6 files changed, 87 insertions, 41 deletions
diff --git a/src/zenserver/storage/projectstore/httpprojectstore.cpp b/src/zenserver/storage/projectstore/httpprojectstore.cpp
index 836d84292..2fa10a292 100644
--- a/src/zenserver/storage/projectstore/httpprojectstore.cpp
+++ b/src/zenserver/storage/projectstore/httpprojectstore.cpp
@@ -28,6 +28,7 @@
 #include <zenstore/oplogreferencedset.h>
 #include <zenstore/projectstore.h>
 #include <zenstore/zenstore.h>
+#include <zenutil/authutils.h>
 #include <zenutil/openprocesscache.h>
 #include <zenutil/workerpools.h>
 
@@ -106,7 +107,6 @@ CSVWriteOp(CidStore&					   CidStore,
 //////////////////////////////////////////////////////////////////////////
 
 namespace {
-
 	void CbWriteOp(CidStore&					   CidStore,
 				   bool							   Details,
 				   bool							   OpDetails,
@@ -273,7 +273,9 @@ namespace {
 											  size_t					   MaxBlockSize,
 											  size_t					   MaxChunkEmbedSize,
 											  size_t					   MaximumInMemoryDownloadSize,
-											  const std::filesystem::path& TempFilePath)
+											  const std::filesystem::path& TempFilePath,
+											  const std::filesystem::path& OidcTokenExePath,
+											  bool						   AllowExternalOidcTokenExe)
 	{
 		ZEN_MEMSCOPE(GetProjectHttpTag());
 
@@ -340,19 +342,24 @@ namespace {
 					AccessToken = GetEnvVariable(AccessTokenEnvVariable);
 				}
 			}
-			std::filesystem::path OidcExePath;
-			if (std::string_view OidcExePathString = Cloud["oidc-exe-path"].AsString(); !OidcExePathString.empty())
+
+			std::filesystem::path OidcExePath = FindOidcTokenExePath(OidcTokenExePath.string());
+			if (OidcExePath.empty() && AllowExternalOidcTokenExe)
 			{
-				std::filesystem::path OidcExePathMaybe(OidcExePathString);
-				if (IsFile(OidcExePathMaybe))
-				{
-					OidcExePath = std::move(OidcExePathMaybe);
-				}
-				else
+				if (std::string_view OidcExePathString = Cloud["oidc-exe-path"].AsString(); !OidcExePathString.empty())
 				{
-					ZEN_WARN("Path to OidcToken executable '{}' can not be reached by server", OidcExePathString);
+					std::filesystem::path OidcExePathMaybe(OidcExePathString);
+					if (IsFile(OidcExePathMaybe))
+					{
+						OidcExePath = std::move(OidcExePathMaybe);
+					}
+					else
+					{
+						ZEN_WARN("Path to OidcToken executable '{}' can not be reached by server", OidcExePathString);
+					}
 				}
 			}
+
 			std::string_view KeyParam = Cloud["key"sv].AsString();
 			if (KeyParam.empty())
 			{
@@ -470,19 +477,24 @@ namespace {
 					AccessToken = GetEnvVariable(AccessTokenEnvVariable);
 				}
 			}
-			std::filesystem::path OidcExePath;
-			if (std::string_view OidcExePathString = Builds["oidc-exe-path"].AsString(); !OidcExePathString.empty())
+
+			std::filesystem::path OidcExePath = FindOidcTokenExePath(OidcTokenExePath.string());
+			if (OidcExePath.empty() && AllowExternalOidcTokenExe)
 			{
-				std::filesystem::path OidcExePathMaybe(OidcExePathString);
-				if (IsFile(OidcExePathMaybe))
-				{
-					OidcExePath = std::move(OidcExePathMaybe);
-				}
-				else
+				if (std::string_view OidcExePathString = Builds["oidc-exe-path"].AsString(); !OidcExePathString.empty())
 				{
-					ZEN_WARN("Path to OidcToken executable '{}' can not be reached by server", OidcExePathString);
+					std::filesystem::path OidcExePathMaybe(OidcExePathString);
+					if (IsFile(OidcExePathMaybe))
+					{
+						OidcExePath = std::move(OidcExePathMaybe);
+					}
+					else
+					{
+						ZEN_WARN("Path to OidcToken executable '{}' can not be reached by server", OidcExePathString);
+					}
 				}
 			}
+
 			std::string_view BuildIdParam = Builds["buildsid"sv].AsString();
 			if (BuildIdParam.empty())
 			{
@@ -647,14 +659,16 @@ namespace {
 
 //////////////////////////////////////////////////////////////////////////
 
-HttpProjectService::HttpProjectService(CidStore&		  Store,
-									   ProjectStore*	  Projects,
-									   HttpStatusService& StatusService,
-									   HttpStatsService&  StatsService,
-									   AuthMgr&			  AuthMgr,
-									   OpenProcessCache&  InOpenProcessCache,
-									   JobQueue&		  InJobQueue,
-									   bool				  InRestrictContentTypes)
+HttpProjectService::HttpProjectService(CidStore&					Store,
+									   ProjectStore*				Projects,
+									   HttpStatusService&			StatusService,
+									   HttpStatsService&			StatsService,
+									   AuthMgr&						AuthMgr,
+									   OpenProcessCache&			InOpenProcessCache,
+									   JobQueue&					InJobQueue,
+									   bool							InRestrictContentTypes,
+									   const std::filesystem::path& InOidcTokenExePath,
+									   bool							InAllowExternalOidcTokenExe)
 : m_Log(logging::Get("project"))
 , m_CidStore(Store)
 , m_ProjectStore(Projects)
@@ -664,6 +678,8 @@ HttpProjectService::HttpProjectService(CidStore&		  Store,
 , m_OpenProcessCache(InOpenProcessCache)
 , m_JobQueue(InJobQueue)
 , m_RestrictContentTypes(InRestrictContentTypes)
+, m_OidcTokenExePath(InOidcTokenExePath)
+, m_AllowExternalOidcTokenExe(InAllowExternalOidcTokenExe)
 {
 	ZEN_MEMSCOPE(GetProjectHttpTag());
 
@@ -2825,8 +2841,9 @@ HttpProjectService::HandleRpcRequest(HttpRouterRequest& Req)
 																				MaxBlockSize,
 																				MaxChunkEmbedSize,
 																				GetMaxMemoryBufferSize(MaxBlockSize, BoostWorkerMemory),
-																				Oplog->TempPath()));
-
+																				Oplog->TempPath(),
+																				m_OidcTokenExePath,
+																				m_AllowExternalOidcTokenExe));
 				if (RemoteStoreResult->Store == nullptr)
 				{
 					return HttpReq.WriteResponse(HttpResponseCode::BadRequest, HttpContentType::kText, RemoteStoreResult->Description);
@@ -2905,7 +2922,9 @@ HttpProjectService::HandleRpcRequest(HttpRouterRequest& Req)
 																			  MaxBlockSize,
 																			  MaxChunkEmbedSize,
 																			  GetMaxMemoryBufferSize(MaxBlockSize, BoostWorkerMemory),
-																			  Oplog->TempPath());
+																			  Oplog->TempPath(),
+																			  m_OidcTokenExePath,
+																			  m_AllowExternalOidcTokenExe);
 
 				if (RemoteStoreResult.Store == nullptr)
 				{
diff --git a/src/zenserver/storage/projectstore/httpprojectstore.h b/src/zenserver/storage/projectstore/httpprojectstore.h
index a1f649ed6..917337324 100644
--- a/src/zenserver/storage/projectstore/httpprojectstore.h
+++ b/src/zenserver/storage/projectstore/httpprojectstore.h
@@ -38,14 +38,16 @@ class TransferThreadWorkers;
 class HttpProjectService : public HttpService, public IHttpStatusProvider, public IHttpStatsProvider
 {
 public:
-	HttpProjectService(CidStore&		  Store,
-					   ProjectStore*	  InProjectStore,
-					   HttpStatusService& StatusService,
-					   HttpStatsService&  StatsService,
-					   AuthMgr&			  AuthMgr,
-					   OpenProcessCache&  InOpenProcessCache,
-					   JobQueue&		  InJobQueue,
-					   bool				  InRestrictContentTypes);
+	HttpProjectService(CidStore&					Store,
+					   ProjectStore*				InProjectStore,
+					   HttpStatusService&			StatusService,
+					   HttpStatsService&			StatsService,
+					   AuthMgr&						AuthMgr,
+					   OpenProcessCache&			InOpenProcessCache,
+					   JobQueue&					InJobQueue,
+					   bool							InRestrictContentTypes,
+					   const std::filesystem::path& InOidcTokenExePath,
+					   bool							AllowExternalOidcTokenExe);
 	~HttpProjectService();
 
 	virtual const char* BaseUri() const override;
@@ -112,6 +114,8 @@ private:
 	RwLock					   m_ThreadWorkersLock;
 	Ref<TransferThreadWorkers> m_ThreadWorkers;
 	bool					   m_RestrictContentTypes;
+	std::filesystem::path	   m_OidcTokenExePath;
+	bool					   m_AllowExternalOidcTokenExe;
 
 	Ref<TransferThreadWorkers> GetThreadWorkers(bool BoostWorkers, bool SingleThreaded);
 };
diff --git a/src/zenserver/storage/storageconfig.cpp b/src/zenserver/storage/storageconfig.cpp
index ad1fb88ea..e8ccb9097 100644
--- a/src/zenserver/storage/storageconfig.cpp
+++ b/src/zenserver/storage/storageconfig.cpp
@@ -497,6 +497,10 @@ ZenStorageServerConfigurator::AddConfigOptions(LuaConfig::Options& LuaOptions)
 	LuaOptions.AddOption("security.encryptionaesiv"sv, ServerOptions.EncryptionIV, "encryption-aes-iv"sv);
 	LuaOptions.AddOption("security.openidproviders"sv, ServerOptions.AuthConfig);
 	LuaOptions.AddOption("security.restrictcontenttypes"sv, ServerOptions.RestrictContentTypes, "restrict-content-types"sv);
+	LuaOptions.AddOption("security.oidctokenexecutable"sv, ServerOptions.OidcTokenExecutable, "oidctoken-exe-path"sv);
+	LuaOptions.AddOption("security.allowexternaloidctokenexecutable"sv,
+						 ServerOptions.AllowExternalOidcTokenExe,
+						 "allow-external-oidctoken-exe"sv);
 
 	////// workspaces
 	LuaOptions.AddOption("workspaces.enabled"sv, ServerOptions.WorksSpacesConfig.Enabled, "workspaces-enabled"sv);
@@ -656,6 +660,18 @@ ZenStorageServerCmdLineOptions::AddSecurityOptions(cxxopts::Options& options, Ze
 					   "Restrict content-type in requests to content-types that are not allowed in CORS simple requests",
 					   cxxopts::value<bool>(ServerOptions.RestrictContentTypes),
 					   "");
+	options.add_option("security",
+					   "",
+					   "oidctoken-exe-path",
+					   "Path to OidcToken executable",
+					   cxxopts::value<std::string>(OidcTokenExecutable),
+					   "");
+	options.add_option("security",
+					   "",
+					   "allow-external-oidctoken-exe",
+					   "Allow requests to specify a path to an external OidcToken executable",
+					   cxxopts::value<bool>(ServerOptions.AllowExternalOidcTokenExe),
+					   "");
 }
 
 void
@@ -1053,7 +1069,8 @@ ZenStorageServerCmdLineOptions::ApplyOptions(cxxopts::Options& options, ZenStora
 			{.Name = OpenIdProviderName, .Url = OpenIdProviderUrl, .ClientId = OpenIdClientId});
 	}
 
-	ServerOptions.ObjectStoreConfig = ParseBucketConfigs(BucketConfigs);
+	ServerOptions.ObjectStoreConfig	  = ParseBucketConfigs(BucketConfigs);
+	ServerOptions.OidcTokenExecutable = MakeSafeAbsolutePath(OidcTokenExecutable);
 }
 
 }  // namespace zen
diff --git a/src/zenserver/storage/storageconfig.h b/src/zenserver/storage/storageconfig.h
index d935ed8b3..128804d92 100644
--- a/src/zenserver/storage/storageconfig.h
+++ b/src/zenserver/storage/storageconfig.h
@@ -160,6 +160,8 @@ struct ZenStorageServerConfig : public ZenServerConfig
 	bool					 ComputeEnabled		= true;
 	std::string				 ScrubOptions;
 	bool					 RestrictContentTypes = false;
+	std::filesystem::path	 OidcTokenExecutable;
+	bool					 AllowExternalOidcTokenExe = true;
 };
 
 struct ZenStorageServerCmdLineOptions
@@ -177,6 +179,7 @@ struct ZenStorageServerCmdLineOptions
 	std::string OpenIdProviderName;
 	std::string OpenIdProviderUrl;
 	std::string OpenIdClientId;
+	std::string OidcTokenExecutable;
 
 	void AddSecurityOptions(cxxopts::Options& options, ZenStorageServerConfig& ServerOptions);
 
diff --git a/src/zenserver/storage/zenstorageserver.cpp b/src/zenserver/storage/zenstorageserver.cpp
index f43bb9987..d4b8e37ef 100644
--- a/src/zenserver/storage/zenstorageserver.cpp
+++ b/src/zenserver/storage/zenstorageserver.cpp
@@ -229,7 +229,9 @@ ZenStorageServer::InitializeServices(const ZenStorageServerConfig& ServerOptions
 													  *m_AuthMgr,
 													  *m_OpenProcessCache,
 													  *m_JobQueue,
-													  ServerOptions.RestrictContentTypes});
+													  ServerOptions.RestrictContentTypes,
+													  ServerOptions.OidcTokenExecutable,
+													  ServerOptions.AllowExternalOidcTokenExe});
 
 	if (ServerOptions.WorksSpacesConfig.Enabled)
 	{
diff --git a/src/zenserver/zenserver.cpp b/src/zenserver/zenserver.cpp
index bb6b02d21..88b85d7d9 100644
--- a/src/zenserver/zenserver.cpp
+++ b/src/zenserver/zenserver.cpp
@@ -26,6 +26,7 @@
 #include <zenhttp/httpserver.h>
 #include <zenhttp/security/passwordsecurityfilter.h>
 #include <zentelemetry/otlptrace.h>
+#include <zenutil/authutils.h>
 #include <zenutil/service.h>
 #include <zenutil/workerpools.h>
 #include <zenutil/zenserverprocess.h>