Exemple #1
 def _get_remote_ip(self, req):
     """Return the address to treat as the caller of this request.

     Starts from ``req.remote_addr``. When ``CONF.use_forwarded_for`` is
     set, the ``X-Forwarded-For`` header replaces it if the header is
     present.

     The header value is returned exactly as received: it is not parsed,
     split or validated here. A client can set this header itself, so the
     result is only trustworthy when a fronting proxy overwrites it.

     :param req: request exposing ``remote_addr`` and ``headers``
     :returns: the selected address value
     :raises exception.EC2MetadataInvalidAddress: no address available
     """
     address = req.remote_addr
     if CONF.use_forwarded_for:
         # The socket peer address is the fallback when the header is absent.
         address = req.headers.get('X-Forwarded-For', address)
     if address:
         return address
     raise exception.EC2MetadataInvalidAddress()
Exemple #2
    def _unpack_neutron_request(self, req):
        """Pull the proxy-supplied identity headers out of *req*.

        Reads X-Instance-ID, X-Tenant-ID, X-Instance-ID-Signature and
        X-Forwarded-For, rejects requests where the address or either id
        header is unusable, then hands the signature, instance id and
        address to ``self._validate_signature``.

        Every value here comes from request headers, so nothing is
        authenticated until ``_validate_signature`` has run.
        NOTE(review): which of these fields the signature actually covers
        is decided in ``_validate_signature``, not visible here -- confirm.

        :param req: request object exposing a ``headers`` mapping
        :returns: tuple ``(os_instance_id, project_id, remote_ip)``
        :raises exception.EC2MetadataInvalidAddress: no X-Forwarded-For
        :raises webob.exc.HTTPBadRequest: id header missing or not a string
        """
        headers = req.headers
        instance_id = headers.get('X-Instance-ID')
        tenant_id = headers.get('X-Tenant-ID')
        provided_sig = headers.get('X-Instance-ID-Signature')
        forwarded_for = headers.get('X-Forwarded-For')

        if not forwarded_for:
            raise exception.EC2MetadataInvalidAddress()

        # First failing check wins; the order matches the header priority.
        error = None
        if instance_id is None:
            error = _('X-Instance-ID header is missing from request.')
        elif tenant_id is None:
            error = _('X-Tenant-ID header is missing from request.')
        elif not isinstance(instance_id, six.string_types):
            error = _('Multiple X-Instance-ID headers found within request.')
        elif not isinstance(tenant_id, six.string_types):
            error = _('Multiple X-Tenant-ID headers found within request.')

        if error:
            raise webob.exc.HTTPBadRequest(explanation=error)

        self._validate_signature(provided_sig, instance_id, forwarded_for)
        return instance_id, tenant_id, forwarded_for
Exemple #3
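    def _unpack_request_attributes(self, req):
        """Extract and authenticate the proxy-supplied instance attributes.

        Reads X-Instance-ID, X-Tenant-ID, X-Instance-ID-Signature and
        X-Forwarded-For from the request headers and checks the signature
        against an HMAC-SHA256 of the instance id keyed with
        ``CONF.metadata.metadata_proxy_shared_secret``.

        Only the instance id is covered by the signature; the tenant id and
        the X-Forwarded-For address are returned as received.

        :param req: request object exposing a ``headers`` mapping
        :returns: tuple ``(os_instance_id, project_id, remote_ip)``
        :raises exception.EC2MetadataInvalidAddress: no X-Forwarded-For
        :raises webob.exc.HTTPBadRequest: id header missing or repeated
        :raises webob.exc.HTTPForbidden: signature missing or not matching
        """
        os_instance_id = req.headers.get('X-Instance-ID')
        project_id = req.headers.get('X-Tenant-ID')
        signature = req.headers.get('X-Instance-ID-Signature')
        remote_ip = req.headers.get('X-Forwarded-For')

        if not remote_ip:
            raise exception.EC2MetadataInvalidAddress()

        if os_instance_id is None:
            msg = _('X-Instance-ID header is missing from request.')
        elif project_id is None:
            msg = _('X-Tenant-ID header is missing from request.')
        elif not isinstance(os_instance_id, six.string_types):
            msg = _('Multiple X-Instance-ID headers found within request.')
        elif not isinstance(project_id, six.string_types):
            msg = _('Multiple X-Tenant-ID headers found within request.')
        else:
            msg = None

        if msg:
            raise webob.exc.HTTPBadRequest(explanation=msg)

        # NOTE(review): hmac.new() needs bytes for key and message on
        # Python 3 -- confirm both are bytes wherever this runs on py3.
        expected_signature = hmac.new(
            CONF.metadata.metadata_proxy_shared_secret, os_instance_id,
            hashlib.sha256).hexdigest()

        # A request without the signature header is rejected outright rather
        # than passed to the comparison helper as None.
        if signature is None or not utils.constant_time_compare(
                expected_signature, signature):
            # The expected value is deliberately kept out of the log: it is
            # the valid signature for this instance id, so anyone able to
            # read the log could replay it.
            LOG.warning(
                _LW('X-Instance-ID-Signature: %(signature)s does '
                    'not match the expected value for id: '
                    '%(instance_id)s. Request From: '
                    '%(remote_ip)s'), {
                        'signature': signature,
                        'instance_id': os_instance_id,
                        'remote_ip': remote_ip
                    })

            msg = _('Invalid proxy request signature.')
            raise webob.exc.HTTPForbidden(explanation=msg)

        return os_instance_id, project_id, remote_ip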