Merge "Updated murano-apste.ini with http_proxy_to_wsgi"

2017-05-26 11:41:08 +00:00 · 2017-05-26 11:41:08 +00:00 · 1fd33aa37a
parent 176637fe4b 02ec8d03ed
commit 1fd33aa37a
5 changed files with 23 additions and 107 deletions
--- a/etc/murano/murano-paste.ini
+++ b/etc/murano/murano-paste.ini
@ -1,5 +1,5 @@
 [pipeline:murano]
-pipeline = cors request_id ssl versionnegotiation faultwrap authtoken context rootapp
+pipeline = cors http_proxy_to_wsgi request_id versionnegotiation faultwrap authtoken context rootapp

 [filter:context]
 paste.filter_factory = murano.api.middleware.context:ContextMiddleware.factory
@ -30,12 +30,13 @@ paste.filter_factory = murano.api.middleware.fault:FaultWrapper.factory
 [filter:request_id]
 paste.filter_factory = oslo_middleware.request_id:RequestId.factory

-[filter:ssl]
-paste.filter_factory = murano.api.middleware.ssl:SSLMiddleware.factory
-
 [filter:ext_context]
 paste.filter_factory = murano.api.middleware.ext_context:ExternalContextMiddleware.factory

 [filter:cors]
 paste.filter_factory = oslo_middleware.cors:filter_factory
 oslo_config_project = murano
+
+[filter:http_proxy_to_wsgi]
+paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
+oslo_config_project = murano
--- a/murano/api/middleware/ssl.py
+++ b/murano/api/middleware/ssl.py
@ -1,55 +0,0 @@
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-from oslo_config import cfg
-from oslo_log import log as logging
-
-from murano.common import wsgi
-
-ssl_middleware_opts = [
-    cfg.StrOpt('secure_proxy_ssl_header',
-               default='X-Forwarded-Proto',
-               help="The HTTP Header that will be used to determine which "
-                    "the original request protocol scheme was, even if it was "
-                    "removed by an SSL terminator proxy.")
-]
-cfg.CONF.register_opts(ssl_middleware_opts)
-LOG = logging.getLogger(__name__)
-
-
-class SSLMiddleware(wsgi.Middleware):
-    """Replaces the request wsgi.url_scheme environment
-
-    A middleware that replaces the request wsgi.url_scheme environment
-    variable with the value of HTTP header configured in
-    secure_proxy_ssl_header if exists in the incoming request.
-    This is useful if the server is behind a SSL termination proxy.
-    """
-
-    @classmethod
-    def factory(cls, global_conf, **local_conf):
-        def filter(app):
-            return cls(app)
-        return filter
-
-    def __init__(self, application):
-        super(SSLMiddleware, self).__init__(application)
-        self.secure_proxy_ssl_header = 'HTTP_{0}'.format(
-            cfg.CONF.secure_proxy_ssl_header.upper().replace('-', '_'))
-
-    def process_request(self, req):
-        url_scheme = req.environ['wsgi.url_scheme']
-        req.environ['wsgi.url_scheme'] = req.environ.get(
-            self.secure_proxy_ssl_header, req.environ['wsgi.url_scheme'])
-        if url_scheme != req.environ['wsgi.url_scheme']:
-            LOG.debug('Changed url_scheme from {0} to {1}'.format(
-                url_scheme, req.environ['wsgi.url_scheme']))
--- a/murano/opts.py
+++ b/murano/opts.py
@ -22,7 +22,6 @@ import itertools

 import oslo_service.sslutils

-import murano.api.middleware.ssl
 import murano.common.cf_config
 import murano.common.config
 import murano.common.wsgi
@ -50,7 +49,6 @@ _opt_lists = [
        murano.common.config.bind_opts,
        murano.common.config.file_server,
        murano.common.wsgi.wsgi_opts,
-        murano.api.middleware.ssl.ssl_middleware_opts
    ])),
 ]

--- a/murano/tests/unit/api/middleware/test_ssl.py
+++ b/murano/tests/unit/api/middleware/test_ssl.py
@ -1,46 +0,0 @@
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-import webob
-
-from murano.api.middleware import ssl
-
-from murano.tests.unit import base
-
-
-class SSLMiddlewareTest(base.MuranoTestCase):
-
-    def test_ssl_middleware_default_forwarded_proto(self):
-        middleware = ssl.SSLMiddleware(None)
-        request = webob.Request.blank('/environments',
-                                      headers={'X-Forwarded-Proto': 'https'})
-        middleware.process_request(request)
-        self.assertEqual('https',
-                         request.environ['wsgi.url_scheme'])
-
-    def test_ssl_middleware_custon_forwarded_proto(self):
-        self.override_config('secure_proxy_ssl_header',
-                             'X-My-Forwarded-Proto')
-        middleware = ssl.SSLMiddleware(None)
-        request = webob.Request.blank('/environments',
-                                      headers={
-                                          'X-My-Forwarded-Proto': 'https'})
-        middleware.process_request(request)
-        self.assertEqual('https',
-                         request.environ['wsgi.url_scheme'])
-
-    def test_ssl_middleware_plain_request(self):
-        middleware = ssl.SSLMiddleware(None)
-        request = webob.Request.blank('/environments', headers={})
-        middleware.process_request(request)
-        self.assertEqual('http',
-                         request.environ['wsgi.url_scheme'])
--- a/releasenotes/notes/use_http_proxy_to_wsgi-9b22d3e60c045689.yaml
+++ b/releasenotes/notes/use_http_proxy_to_wsgi-9b22d3e60c045689.yaml
@ -0,0 +1,18 @@
+---
+
+features:
+    - |
+      Murano switched to using standard oslo middleware HTTPProxyToWSGI instead
+      of custom implementation. This middleware parses the X-Forwarded-Proto
+      HTTP header or the Proxy protocol in order to help murano respond with
+      the correct URL refs when it's put behind a TLS proxy (such as HAProxy).
+      This middleware is disabled by default, but can be enabled via a
+      configuration option in the oslo_middleware group.
+upgrade:
+    - |
+      File ``murano-paste.ini has been updated to use oslo HTTPProxyToWSGI middleware.
+      Config option ``secure_proxy_ssl_header`` has been removed. Please refer to
+      oslo_middleware configuration options if you wish deploy murano behind TLS proxy.
+      Most notably you would need to set ``enable_proxy_headers_parsing`` under group
+      ``oslo_middleware`` to True, to enable header parsing.
+