From 92cdf8a0a5df0a7862eaa950060794a43b8ad4ec Mon Sep 17 00:00:00 2001
From: Hiromu Asahina <hiromu.asahina.az@hco.ntt.co.jp>
Date: Sat, 18 Mar 2023 00:35:47 +0900
Subject: Add timeout for requests

Bandit emits errors for request methods without the timeout parameter.
It's better to follow the instruction to avoid hanging.

Added timeout parameters and config options to set timeout.

[1] https://bandit.readthedocs.io/en/1.7.5/plugins/b113_request_without_timeout.html

Change-Id: I0c022c3cc57f30530ebdef6e434753ece2bdf912
---
 keystonemiddleware/ec2_token.py |  9 ++++++---
 keystonemiddleware/s3_token.py  | 12 +++++++++++-
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/keystonemiddleware/ec2_token.py b/keystonemiddleware/ec2_token.py
index faa5968..3e00646 100644
--- a/keystonemiddleware/ec2_token.py
+++ b/keystonemiddleware/ec2_token.py
@@ -44,6 +44,8 @@ keystone_ec2_opts = [
                     'CAs.'),
     cfg.BoolOpt('insecure', default=False,
                 help='Disable SSL certificate verification.'),
+    cfg.IntOpt('timeout', default=60,
+               help='Timeout to obtain token.'),
 ]
 
 CONF = cfg.CONF
@@ -172,9 +174,10 @@ class EC2Token(object):
         elif CONF.keystone_ec2_token.certfile:
             cert = CONF.keystone_ec2_token.certfile
 
-        response = requests.request('POST', CONF.keystone_ec2_token.url,
-                                    data=creds_json, headers=headers,
-                                    verify=verify, cert=cert)
+        response = requests.post(CONF.keystone_ec2_token.url,
+                                 data=creds_json, headers=headers,
+                                 verify=verify, cert=cert,
+                                 timeout=CONF.keystone_ec2_token.timeout)
 
         # NOTE(vish): We could save a call to keystone by
         #             having keystone return token, tenant,
diff --git a/keystonemiddleware/s3_token.py b/keystonemiddleware/s3_token.py
index d8d8e78..ad27aff 100644
--- a/keystonemiddleware/s3_token.py
+++ b/keystonemiddleware/s3_token.py
@@ -33,12 +33,21 @@ This WSGI component:
 
 import webob
 
+from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_serialization import jsonutils
 from oslo_utils import strutils
 import requests
 import six
 
+s3_opts = [
+    cfg.IntOpt('timeout', default=60,
+               help='Timeout to obtain token.'),
+]
+
+CONF = cfg.CONF
+CONF.register_opts(s3_opts, group='s3_token')
+
 PROTOCOL_NAME = 'S3 Token Authentication'
 
 
@@ -113,7 +122,8 @@ class S3Token(object):
         try:
             response = requests.post('%s/v2.0/s3tokens' % self._request_uri,
                                      headers=headers, data=creds_json,
-                                     verify=self._verify)
+                                     verify=self._verify,
+                                     timeout=CONF.s3_token.timeout)
         except requests.exceptions.RequestException as e:
             self._logger.info('HTTP connection exception: %s', e)
             resp = self._deny_request('InvalidURI')
-- 
cgit v1.2.1