
Adds a whitelist for endpoint catalog substitution

Change-Id: If02327d70d0143d805969fe927898f08eb84c4c2
Closes-Bug: #1354208
tags/2014.1.3
David Stanek 5 years ago
parent
commit
878f12e160
4 changed files with 47 additions and 4 deletions
  1. +4
    -0
      keystone/catalog/core.py
  2. +11
    -1
      keystone/common/config.py
  3. +12
    -0
      keystone/common/utils.py
  4. +20
    -3
      keystone/tests/unit/catalog/test_core.py

+ 4
- 0
keystone/catalog/core.py View File

@@ -22,6 +22,7 @@ import six
from keystone.common import dependency
from keystone.common import driver_hints
from keystone.common import manager
from keystone.common import utils
from keystone import config
from keystone import exception
from keystone.openstack.common.gettextutils import _
@@ -34,6 +35,9 @@ LOG = log.getLogger(__name__)

def format_url(url, data):
"""Safely string formats a user-defined URL with the given data."""
data = utils.WhiteListedFormatter(
CONF.catalog.endpoint_substitution_whitelist,
data)
try:
result = url.replace('$(', '%(') % data
except AttributeError:
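Review bot: The docstring of `format_url` is unchanged and does not say that substitution is now limited to the names in `CONF.catalog.endpoint_substitution_whitelist`. I would add a sentence such as `Only keys listed in [catalog] endpoint_substitution_whitelist are substituted; a template that references any other key is treated as malformed.` As a point of style, the added assignment rebinds the `data` parameter to the wrapper, so the caller's mapping is no longer reachable in the rest of the function; a separate local such as `substitutions = utils.WhiteListedFormatter(...)` reads more clearly. The `try`/`except` chain continues outside the hunk, so how the wrapper's `KeyError` is reported cannot be checked from here.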

+ 11
- 1
keystone/common/config.py View File

@@ -640,7 +640,17 @@ FILE_OPTIONS = {
help='Keystone catalog backend driver.'),
cfg.IntOpt('list_limit', default=None,
help='Maximum number of entities that will be returned '
'in a catalog collection.')],
'in a catalog collection.'),
cfg.ListOpt('endpoint_substitution_whitelist',
default=['tenant_id', 'user_id', 'public_bind_host',
'admin_bind_host', 'compute_host', 'compute_port',
'admin_port', 'public_port', 'public_endpoint',
'admin_endpoint'],
help='List of possible substitutions for use in '
'formatting endpoints. Use caution when modifying '
'this list. It will give users with permission to '
'create endpoints the ability to see those values '
'in your configuration file.')],
'kvs': [
cfg.ListOpt('backends', default=[],
help='Extra dogpile.cache backend modules to register '
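Review bot: The help text for `endpoint_substitution_whitelist` warns about exposure but does not tell operators what happens to an endpoint template that uses a name outside the list. Judging by the new test in test_core.py, `format_url` raises `MalformedEndpoint` for such a template, so deployments with custom substitution keys would need to extend the list when they upgrade. I would add a sentence like `Endpoint URLs that reference a name not in this list are rejected as malformed.` and replace the vague `It will give users ...` with `Any configuration value named here can be read by users who are allowed to create endpoints.` The `FILE_OPTIONS` dict starts and ends outside the hunk.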

+ 12
- 0
keystone/common/utils.py View File

@@ -525,3 +525,15 @@ def make_dirs(path, mode=None, user=None, group=None, log=None):
raise EnvironmentError("makedirs('%s'): %s" % (path, exc.strerror))

set_permissions(path, mode, user, group, log)


class WhiteListedFormatter(object):

def __init__(self, whitelist, data):
self._whitelist = set(whitelist or [])
self._data = data

def __getitem__(self, name):
if name not in self._whitelist:
raise KeyError
return self._data[name]
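Review bot: `__getitem__` raises a bare `KeyError`, so whatever handler catches it (the `except` clauses of `format_url` are not visible here) has no key name to log. `raise KeyError(name)` keeps the rejected key in the exception, matching what a plain dict lookup raises. The class also has no docstring: it should say that it wraps a mapping for `%`-style formatting and exposes only whitelisted keys, and that it is not a safeguard for `str.format`, which resolves attribute and index lookups on a value after the key has been fetched. `set(whitelist or [])` means a `None` or empty whitelist rejects every key, which is worth stating in the same docstring.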

+ 20
- 3
keystone/tests/unit/catalog/test_core.py View File

@@ -10,13 +10,21 @@
# License for the specific language governing permissions and limitations
# under the License.

import testtools

from keystone.catalog import core
from keystone import config
from keystone import exception
from keystone import tests


CONF = config.CONF


class FormatUrlTests(tests.TestCase):

class FormatUrlTests(testtools.TestCase):
def setUp(self):
super(FormatUrlTests, self).setUp()
whitelist = ['host', 'port', 'part1', 'part2']
CONF.catalog.endpoint_substitution_whitelist = whitelist

def test_successful_formatting(self):
url_template = 'http://%(host)s:%(port)d/%(part1)s/%(part2)s'
@@ -53,3 +61,12 @@ class FormatUrlTests(testtools.TestCase):

_test(None)
_test(object())

def test_substitution_with_key_not_whitelisted(self):
url_template = 'http://%(host)s:%(port)d/%(part1)s/%(part2)s/%(part3)s'
values = {'host': 'server', 'port': 9090,
'part1': 'A', 'part2': 'B', 'part3': 'C'}
self.assertRaises(exception.MalformedEndpoint,
core.format_url,
url_template,
values)
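Review bot: `setUp` writes the whitelist straight onto `CONF.catalog` and nothing in the hunk restores it, so unless the base class resets CONF (not visible here) the four-name list can leak into tests that run later in the same process. An override that is cleaned up keeps the change local: `CONF.set_override('endpoint_substitution_whitelist', whitelist, group='catalog')` followed by `self.addCleanup(CONF.clear_override, 'endpoint_substitution_whitelist', group='catalog')`. The new test covers a key that is present in `values` but not whitelisted. A companion case for a whitelisted key that is missing from `values` would pin the other path through `WhiteListedFormatter.__getitem__`.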
