}
- std::filesystem::path OidcExePath;
- if (std::string_view OidcExePathString = Builds["oidc-exe-path"].AsString(); !OidcExePathString.empty())
+
+ std::filesystem::path OidcExePath = FindOidcTokenExePath(OidcTokenExePath.string());
+ if (OidcExePath.empty() && AllowExternalOidcTokenExe)
{
- std::filesystem::path OidcExePathMaybe(OidcExePathString);
- if (IsFile(OidcExePathMaybe))
- {
- OidcExePath = std::move(OidcExePathMaybe);
- }
- else
+ if (std::string_view OidcExePathString = Builds["oidc-exe-path"].AsString(); !OidcExePathString.empty())
{
- ZEN_WARN("Path to OidcToken executable '{}' can not be reached by server", OidcExePathString);
+ std::filesystem::path OidcExePathMaybe(OidcExePathString);
+ if (IsFile(OidcExePathMaybe))
+ {
+ OidcExePath = std::move(OidcExePathMaybe);
+ }
+ else
+ {
+ ZEN_WARN("Path to OidcToken executable '{}' can not be reached by server", OidcExePathString);
+ }
}
}
+
std::string_view BuildIdParam = Builds["buildsid"sv].AsString();
if (BuildIdParam.empty())
{
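Review bot: This block is a line-for-line copy of the resolution logic in the `Cloud` branch of the previous hunk; both should call one helper, e.g. `std::filesystem::path ResolveOidcExePath(const std::filesystem::path& Configured, bool AllowExternal, std::string_view Requested)`, so the precedence rule, the `IsFile` check and the warning text cannot drift apart. The same silent-drop issue applies here: a request-supplied `oidc-exe-path` is ignored without any log line when `AllowExternalOidcTokenExe` is false. The enclosing function starts and ends outside the hunk.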
@@ -647,14 +659,16 @@ namespace {
//////////////////////////////////////////////////////////////////////////
-HttpProjectService::HttpProjectService(CidStore& Store,
- ProjectStore* Projects,
- HttpStatusService& StatusService,
- HttpStatsService& StatsService,
- AuthMgr& AuthMgr,
- OpenProcessCache& InOpenProcessCache,
- JobQueue& InJobQueue,
- bool InRestrictContentTypes)
+HttpProjectService::HttpProjectService(CidStore& Store,
+ ProjectStore* Projects,
+ HttpStatusService& StatusService,
+ HttpStatsService& StatsService,
+ AuthMgr& AuthMgr,
+ OpenProcessCache& InOpenProcessCache,
+ JobQueue& InJobQueue,
+ bool InRestrictContentTypes,
+ const std::filesystem::path& InOidcTokenExePath,
+ bool InAllowExternalOidcTokenExe)
: m_Log(logging::Get("project"))
, m_CidStore(Store)
, m_ProjectStore(Projects)
@@ -664,6 +678,8 @@ HttpProjectService::HttpProjectService(CidStore& Store,
, m_OpenProcessCache(InOpenProcessCache)
, m_JobQueue(InJobQueue)
, m_RestrictContentTypes(InRestrictContentTypes)
+, m_OidcTokenExePath(InOidcTokenExePath)
+, m_AllowExternalOidcTokenExe(InAllowExternalOidcTokenExe)
{
ZEN_MEMSCOPE(GetProjectHttpTag());
@@ -2825,8 +2841,9 @@ HttpProjectService::HandleRpcRequest(HttpRouterRequest& Req)
MaxBlockSize,
MaxChunkEmbedSize,
GetMaxMemoryBufferSize(MaxBlockSize, BoostWorkerMemory),
- Oplog->TempPath()));
-
+ Oplog->TempPath(),
+ m_OidcTokenExePath,
+ m_AllowExternalOidcTokenExe));
if (RemoteStoreResult->Store == nullptr)
{
return HttpReq.WriteResponse(HttpResponseCode::BadRequest, HttpContentType::kText, RemoteStoreResult->Description);
@@ -2905,7 +2922,9 @@ HttpProjectService::HandleRpcRequest(HttpRouterRequest& Req)
MaxBlockSize,
MaxChunkEmbedSize,
GetMaxMemoryBufferSize(MaxBlockSize, BoostWorkerMemory),
- Oplog->TempPath());
+ Oplog->TempPath(),
+ m_OidcTokenExePath,
+ m_AllowExternalOidcTokenExe);
if (RemoteStoreResult.Store == nullptr)
{
diff --git a/src/zenserver/storage/projectstore/httpprojectstore.h b/src/zenserver/storage/projectstore/httpprojectstore.h
index a1f649ed6..917337324 100644
--- a/src/zenserver/storage/projectstore/httpprojectstore.h
+++ b/src/zenserver/storage/projectstore/httpprojectstore.h
@@ -38,14 +38,16 @@ class TransferThreadWorkers;
class HttpProjectService : public HttpService, public IHttpStatusProvider, public IHttpStatsProvider
{
public:
- HttpProjectService(CidStore& Store,
- ProjectStore* InProjectStore,
- HttpStatusService& StatusService,
- HttpStatsService& StatsService,
- AuthMgr& AuthMgr,
- OpenProcessCache& InOpenProcessCache,
- JobQueue& InJobQueue,
- bool InRestrictContentTypes);
+ HttpProjectService(CidStore& Store,
+ ProjectStore* InProjectStore,
+ HttpStatusService& StatusService,
+ HttpStatsService& StatsService,
+ AuthMgr& AuthMgr,
+ OpenProcessCache& InOpenProcessCache,
+ JobQueue& InJobQueue,
+ bool InRestrictContentTypes,
+ const std::filesystem::path& InOidcTokenExePath,
+ bool AllowExternalOidcTokenExe);
~HttpProjectService();
virtual const char* BaseUri() const override;
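Review bot: The last constructor parameter is declared `AllowExternalOidcTokenExe` here but defined as `InAllowExternalOidcTokenExe` in httpprojectstore.cpp, breaking the `In` prefix convention every other parameter in this signature follows; rename the declaration to `bool InAllowExternalOidcTokenExe);` so header and definition agree.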
@@ -112,6 +114,8 @@ private:
RwLock m_ThreadWorkersLock;
Ref<TransferThreadWorkers> m_ThreadWorkers;
bool m_RestrictContentTypes;
+ std::filesystem::path m_OidcTokenExePath;
+ bool m_AllowExternalOidcTokenExe;
Ref<TransferThreadWorkers> GetThreadWorkers(bool BoostWorkers, bool SingleThreaded);
};
diff --git a/src/zenserver/storage/storageconfig.cpp b/src/zenserver/storage/storageconfig.cpp
index ad1fb88ea..e8ccb9097 100644
--- a/src/zenserver/storage/storageconfig.cpp
+++ b/src/zenserver/storage/storageconfig.cpp
@@ -497,6 +497,10 @@ ZenStorageServerConfigurator::AddConfigOptions(LuaConfig::Options& LuaOptions)
LuaOptions.AddOption("security.encryptionaesiv"sv, ServerOptions.EncryptionIV, "encryption-aes-iv"sv);
LuaOptions.AddOption("security.openidproviders"sv, ServerOptions.AuthConfig);
LuaOptions.AddOption("security.restrictcontenttypes"sv, ServerOptions.RestrictContentTypes, "restrict-content-types"sv);
+ LuaOptions.AddOption("security.oidctokenexecutable"sv, ServerOptions.OidcTokenExecutable, "oidctoken-exe-path"sv);
+ LuaOptions.AddOption("security.allowexternaloidctokenexecutable"sv,
+ ServerOptions.AllowExternalOidcTokenExe,
+ "allow-external-oidctoken-exe"sv);
////// workspaces
LuaOptions.AddOption("workspaces.enabled"sv, ServerOptions.WorksSpacesConfig.Enabled, "workspaces-enabled"sv);
@@ -656,6 +660,18 @@ ZenStorageServerCmdLineOptions::AddSecurityOptions(cxxopts::Options& options, Ze
"Restrict content-type in requests to content-types that are not allowed in CORS simple requests",
cxxopts::value<bool>(ServerOptions.RestrictContentTypes),
"");
+ options.add_option("security",
+ "",
+ "oidctoken-exe-path",
+ "Path to OidcToken executable",
+ cxxopts::value<std::string>(OidcTokenExecutable),
+ "");
+ options.add_option("security",
+ "",
+ "allow-external-oidctoken-exe",
+ "Allow requests to specify a path to an external OidcToken executable",
+ cxxopts::value<bool>(ServerOptions.AllowExternalOidcTokenExe),
+ "");
}
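Review bot: The help text for `allow-external-oidctoken-exe` does not say what "requests" refers to or what the default is, and since the default in storageconfig.h is permissive an operator should see that here: `"Allow client requests (project/cloud config 'oidc-exe-path') to point the server at an external OidcToken executable (default: true)"`. The `oidctoken-exe-path` help could likewise mention that an empty value falls back to the env var and the bundled executable. The enclosing AddSecurityOptions function starts outside the hunk.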
void
@@ -1053,7 +1069,8 @@ ZenStorageServerCmdLineOptions::ApplyOptions(cxxopts::Options& options, ZenStora
{.Name = OpenIdProviderName, .Url = OpenIdProviderUrl, .ClientId = OpenIdClientId});
}
- ServerOptions.ObjectStoreConfig = ParseBucketConfigs(BucketConfigs);
+ ServerOptions.ObjectStoreConfig = ParseBucketConfigs(BucketConfigs);
+ ServerOptions.OidcTokenExecutable = MakeSafeAbsolutePath(OidcTokenExecutable);
}
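Review bot: `ServerOptions.OidcTokenExecutable = MakeSafeAbsolutePath(OidcTokenExecutable);` runs unconditionally, so if ApplyOptions is applied after the Lua configuration (the ordering is not visible from here), an unset `--oidctoken-exe-path` would overwrite `security.oidctokenexecutable` with whatever `MakeSafeAbsolutePath` returns for an empty string; guard it with `if (!OidcTokenExecutable.empty())`, as the OpenId provider options above only append when set. The Lua-sourced value also bypasses `MakeSafeAbsolutePath`, so a relative path from the config file is later resolved against the server's working directory inside `FindOidcTokenExePath` — apply the same normalisation to both sources.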
} // namespace zen
diff --git a/src/zenserver/storage/storageconfig.h b/src/zenserver/storage/storageconfig.h
index d935ed8b3..128804d92 100644
--- a/src/zenserver/storage/storageconfig.h
+++ b/src/zenserver/storage/storageconfig.h
@@ -160,6 +160,8 @@ struct ZenStorageServerConfig : public ZenServerConfig
bool ComputeEnabled = true;
std::string ScrubOptions;
bool RestrictContentTypes = false;
+ std::filesystem::path OidcTokenExecutable;
+ bool AllowExternalOidcTokenExe = true;
};
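Review bot: `AllowExternalOidcTokenExe = true` preserves the previous behaviour (the request-supplied `oidc-exe-path` was always honoured, per the removed lines in httpprojectstore.cpp), but it means a client can still choose which executable the server launches for token acquisition unless the operator opts out; secure-by-default would be `false`, with deployments that need the old behaviour enabling it explicitly. If the permissive default is intentional for compatibility, say so next to the field: `// Defaults to true for backwards compatibility; set false so only the server-configured/bundled OidcToken is ever launched.` The struct starts outside the hunk.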
struct ZenStorageServerCmdLineOptions
@@ -177,6 +179,7 @@ struct ZenStorageServerCmdLineOptions
std::string OpenIdProviderName;
std::string OpenIdProviderUrl;
std::string OpenIdClientId;
+ std::string OidcTokenExecutable;
void AddSecurityOptions(cxxopts::Options& options, ZenStorageServerConfig& ServerOptions);
diff --git a/src/zenserver/storage/zenstorageserver.cpp b/src/zenserver/storage/zenstorageserver.cpp
index f43bb9987..d4b8e37ef 100644
--- a/src/zenserver/storage/zenstorageserver.cpp
+++ b/src/zenserver/storage/zenstorageserver.cpp
@@ -229,7 +229,9 @@ ZenStorageServer::InitializeServices(const ZenStorageServerConfig& ServerOptions
*m_AuthMgr,
*m_OpenProcessCache,
*m_JobQueue,
- ServerOptions.RestrictContentTypes});
+ ServerOptions.RestrictContentTypes,
+ ServerOptions.OidcTokenExecutable,
+ ServerOptions.AllowExternalOidcTokenExe});
if (ServerOptions.WorksSpacesConfig.Enabled)
{
diff --git a/src/zenserver/zenserver.cpp b/src/zenserver/zenserver.cpp
index bb6b02d21..88b85d7d9 100644
--- a/src/zenserver/zenserver.cpp
+++ b/src/zenserver/zenserver.cpp
@@ -26,6 +26,7 @@
#include <zenhttp/httpserver.h>
#include <zenhttp/security/passwordsecurityfilter.h>
#include <zentelemetry/otlptrace.h>
+#include <zenutil/authutils.h>
#include <zenutil/service.h>
#include <zenutil/workerpools.h>
#include <zenutil/zenserverprocess.h>
diff --git a/src/zenutil/authutils.cpp b/src/zenutil/authutils.cpp
new file mode 100644
index 000000000..8ee6b1417
--- /dev/null
+++ b/src/zenutil/authutils.cpp
@@ -0,0 +1,55 @@
+// Copyright Epic Games, Inc. All Rights Reserved.
+
+#include "zenutil/authutils.h"
+#include "zenutil/config/commandlineoptions.h"
+
+#include <zencore/filesystem.h>
+
+namespace zen {
+using namespace std::literals;
+
+std::string_view
+GetOidcTokenPathEnvVariableName()
+{
+#if ZEN_PLATFORM_WINDOWS
+ return "UE-OidcTokenExePath"sv;
+#endif
+#if ZEN_PLATFORM_LINUX || ZEN_PLATFORM_MAC
+ return "UE_OidcTokenExePath"sv;
+#endif
+}
+
+std::filesystem::path
+FindOidcTokenExePath(std::string_view OidcTokenAuthExecutablePath)
+{
+ if (OidcTokenAuthExecutablePath.empty())
+ {
+ std::filesystem::path OidcTokenPath = GetEnvVariable(GetOidcTokenPathEnvVariableName());
+ if (IsFile(OidcTokenPath))
+ {
+ return OidcTokenPath;
+ }
+ const std::string OidcExecutableName = "OidcToken" ZEN_EXE_SUFFIX_LITERAL;
+ OidcTokenPath = (GetRunningExecutablePath().parent_path() / OidcExecutableName).make_preferred();
+ if (IsFile(OidcTokenPath))
+ {
+ return OidcTokenPath;
+ }
+ OidcTokenPath = (std::filesystem::current_path() / OidcExecutableName).make_preferred();
+ if (IsFile(OidcTokenPath))
+ {
+ return OidcTokenPath;
+ }
+ }
+ else
+ {
+ std::filesystem::path OidcTokenPath = std::filesystem::absolute(StringToPath(OidcTokenAuthExecutablePath)).make_preferred();
+ if (IsFile(OidcTokenPath))
+ {
+ return OidcTokenPath;
+ }
+ }
+ return {};
+};
+
+} // namespace zen
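Review bot: `GetOidcTokenPathEnvVariableName` has no return statement when neither `ZEN_PLATFORM_WINDOWS` nor `ZEN_PLATFORM_LINUX`/`ZEN_PLATFORM_MAC` is defined — falling off the end of a non-void function is undefined behaviour and most compilers only warn; restructure as `#if ... #elif ... #else #error "unsupported platform" #endif`. The lookup order in `FindOidcTokenExePath` also deserves a comment: environment variable, then the running executable's directory, then the current working directory — the last step launches whatever `OidcToken` happens to sit in the process's CWD, which the commit inherits from the moved code but is now reachable from the server process as well, so consider dropping the CWD fallback for server use or at least documenting it, e.g. `// Lookup order: UE(-|_)OidcTokenExePath env var, then next to the running executable, then CWD (last resort).` `IsFile` on the empty path produced by an unset env var is presumably false — confirm.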
diff --git a/src/zenutil/include/zenutil/authutils.h b/src/zenutil/include/zenutil/authutils.h
new file mode 100644
index 000000000..92ccad4b4
--- /dev/null
+++ b/src/zenutil/include/zenutil/authutils.h
@@ -0,0 +1,12 @@
+// Copyright Epic Games, Inc. All Rights Reserved.
+
+#pragma once
+
+#include <filesystem>
+
+namespace zen {
+
+std::string_view GetOidcTokenPathEnvVariableName();
+std::filesystem::path FindOidcTokenExePath(std::string_view OidcTokenAuthExecutablePath);
+
+} // namespace zen
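Review bot: The header uses `std::string_view` but only includes `<filesystem>`; add `#include <string_view>` so it does not depend on a transitive include. A short comment on `FindOidcTokenExePath` documenting that an empty argument triggers the automatic lookup and that an empty return means nothing was found would help callers, e.g. `// Returns the resolved OidcToken executable path, or an empty path if none is found.`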