authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-02-22 14:07:50 +0200
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-03-07 12:47:34 +0200
commitf62c3a74c07238d91efb17e9ac64373f08894490 (patch)
tree41dc41aa7c60b02389406cb760a110f6877e16e4
parent502e390770dfe314e0de6c78a67db196695b9662 (diff)
Disable http_proxy_to_wsgi middleware by default
Having this middleware enabled by default is very convenient for deployments, since it lets the application handle the appropriate headers correctly in order to deal with SSL, which is nice to have out of the box. Heat, for instance, has already taken this middleware as default. However, having it act on the headers by default may not be so desirable, as the application may not be behind a proxy, and thus will have nothing that parses or strips the X-Forwarded-* headers, which can lead to security problems. Thus, this patch proposes enabling this functionality through a configuration option. This will allow more projects to take this middleware into use by default, and the deployer would only need to change one configuration file, while leaving the paste configuration intact. Change-Id: I50a70d477613025d3e54e4ee773bbb1d6fcf2e68 SecurityImpact
-rw-r--r--oslo_middleware/http_proxy_to_wsgi.py16
-rw-r--r--oslo_middleware/tests/test_http_proxy_to_wsgi.py31
2 files changed, 47 insertions, 0 deletions
diff --git a/oslo_middleware/http_proxy_to_wsgi.py b/oslo_middleware/http_proxy_to_wsgi.py
index a2da6ab..ad61401 100644
--- a/oslo_middleware/http_proxy_to_wsgi.py
+++ b/oslo_middleware/http_proxy_to_wsgi.py
@@ -12,9 +12,19 @@
# implied. See the License for the specific language governing permissions and
# limitations under the License.
from debtcollector import removals
+from oslo_config import cfg
from oslo_middleware import base
+OPTS = [
+ cfg.BoolOpt('enable_proxy_headers_parsing',
+ default=False,
+ help="Wether the application is behind a proxy or not. "
+ "This determines if the middleware should parse the "
+ "headers or not.")
+]
+
+
class HTTPProxyToWSGI(base.ConfigurableMiddleware):
"""HTTP proxy to WSGI termination middleware.
@@ -23,6 +33,10 @@ class HTTPProxyToWSGI(base.ConfigurableMiddleware):
"""
+ def __init__(self, application, *args, **kwargs):
+ super(HTTPProxyToWSGI, self).__init__(application, *args, **kwargs)
+ self.oslo_conf.register_opts(OPTS, group='oslo_middleware')
+
@staticmethod
def _parse_rfc7239_header(header):
"""Parses RFC7239 Forward headers.
@@ -40,6 +54,8 @@ class HTTPProxyToWSGI(base.ConfigurableMiddleware):
return result
def process_request(self, req):
+ if not self._conf_get('enable_proxy_headers_parsing'):
+ return
fwd_hdr = req.environ.get("HTTP_FORWARDED")
if fwd_hdr:
proxies = self._parse_rfc7239_header(fwd_hdr)
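Review bot: The help text of the new `enable_proxy_headers_parsing` option in the first hunk has a typo ("Wether") and, more importantly, does not tell the deployer the consequence the commit message spells out: with parsing enabled, the Forwarded/X-Forwarded-* values are read straight from the request environ (`req.environ.get("HTTP_FORWARDED")` in the last hunk), and no check of where they came from is visible in these hunks, so a deployment without a proxy that sets or strips them would let any client influence the computed scheme and host. I would change the help string to `help="Whether the application is behind a proxy or not. " "This determines if the middleware should parse the " "headers or not. Enable only when a proxy in front of the application sets or strips the Forwarded/X-Forwarded-* headers."`. The early `return` added to `process_request` is fine as written, but the method's body continues outside the hunk, so a one-line comment such as `# Parsing is opt-in: without a stripping proxy the headers are client-controlled.` above the guard would help the next reader. `_conf_get` is inherited from outside this hunk; I assume it reads the `oslo_middleware` group the `__init__` registers the option into.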
diff --git a/oslo_middleware/tests/test_http_proxy_to_wsgi.py b/oslo_middleware/tests/test_http_proxy_to_wsgi.py
index 8db1190..26baa77 100644
--- a/oslo_middleware/tests/test_http_proxy_to_wsgi.py
+++ b/oslo_middleware/tests/test_http_proxy_to_wsgi.py
@@ -29,6 +29,10 @@ class TestHTTPProxyToWSGI(test_base.BaseTestCase):
return util.application_uri(req.environ)
self.middleware = http_proxy_to_wsgi.HTTPProxyToWSGI(fake_app)
+ self.middleware.oslo_conf.set_override('enable_proxy_headers_parsing',
+ True,
+ group='oslo_middleware',
+ enforce_type=True)
self.request = webob.Request.blank('/foo/bar', method='POST')
def test_backward_compat(self):
@@ -98,3 +102,30 @@ class TestHTTPProxyToWSGI(test_base.BaseTestCase):
self.request.headers['X-Forwarded-Prefix'] = "/bla"
response = self.request.get_response(self.middleware)
self.assertEqual(b"https://example.com:8043/bla", response.body)
+
+
+class TestHTTPProxyToWSGIDisabled(test_base.BaseTestCase):
+
+ def setUp(self):
+ super(TestHTTPProxyToWSGIDisabled, self).setUp()
+
+ @webob.dec.wsgify()
+ def fake_app(req):
+ return util.application_uri(req.environ)
+
+ self.middleware = http_proxy_to_wsgi.HTTPProxyToWSGI(fake_app)
+ self.middleware.oslo_conf.set_override('enable_proxy_headers_parsing',
+ False,
+ group='oslo_middleware',
+ enforce_type=True)
+ self.request = webob.Request.blank('/foo/bar', method='POST')
+
+ def test_no_headers(self):
+ response = self.request.get_response(self.middleware)
+ self.assertEqual(b"http://localhost:80/", response.body)
+
+ def test_url_translate_ssl_has_no_effect(self):
+ self.request.headers['X-Forwarded-Proto'] = "https"
+ self.request.headers['X-Forwarded-Host'] = "example.com:123"
+ response = self.request.get_response(self.middleware)
+ self.assertEqual(b"http://localhost:80/", response.body)
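Review bot: Neither test class exercises the option's default: `TestHTTPProxyToWSGI` overrides it to True and the new `TestHTTPProxyToWSGIDisabled` overrides it to False, so the secure default this commit introduces (`default=False`) is never pinned and a later change to the default would not fail any test. I would add a third class that builds the middleware without `set_override` and asserts the forwarded headers have no effect. The two `setUp` bodies are also near-identical apart from the override value; a shared helper or base class would keep the three variants in sync.
```python
class TestHTTPProxyToWSGIDefault(test_base.BaseTestCase):

    def setUp(self):
        super(TestHTTPProxyToWSGIDefault, self).setUp()

        # … unchanged: fake_app definition as in TestHTTPProxyToWSGIDisabled …

        # No set_override here: the middleware runs with the option's default.
        self.middleware = http_proxy_to_wsgi.HTTPProxyToWSGI(fake_app)
        self.request = webob.Request.blank('/foo/bar', method='POST')

    def test_default_ignores_forwarded_headers(self):
        self.request.headers['X-Forwarded-Proto'] = "https"
        self.request.headers['X-Forwarded-Host'] = "example.com:123"
        response = self.request.get_response(self.middleware)
        self.assertEqual(b"http://localhost:80/", response.body)
```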