Handle proxy-based TLS when placed in front of Swift
Force the URL for storage operations to use https if the authentication URL is already forced to use https. This avoids following an http URL based on the response of a Swift proxy unaware that a terminator placed in front of it was used for the authentication. Bug: T160616 Change-Id: Ia6c8c99ebb38d5828773b2f7aa8cf14ced6bdfde
parent
6eeefad9a3
commit
8eb82c0f64
1 changed files with 11 additions and 10 deletions
|
|
@ -35,25 +35,20 @@
|
|||
class SwiftFileBackend extends FileBackendStore {
|
||||
/** @var MultiHttpClient */
|
||||
protected $http;
|
||||
|
||||
/** @var int TTL in seconds */
|
||||
protected $authTTL;
|
||||
|
||||
/** @var string Authentication base URL (without version) */
|
||||
protected $swiftAuthUrl;
|
||||
|
||||
/** @var string Override of storage base URL */
|
||||
protected $swiftStorageUrl;
|
||||
/** @var string Swift user (account:user) to authenticate as */
|
||||
protected $swiftUser;
|
||||
|
||||
/** @var string Secret key for user */
|
||||
protected $swiftKey;
|
||||
|
||||
/** @var string Shared secret value for making temp URLs */
|
||||
protected $swiftTempUrlKey;
|
||||
|
||||
/** @var string S3 access key (RADOS Gateway) */
|
||||
protected $rgwS3AccessKey;
|
||||
|
||||
/** @var string S3 authentication key (RADOS Gateway) */
|
||||
protected $rgwS3SecretKey;
|
||||
|
||||
|
|
@ -65,10 +60,8 @@ class SwiftFileBackend extends FileBackendStore {
|
|||
|
||||
/** @var array */
|
||||
protected $authCreds;
|
||||
|
||||
/** @var int UNIX timestamp */
|
||||
protected $authSessionTimestamp = 0;
|
||||
|
||||
/** @var int UNIX timestamp */
|
||||
protected $authErrorTimestamp = null;
|
||||
|
||||
|
|
@ -84,6 +77,8 @@ class SwiftFileBackend extends FileBackendStore {
|
|||
* - swiftAuthTTL : Swift authentication TTL (seconds)
|
||||
* - swiftTempUrlKey : Swift "X-Account-Meta-Temp-URL-Key" value on the account.
|
||||
* Do not set this until it has been set in the backend.
|
||||
* - swiftStorageUrl : Swift storage URL (overrides that of the authentication response).
|
||||
* This is useful to set if a TLS proxy is in use.
|
||||
* - shardViaHashLevels : Map of container names to sharding config with:
|
||||
* - base : base of hash characters, 16 or 36
|
||||
* - levels : the number of hash levels (and digits)
|
||||
|
|
@ -116,6 +111,9 @@ class SwiftFileBackend extends FileBackendStore {
|
|||
$this->swiftTempUrlKey = isset( $config['swiftTempUrlKey'] )
|
||||
? $config['swiftTempUrlKey']
|
||||
: '';
|
||||
$this->swiftStorageUrl = isset( $config['swiftStorageUrl'] )
|
||||
? $config['swiftStorageUrl']
|
||||
: null;
|
||||
$this->shardViaHashLevels = isset( $config['shardViaHashLevels'] )
|
||||
? $config['shardViaHashLevels']
|
||||
: '';
|
||||
|
|
@ -1674,8 +1672,11 @@ class SwiftFileBackend extends FileBackendStore {
|
|||
if ( $rcode >= 200 && $rcode <= 299 ) { // OK
|
||||
$this->authCreds = [
|
||||
'auth_token' => $rhdrs['x-auth-token'],
|
||||
'storage_url' => $rhdrs['x-storage-url']
|
||||
'storage_url' => ( $this->swiftStorageUrl !== null )
|
||||
? $this->swiftStorageUrl
|
||||
: $rhdrs['x-storage-url']
|
||||
];
|
||||
|
||||
$this->srvCache->set( $cacheKey, $this->authCreds, ceil( $this->authTTL / 2 ) );
|
||||
$this->authSessionTimestamp = time();
|
||||
} elseif ( $rcode === 401 ) {
|
||||
|
|
|
|||
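Review bot: The `storage_url` assignment in the last hunk still takes `$rhdrs['x-storage-url']` verbatim whenever `swiftStorageUrl` is unset, and takes the override without checking its scheme, so the `x-auth-token` can still be sent over plain http after an https authentication unless every deployment sets the option correctly. The commit message describes forcing https when the authentication URL is https; a check against `$this->swiftAuthUrl`, as sketched below, would make that the default rather than opt-in. The sketch rewrites the scheme, but if the TLS terminator listens on a different port than the http endpoint, treating the mismatch as an authentication failure may be the safer choice. The chosen URL is also written to `srvCache`, so a changed `swiftStorageUrl` presumably only takes effect once the cached credentials expire. The enclosing method begins and ends outside the hunk.

```php
// … unchanged: 2xx response check …
$storageUrl = ( $this->swiftStorageUrl !== null )
	? $this->swiftStorageUrl
	: $rhdrs['x-storage-url'];
// Authentication went over TLS: never follow a cleartext storage URL with the token
if ( stripos( $this->swiftAuthUrl, 'https://' ) === 0
	&& stripos( $storageUrl, 'https://' ) !== 0
) {
	$storageUrl = preg_replace( '!^http://!i', 'https://', $storageUrl );
}
$this->authCreds = [
	'auth_token' => $rhdrs['x-auth-token'],
	'storage_url' => $storageUrl
];
// … unchanged: srvCache->set() and authSessionTimestamp update …
```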