Diffstat (limited to 'src')
-rw-r--r--src/zenserver/storage/projectstore/httpprojectstore.cpp49
-rw-r--r--src/zenserver/storage/projectstore/httpprojectstore.h4
-rw-r--r--src/zenserver/storage/storageconfig.cpp9
-rw-r--r--src/zenserver/storage/storageconfig.h1
-rw-r--r--src/zenserver/storage/zenstorageserver.cpp3
5 files changed, 58 insertions, 8 deletions
diff --git a/src/zenserver/storage/projectstore/httpprojectstore.cpp b/src/zenserver/storage/projectstore/httpprojectstore.cpp
index 1e1899002..91c0a8af1 100644
--- a/src/zenserver/storage/projectstore/httpprojectstore.cpp
+++ b/src/zenserver/storage/projectstore/httpprojectstore.cpp
@@ -253,7 +253,8 @@ namespace {
size_t MaxChunkEmbedSize,
size_t MaximumInMemoryDownloadSize,
const std::filesystem::path& TempFilePath,
- const std::filesystem::path& OidcTokenExePath)
+ const std::filesystem::path& OidcTokenExePath,
+ bool AllowExternalOidcTokenExe)
{
ZEN_MEMSCOPE(GetProjectHttpTag());
@@ -320,6 +321,21 @@ namespace {
}
std::filesystem::path OidcExePath = FindOidcTokenExePath(OidcTokenExePath.string());
+ if (OidcExePath.empty() && AllowExternalOidcTokenExe)
+ {
+ if (std::string_view OidcExePathString = Cloud["oidc-exe-path"].AsString(); !OidcExePathString.empty())
+ {
+ std::filesystem::path OidcExePathMaybe(OidcExePathString);
+ if (IsFile(OidcExePathMaybe))
+ {
+ OidcExePath = std::move(OidcExePathMaybe);
+ }
+ else
+ {
+ ZEN_WARN("Path to OidcToken executable '{}' can not be reached by server", OidcExePathString);
+ }
+ }
+ }
std::string_view KeyParam = Cloud["key"sv].AsString();
if (KeyParam.empty())
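Review bot: The `oidc-exe-path` value read from `Cloud` comes from the request and is accepted as the OidcToken executable after only an `IsFile` check, so when `AllowExternalOidcTokenExe` is set, any caller that can reach this RPC chooses which program on the server's filesystem is used (presumably launched later to fetch a token; that code is outside the hunk). The check should at least reject relative paths, e.g. `if (OidcExePathMaybe.is_absolute() && IsFile(OidcExePathMaybe))`, and ideally confine the path to an operator-configured directory or an expected file name. An accepted external path should also leave an audit record, e.g. `ZEN_INFO("Using request-supplied OidcToken executable '{}'", OidcExePathString);`. The same applies to the `Builds` copy in the next hunk (`@@ -426,8 +442,25 @@`). The enclosing function starts and ends outside the hunk.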
@@ -426,8 +442,25 @@ namespace {
AccessToken = GetEnvVariable(AccessTokenEnvVariable);
}
}
- std::filesystem::path OidcExePath = FindOidcTokenExePath(OidcTokenExePath.string());
- std::string_view BuildIdParam = Builds["buildsid"sv].AsString();
+
+ std::filesystem::path OidcExePath = FindOidcTokenExePath(OidcTokenExePath.string());
+ if (OidcExePath.empty() && AllowExternalOidcTokenExe)
+ {
+ if (std::string_view OidcExePathString = Builds["oidc-exe-path"].AsString(); !OidcExePathString.empty())
+ {
+ std::filesystem::path OidcExePathMaybe(OidcExePathString);
+ if (IsFile(OidcExePathMaybe))
+ {
+ OidcExePath = std::move(OidcExePathMaybe);
+ }
+ else
+ {
+ ZEN_WARN("Path to OidcToken executable '{}' can not be reached by server", OidcExePathString);
+ }
+ }
+ }
+
+ std::string_view BuildIdParam = Builds["buildsid"sv].AsString();
if (BuildIdParam.empty())
{
return {nullptr, "Missing build id"};
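Review bot: This fallback block is a line-for-line copy of the one added for `Cloud` in the previous hunk, differing only in the object the key is read from, so any later tightening of the path check has to be made twice. A file-local helper in the anonymous namespace that takes the configured path, the allow flag and the requested string and returns the resolved path would keep the policy in one place. The new lookup also drops the `sv` suffix the neighbouring keys use; `Builds["oidc-exe-path"sv].AsString()` would match `Builds["buildsid"sv]`. The enclosing function continues outside the hunk.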
@@ -515,7 +548,8 @@ HttpProjectService::HttpProjectService(CidStore& Store,
AuthMgr& AuthMgr,
OpenProcessCache& InOpenProcessCache,
JobQueue& InJobQueue,
- const std::filesystem::path& InOidcTokenExePath)
+ const std::filesystem::path& InOidcTokenExePath,
+ bool InAllowExternalOidcTokenExe)
: m_Log(logging::Get("project"))
, m_CidStore(Store)
, m_ProjectStore(Projects)
@@ -525,6 +559,7 @@ HttpProjectService::HttpProjectService(CidStore& Store,
, m_OpenProcessCache(InOpenProcessCache)
, m_JobQueue(InJobQueue)
, m_OidcTokenExePath(InOidcTokenExePath)
+, m_AllowExternalOidcTokenExe(InAllowExternalOidcTokenExe)
{
ZEN_MEMSCOPE(GetProjectHttpTag());
@@ -2640,7 +2675,8 @@ HttpProjectService::HandleRpcRequest(HttpRouterRequest& Req)
MaxChunkEmbedSize,
GetMaxMemoryBufferSize(MaxBlockSize, BoostWorkerMemory),
Oplog->TempPath(),
- m_OidcTokenExePath);
+ m_OidcTokenExePath,
+ m_AllowExternalOidcTokenExe);
if (RemoteStoreResult.Store == nullptr)
{
@@ -2711,7 +2747,8 @@ HttpProjectService::HandleRpcRequest(HttpRouterRequest& Req)
MaxChunkEmbedSize,
GetMaxMemoryBufferSize(MaxBlockSize, BoostWorkerMemory),
Oplog->TempPath(),
- m_OidcTokenExePath);
+ m_OidcTokenExePath,
+ m_AllowExternalOidcTokenExe);
if (RemoteStoreResult.Store == nullptr)
{
diff --git a/src/zenserver/storage/projectstore/httpprojectstore.h b/src/zenserver/storage/projectstore/httpprojectstore.h
index 5a8bd3c9b..4e7172e75 100644
--- a/src/zenserver/storage/projectstore/httpprojectstore.h
+++ b/src/zenserver/storage/projectstore/httpprojectstore.h
@@ -45,7 +45,8 @@ public:
AuthMgr& AuthMgr,
OpenProcessCache& InOpenProcessCache,
JobQueue& InJobQueue,
- const std::filesystem::path& InOidcTokenExePath);
+ const std::filesystem::path& InOidcTokenExePath,
+ bool AllowExternalOidcTokenExe);
~HttpProjectService();
virtual const char* BaseUri() const override;
@@ -111,6 +112,7 @@ private:
RwLock m_ThreadWorkersLock;
Ref<TransferThreadWorkers> m_ThreadWorkers;
std::filesystem::path m_OidcTokenExePath;
+ bool m_AllowExternalOidcTokenExe;
Ref<TransferThreadWorkers> GetThreadWorkers(bool BoostWorkers, bool SingleThreaded);
};
diff --git a/src/zenserver/storage/storageconfig.cpp b/src/zenserver/storage/storageconfig.cpp
index 98167b4f6..1826adb99 100644
--- a/src/zenserver/storage/storageconfig.cpp
+++ b/src/zenserver/storage/storageconfig.cpp
@@ -497,6 +497,9 @@ ZenStorageServerConfigurator::AddConfigOptions(LuaConfig::Options& LuaOptions)
LuaOptions.AddOption("security.encryptionaesiv"sv, ServerOptions.EncryptionIV, "encryption-aes-iv"sv);
LuaOptions.AddOption("security.openidproviders"sv, ServerOptions.AuthConfig);
LuaOptions.AddOption("security.oidctokenexecutable"sv, ServerOptions.OidcTokenExecutable, "oidctoken-exe-path"sv);
+ LuaOptions.AddOption("security.allowexternaloidctokenexecutable"sv,
+ ServerOptions.AllowExternalOidcTokenExe,
+ "allow-external-oidctoken-exe"sv);
////// workspaces
LuaOptions.AddOption("workspaces.enabled"sv, ServerOptions.WorksSpacesConfig.Enabled, "workspaces-enabled"sv);
@@ -656,6 +659,12 @@ ZenStorageServerCmdLineOptions::AddSecurityOptions(cxxopts::Options& options, Ze
"Path to OidcToken executable",
cxxopts::value<std::string>(OidcTokenExecutable),
"");
+ options.add_option("security",
+ "",
+ "allow-external-oidctoken-exe",
+ "Allow requests to specify a path to an external OidcToken executable",
+ cxxopts::value<bool>(ServerOptions.AllowExternalOidcTokenExe),
+ "");
}
void
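Review bot: The help text for `allow-external-oidctoken-exe` does not say that the option is already on by default (the config struct initialises it to `true` in storageconfig.h), so an operator reading `--help` cannot tell that it must be turned off explicitly to stop requests from naming an executable. Something like `"Allow requests to specify a path to an external OidcToken executable (default: true)"` would make that visible. The option also binds straight to `ServerOptions.AllowExternalOidcTokenExe`, whereas the option above it goes through the local `OidcTokenExecutable`; it is worth confirming that this is intended. The function starts outside the hunk.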
diff --git a/src/zenserver/storage/storageconfig.h b/src/zenserver/storage/storageconfig.h
index b265572cc..f7ed68ace 100644
--- a/src/zenserver/storage/storageconfig.h
+++ b/src/zenserver/storage/storageconfig.h
@@ -158,6 +158,7 @@ struct ZenStorageServerConfig : public ZenServerConfig
bool ObjectStoreEnabled = false;
std::string ScrubOptions;
std::filesystem::path OidcTokenExecutable;
+ bool AllowExternalOidcTokenExe = true;
};
struct ZenStorageServerCmdLineOptions
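Review bot: `AllowExternalOidcTokenExe` defaults to `true`, so every server that does not set the option accepts a request-supplied executable path whenever no OidcToken executable is configured or found. For a switch that widens what a request can make the server use, an opt-in default is safer: `bool AllowExternalOidcTokenExe = false;`, with deployments that need the behaviour enabling `security.allowexternaloidctokenexecutable` explicitly. If the `true` default is kept for compatibility, a comment on the field saying so would help the next reader.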
diff --git a/src/zenserver/storage/zenstorageserver.cpp b/src/zenserver/storage/zenstorageserver.cpp
index 381ef028a..cf4936f6f 100644
--- a/src/zenserver/storage/zenstorageserver.cpp
+++ b/src/zenserver/storage/zenstorageserver.cpp
@@ -211,7 +211,8 @@ ZenStorageServer::InitializeServices(const ZenStorageServerConfig& ServerOptions
*m_AuthMgr,
*m_OpenProcessCache,
*m_JobQueue,
- ServerOptions.OidcTokenExecutable});
+ ServerOptions.OidcTokenExecutable,
+ ServerOptions.AllowExternalOidcTokenExe});
if (ServerOptions.WorksSpacesConfig.Enabled)
{