Add timeout for requests

Bandit emits errors for request methods without the timeout parameter. It's better to follow the instruction to avoid hanging. Added timeout parameters and config options to set timeout. [1] https://bandit.readthedocs.io/en/1.7.5/plugins/b113_request_without_timeout.html Change-Id: I0c022c3cc57f30530ebdef6e434753ece2bdf912 (cherry picked from commit 92cdf8a0a5)
2023-03-18 00:35:47 +09:00 · 2023-03-18 00:35:47 +09:00 · 3ee9deaaba
parent 7b72bf581d
commit 3ee9deaaba
2 changed files with 17 additions and 4 deletions
--- a/keystonemiddleware/ec2_token.py
+++ b/keystonemiddleware/ec2_token.py
@ -44,6 +44,8 @@ keystone_ec2_opts = [
                    'CAs.'),
    cfg.BoolOpt('insecure', default=False,
                help='Disable SSL certificate verification.'),
+    cfg.IntOpt('timeout', default=60,
+               help='Timeout to obtain token.'),
 ]

 CONF = cfg.CONF
@ -172,9 +174,10 @@ class EC2Token(object):
        elif CONF.keystone_ec2_token.certfile:
            cert = CONF.keystone_ec2_token.certfile

-        response = requests.request('POST', CONF.keystone_ec2_token.url,
-                                    data=creds_json, headers=headers,
-                                    verify=verify, cert=cert)
+        response = requests.post(CONF.keystone_ec2_token.url,
+                                 data=creds_json, headers=headers,
+                                 verify=verify, cert=cert,
+                                 timeout=CONF.keystone_ec2_token.timeout)

        # NOTE(vish): We could save a call to keystone by
        #             having keystone return token, tenant,
--- a/keystonemiddleware/s3_token.py
+++ b/keystonemiddleware/s3_token.py
@ -33,12 +33,21 @@ This WSGI component:

 import webob

+from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_serialization import jsonutils
 from oslo_utils import strutils
 import requests
 import six

+s3_opts = [
+    cfg.IntOpt('timeout', default=60,
+               help='Timeout to obtain token.'),
+]
+
+CONF = cfg.CONF
+CONF.register_opts(s3_opts, group='s3_token')
+
 PROTOCOL_NAME = 'S3 Token Authentication'


@ -113,7 +122,8 @@ class S3Token(object):
        try:
            response = requests.post('%s/v2.0/s3tokens' % self._request_uri,
                                     headers=headers, data=creds_json,
-                                     verify=self._verify)
+                                     verify=self._verify,
+                                     timeout=CONF.s3_token.timeout)
        except requests.exceptions.RequestException as e:
            self._logger.info('HTTP connection exception: %s', e)
            resp = self._deny_request('InvalidURI')