openstack/glance
Code Issues Proposed changes

Fix config group not found error

Browse Source 
Two parts to this fix:

* add a call to oslo.config.cfg.import_group so that the function
  that checks a uri against the configured white/blacklists can
  access them
* move the location where these options are defined into the
  module's __init__ so that they can be imported without causing a
  circular import (which happens if you import them from their
  current location)

Change-Id: I6363faba0c4cbe75e6e4d0cbf0209a62c10474ef
Closes-bug: #1750205
This commit is contained in:
Brian Rosmaita 2018-02-17 23:48:18 -05:00
parent 3d5f33f2b3
commit 156ba81c2f
4 changed files with 187 additions and 184 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

182
glance/async/flows/_internal_plugins/__init__.py
View File

@ -16,9 +16,191 @@
from oslo_config import cfg
from stevedore import named
from glance.i18n import _
CONF = cfg.CONF
import_filtering_opts = [
cfg.ListOpt('allowed_schemes',
item_type=cfg.types.String(quotes=True),
bounds=True,
default=['http', 'https'],
help=_("""
Specify the allowed url schemes for web-download.
This option provides whitelisting for uri schemes that web-download import
method will be using. Whitelisting is always priority and ignores any
blacklisting of the schemes but obeys host and port filtering.
For example: If scheme blacklisting contains 'http' and whitelist contains
['http', 'https'] the whitelist is obeyed on http://example.com but any
other scheme like ftp://example.com is blocked even it's not blacklisted.
Possible values:
* List containing normalized url schemes as they are returned from
urllib.parse. For example ['ftp','https']
Related options:
* disallowed_schemes
* allowed_hosts
* disallowed_hosts
* allowed_ports
* disallowed_ports
""")),
cfg.ListOpt('disallowed_schemes',
item_type=cfg.types.String(quotes=True),
bounds=True,
default=[],
help=_("""
Specify the blacklisted url schemes for web-download.
This option provides blacklisting for uri schemes that web-download import
method will be using. Whitelisting is always priority and ignores any
blacklisting of the schemes but obeys host and port filtering. Blacklisting
can be used to prevent specific scheme to be used when whitelisting is not
in use.
For example: If scheme blacklisting contains 'http' and whitelist contains
['http', 'https'] the whitelist is obeyed on http://example.com but any
other scheme like ftp://example.com is blocked even it's not blacklisted.
Possible values:
* List containing normalized url schemes as they are returned from
urllib.parse. For example ['ftp','https']
* By default the list is empty
Related options:
* allowed_schemes
* allowed_hosts
* disallowed_hosts
* allowed_ports
* disallowed_ports
""")),
cfg.ListOpt('allowed_hosts',
item_type=cfg.types.HostAddress(),
bounds=True,
default=[],
help=_("""
Specify the allowed target hosts for web-download.
This option provides whitelisting for hosts that web-download import
method will be using. Whitelisting is always priority and ignores any
blacklisting of the hosts but obeys scheme and port filtering.
For example: If scheme blacklisting contains 'http' and whitelist contains
['http', 'https'] the whitelist is obeyed on http://example.com but any
other scheme like ftp://example.com is blocked even it's not blacklisted.
Same way the whitelisted example.com is only obeyed on the allowed schemes
and or ports. Whitelisting of the host does not allow all schemes and ports
accessed.
Possible values:
* List containing normalized hostname or ip like it would be returned
in the urllib.parse netloc without the port
* By default the list is empty
Related options:
* allowed_schemes
* disallowed_schemes
* disallowed_hosts
* allowed_ports
* disallowed_ports
""")),
cfg.ListOpt('disallowed_hosts',
item_type=cfg.types.HostAddress(),
bounds=True,
default=[],
help=_("""
Specify the blacklisted hosts for web-download.
This option provides blacklisting for hosts that web-download import
method will be using. Whitelisting is always priority and ignores any
blacklisting but obeys scheme and port filtering.
For example: If scheme blacklisting contains 'http' and whitelist contains
['http', 'https'] the whitelist is obeyed on http://example.com but any
other scheme like ftp://example.com is blocked even it's not blacklisted.
The blacklisted example.com is obeyed on any url pointing to that host
regardless of what their scheme or port is.
Possible values:
* List containing normalized hostname or ip like it would be returned
in the urllib.parse netloc without the port
* By default the list is empty
Related options:
* allowed_schemes
* disallowed_schemes
* allowed_hosts
* allowed_ports
* disallowed_ports
""")),
cfg.ListOpt('allowed_ports',
item_type=cfg.types.Integer(min=1, max=65535),
bounds=True,
default=[80, 443],
help=_("""
Specify the allowed ports for web-download.
This option provides whitelisting for uri ports that web-download import
method will be using. Whitelisting is always priority and ignores any
blacklisting of the ports but obeys host and scheme filtering.
For example: If scheme blacklisting contains '80' and whitelist contains
['80', '443'] the whitelist is obeyed on http://example.com:80 but any
other port like ftp://example.com:21 is blocked even it's not blacklisted.
Possible values:
* List containing ports as they are returned from urllib.parse netloc
field. For example ['80','443']
Related options:
* allowed_schemes
* disallowed_schemes
* allowed_hosts
* disallowed_hosts
* disallowed_ports
""")),
cfg.ListOpt('disallowed_ports',
item_type=cfg.types.Integer(min=1, max=65535),
bounds=True,
default=[],
help=_("""
Specify the disallowed ports for web-download.
This option provides blacklisting for uri ports that web-download import
method will be using. Whitelisting is always priority and ignores any
blacklisting of the ports but obeys host and scheme filtering.
For example: If scheme blacklisting contains '80' and whitelist contains
['80', '443'] the whitelist is obeyed on http://example.com:80 but any
other port like ftp://example.com:21 is blocked even it's not blacklisted.
If no whitelisting is defined any scheme and host combination is disallowed
for the blacklisted port.
Possible values:
* List containing ports as they are returned from urllib.parse netloc
field. For example ['80','443']
* By default this list is empty.
Related options:
* allowed_schemes
* disallowed_schemes
* allowed_hosts
* disallowed_hosts
* allowed_ports
""")),
]
CONF.register_opts(import_filtering_opts, group='import_filtering_opts')
def get_import_plugin(**kwargs):
method_list = CONF.enabled_import_methods

181
glance/async/flows/_internal_plugins/web_download.py
View File

@ -29,187 +29,6 @@ LOG = logging.getLogger(__name__)
CONF = cfg.CONF
import_filtering_opts = [
cfg.ListOpt('allowed_schemes',
item_type=cfg.types.String(quotes=True),
bounds=True,
default=['http', 'https'],
help=_("""
Specify the allowed url schemes for web-download.
This option provides whitelisting for uri schemes that web-download import
method will be using. Whitelisting is always priority and ignores any
blacklisting of the schemes but obeys host and port filtering.
For example: If scheme blacklisting contains 'http' and whitelist contains
['http', 'https'] the whitelist is obeyed on http://example.com but any
other scheme like ftp://example.com is blocked even it's not blacklisted.
Possible values:
* List containing normalized url schemes as they are returned from
urllib.parse. For example ['ftp','https']
Related options:
* disallowed_schemes
* allowed_hosts
* disallowed_hosts
* allowed_ports
* disallowed_ports
""")),
cfg.ListOpt('disallowed_schemes',
item_type=cfg.types.String(quotes=True),
bounds=True,
default=[],
help=_("""
Specify the blacklisted url schemes for web-download.
This option provides blacklisting for uri schemes that web-download import
method will be using. Whitelisting is always priority and ignores any
blacklisting of the schemes but obeys host and port filtering. Blacklisting
can be used to prevent specific scheme to be used when whitelisting is not
in use.
For example: If scheme blacklisting contains 'http' and whitelist contains
['http', 'https'] the whitelist is obeyed on http://example.com but any
other scheme like ftp://example.com is blocked even it's not blacklisted.
Possible values:
* List containing normalized url schemes as they are returned from
urllib.parse. For example ['ftp','https']
* By default the list is empty
Related options:
* allowed_schemes
* allowed_hosts
* disallowed_hosts
* allowed_ports
* disallowed_ports
""")),
cfg.ListOpt('allowed_hosts',
item_type=cfg.types.HostAddress(),
bounds=True,
default=[],
help=_("""
Specify the allowed target hosts for web-download.
This option provides whitelisting for hosts that web-download import
method will be using. Whitelisting is always priority and ignores any
blacklisting of the hosts but obeys scheme and port filtering.
For example: If scheme blacklisting contains 'http' and whitelist contains
['http', 'https'] the whitelist is obeyed on http://example.com but any
other scheme like ftp://example.com is blocked even it's not blacklisted.
Same way the whitelisted example.com is only obeyed on the allowed schemes
and or ports. Whitelisting of the host does not allow all schemes and ports
accessed.
Possible values:
* List containing normalized hostname or ip like it would be returned
in the urllib.parse netloc without the port
* By default the list is empty
Related options:
* allowed_schemes
* disallowed_schemes
* disallowed_hosts
* allowed_ports
* disallowed_ports
""")),
cfg.ListOpt('disallowed_hosts',
item_type=cfg.types.HostAddress(),
bounds=True,
default=[],
help=_("""
Specify the blacklisted hosts for web-download.
This option provides blacklisting for hosts that web-download import
method will be using. Whitelisting is always priority and ignores any
blacklisting but obeys scheme and port filtering.
For example: If scheme blacklisting contains 'http' and whitelist contains
['http', 'https'] the whitelist is obeyed on http://example.com but any
other scheme like ftp://example.com is blocked even it's not blacklisted.
The blacklisted example.com is obeyed on any url pointing to that host
regardless of what their scheme or port is.
Possible values:
* List containing normalized hostname or ip like it would be returned
in the urllib.parse netloc without the port
* By default the list is empty
Related options:
* allowed_schemes
* disallowed_schemes
* allowed_hosts
* allowed_ports
* disallowed_ports
""")),
cfg.ListOpt('allowed_ports',
item_type=cfg.types.Integer(min=1, max=65535),
bounds=True,
default=[80, 443],
help=_("""
Specify the allowed ports for web-download.
This option provides whitelisting for uri ports that web-download import
method will be using. Whitelisting is always priority and ignores any
blacklisting of the ports but obeys host and scheme filtering.
For example: If scheme blacklisting contains '80' and whitelist contains
['80', '443'] the whitelist is obeyed on http://example.com:80 but any
other port like ftp://example.com:21 is blocked even it's not blacklisted.
Possible values:
* List containing ports as they are returned from urllib.parse netloc
field. For example ['80','443']
Related options:
* allowed_schemes
* disallowed_schemes
* allowed_hosts
* disallowed_hosts
* disallowed_ports
""")),
cfg.ListOpt('disallowed_ports',
item_type=cfg.types.Integer(min=1, max=65535),
bounds=True,
default=[],
help=_("""
Specify the disallowed ports for web-download.
This option provides blacklisting for uri ports that web-download import
method will be using. Whitelisting is always priority and ignores any
blacklisting of the ports but obeys host and scheme filtering.
For example: If scheme blacklisting contains '80' and whitelist contains
['80', '443'] the whitelist is obeyed on http://example.com:80 but any
other port like ftp://example.com:21 is blocked even it's not blacklisted.
If no whitelisting is defined any scheme and host combination is disallowed
for the blacklisted port.
Possible values:
* List containing ports as they are returned from urllib.parse netloc
field. For example ['80','443']
* By default this list is empty.
Related options:
* allowed_schemes
* disallowed_schemes
* allowed_hosts
* disallowed_hosts
* allowed_ports
""")),
]
CONF.register_opts(import_filtering_opts, group='import_filtering_opts')
class _WebDownload(task.Task):
default_provides = 'file_uri'

4
glance/common/utils.py
View File

@ -127,13 +127,15 @@ def cooperative_read(fd):
MAX_COOP_READER_BUFFER_SIZE = 134217728 # 128M seems like a sane buffer limit
CONF.import_group('import_filtering_opts',
'glance.async.flows._internal_plugins')
def validate_import_uri(uri):
"""Validate requested uri for Image Import web-download.
:param uri: target uri to be validated
"""
if not uri:
return False

4
glance/opts.py
View File

@ -28,7 +28,7 @@ from osprofiler import opts as profiler
import glance.api.middleware.context
import glance.api.versions
import glance.async.flows._internal_plugins.web_download
import glance.async.flows._internal_plugins
import glance.async.flows.api_image_import
import glance.async.flows.convert
from glance.async.flows.plugins import plugin_opts
@ -111,7 +111,7 @@ _manage_opts = [
_image_import_opts = [
('image_import_opts', glance.async.flows.api_image_import.api_import_opts),
('import_filtering_opts',
glance.async.flows._internal_plugins.web_download.import_filtering_opts),
glance.async.flows._internal_plugins.import_filtering_opts),
]