Remove secure_proxy_ssl_header opt from Glance
Glance uses http-proxy-to-wsgi middleware from oslo.middleware in
its pipeline in order to efficiently forward request headers in case
of load balancer style deployments. Hence, the configuration option
``secure_proxy_ssl_header`` was marked as deprecated.
This patch removes the option and the support for it within Glance
to entirely rely on oslo middleware. This will ensure that the related
headers set by oslo.middleware:HTTPProxyToWSGI is never modified in
Glance.
Change-Id: I11d41bb736bbfd90030d88245c11642823e4c400
Closes-Bug: 1673908
Dharini Chandrasekar authored 7 years ago
Cyril Roelandt committed 1 year, 10 months ago
| 792 | 792 | # (integer value) |
| 793 | 793 | # Minimum value: 1 |
| 794 | 794 | #tcp_keepidle = 600 |
| 795 | ||
| 796 | # DEPRECATED: The HTTP header used to determine the scheme for the original | |
| 797 | # request, even if it was removed by an SSL terminating proxy. Typical value is | |
| 798 | # "HTTP_X_FORWARDED_PROTO". (string value) | |
| 799 | # This option is deprecated for removal. | |
| 800 | # Its value may be silently ignored in the future. | |
| 801 | # Reason: Use the http_proxy_to_wsgi middleware instead. | |
| 802 | #secure_proxy_ssl_header = <None> | |
| 803 | 795 | |
| 804 | 796 | # Key:Value pair of store identifier and store type. In case of multiple |
| 805 | 797 | # backends should be separated using comma. (dict value) |
| 244 | 244 | """)), |
| 245 | 245 | ] |
| 246 | 246 | |
| 247 | wsgi_opts = [ | |
| 248 | cfg.StrOpt('secure_proxy_ssl_header', | |
| 249 | deprecated_for_removal=True, | |
| 250 | deprecated_reason=_('Use the http_proxy_to_wsgi middleware ' | |
| 251 | 'instead.'), | |
| 252 | help=_('The HTTP header used to determine the scheme for the ' | |
| 253 | 'original request, even if it was removed by an SSL ' | |
| 254 | 'terminating proxy. Typical value is ' | |
| 255 | '"HTTP_X_FORWARDED_PROTO".')), | |
| 256 | ] | |
| 257 | ||
| 258 | 247 | store_opts = [ |
| 259 | 248 | cfg.DictOpt('enabled_backends', |
| 260 | 249 | help=_('Key:Value pair of store identifier and store type. ' |
| 292 | 281 | CONF.register_opts(bind_opts) |
| 293 | 282 | CONF.register_opts(socket_opts) |
| 294 | 283 | CONF.register_opts(eventlet_opts) |
| 295 | CONF.register_opts(wsgi_opts) | |
| 296 | 284 | CONF.register_opts(store_opts) |
| 297 | 285 | CONF.register_opts(cache_opts) |
| 298 | 286 | profiler_opts.set_defaults(CONF) |
| 1083 | 1071 | """Add some OpenStack API-specific logic to the base webob.Request.""" |
| 1084 | 1072 | |
| 1085 | 1073 | def __init__(self, environ, *args, **kwargs): |
| 1086 | if CONF.secure_proxy_ssl_header: | |
| 1087 | scheme = environ.get(CONF.secure_proxy_ssl_header) | |
| 1088 | if scheme: | |
| 1089 | environ['wsgi.url_scheme'] = scheme | |
| 1090 | 1074 | super(Request, self).__init__(environ, *args, **kwargs) |
| 1091 | 1075 | |
| 1092 | 1076 | @property |
| 52 | 52 | glance.common.wsgi.bind_opts, |
| 53 | 53 | glance.common.wsgi.eventlet_opts, |
| 54 | 54 | glance.common.wsgi.socket_opts, |
| 55 | glance.common.wsgi.wsgi_opts, | |
| 56 | 55 | glance.common.wsgi.store_opts, |
| 57 | 56 | glance.common.wsgi.cache_opts, |
| 58 | 57 | glance.common.wsgi.cli_opts, |
| 21 | 21 | |
| 22 | 22 | from glance.api.middleware import version_negotiation |
| 23 | 23 | from glance.api import versions |
| 24 | from glance.common.wsgi import Request as WsgiRequest | |
| 25 | 24 | from glance.tests.unit import base |
| 26 | 25 | |
| 27 | 26 | |
| 208 | 207 | res = versions.Controller().index(req) |
| 209 | 208 | results = jsonutils.loads(res.body)['versions'] |
| 210 | 209 | expected = get_versions_list('https://example.com:9292', |
| 211 | enabled_backends=True, | |
| 212 | enabled_cache=True) | |
| 213 | self.assertEqual(expected, results) | |
| 214 | ||
| 215 | def test_get_version_list_secure_proxy_ssl_header(self): | |
| 216 | self.config(secure_proxy_ssl_header='HTTP_X_FORWARDED_PROTO') | |
| 217 | url = 'http://localhost:9292' | |
| 218 | environ = webob.request.environ_from_url(url) | |
| 219 | req = WsgiRequest(environ) | |
| 220 | res = versions.Controller().index(req) | |
| 221 | self.assertEqual(http.MULTIPLE_CHOICES, res.status_int) | |
| 222 | self.assertEqual('application/json', res.content_type) | |
| 223 | results = jsonutils.loads(res.body)['versions'] | |
| 224 | expected = get_versions_list(url) | |
| 225 | self.assertEqual(expected, results) | |
| 226 | ||
| 227 | self.config(enabled_backends='slow:one,fast:two') | |
| 228 | res = versions.Controller().index(req) | |
| 229 | results = jsonutils.loads(res.body)['versions'] | |
| 230 | expected = get_versions_list(url, enabled_backends=True) | |
| 231 | self.assertEqual(expected, results) | |
| 232 | ||
| 233 | self.config(image_cache_dir='/tmp/cache') | |
| 234 | res = versions.Controller().index(req) | |
| 235 | results = jsonutils.loads(res.body)['versions'] | |
| 236 | expected = get_versions_list(url, | |
| 237 | enabled_backends=True, | |
| 238 | enabled_cache=True) | |
| 239 | self.assertEqual(expected, results) | |
| 240 | ||
| 241 | def test_get_version_list_secure_proxy_ssl_header_https(self): | |
| 242 | self.config(secure_proxy_ssl_header='HTTP_X_FORWARDED_PROTO') | |
| 243 | url = 'http://localhost:9292' | |
| 244 | ssl_url = 'https://localhost:9292' | |
| 245 | environ = webob.request.environ_from_url(url) | |
| 246 | environ['HTTP_X_FORWARDED_PROTO'] = "https" | |
| 247 | req = WsgiRequest(environ) | |
| 248 | res = versions.Controller().index(req) | |
| 249 | self.assertEqual(http.MULTIPLE_CHOICES, res.status_int) | |
| 250 | self.assertEqual('application/json', res.content_type) | |
| 251 | results = jsonutils.loads(res.body)['versions'] | |
| 252 | expected = get_versions_list(ssl_url) | |
| 253 | self.assertEqual(expected, results) | |
| 254 | ||
| 255 | self.config(enabled_backends='slow:one,fast:two') | |
| 256 | res = versions.Controller().index(req) | |
| 257 | results = jsonutils.loads(res.body)['versions'] | |
| 258 | expected = get_versions_list(ssl_url, enabled_backends=True) | |
| 259 | self.assertEqual(expected, results) | |
| 260 | ||
| 261 | self.config(image_cache_dir='/tmp/cache') | |
| 262 | res = versions.Controller().index(req) | |
| 263 | results = jsonutils.loads(res.body)['versions'] | |
| 264 | expected = get_versions_list(ssl_url, | |
| 265 | 210 | enabled_backends=True, |
| 266 | 211 | enabled_cache=True) |
| 267 | 212 | self.assertEqual(expected, results) |
| 0 | --- | |
| 1 | deprecations: | |
| 2 | - | | |
| 3 | Removed the deprecated 'secure_proxy_ssl_header' config option. Image import | |
| 4 | will be always enabled from this release onwards as designed. | |
| 5 | upgrade: | |
| 6 | - | | |
| 7 | As Glance relies on oslo.middleware for this feature, care needs to be taken | |
| 8 | that it is configured properly from this release forward. |