From 156ba81c2fad2844af1ad21b24c771cf66522932 Mon Sep 17 00:00:00 2001 From: Brian Rosmaita Date: Sat, 17 Feb 2018 23:48:18 -0500 Subject: [PATCH] Fix config group not found error Two parts to this fix: * add a call to oslo.config.cfg.import_group so that the function that checks a uri against the configured white/blacklists can access them * move the location where these options are defined into the module's __init__ so that they can be imported without causing a circular import (which happens if you import them from their current location) Change-Id: I6363faba0c4cbe75e6e4d0cbf0209a62c10474ef Closes-bug: #1750205
---
.../async/flows/_internal_plugins/__init__.py | 182 ++++++++++++++++++ .../flows/_internal_plugins/web_download.py | 181 ----------------- glance/common/utils.py | 4 +- glance/opts.py | 4 +- 4 files changed, 187 insertions(+), 184 deletions(-)
diff --git a/glance/async/flows/_internal_plugins/__init__.py b/glance/async/flows/_internal_plugins/__init__.py
index 4e363340c2..f584304262 100644
--- a/glance/async/flows/_internal_plugins/__init__.py
+++ b/glance/async/flows/_internal_plugins/__init__.py
@@ -16,9 +16,191 @@ from oslo_config import cfg from stevedore import named +from glance.i18n import _ + CONF = cfg.CONF +import_filtering_opts = [ + + cfg.ListOpt('allowed_schemes', + item_type=cfg.types.String(quotes=True), + bounds=True, + default=['http', 'https'], + help=_(""" +Specify the allowed url schemes for web-download. + +This option provides whitelisting for uri schemes that web-download import +method will be using. Whitelisting is always priority and ignores any +blacklisting of the schemes but obeys host and port filtering. + +For example: If scheme blacklisting contains 'http' and whitelist contains +['http', 'https'] the whitelist is obeyed on http://example.com but any +other scheme like ftp://example.com is blocked even it's not blacklisted. + +Possible values: + * List containing normalized url schemes as they are returned from + urllib.parse. For example ['ftp','https'] + +Related options: + * disallowed_schemes + * allowed_hosts + * disallowed_hosts + * allowed_ports + * disallowed_ports + +""")), + cfg.ListOpt('disallowed_schemes', + item_type=cfg.types.String(quotes=True), + bounds=True, + default=[], + help=_(""" +Specify the blacklisted url schemes for web-download. + +This option provides blacklisting for uri schemes that web-download import +method will be using. Whitelisting is always priority and ignores any +blacklisting of the schemes but obeys host and port filtering. Blacklisting +can be used to prevent specific scheme to be used when whitelisting is not +in use. + +For example: If scheme blacklisting contains 'http' and whitelist contains +['http', 'https'] the whitelist is obeyed on http://example.com but any +other scheme like ftp://example.com is blocked even it's not blacklisted. + +Possible values: + * List containing normalized url schemes as they are returned from + urllib.parse. 
For example ['ftp','https'] + * By default the list is empty + +Related options: + * allowed_schemes + * allowed_hosts + * disallowed_hosts + * allowed_ports + * disallowed_ports + +""")), + cfg.ListOpt('allowed_hosts', + item_type=cfg.types.HostAddress(), + bounds=True, + default=[], + help=_(""" +Specify the allowed target hosts for web-download. + +This option provides whitelisting for hosts that web-download import +method will be using. Whitelisting is always priority and ignores any +blacklisting of the hosts but obeys scheme and port filtering. + +For example: If scheme blacklisting contains 'http' and whitelist contains +['http', 'https'] the whitelist is obeyed on http://example.com but any +other scheme like ftp://example.com is blocked even it's not blacklisted. +Same way the whitelisted example.com is only obeyed on the allowed schemes +and or ports. Whitelisting of the host does not allow all schemes and ports +accessed. + +Possible values: + * List containing normalized hostname or ip like it would be returned + in the urllib.parse netloc without the port + * By default the list is empty + +Related options: + * allowed_schemes + * disallowed_schemes + * disallowed_hosts + * allowed_ports + * disallowed_ports + +""")), + cfg.ListOpt('disallowed_hosts', + item_type=cfg.types.HostAddress(), + bounds=True, + default=[], + help=_(""" +Specify the blacklisted hosts for web-download. + +This option provides blacklisting for hosts that web-download import +method will be using. Whitelisting is always priority and ignores any +blacklisting but obeys scheme and port filtering. + +For example: If scheme blacklisting contains 'http' and whitelist contains +['http', 'https'] the whitelist is obeyed on http://example.com but any +other scheme like ftp://example.com is blocked even it's not blacklisted. +The blacklisted example.com is obeyed on any url pointing to that host +regardless of what their scheme or port is. 
+ +Possible values: + * List containing normalized hostname or ip like it would be returned + in the urllib.parse netloc without the port + * By default the list is empty + +Related options: + * allowed_schemes + * disallowed_schemes + * allowed_hosts + * allowed_ports + * disallowed_ports + +""")), + cfg.ListOpt('allowed_ports', + item_type=cfg.types.Integer(min=1, max=65535), + bounds=True, + default=[80, 443], + help=_(""" +Specify the allowed ports for web-download. + +This option provides whitelisting for uri ports that web-download import +method will be using. Whitelisting is always priority and ignores any +blacklisting of the ports but obeys host and scheme filtering. + +For example: If scheme blacklisting contains '80' and whitelist contains +['80', '443'] the whitelist is obeyed on http://example.com:80 but any +other port like ftp://example.com:21 is blocked even it's not blacklisted. + +Possible values: + * List containing ports as they are returned from urllib.parse netloc + field. For example ['80','443'] + +Related options: + * allowed_schemes + * disallowed_schemes + * allowed_hosts + * disallowed_hosts + * disallowed_ports +""")), + cfg.ListOpt('disallowed_ports', + item_type=cfg.types.Integer(min=1, max=65535), + bounds=True, + default=[], + help=_(""" +Specify the disallowed ports for web-download. + +This option provides blacklisting for uri ports that web-download import +method will be using. Whitelisting is always priority and ignores any +blacklisting of the ports but obeys host and scheme filtering. + +For example: If scheme blacklisting contains '80' and whitelist contains +['80', '443'] the whitelist is obeyed on http://example.com:80 but any +other port like ftp://example.com:21 is blocked even it's not blacklisted. +If no whitelisting is defined any scheme and host combination is disallowed +for the blacklisted port. + +Possible values: + * List containing ports as they are returned from urllib.parse netloc + field. 
For example ['80','443'] + * By default this list is empty. + +Related options: + * allowed_schemes + * disallowed_schemes + * allowed_hosts + * disallowed_hosts + * allowed_ports + +""")), +] + +CONF.register_opts(import_filtering_opts, group='import_filtering_opts') + def get_import_plugin(**kwargs): method_list = CONF.enabled_import_methods diff --git a/glance/async/flows/_internal_plugins/web_download.py b/glance/async/flows/_internal_plugins/web_download.py index 5f5a982a53..04cb33e463 100644 --- a/glance/async/flows/_internal_plugins/web_download.py +++ b/glance/async/flows/_internal_plugins/web_download.py 
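Review bot: `allowed_hosts` and `disallowed_hosts` both come in with `default=[]`, and neither help string says what that default means for an operator. If an empty allow list means whitelisting is "not in use", as the `disallowed_schemes` help implies, a default deployment accepts a web-download URI for any host on ports 80 and 443, which can include internal or link-local addresses reachable from the Glance node. I would add to both host help strings a line such as `By default no host filtering is applied; restrict hosts if web-download must not reach internal services.` Since the block is being moved anyway, the port help could also be corrected: `If scheme blacklisting contains '80'` describes ports, and the `['80','443']` examples are strings while the item type is `cfg.types.Integer(min=1, max=65535)`.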
@@ -29,187 +29,6 @@ LOG = logging.getLogger(__name__) CONF = cfg.CONF -import_filtering_opts = [ - - cfg.ListOpt('allowed_schemes', - item_type=cfg.types.String(quotes=True), - bounds=True, - default=['http', 'https'], - help=_(""" -Specify the allowed url schemes for web-download. - -This option provides whitelisting for uri schemes that web-download import -method will be using. Whitelisting is always priority and ignores any -blacklisting of the schemes but obeys host and port filtering. - -For example: If scheme blacklisting contains 'http' and whitelist contains -['http', 'https'] the whitelist is obeyed on http://example.com but any -other scheme like ftp://example.com is blocked even it's not blacklisted. - -Possible values: - * List containing normalized url schemes as they are returned from - urllib.parse. For example ['ftp','https'] - -Related options: - * disallowed_schemes - * allowed_hosts - * disallowed_hosts - * allowed_ports - * disallowed_ports - -""")), - cfg.ListOpt('disallowed_schemes', - item_type=cfg.types.String(quotes=True), - bounds=True, - default=[], - help=_(""" -Specify the blacklisted url schemes for web-download. - -This option provides blacklisting for uri schemes that web-download import -method will be using. Whitelisting is always priority and ignores any -blacklisting of the schemes but obeys host and port filtering. Blacklisting -can be used to prevent specific scheme to be used when whitelisting is not -in use. - -For example: If scheme blacklisting contains 'http' and whitelist contains -['http', 'https'] the whitelist is obeyed on http://example.com but any -other scheme like ftp://example.com is blocked even it's not blacklisted. - -Possible values: - * List containing normalized url schemes as they are returned from - urllib.parse. 
For example ['ftp','https'] - * By default the list is empty - -Related options: - * allowed_schemes - * allowed_hosts - * disallowed_hosts - * allowed_ports - * disallowed_ports - -""")), - cfg.ListOpt('allowed_hosts', - item_type=cfg.types.HostAddress(), - bounds=True, - default=[], - help=_(""" -Specify the allowed target hosts for web-download. - -This option provides whitelisting for hosts that web-download import -method will be using. Whitelisting is always priority and ignores any -blacklisting of the hosts but obeys scheme and port filtering. - -For example: If scheme blacklisting contains 'http' and whitelist contains -['http', 'https'] the whitelist is obeyed on http://example.com but any -other scheme like ftp://example.com is blocked even it's not blacklisted. -Same way the whitelisted example.com is only obeyed on the allowed schemes -and or ports. Whitelisting of the host does not allow all schemes and ports -accessed. - -Possible values: - * List containing normalized hostname or ip like it would be returned - in the urllib.parse netloc without the port - * By default the list is empty - -Related options: - * allowed_schemes - * disallowed_schemes - * disallowed_hosts - * allowed_ports - * disallowed_ports - -""")), - cfg.ListOpt('disallowed_hosts', - item_type=cfg.types.HostAddress(), - bounds=True, - default=[], - help=_(""" -Specify the blacklisted hosts for web-download. - -This option provides blacklisting for hosts that web-download import -method will be using. Whitelisting is always priority and ignores any -blacklisting but obeys scheme and port filtering. - -For example: If scheme blacklisting contains 'http' and whitelist contains -['http', 'https'] the whitelist is obeyed on http://example.com but any -other scheme like ftp://example.com is blocked even it's not blacklisted. -The blacklisted example.com is obeyed on any url pointing to that host -regardless of what their scheme or port is. 
- -Possible values: - * List containing normalized hostname or ip like it would be returned - in the urllib.parse netloc without the port - * By default the list is empty - -Related options: - * allowed_schemes - * disallowed_schemes - * allowed_hosts - * allowed_ports - * disallowed_ports - -""")), - cfg.ListOpt('allowed_ports', - item_type=cfg.types.Integer(min=1, max=65535), - bounds=True, - default=[80, 443], - help=_(""" -Specify the allowed ports for web-download. - -This option provides whitelisting for uri ports that web-download import -method will be using. Whitelisting is always priority and ignores any -blacklisting of the ports but obeys host and scheme filtering. - -For example: If scheme blacklisting contains '80' and whitelist contains -['80', '443'] the whitelist is obeyed on http://example.com:80 but any -other port like ftp://example.com:21 is blocked even it's not blacklisted. - -Possible values: - * List containing ports as they are returned from urllib.parse netloc - field. For example ['80','443'] - -Related options: - * allowed_schemes - * disallowed_schemes - * allowed_hosts - * disallowed_hosts - * disallowed_ports -""")), - cfg.ListOpt('disallowed_ports', - item_type=cfg.types.Integer(min=1, max=65535), - bounds=True, - default=[], - help=_(""" -Specify the disallowed ports for web-download. - -This option provides blacklisting for uri ports that web-download import -method will be using. Whitelisting is always priority and ignores any -blacklisting of the ports but obeys host and scheme filtering. - -For example: If scheme blacklisting contains '80' and whitelist contains -['80', '443'] the whitelist is obeyed on http://example.com:80 but any -other port like ftp://example.com:21 is blocked even it's not blacklisted. -If no whitelisting is defined any scheme and host combination is disallowed -for the blacklisted port. - -Possible values: - * List containing ports as they are returned from urllib.parse netloc - field. 
For example ['80','443'] - * By default this list is empty. - -Related options: - * allowed_schemes - * disallowed_schemes - * allowed_hosts - * disallowed_hosts - * allowed_ports - -""")), -] - -CONF.register_opts(import_filtering_opts, group='import_filtering_opts') - - class _WebDownload(task.Task): default_provides = 'file_uri' diff --git a/glance/common/utils.py b/glance/common/utils.py index b61ead55ed..876afa44f1 100644 --- a/glance/common/utils.py +++ b/glance/common/utils.py @@ -127,13 +127,15 @@ def cooperative_read(fd): MAX_COOP_READER_BUFFER_SIZE = 134217728 # 128M seems like a sane buffer limit +CONF.import_group('import_filtering_opts', + 'glance.async.flows._internal_plugins') + def validate_import_uri(uri): """Validate requested uri for Image Import web-download. :param uri: target uri to be validated """ - if not uri: return False diff --git a/glance/opts.py b/glance/opts.py index c2b6f269dc..93caf40f6d 100644 --- a/glance/opts.py +++ b/glance/opts.py @@ -28,7 +28,7 @@ from osprofiler import opts as profiler import glance.api.middleware.context import glance.api.versions -import glance.async.flows._internal_plugins.web_download +import glance.async.flows._internal_plugins import glance.async.flows.api_image_import import glance.async.flows.convert from glance.async.flows.plugins import plugin_opts @@ -111,7 +111,7 @@ _manage_opts = [ _image_import_opts = [ ('image_import_opts', glance.async.flows.api_image_import.api_import_opts), ('import_filtering_opts', - glance.async.flows._internal_plugins.web_download.import_filtering_opts), + glance.async.flows._internal_plugins.import_filtering_opts), ]
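Review bot: In glance/common/utils.py the new `CONF.import_group('import_filtering_opts', ...)` call sits at module scope with no comment, so nothing tells a later reader that `validate_import_uri` depends on it or that the named package must never import `glance.common.utils` back. I would put above it `# validate_import_uri needs the import_filtering_opts group; it is registered in the _internal_plugins package __init__ to avoid a circular import`. The diffstat lists no test file, so a unit test that calls `validate_import_uri` with only `glance.common.utils` imported would keep this URI filter from losing its configuration again unnoticed. The body of `validate_import_uri` continues outside the hunk, so how it behaves when the group is missing cannot be judged from here.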