From 8eb82c0f6438ca55a0a47ca00b14f820f90fade2 Mon Sep 17 00:00:00 2001
From: Aaron Schulz
Date: Wed, 29 Mar 2017 13:10:17 -0700
Subject: [PATCH] Handle proxy-based TLS when placed in front of Swift

Force the URL for storage operations to use https if the authentication URL is already forced to use https. This avoids following an http URL based on the response of a Swift proxy unaware that a terminator placed in front of it was used for the authentication.

Bug: T160616
Change-Id: Ia6c8c99ebb38d5828773b2f7aa8cf14ced6bdfde
---
 .../libs/filebackend/SwiftFileBackend.php | 21 ++++++++++---------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/includes/libs/filebackend/SwiftFileBackend.php b/includes/libs/filebackend/SwiftFileBackend.php
index ae0ad6fb84..029f94c689 100644
--- a/includes/libs/filebackend/SwiftFileBackend.php
+++ b/includes/libs/filebackend/SwiftFileBackend.php
@@ -35,25 +35,20 @@ class SwiftFileBackend extends FileBackendStore {
 /** @var MultiHttpClient */
 protected $http;
-
 /** @var int TTL in seconds */
 protected $authTTL;
-
 /** @var string Authentication base URL (without version) */
 protected $swiftAuthUrl;
-
+ /** @var string Override of storage base URL */
+ protected $swiftStorageUrl;
 /** @var string Swift user (account:user) to authenticate as */
 protected $swiftUser;
-
 /** @var string Secret key for user */
 protected $swiftKey;
-
 /** @var string Shared secret value for making temp URLs */
 protected $swiftTempUrlKey;
-
 /** @var string S3 access key (RADOS Gateway) */
 protected $rgwS3AccessKey;
-
 /** @var string S3 authentication key (RADOS Gateway) */
 protected $rgwS3SecretKey;
@@ -65,10 +60,8 @@ class SwiftFileBackend extends FileBackendStore {
 /** @var array */
 protected $authCreds;
-
 /** @var int UNIX timestamp */
 protected $authSessionTimestamp = 0;
-
 /** @var int UNIX timestamp */
 protected $authErrorTimestamp = null;
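Review bot: The docblock added for `$swiftStorageUrl` in the first hunk declares `string`, but the constructor hunk later in the patch assigns `null` when the option is absent and the authentication hunk tests `!== null`, so the type should be `string|null`. Neither this docblock nor the `swiftStorageUrl` entry added to the constructor comment says that the value replaces the `X-Storage-Url` response header as-is, which means it has to be a complete storage URL of the same form as that header. I would write `/** @var string|null Override of storage base URL; used verbatim in place of X-Storage-Url from the auth response */` and repeat that sentence in the option description.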
@@ -84,6 +77,8 @@ class SwiftFileBackend extends FileBackendStore {
 * - swiftAuthTTL : Swift authentication TTL (seconds)
 * - swiftTempUrlKey : Swift "X-Account-Meta-Temp-URL-Key" value on the account.
 * Do not set this until it has been set in the backend.
+ * - swiftStorageUrl : Swift storage URL (overrides that of the authentication response).
+ * This is useful to set if a TLS proxy is in use.
 * - shardViaHashLevels : Map of container names to sharding config with:
 * - base : base of hash characters, 16 or 36
 * - levels : the number of hash levels (and digits)
@@ -116,6 +111,9 @@ class SwiftFileBackend extends FileBackendStore {
 $this->swiftTempUrlKey = isset( $config['swiftTempUrlKey'] )
 ? $config['swiftTempUrlKey']
 : '';
+ $this->swiftStorageUrl = isset( $config['swiftStorageUrl'] )
+ ? $config['swiftStorageUrl']
+ : null;
 $this->shardViaHashLevels = isset( $config['shardViaHashLevels'] )
 ? $config['shardViaHashLevels']
 : '';
@@ -1674,8 +1672,11 @@ class SwiftFileBackend extends FileBackendStore {
 if ( $rcode >= 200 && $rcode <= 299 ) { // OK
 $this->authCreds = [
 'auth_token' => $rhdrs['x-auth-token'],
- 'storage_url' => $rhdrs['x-storage-url']
+ 'storage_url' => ( $this->swiftStorageUrl !== null )
+ ? $this->swiftStorageUrl
+ : $rhdrs['x-storage-url']
 ];
+
 $this->srvCache->set( $cacheKey, $this->authCreds, ceil( $this->authTTL / 2 ) );
 $this->authSessionTimestamp = time();
 } elseif ( $rcode === 401 ) {
--
2.20.1
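Review bot: The constructor hunk stores `$config['swiftStorageUrl']` without any check, although the value later becomes `storage_url` next to `auth_token` in `authCreds` and is presumably where the token is sent on every storage request. An `http://` value or a typo here would silently undo the TLS protection the option is meant to provide. Consider rejecting or at least logging a non-https override when the authentication URL is https, for example `if ( $this->swiftStorageUrl !== null && stripos( $this->swiftAuthUrl, 'https://' ) === 0 && stripos( $this->swiftStorageUrl, 'https://' ) !== 0 )`. The constructor begins and ends outside the hunk, so this assumes `swiftAuthUrl` is already assigned at that point and that no such check exists elsewhere.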
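Review bot: When `swiftStorageUrl` is unset, the `storage_url` entry in the last hunk still takes `$rhdrs['x-storage-url']` verbatim, so the http downgrade described in the commit message remains on every deployment that has not added the new option. Nothing in the visible code compares the scheme of the resulting URL with that of `swiftAuthUrl`, despite the message saying the URL is forced to https. A scheme comparison right after the array is built, with a logged warning on mismatch, would let operators notice that tokens are about to travel over plain http. Separately, `$cacheKey` is computed outside the hunk: if it does not vary with the override, credentials cached before the option was configured would keep the old `storage_url` until the entry expires, which is worth confirming or documenting. The enclosing method starts and ends outside the hunk.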