Avoid printing URIs which can contain credentials
Fix for bug 1233275. Change-Id: I24d8b57418eb678767b33840973a632eb2132c6a
parent
f4f2a82728
commit
408cebacc3
@ -69,7 +69,7 @@ class VersionNegotiationFilter(wsgi.Middleware):
|
|||||||
req.environ['api.version'] = version
|
req.environ['api.version'] = version
|
||||||
req.path_info = ''.join(('/v', str(version), req.path_info))
|
req.path_info = ''.join(('/v', str(version), req.path_info))
|
||||||
LOG.debug(_("Matched version: v%d"), version)
|
LOG.debug(_("Matched version: v%d"), version)
|
||||||
LOG.debug('new uri %s' % req.path_info)
|
LOG.debug('new path %s' % req.path_info)
|
||||||
return None
|
return None
|
||||||
|
|
||||||
def _match_version_string(self, subject):
|
def _match_version_string(self, subject):
|
||||||
|
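Review bot: The changed call `LOG.debug('new path %s' % req.path_info)` builds the message with `%` before the logger decides whether debug output is enabled. Passing the value as a logging argument, `LOG.debug('new path %s', req.path_info)`, defers the formatting and keeps the request-derived path out of the format string. The enclosing method starts above the hunk.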
@ -53,13 +53,14 @@ def migrate_location_credentials(migrate_engine, to_quoted):
|
|||||||
'swift')).execute())
|
'swift')).execute())
|
||||||
|
|
||||||
for image in images:
|
for image in images:
|
||||||
fixed_uri = legacy_parse_uri(image['location'], to_quoted)
|
fixed_uri = legacy_parse_uri(image['location'], to_quoted,
|
||||||
|
image['id'])
|
||||||
images_table.update()\
|
images_table.update()\
|
||||||
.where(images_table.c.id == image['id'])\
|
.where(images_table.c.id == image['id'])\
|
||||||
.values(location=fixed_uri).execute()
|
.values(location=fixed_uri).execute()
|
||||||
|
|
||||||
|
|
||||||
def legacy_parse_uri(uri, to_quote):
|
def legacy_parse_uri(uri, to_quote, image_id):
|
||||||
"""
|
"""
|
||||||
Parse URLs. This method fixes an issue where credentials specified
|
Parse URLs. This method fixes an issue where credentials specified
|
||||||
in the URL are interpreted differently in Python 2.6.1+ than prior
|
in the URL are interpreted differently in Python 2.6.1+ than prior
|
||||||
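Review bot: The docstring of `legacy_parse_uri`, which opens in this hunk, does not mention the new `image_id` parameter in the lines visible here. A line such as `:param image_id: id of the image that owns the URI; used only to identify the record in log messages so the URI, which can embed credentials, is never logged` would record why the argument exists and discourage a later change from putting the URI back into a message. The docstring continues outside the hunk, so the wording may need to fit what follows. The same applies to the second copy of `legacy_parse_uri` and to `fix_uri_credentials` in the later migration hunks.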
@ -87,7 +88,7 @@ def legacy_parse_uri(uri, to_quote):
|
|||||||
"like so: "
|
"like so: "
|
||||||
"swift+http://user:pass@authurl.com/v1/container/obj")
|
"swift+http://user:pass@authurl.com/v1/container/obj")
|
||||||
|
|
||||||
LOG.error(_("Invalid store uri %(uri)s: %(reason)s") % locals())
|
LOG.error(_("Invalid store uri for image %s: %s") % (image_id, reason))
|
||||||
raise exception.BadStoreUri(message=reason)
|
raise exception.BadStoreUri(message=reason)
|
||||||
|
|
||||||
pieces = urlparse.urlparse(uri)
|
pieces = urlparse.urlparse(uri)
|
||||||
|
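Review bot: The new translatable message `_("Invalid store uri for image %s: %s")` uses two positional placeholders, so a translation cannot reorder them, whereas the line it replaces used named ones. Keeping named placeholders with an explicit dict avoids that without going back to `locals()`: `LOG.error(_("Invalid store uri for image %(image_id)s: %(reason)s") % {'image_id': image_id, 'reason': reason})`. The identical line in the second `legacy_parse_uri` hunk and `'Failed to delete image %s from store (%s)'` in `safe_delete_from_backend` have the same shape. The rest of `legacy_parse_uri` is outside the hunk, so any later log or exception text there that still interpolates `uri` is not covered by this review.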
@ -80,7 +80,8 @@ def migrate_location_credentials(migrate_engine, to_quoted):
|
|||||||
|
|
||||||
for image in images:
|
for image in images:
|
||||||
try:
|
try:
|
||||||
fixed_uri = fix_uri_credentials(image['location'], to_quoted)
|
fixed_uri = fix_uri_credentials(image['location'], to_quoted,
|
||||||
|
image['id'])
|
||||||
images_table.update()\
|
images_table.update()\
|
||||||
.where(images_table.c.id == image['id'])\
|
.where(images_table.c.id == image['id'])\
|
||||||
.values(location=fixed_uri).execute()
|
.values(location=fixed_uri).execute()
|
||||||
@ -97,7 +98,7 @@ def encrypt_location(uri):
|
|||||||
return crypt.urlsafe_encrypt(CONF.metadata_encryption_key, uri, 64)
|
return crypt.urlsafe_encrypt(CONF.metadata_encryption_key, uri, 64)
|
||||||
|
|
||||||
|
|
||||||
def fix_uri_credentials(uri, to_quoted):
|
def fix_uri_credentials(uri, to_quoted, image_id):
|
||||||
"""
|
"""
|
||||||
Fix the given uri's embedded credentials by round-tripping with
|
Fix the given uri's embedded credentials by round-tripping with
|
||||||
StoreLocation.
|
StoreLocation.
|
||||||
@ -119,10 +120,10 @@ def fix_uri_credentials(uri, to_quoted):
|
|||||||
except (TypeError, ValueError) as e:
|
except (TypeError, ValueError) as e:
|
||||||
raise exception.Invalid(str(e))
|
raise exception.Invalid(str(e))
|
||||||
|
|
||||||
return legacy_parse_uri(decrypted_uri, to_quoted)
|
return legacy_parse_uri(decrypted_uri, to_quoted, image_id)
|
||||||
|
|
||||||
|
|
||||||
def legacy_parse_uri(uri, to_quote):
|
def legacy_parse_uri(uri, to_quote, image_id):
|
||||||
"""
|
"""
|
||||||
Parse URLs. This method fixes an issue where credentials specified
|
Parse URLs. This method fixes an issue where credentials specified
|
||||||
in the URL are interpreted differently in Python 2.6.1+ than prior
|
in the URL are interpreted differently in Python 2.6.1+ than prior
|
||||||
@ -150,7 +151,7 @@ def legacy_parse_uri(uri, to_quote):
|
|||||||
"like so: "
|
"like so: "
|
||||||
"swift+http://user:pass@authurl.com/v1/container/obj")
|
"swift+http://user:pass@authurl.com/v1/container/obj")
|
||||||
|
|
||||||
LOG.error(_("Invalid store uri %(uri)s: %(reason)s") % locals())
|
LOG.error(_("Invalid store uri for image %s: %s") % (image_id, reason))
|
||||||
raise exception.BadStoreUri(message=reason)
|
raise exception.BadStoreUri(message=reason)
|
||||||
|
|
||||||
pieces = urlparse.urlparse(uri)
|
pieces = urlparse.urlparse(uri)
|
||||||
|
@ -272,14 +272,14 @@ def safe_delete_from_backend(context, uri, image_id, **kwargs):
|
|||||||
try:
|
try:
|
||||||
return delete_from_backend(context, uri, **kwargs)
|
return delete_from_backend(context, uri, **kwargs)
|
||||||
except exception.NotFound:
|
except exception.NotFound:
|
||||||
msg = _('Failed to delete image in store at URI: %s')
|
msg = _('Failed to delete image %s in store from URI')
|
||||||
LOG.warn(msg % uri)
|
LOG.warn(msg % image_id)
|
||||||
except exception.StoreDeleteNotSupported as e:
|
except exception.StoreDeleteNotSupported as e:
|
||||||
LOG.warn(str(e))
|
LOG.warn(str(e))
|
||||||
except UnsupportedBackend:
|
except UnsupportedBackend:
|
||||||
exc_type = sys.exc_info()[0].__name__
|
exc_type = sys.exc_info()[0].__name__
|
||||||
msg = (_('Failed to delete image at %s from store (%s)') %
|
msg = (_('Failed to delete image %s from store (%s)') %
|
||||||
(uri, exc_type))
|
(image_id, exc_type))
|
||||||
LOG.error(msg)
|
LOG.error(msg)
|
||||||
|
|
||||||
|
|
||||||
|
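Review bot: The `StoreDeleteNotSupported` branch still logs `str(e)` unchanged, and nothing in this hunk shows whether that exception text can carry the store location. If the store builds its message from the URI, credentials would still reach the log through this path even though the two neighbouring branches now log `image_id` only. It is worth confirming what the exception message contains, or logging the image id and exception class instead, e.g. `LOG.warn(_('Delete not supported for image %s') % image_id)`. Separately, the new text `'Failed to delete image %s in store from URI'` reads awkwardly once the URI is gone; `'Failed to delete image %s from store'` would match the message used in the `UnsupportedBackend` branch.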
@ -122,7 +122,7 @@ class StoreLocation(glance.store.location.StoreLocation):
|
|||||||
"s3+https:// scheme, like so: "
|
"s3+https:// scheme, like so: "
|
||||||
"s3+https://accesskey:secretkey@"
|
"s3+https://accesskey:secretkey@"
|
||||||
"s3.amazonaws.com/bucket/key-id")
|
"s3.amazonaws.com/bucket/key-id")
|
||||||
LOG.debug(_("Invalid store uri %(uri)s: %(reason)s") % locals())
|
LOG.debug(_("Invalid store uri: %s") % reason)
|
||||||
raise exception.BadStoreUri(message=reason)
|
raise exception.BadStoreUri(message=reason)
|
||||||
|
|
||||||
pieces = urlparse.urlparse(uri)
|
pieces = urlparse.urlparse(uri)
|
||||||
|
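Review bot: Only the s3 `StoreLocation` is touched on this page, yet the removed line `_("Invalid store uri %(uri)s: %(reason)s") % locals()` has the same form as the lines removed from the two migration scripts, which suggests the pattern was copied around. Other store drivers may carry the same message and would still write a credential-bearing URI to the log; a search of the tree for `Invalid store uri %(uri)s` and for `% locals()` in logging calls would confirm this. The enclosing parse method starts and ends outside the hunk, so other uses of `uri` in it are not visible here.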
@ -442,8 +442,8 @@ class Scrubber(object):
|
|||||||
uri = crypt.urlsafe_decrypt(CONF.metadata_encryption_key, uri)
|
uri = crypt.urlsafe_decrypt(CONF.metadata_encryption_key, uri)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
LOG.debug(_("Deleting %(uri)s from image %(image_id)s.") %
|
LOG.debug(_("Deleting URI from image %(image_id)s.") %
|
||||||
{'image_id': image_id, 'uri': uri})
|
{'image_id': image_id})
|
||||||
|
|
||||||
# Here we create a request context with credentials to support
|
# Here we create a request context with credentials to support
|
||||||
# delayed delete when using multi-tenant backend storage
|
# delayed delete when using multi-tenant backend storage
|
||||||
@ -455,8 +455,8 @@ class Scrubber(object):
|
|||||||
|
|
||||||
self.store_api.delete_from_backend(admin_context, uri)
|
self.store_api.delete_from_backend(admin_context, uri)
|
||||||
except Exception:
|
except Exception:
|
||||||
msg = _("Failed to delete image %(image_id)s from %(uri)s.")
|
msg = _("Failed to delete URI from image %(image_id)s")
|
||||||
LOG.error(msg % {'image_id': image_id, 'uri': uri})
|
LOG.error(msg % {'image_id': image_id})
|
||||||
|
|
||||||
def _read_cleanup_file(self, file_path):
|
def _read_cleanup_file(self, file_path):
|
||||||
"""Reading cleanup to get latest cleanup timestamp.
|
"""Reading cleanup to get latest cleanup timestamp.
|
||||||
|
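Review bot: With the URI removed, the `except Exception:` branch now logs neither the location nor any hint of what failed, which makes a failed scrub hard to triage from the log alone. Logging the full exception text or a traceback could bring the URI back, so the exception class name is a safer addition, as `safe_delete_from_backend` already does with `exc_type`: change the handler to `except Exception as e:`, the message to `_("Failed to delete URI from image %(image_id)s (%(exc)s)")`, and the dict to `{'image_id': image_id, 'exc': type(e).__name__}`. The `try` this handler belongs to opens in the previous Scrubber hunk, and the lines between the two hunks are not shown.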