Hide Swift network info in Horizon error message

In case of error Swift API return some details about unsuccessful
request, i.e. internal IP, full object pass, etc. This response is not
processed by Horizon and presented to user as-is, which is potentially
insecure. Proposed patch adds error processing striping network location
from error message

Change-Id: Ieef9669a1be3ed7bbc685a457eb1fe86b34c3c7e
Closes-bug: #1794767
This commit is contained in:
BubaVV 2018-09-27 16:58:58 +03:00 committed by Vadym Markov
parent 6c2225bab8
commit 4d6a1b327a

View File

@ -18,6 +18,8 @@
from datetime import datetime from datetime import datetime
import functools
import six.moves.urllib.parse as urlparse import six.moves.urllib.parse as urlparse
import swiftclient import swiftclient
@ -36,6 +38,18 @@ GLOBAL_READ_ACL = ".r:*"
LIST_CONTENTS_ACL = ".rlistings" LIST_CONTENTS_ACL = ".rlistings"
def safe_swift_exception(function):
@functools.wraps(function)
def wrapper(*args, **kwargs):
try:
return function(*args, **kwargs)
except swiftclient.client.ClientException as e:
e.http_scheme = e.http_host = e.http_port = ''
raise e
return wrapper
class Container(base.APIDictWrapper): class Container(base.APIDictWrapper):
pass pass
@ -136,6 +150,7 @@ def swift_object_exists(request, container_name, object_name):
@profiler.trace @profiler.trace
@safe_swift_exception
def swift_get_containers(request, marker=None, prefix=None): def swift_get_containers(request, marker=None, prefix=None):
limit = getattr(settings, 'API_RESULT_LIMIT', 1000) limit = getattr(settings, 'API_RESULT_LIMIT', 1000)
headers, containers = swift_api(request).get_account(limit=limit + 1, headers, containers = swift_api(request).get_account(limit=limit + 1,
@ -150,6 +165,7 @@ def swift_get_containers(request, marker=None, prefix=None):
@profiler.trace @profiler.trace
@safe_swift_exception
def swift_get_container(request, container_name, with_data=True): def swift_get_container(request, container_name, with_data=True):
if with_data: if with_data:
headers, data = swift_api(request).get_object(container_name, "") headers, data = swift_api(request).get_object(container_name, "")
@ -184,6 +200,7 @@ def swift_get_container(request, container_name, with_data=True):
@profiler.trace @profiler.trace
@safe_swift_exception
def swift_create_container(request, name, metadata=({})): def swift_create_container(request, name, metadata=({})):
if swift_container_exists(request, name): if swift_container_exists(request, name):
raise exceptions.AlreadyExists(name, 'container') raise exceptions.AlreadyExists(name, 'container')
@ -193,6 +210,7 @@ def swift_create_container(request, name, metadata=({})):
@profiler.trace @profiler.trace
@safe_swift_exception
def swift_update_container(request, name, metadata=({})): def swift_update_container(request, name, metadata=({})):
headers = _metadata_to_header(metadata) headers = _metadata_to_header(metadata)
swift_api(request).post_container(name, headers=headers) swift_api(request).post_container(name, headers=headers)
@ -200,6 +218,7 @@ def swift_update_container(request, name, metadata=({})):
@profiler.trace @profiler.trace
@safe_swift_exception
def swift_delete_container(request, name): def swift_delete_container(request, name):
# It cannot be deleted if it's not empty. The batch remove of objects # It cannot be deleted if it's not empty. The batch remove of objects
# be done in swiftclient instead of Horizon. # be done in swiftclient instead of Horizon.
@ -214,6 +233,7 @@ def swift_delete_container(request, name):
@profiler.trace @profiler.trace
@safe_swift_exception
def swift_get_objects(request, container_name, prefix=None, marker=None, def swift_get_objects(request, container_name, prefix=None, marker=None,
limit=None): limit=None):
limit = limit or getattr(settings, 'API_RESULT_LIMIT', 1000) limit = limit or getattr(settings, 'API_RESULT_LIMIT', 1000)
@ -233,6 +253,7 @@ def swift_get_objects(request, container_name, prefix=None, marker=None,
@profiler.trace @profiler.trace
@safe_swift_exception
def swift_filter_objects(request, filter_string, container_name, prefix=None, def swift_filter_objects(request, filter_string, container_name, prefix=None,
marker=None): marker=None):
# FIXME(kewu): Swift currently has no real filtering API, thus the marker # FIXME(kewu): Swift currently has no real filtering API, thus the marker
@ -269,6 +290,7 @@ def wildcard_search(string, q):
@profiler.trace @profiler.trace
@safe_swift_exception
def swift_copy_object(request, orig_container_name, orig_object_name, def swift_copy_object(request, orig_container_name, orig_object_name,
new_container_name, new_object_name): new_container_name, new_object_name):
if swift_object_exists(request, new_container_name, new_object_name): if swift_object_exists(request, new_container_name, new_object_name):
@ -286,6 +308,7 @@ def swift_copy_object(request, orig_container_name, orig_object_name,
@profiler.trace @profiler.trace
@safe_swift_exception
def swift_upload_object(request, container_name, object_name, def swift_upload_object(request, container_name, object_name,
object_file=None): object_file=None):
headers = {} headers = {}
@ -305,6 +328,7 @@ def swift_upload_object(request, container_name, object_name,
@profiler.trace @profiler.trace
@safe_swift_exception
def swift_create_pseudo_folder(request, container_name, pseudo_folder_name): def swift_create_pseudo_folder(request, container_name, pseudo_folder_name):
# Make sure the folder name doesn't already exist. # Make sure the folder name doesn't already exist.
if swift_object_exists(request, container_name, pseudo_folder_name): if swift_object_exists(request, container_name, pseudo_folder_name):
@ -324,12 +348,14 @@ def swift_create_pseudo_folder(request, container_name, pseudo_folder_name):
@profiler.trace @profiler.trace
@safe_swift_exception
def swift_delete_object(request, container_name, object_name): def swift_delete_object(request, container_name, object_name):
swift_api(request).delete_object(container_name, object_name) swift_api(request).delete_object(container_name, object_name)
return True return True
@profiler.trace @profiler.trace
@safe_swift_exception
def swift_delete_folder(request, container_name, object_name): def swift_delete_folder(request, container_name, object_name):
objects, more = swift_get_objects(request, container_name, objects, more = swift_get_objects(request, container_name,
prefix=object_name) prefix=object_name)
@ -350,6 +376,7 @@ def swift_delete_folder(request, container_name, object_name):
@profiler.trace @profiler.trace
@safe_swift_exception
def swift_get_object(request, container_name, object_name, with_data=True, def swift_get_object(request, container_name, object_name, with_data=True,
resp_chunk_size=CHUNK_SIZE): resp_chunk_size=CHUNK_SIZE):
if with_data: if with_data: