# Copyright 2018 Red Hat, Inc.
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
from oslo_config import cfg
|
|
from stevedore import named
|
|
|
|
from glance.i18n import _
|
|
|
|
|
|
CONF = cfg.CONF

# URI filtering options for the web-download import method. Per the help
# texts below, a URI is checked by scheme, then host, then port, and for each
# of the three an "allowed" list takes priority over the matching
# "disallowed" list.
#
# NOTE(review): the code that applies these filters is not in this file.
# Both host lists default to empty, so confirm how that combination is
# treated. If it means "no host restriction", web-download can be pointed at
# any host reachable from the Glance node on the allowed ports, including
# internal-only services; deployments would then need to set one of the host
# lists explicitly.
#
# NOTE(review): the help texts describe values as urllib.parse returns them,
# which suggests a literal comparison against the parsed URI. A hostname-based
# list would presumably not cover other names or address spellings that reach
# the same machine; verify against the filter implementation.
import_filtering_opts = [

    # Scheme allowlist. quotes=True lets each item be written quoted, and
    # bounds=True expects the bracketed list form, e.g. ['http', 'https'].
    cfg.ListOpt('allowed_schemes',
                item_type=cfg.types.String(quotes=True),
                bounds=True,
                default=['http', 'https'],
                help=_("""
Specify the "whitelist" of allowed url schemes for web-download.

This option provides whitelisting of uri schemes that will be allowed when
an end user imports an image using the web-download import method. The
whitelist has priority such that if there is also a blacklist defined for
schemes, the blacklist will be ignored. Host and port filtering, however,
will be applied.

See the Glance Administration Guide for more information.

Possible values:
* List containing normalized url schemes as they are returned from
urllib.parse. For example ['ftp','https']
* Hint: leave the whitelist empty if you want the disallowed_schemes
blacklist to be processed

Related options:
* disallowed_schemes
* allowed_hosts
* disallowed_hosts
* allowed_ports
* disallowed_ports

""")),
    # Scheme denylist. Because allowed_schemes has a non-empty default, the
    # help text implies this list only takes effect once the operator empties
    # allowed_schemes.
    cfg.ListOpt('disallowed_schemes',
                item_type=cfg.types.String(quotes=True),
                bounds=True,
                default=[],
                help=_("""
Specify the "blacklist" of uri schemes disallowed for web-download.

This option provides blacklisting of uri schemes that will be rejected when
an end user imports an image using the web-download import method. Note
that if a scheme whitelist is defined using the 'allowed_schemes' option,
*this option will be ignored*. Host and port filtering, however, will be
applied.

See the Glance Administration Guide for more information.

Possible values:
* List containing normalized url schemes as they are returned from
urllib.parse. For example ['ftp','https']
* By default the list is empty

Related options:
* allowed_schemes
* allowed_hosts
* disallowed_hosts
* allowed_ports
* disallowed_ports

""")),
    # Host allowlist. Items are validated as host addresses (IP or hostname)
    # and the default is empty, i.e. no allowlist is defined out of the box.
    cfg.ListOpt('allowed_hosts',
                item_type=cfg.types.HostAddress(),
                bounds=True,
                default=[],
                help=_("""
Specify the "whitelist" of allowed target hosts for web-download.

This option provides whitelisting of hosts that will be allowed when an end
user imports an image using the web-download import method. The whitelist
has priority such that if there is also a blacklist defined for hosts, the
blacklist will be ignored. The uri must have already passed scheme
filtering before this host filter will be applied. If the uri passes, port
filtering will then be applied.

See the Glance Administration Guide for more information.

Possible values:
* List containing normalized hostname or ip like it would be returned
in the urllib.parse netloc without the port
* By default the list is empty
* Hint: leave the whitelist empty if you want the disallowed_hosts
blacklist to be processed

Related options:
* allowed_schemes
* disallowed_schemes
* disallowed_hosts
* allowed_ports
* disallowed_ports

""")),
    # Host denylist, also empty by default. Ignored whenever allowed_hosts is
    # set, according to the help text.
    cfg.ListOpt('disallowed_hosts',
                item_type=cfg.types.HostAddress(),
                bounds=True,
                default=[],
                help=_("""
Specify the "blacklist" of hosts disallowed for web-download.

This option provides blacklisting of hosts that will be rejected when an end
user imports an image using the web-download import method. Note that if a
host whitelist is defined using the 'allowed_hosts' option, *this option
will be ignored*.

The uri must have already passed scheme filtering before this host filter
will be applied. If the uri passes, port filtering will then be applied.

See the Glance Administration Guide for more information.

Possible values:
* List containing normalized hostname or ip like it would be returned
in the urllib.parse netloc without the port
* By default the list is empty

Related options:
* allowed_schemes
* disallowed_schemes
* allowed_hosts
* allowed_ports
* disallowed_ports

""")),
    # Port allowlist. Each item must be an integer in 1..65535; the default
    # admits only 80 and 443.
    cfg.ListOpt('allowed_ports',
                item_type=cfg.types.Integer(min=1, max=65535),
                bounds=True,
                default=[80, 443],
                help=_("""
Specify the "whitelist" of allowed ports for web-download.

This option provides whitelisting of ports that will be allowed when an end
user imports an image using the web-download import method. The whitelist
has priority such that if there is also a blacklist defined for ports, the
blacklist will be ignored. Note that scheme and host filtering have already
been applied by the time a uri hits the port filter.

See the Glance Administration Guide for more information.

Possible values:
* List containing ports as they are returned from urllib.parse netloc
field. Thus the value is a list of integer values, for example
[80, 443]
* Hint: leave the whitelist empty if you want the disallowed_ports
blacklist to be processed

Related options:
* allowed_schemes
* disallowed_schemes
* allowed_hosts
* disallowed_hosts
* disallowed_ports
""")),
    # Port denylist. Because allowed_ports has a non-empty default, the help
    # text implies this list only takes effect once the operator empties
    # allowed_ports.
    cfg.ListOpt('disallowed_ports',
                item_type=cfg.types.Integer(min=1, max=65535),
                bounds=True,
                default=[],
                help=_("""
Specify the "blacklist" of disallowed ports for web-download.

This option provides blacklisting of target ports that will be rejected when
an end user imports an image using the web-download import method. Note
that if a port whitelist is defined using the 'allowed_ports' option, *this
option will be ignored*. Note that scheme and host filtering have already
been applied by the time a uri hits the port filter.

See the Glance Administration Guide for more information.

Possible values:
* List containing ports as they are returned from urllib.parse netloc
field. Thus the value is a list of integer values, for example
[22, 88]
* By default this list is empty

Related options:
* allowed_schemes
* disallowed_schemes
* allowed_hosts
* disallowed_hosts
* allowed_ports

""")),
]

# Register the options at import time under the [import_filtering_opts]
# configuration group.
CONF.register_opts(import_filtering_opts, group='import_filtering_opts')
|
|
|
|
|
|
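def get_import_plugin(**kwargs):
    """Load and return the internal plugin for the requested import method.

    The method name is read from ``kwargs['import_req']['method']['name']``
    and is used to select a plugin only if it is listed in
    ``CONF.enabled_import_methods``. Dashes in the name are replaced with
    underscores to form the entry point name looked up in the
    ``glance.image_import.internal_plugins`` namespace.

    :param kwargs: must contain ``import_req``; every keyword argument is
                   also passed to the plugin when it is instantiated.
    :returns: the object of the first loaded extension, or None if no
              extension was loaded for the method.
    :raises ValueError: if the requested import method is not enabled.
    """
    method_list = CONF.enabled_import_methods
    import_method = kwargs.get('import_req')['method']['name']
    if import_method not in method_list:
        # The name comes from the import request, so it must never select a
        # plugin unless the operator enabled it. Without this guard the code
        # below failed with an UnboundLocalError on task_list instead of a
        # clear rejection.
        raise ValueError(
            _("Import method '%(method)s' is not enabled.") %
            {'method': import_method})

    task_list = [import_method.replace("-", "_")]
    extensions = named.NamedExtensionManager(
        'glance.image_import.internal_plugins',
        names=task_list,
        name_order=True,
        invoke_on_load=True,
        invoke_kwds=kwargs)
    for extension in extensions.extensions:
        # Only one name was requested, so the first extension is the plugin.
        return extension.obj
    # Nothing was loaded for the requested name.
    return None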
|