From 96ca1097a502efca95546641947aba60c85bd0bb Mon Sep 17 00:00:00 2001
From: Helber Maciel Guerra <helbermg@gmail.com>
Date: Sun, 4 Sep 2016 23:43:49 -0300
Subject: [PATCH] Get remote address from client, behind proxy servers, to log
 on console.

Discovering REMOTE_IP using headers variables and displaing on console
log.

The messages will be:
"Login successful for user "%(username)s", remote address %(remote_ip)s."
and
"Login failed for user "%(username)s", remote address %(remote_ip)s."

This patch was tested behind haproxy and nginx reverse proxy.

To set variable that want to use, must inform using settings
SECURE_PROXY_ADDR_HEADER variable. Whitout this setting the remote ip
will use REMOTE_ADDR header variable.

Change-Id: I977be6cb1d029048b9862cac4b6596fc2e2b3431
Closes-Bug: #1461266
---
 openstack_auth/forms.py       | 14 +++++++++----
 openstack_auth/tests/tests.py | 38 +++++++++++++++++++++++++++++++++++
 openstack_auth/utils.py       | 22 ++++++++++++++++++++
 3 files changed, 70 insertions(+), 4 deletions(-)

diff --git a/openstack_auth/forms.py b/openstack_auth/forms.py
index 6e4bf8bd..0acb2904 100644
--- a/openstack_auth/forms.py
+++ b/openstack_auth/forms.py
@@ -124,12 +124,18 @@ class Login(django_auth_forms.AuthenticationForm):
                                            password=password,
                                            user_domain_name=domain,
                                            auth_url=region)
-            msg = 'Login successful for user "%(username)s".' % \
-                {'username': username}
+            msg = 'Login successful for user "%(username)s", remote address '\
+                '%(remote_ip)s.' % {
+                    'username': username,
+                    'remote_ip': utils.get_client_ip(self.request)
+                }
             LOG.info(msg)
         except exceptions.KeystoneAuthException as exc:
-            msg = 'Login failed for user "%(username)s".' % \
-                {'username': username}
+            msg = 'Login failed for user "%(username)s", remote address '\
+                '%(remote_ip)s.' % {
+                    'username': username,
+                    'remote_ip': utils.get_client_ip(self.request)
+                }
             LOG.warning(msg)
             raise forms.ValidationError(exc)
         if hasattr(self, 'check_for_test_cookie'):  # Dropped in django 1.7
diff --git a/openstack_auth/tests/tests.py b/openstack_auth/tests/tests.py
index 8f40da7b..7423b8d9 100644
--- a/openstack_auth/tests/tests.py
+++ b/openstack_auth/tests/tests.py
@@ -1178,3 +1178,41 @@ class UserTestCase(test.TestCase):
         self.assertTrue(created_token._is_pki_token(
                         self.data.domain_scoped_access_info.auth_token))
         self.assertFalse(created_token._is_pki_token(None))
+
+
+class BehindProxyTestCase(test.TestCase):
+
+    def setUp(self):
+        self.request = http.HttpRequest()
+
+    def test_without_proxy(self):
+        self.request.META['REMOTE_ADDR'] = '10.111.111.2'
+        from openstack_auth.utils import get_client_ip
+        self.assertEqual('10.111.111.2', get_client_ip(self.request))
+
+    def test_with_proxy_no_settings(self):
+        from openstack_auth.utils import get_client_ip
+        self.request.META['REMOTE_ADDR'] = '10.111.111.2'
+        self.request.META['HTTP_X_REAL_IP'] = '192.168.15.33'
+        self.request.META['HTTP_X_FORWARDED_FOR'] = '172.18.0.2'
+        self.assertEqual('10.111.111.2', get_client_ip(self.request))
+
+    def test_with_settings_without_proxy(self):
+        from openstack_auth.utils import get_client_ip
+        self.request.META['REMOTE_ADDR'] = '10.111.111.2'
+        self.assertEqual('10.111.111.2', get_client_ip(self.request))
+
+    @override_settings(SECURE_PROXY_ADDR_HEADER='HTTP_X_FORWARDED_FOR')
+    def test_with_settings_with_proxy_forwardfor(self):
+        from openstack_auth.utils import get_client_ip
+        self.request.META['REMOTE_ADDR'] = '10.111.111.2'
+        self.request.META['HTTP_X_FORWARDED_FOR'] = '172.18.0.2'
+        self.assertEqual('172.18.0.2', get_client_ip(self.request))
+
+    @override_settings(SECURE_PROXY_ADDR_HEADER='HTTP_X_REAL_IP')
+    def test_with_settings_with_proxy_real_ip(self):
+        from openstack_auth.utils import get_client_ip
+        self.request.META['REMOTE_ADDR'] = '10.111.111.2'
+        self.request.META['HTTP_X_REAL_IP'] = '192.168.15.33'
+        self.request.META['HTTP_X_FORWARDED_FOR'] = '172.18.0.2'
+        self.assertEqual('192.168.15.33', get_client_ip(self.request))
diff --git a/openstack_auth/utils.py b/openstack_auth/utils.py
index 44b39317..555560fc 100644
--- a/openstack_auth/utils.py
+++ b/openstack_auth/utils.py
@@ -475,3 +475,25 @@ def get_admin_permissions():
         }
     """
     return {get_role_permission(role) for role in get_admin_roles()}
+
+
+def get_client_ip(request):
+    """Return client ip address using SECURE_PROXY_ADDR_HEADER variable.
+
+    If not present or not defined on settings then REMOTE_ADDR is used.
+
+    :param request: Django http request object.
+    :type request: django.http.HttpRequest
+
+    :returns: Possible client ip address
+    :rtype: string
+    """
+    _SECURE_PROXY_ADDR_HEADER = getattr(
+        settings, 'SECURE_PROXY_ADDR_HEADER', False
+    )
+    if _SECURE_PROXY_ADDR_HEADER:
+        return request.META.get(
+            _SECURE_PROXY_ADDR_HEADER,
+            request.META.get('REMOTE_ADDR')
+        )
+    return request.META.get('REMOTE_ADDR')