From 81caf3eb710358f5df598b84851ddbc8dd32d8e6 Mon Sep 17 00:00:00 2001 From: Morgan Fainberg Date: Wed, 6 Jun 2018 09:10:39 -0700 Subject: [PATCH] Add in ability to load DEBUG middleware This change adds a new config group ``[wsgi]`` with the ability to load in the oslo.middleware Debug middleware. The DEBUG middleware is placed as the first middleware in the chain printing out raw request/response data closest to the edge of the applciation. The new option is ``debug_middleware`` and is boolean. It defaults to "False". This option should never be set in production as it can and will leak sensitive information via the printed data. Change-Id: I013e38f3578e6ea8e5bad3123fe47bf93b840b43 --- keystone/conf/__init__.py | 2 ++ keystone/conf/wsgi.py | 45 +++++++++++++++++++++++++++++++++++ keystone/server/flask/core.py | 14 ++++++++++- 3 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 keystone/conf/wsgi.py diff --git a/keystone/conf/__init__.py b/keystone/conf/__init__.py index 1288a5f409..fb5a6d84cc 100644 --- a/keystone/conf/__init__.py +++ b/keystone/conf/__init__.py @@ -49,6 +49,7 @@ from keystone.conf import token from keystone.conf import tokenless_auth from keystone.conf import trust from keystone.conf import unified_limit +from keystone.conf import wsgi CONF = cfg.CONF @@ -84,6 +85,7 @@ conf_modules = [ tokenless_auth, trust, unified_limit, + wsgi ] diff --git a/keystone/conf/wsgi.py b/keystone/conf/wsgi.py new file mode 100644 index 0000000000..ac9c67e8f0 --- /dev/null +++ b/keystone/conf/wsgi.py 
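Review bot: The new `wsgi` entry in `conf_modules` (second hunk of `keystone/conf/__init__.py`) is the only element visible in the hunk without a trailing comma. Writing it as `wsgi,` keeps the list consistent and makes the next addition a one-line diff. The list starts outside the hunk, so the earlier entries are not visible here.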
@@ -0,0 +1,45 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+debug_middlware = cfg.BoolOpt(
+ 'debug_middleware',
+ default=False,
+ help=utils.fmt("""
+If set to true, this enables the oslo debug middleware in Keystone. This
+Middleware prints a lot of information about the request and the response. It
+is useful for getting information about the data on the wire (decoded) and
+passed to the WSGI application pipeline.
+
+This middleware is inserted as the first element in the middleware chain
+and will show the data closest to the wire.
+
+WARNING: NOT INTENDED FOR USE IN PRODUCTION. THIS MIDDLEWARE CAN AND WILL EMIT
+SENSITIVE/PRIVILEGED DATA.
+"""))
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+ debug_middlware,
+]
+
+
+def register_opts(conf):
+ conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+ return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/server/flask/core.py b/keystone/server/flask/core.py
index 64b48763bb..6b9f925ed5 100644
--- a/keystone/server/flask/core.py
+++ b/keystone/server/flask/core.py
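Review bot: The option object in `keystone/conf/wsgi.py` is named `debug_middlware` (missing an `e`) both at its definition and in `ALL_OPTS`. The registered option name `'debug_middleware'` is spelled correctly, so behaviour is unaffected, but the variable should read `debug_middleware = cfg.BoolOpt(` with the `ALL_OPTS` entry updated to match. The help text warns that sensitive data is emitted without saying where it ends up; going by the commit message the data is printed rather than sent through the service logger (worth confirming), and one sentence saying so would tell operators which output to protect or scrub after a debugging session. `register_opts` and `list_opts` would each benefit from a one-line docstring.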
@@ -90,7 +90,19 @@ def setup_app_middleware(application): # explicitly; reverse order to ensure the first element in _APP_MIDDLEWARE # processes the request first. - for mw in reversed(_APP_MIDDLEWARE): + MW = _APP_MIDDLEWARE + + # Add in optional (config-based) middleware + # NOTE(morgan): Each of these may need to be in a specific location + # within the pipeline therefore cannot be magically appended/prepended + if CONF.wsgi.debug_middleware: + # Add in the Debug Middleware + MW = (_Middleware(namespace='keystone.server_middleware', + ep='debug', + conf={}),) + _APP_MIDDLEWARE + + # Apply the middleware to the application. + for mw in reversed(MW): # TODO(morgan): Explore moving this to ExtensionManager, but we # want to be super careful about what middleware we load and in # what order. DriverManager gives us that capability and only loads
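Review bot: Nothing in the `if CONF.wsgi.debug_middleware:` branch records that the debug middleware was loaded, so a deployment that leaves the option on keeps printing raw request and response data with no trace of that in the service log. Requests to an identity service typically carry passwords and tokens, so I would log at warning level when the branch is taken, e.g. `LOG.warning('[wsgi] debug_middleware is enabled; raw request/response data will be printed. Do not use in production.')`, assuming this module has a logger (none is visible in the hunk). As a style point, `MW` is a local variable and would read better in lowercase, e.g. `middleware = _APP_MIDDLEWARE`, with the loop changed to `for mw in reversed(middleware):`. `setup_app_middleware` starts and ends outside the hunk.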