oslo.middleware/oslo_middleware/ssl.py

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied. See the License for the specific language governing permissions and
# limitations under the License.
from debtcollector import removals
from oslo_config import cfg
from oslo_middleware import base


OPTS = [
    cfg.StrOpt('secure_proxy_ssl_header',
               default='X-Forwarded-Proto',
               deprecated_for_removal=True,
               help="The HTTP Header that will be used to determine what "
                    "the original request protocol scheme was, even if it was "
                    "hidden by a SSL termination proxy.")
]


class SSLMiddleware(base.ConfigurableMiddleware):
    """SSL termination proxies middleware.

    This middleware overloads wsgi.url_scheme with the one provided in
    secure_proxy_ssl_header header. This is useful when behind a SSL
    termination proxy.
    """

    def __init__(self, application, *args, **kwargs):
        removals.removed_module(__name__, "oslo_middleware.http_proxy_to_wsgi")
        super(SSLMiddleware, self).__init__(application, *args, **kwargs)
        self.oslo_conf.register_opts(OPTS, group='oslo_middleware')

    def process_request(self, req):
        self.header_name = 'HTTP_{0}'.format(
            self._conf_get('secure_proxy_ssl_header').upper()
            .replace('-', '_'))
        req.environ['wsgi.url_scheme'] = req.environ.get(
            self.header_name, req.environ['wsgi.url_scheme'])
Add middleware to support ssl termination proxies This change defines SSLMiddleware middleware which enables OpenStack services behind SSL termination proxies to return urls with original protocol scheme. SSLMiddleware is based on heat SSLMiddleware class. Change-Id: I72f8da160ced6ac80fdac743c00ea3f7ffb1f57c Closes-Bug: #1444490 2015-04-15 20:44:32 +02:00			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or`
			`# implied. See the License for the specific language governing permissions and`
			`# limitations under the License.`
ssl: deprecated in favor of http_proxy_to_wsgi Change-Id: Ic2d3dcadbaaaa2819f2c84b23778a2e407a9b127 2015-09-29 14:39:48 +02:00			`from debtcollector import removals`
Drop use of 'oslo' namespace package The Oslo libraries have moved all of their code out of the 'oslo' namespace package into per-library packages. The namespace package was retained during kilo for backwards compatibility, but will be removed by the liberty-2 milestone. This change removes the use of the namespace package, replacing it with the new package names. The patches in the libraries will be put on hold until application patches have landed, or L2, whichever comes first. At that point, new versions of the libraries without namespace packages will be released as a major version update. Please merge this patch, or an equivalent, before L2 to avoid problems with those library releases. Blueprint: remove-namespace-packages https://blueprints.launchpad.net/oslo-incubator/+spec/remove-namespace-packages Change-Id: Id86fa35bc81d9d24211d8553ac2ef9e91949ba7a 2015-06-24 15:31:29 +00:00			`from oslo_config import cfg`
Add middleware to support ssl termination proxies This change defines SSLMiddleware middleware which enables OpenStack services behind SSL termination proxies to return urls with original protocol scheme. SSLMiddleware is based on heat SSLMiddleware class. Change-Id: I72f8da160ced6ac80fdac743c00ea3f7ffb1f57c Closes-Bug: #1444490 2015-04-15 20:44:32 +02:00			`from oslo_middleware import base`


			`OPTS = [`
			`cfg.StrOpt('secure_proxy_ssl_header',`
			`default='X-Forwarded-Proto',`
ssl: deprecated in favor of http_proxy_to_wsgi Change-Id: Ic2d3dcadbaaaa2819f2c84b23778a2e407a9b127 2015-09-29 14:39:48 +02:00			`deprecated_for_removal=True,`
Add middleware to support ssl termination proxies This change defines SSLMiddleware middleware which enables OpenStack services behind SSL termination proxies to return urls with original protocol scheme. SSLMiddleware is based on heat SSLMiddleware class. Change-Id: I72f8da160ced6ac80fdac743c00ea3f7ffb1f57c Closes-Bug: #1444490 2015-04-15 20:44:32 +02:00			`help="The HTTP Header that will be used to determine what "`
			`"the original request protocol scheme was, even if it was "`
Fixed typo in SSL TrivialFix Change-Id: I71b6996c084a47f46268a9929ba1d527c178240d 2016-08-11 12:49:15 -05:00			`"hidden by a SSL termination proxy.")`
Add middleware to support ssl termination proxies This change defines SSLMiddleware middleware which enables OpenStack services behind SSL termination proxies to return urls with original protocol scheme. SSLMiddleware is based on heat SSLMiddleware class. Change-Id: I72f8da160ced6ac80fdac743c00ea3f7ffb1f57c Closes-Bug: #1444490 2015-04-15 20:44:32 +02:00			`]`


Restore backward compat of paste factory Some application inherits from our middleware class When we homogenize the signature and configuration handling of all middlewares we break them. This change fixes that. Closes-bug: #1486735 Change-Id: I40c3d59110c6f8c5a1b3d3ccc734dc441069b025 2015-08-20 07:52:59 +02:00			`class SSLMiddleware(base.ConfigurableMiddleware):`
Add middleware to support ssl termination proxies This change defines SSLMiddleware middleware which enables OpenStack services behind SSL termination proxies to return urls with original protocol scheme. SSLMiddleware is based on heat SSLMiddleware class. Change-Id: I72f8da160ced6ac80fdac743c00ea3f7ffb1f57c Closes-Bug: #1444490 2015-04-15 20:44:32 +02:00			`"""SSL termination proxies middleware.`

			`This middleware overloads wsgi.url_scheme with the one provided in`
			`secure_proxy_ssl_header header. This is useful when behind a SSL`
			`termination proxy.`
			`"""`

Restore backward compat of paste factory Some application inherits from our middleware class When we homogenize the signature and configuration handling of all middlewares we break them. This change fixes that. Closes-bug: #1486735 Change-Id: I40c3d59110c6f8c5a1b3d3ccc734dc441069b025 2015-08-20 07:52:59 +02:00			`def __init__(self, application, args, *kwargs):`
Limit ssl deprecation warning to external importers Closes-Bug: #1629671 Change-Id: I946ee89d9f078e2a766a2b0c89141d067c483cfa 2016-10-02 10:26:08 -04:00			`removals.removed_module(__name__, "oslo_middleware.http_proxy_to_wsgi")`
Restore backward compat of paste factory Some application inherits from our middleware class When we homogenize the signature and configuration handling of all middlewares we break them. This change fixes that. Closes-bug: #1486735 Change-Id: I40c3d59110c6f8c5a1b3d3ccc734dc441069b025 2015-08-20 07:52:59 +02:00			`super(SSLMiddleware, self).__init__(application, args, *kwargs)`
Remove usage of oslo.config global Currently application that doesn't use the global configuration object have to rely on hack to setup the global oslo config object for each middleware it want to use. For example, gnocchi have its own middleware loader and add crap to load keystonemiddleware: https://github.com/openstack/gnocchi/blob/master/gnocchi/rest/app.py#L140 And it can't use oslo.middleware that relies on the global conf object. Also aodh (use 'paste' for middleware) have to hack the global configuration object for each middlewares it want to use by code... https://review.openstack.org/#/c/208632/1/aodh/service.py But middleware are optional deployer stuffs, we should not write any code for them... This change allows application to use paste-deploy (or any middleware loader) without enforcing the application to use the global oslo.config object. If the middleware want to use oslo.config it should load the configuration file himself (and fallback to the global one if any) The proposed paste configuration to allow this is: [filter:cors] paste.filter_factory = oslo.middleware:cors oslo_config_project = aodh So the cors middleware can find and load the aodh config and what is it interested in. Also, some of them use oslo.config local, some other the global object. Some can be loaded by an middleware loader like paste, some other not. This change make consistent the way we bootstrap all middlewares. Closes-bug: #1482086 Change-Id: Iad197d1f3a386683d818b59718df34e14e15ca5c 2015-08-06 09:15:57 +02:00			`self.oslo_conf.register_opts(OPTS, group='oslo_middleware')`
Add middleware to support ssl termination proxies This change defines SSLMiddleware middleware which enables OpenStack services behind SSL termination proxies to return urls with original protocol scheme. SSLMiddleware is based on heat SSLMiddleware class. Change-Id: I72f8da160ced6ac80fdac743c00ea3f7ffb1f57c Closes-Bug: #1444490 2015-04-15 20:44:32 +02:00
			`def process_request(self, req):`
Remove usage of oslo.config global Currently application that doesn't use the global configuration object have to rely on hack to setup the global oslo config object for each middleware it want to use. For example, gnocchi have its own middleware loader and add crap to load keystonemiddleware: https://github.com/openstack/gnocchi/blob/master/gnocchi/rest/app.py#L140 And it can't use oslo.middleware that relies on the global conf object. Also aodh (use 'paste' for middleware) have to hack the global configuration object for each middlewares it want to use by code... https://review.openstack.org/#/c/208632/1/aodh/service.py But middleware are optional deployer stuffs, we should not write any code for them... This change allows application to use paste-deploy (or any middleware loader) without enforcing the application to use the global oslo.config object. If the middleware want to use oslo.config it should load the configuration file himself (and fallback to the global one if any) The proposed paste configuration to allow this is: [filter:cors] paste.filter_factory = oslo.middleware:cors oslo_config_project = aodh So the cors middleware can find and load the aodh config and what is it interested in. Also, some of them use oslo.config local, some other the global object. Some can be loaded by an middleware loader like paste, some other not. This change make consistent the way we bootstrap all middlewares. Closes-bug: #1482086 Change-Id: Iad197d1f3a386683d818b59718df34e14e15ca5c 2015-08-06 09:15:57 +02:00			`self.header_name = 'HTTP_{0}'.format(`
Allow to get option from paste-deploy This change allows any middleware that use oslo.config to be configured via paste-deploy, like the cors does. Related-bug: #1482086 Change-Id: Ibb3e951b45b51c9bc602c9113df18a58226d92d1 2015-08-06 10:53:48 +02:00			`self._conf_get('secure_proxy_ssl_header').upper()`
Remove usage of oslo.config global Currently application that doesn't use the global configuration object have to rely on hack to setup the global oslo config object for each middleware it want to use. For example, gnocchi have its own middleware loader and add crap to load keystonemiddleware: https://github.com/openstack/gnocchi/blob/master/gnocchi/rest/app.py#L140 And it can't use oslo.middleware that relies on the global conf object. Also aodh (use 'paste' for middleware) have to hack the global configuration object for each middlewares it want to use by code... https://review.openstack.org/#/c/208632/1/aodh/service.py But middleware are optional deployer stuffs, we should not write any code for them... This change allows application to use paste-deploy (or any middleware loader) without enforcing the application to use the global oslo.config object. If the middleware want to use oslo.config it should load the configuration file himself (and fallback to the global one if any) The proposed paste configuration to allow this is: [filter:cors] paste.filter_factory = oslo.middleware:cors oslo_config_project = aodh So the cors middleware can find and load the aodh config and what is it interested in. Also, some of them use oslo.config local, some other the global object. Some can be loaded by an middleware loader like paste, some other not. This change make consistent the way we bootstrap all middlewares. Closes-bug: #1482086 Change-Id: Iad197d1f3a386683d818b59718df34e14e15ca5c 2015-08-06 09:15:57 +02:00			`.replace('-', '_'))`
Add middleware to support ssl termination proxies This change defines SSLMiddleware middleware which enables OpenStack services behind SSL termination proxies to return urls with original protocol scheme. SSLMiddleware is based on heat SSLMiddleware class. Change-Id: I72f8da160ced6ac80fdac743c00ea3f7ffb1f57c Closes-Bug: #1444490 2015-04-15 20:44:32 +02:00			`req.environ['wsgi.url_scheme'] = req.environ.get(`
			`self.header_name, req.environ['wsgi.url_scheme'])`