python-heatclient

Redirected request does not take into consider this scenario: from https//:abc.com to http//:def.com

Bug #1385581 reported by Jun Xie
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python-heatclient
In Progress
Low
huangtianhua

Bug Description

when the requests is redirected from https//:Public_ip to http://127.0.0.1, in this case, the location does not start with
endpoint.lower() , then it will raise InvalidEndpoint with msg of "Prohibited endpoint redirect ..."

heatclient/common/http.py
    def strip_endpoint(self, location):
        if location is None:
            message = "Location not returned with 302"
            raise exc.InvalidEndpoint(message=message)
        elif location.lower().startswith(self.endpoint.lower()):
            return location[len(self.endpoint):]
        else:
            message = "Prohibited endpoint redirect %s" % location
            raise exc.InvalidEndpoint(message=message)

one specific example:
[root@MINE common]#heat --os-cacert ~/server.crt --ca-file ~server.crt --debug stack-show stack7

location: http://127.0.0.1:8004/v1/68a35900fbbb4b51a6141b96ce9cf489/stacks/stack7/c20a26f4-4971-4668-a723-89a1441a343a
date: Sat, 25 Oct 2014 05:42:51 GMT
content-type: text/plain; charset=UTF-8
x-openstack-request-id: req-94d6e512-7f0e-4dc2-85bd-150e9b21f2c0

302 Found

The resource was found at http://127.0.0.1:8004/v1/68a35900fbbb4b51a6141b96ce9cf489/stacks/stack7/c20a26f4-4971-4668-a723-89a1441a343a; you should be redirected automatically.

Traceback (most recent call last):
  File "/usr/bin/heat", line 10, in <module>
    sys.exit(main())
  File "/usr/lib/python2.6/site-packages/heatclient/shell.py", line 443, in main
    HeatShell().main(args)
  File "/usr/lib/python2.6/site-packages/heatclient/shell.py", line 399, in main
    args.func(client, args)
  File "/usr/lib/python2.6/site-packages/heatclient/v1/shell.py", line 309, in do_stack_show
    stack = hc.stacks.get(**fields)
  File "/usr/lib/python2.6/site-packages/heatclient/v1/stacks.py", line 145, in get
    resp, body = self.client.json_request('GET', '/stacks/%s' % stack_id)
  File "/usr/lib/python2.6/site-packages/heatclient/common/http.py", line 242, in json_request
    resp = self._http_request(url, method, **kwargs)
  File "/usr/lib/python2.6/site-packages/heatclient/common/http.py", line 205, in _http_request
    path = self.strip_endpoint(location)
  File "/usr/lib/python2.6/site-packages/heatclient/common/http.py", line 220, in strip_endpoint
    raise exc.InvalidEndpoint(message=message)
heatclient.exc.InvalidEndpoint: Prohibited endpoint redirect http://127.0.0.1:8004/v1/68a35900fbbb4b51a6141b96ce9cf489/stacks/stack7/c20a26f4-4971-4668-a723-89a1441a343a

=========
[root@MINE common]# keystone --os-cacert ~/server.crt endpoint-list |grep 8004
| dd3c51b529ae41aa8d6137779ed26e7a | RegionOne | https://10.10.0.22:8004/v1/%(tenant_id)s | https://10.10.0.22:8004/v1/%(tenant_id)s | https://10.10.0.22:8004/v1/%(tenant_id)s | 98960d0c508a458094d3c2c80760506e |

Jun Xie (junxiebj)
Changed in python-heatclient:
assignee: nobody → Jun Xie (junxiebj)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-heatclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/130925

Changed in python-heatclient:
status: New → In Progress
Revision history for this message
Ethan Lynn (ethanlynn) wrote :

When I using resource-show with --debug, It did redirect url.

DEBUG (v2) Making authentication request to http://9.123.137.77:5000/v2.0/tokens
DEBUG (retry) Converted retries value: 0 -> Retry(total=0, connect=None, read=None, redirect=0)
DEBUG (session) REQ: curl -i -X GET http://9.123.137.77:8004/v1/99967385fc0447fdbb8be28280e02bcd/stacks/test -H "Accept: application/json" -H "User-Agent: python-heatclient" -H "X-Region-Name: RegionOne" -H "X-Auth-Token: TOKEN_REDACTED" -H "Content-Type: application/json" -H "X-Auth-Url: http://9.123.137.77:5000/v2.0"
DEBUG (retry) Converted retries value: 0 -> Retry(total=0, connect=None, read=None, redirect=0)
DEBUG (session) RESP: [302] CaseInsensitiveDict({'date': 'Mon, 27 Oct 2014 08:54:29 GMT', 'content-length': '189', 'content-type': 'text/plain; charset=UTF-8', 'location': 'http://9.123.137.77:8004/v1/99967385fc0447fdbb8be28280e02bcd/stacks/test/92dd30c4-9f50-4976-80d3-98bb165977f8', 'x-openstack-request-id': 'req-47b4fcde-dba2-4c1e-96a2-0afbc2eea8fc'})
RESP BODY: 302 Found

The resource was found at http://9.123.137.77:8004/v1/99967385fc0447fdbb8be28280e02bcd/stacks/test/92dd30c4-9f50-4976-80d3-98bb165977f8; you should be redirected automatically.

Codes related in common/htttp.py
https://github.com/openstack/python-heatclient/blob/master/heatclient/common/http.py#L210-L230
        elif resp.status_code in (301, 302, 305):
            # Redirected. Reissue the request to the new location,
            # unless caller specified follow_redirects=False
            if follow_redirects:
                location = resp.headers.get('location')
                path = self.strip_endpoint(location)
                resp = self._http_request(path, method, **kwargs)
        elif resp.status_code == 300:
            raise exc.from_response(resp)

        return resp

    def strip_endpoint(self, location):
        if location is None:
            message = "Location not returned with 302"
            raise exc.InvalidEndpoint(message=message)
        elif location.lower().startswith(self.endpoint.lower()):
            return location[len(self.endpoint):]
        else:
            message = "Prohibited endpoint redirect %s" % location
            raise exc.InvalidEndpoint(message=message)

This bug only happened in endpoint changed, why do your endpoint changed?

Revision history for this message
Jun Xie (junxiebj) wrote :

the endpoint never changed. it always is https://10.10.0.22:8004/v1/%(tenant_id)s in the case .

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-heatclient (master)

Change abandoned by jun xie (<email address hidden>) on branch: master
Review: https://review.openstack.org/130925

Steve Baker (steve-stevebaker)
Changed in python-heatclient:
importance: Undecided → Low
Revision history for this message
Zhenguo Niu (niu-zglinux) wrote :

anything update here? Jun Xie, are you still working on this?

Revision history for this message
huangtianhua (huangtianhua) wrote :

I think after commit I90bc9d9fcd1058c3eca288f08dd134810f1b0000 merged, this problem is fixed:
we override the method strip_endpoint() for SessionClient:

def strip_endpoint(self, location):
        if location is None:
            message = _("Location not returned with 302")
            raise exc.InvalidEndpoint(message=message)
        if (self.endpoint_override is not None and
                location.lower().startswith(self.endpoint_override.lower())):
                return location[len(self.endpoint_override):]
        else:
            return location

Revision history for this message
huangtianhua (huangtianhua) wrote :

Sorry, seems I missed something.

huangtianhua (huangtianhua)
Changed in python-heatclient:
assignee: Jun Xie (junxiebj) → huangtianhua (huangtianhua)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-heatclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/220921

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-heatclient (master)

Change abandoned by huangtianhua (<email address hidden>) on branch: master
Review: https://review.openstack.org/220921

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.