def _get_remote_ip(self, req):
    """Return the address this request is attributed to.

    Starts from ``req.remote_addr``. When ``CONF.use_forwarded_for`` is
    enabled, the ``X-Forwarded-For`` request header replaces it if the
    header is present.

    Security note: the header value is returned verbatim. It is not
    validated as an IP address and not split if it carries several
    entries. Whoever sends the request controls this header, so
    ``use_forwarded_for`` is only meaningful when every request reaches
    this service through a proxy that sets or overwrites it.

    :param req: incoming request exposing ``remote_addr`` and ``headers``
    :returns: the resolved address string
    :raises exception.EC2MetadataInvalidAddress: if no address is found
    """
    address = req.remote_addr
    if CONF.use_forwarded_for:
        # Fall back to the socket peer when the header is absent.
        address = req.headers.get('X-Forwarded-For', address)
    if address:
        return address
    raise exception.EC2MetadataInvalidAddress()
def _unpack_neutron_request(self, req):
    """Read the proxy-supplied identity headers and check their signature.

    Reads ``X-Instance-ID``, ``X-Tenant-ID``, ``X-Instance-ID-Signature``
    and ``X-Forwarded-For`` from the request, rejects requests where the
    address or an identity header is missing or malformed, then passes
    the signature, instance id and address to
    ``self._validate_signature``.

    Security note: all four values are plain request headers. The only
    authentication visible in this method is the
    ``self._validate_signature`` call.
    NOTE(review): which of the returned values that check actually
    covers cannot be told from here -- confirm before trusting
    ``project_id`` or ``remote_ip`` for authorization decisions.

    :param req: incoming request exposing ``headers``
    :returns: tuple ``(os_instance_id, project_id, remote_ip)``
    :raises exception.EC2MetadataInvalidAddress: no ``X-Forwarded-For``
    :raises webob.exc.HTTPBadRequest: an identity header is missing or is
        not a single string value
    """
    headers = req.headers
    instance_id = headers.get('X-Instance-ID')
    tenant_id = headers.get('X-Tenant-ID')
    supplied_signature = headers.get('X-Instance-ID-Signature')
    forwarded_for = headers.get('X-Forwarded-For')

    # The address check comes first, ahead of any header validation.
    if not forwarded_for:
        raise exception.EC2MetadataInvalidAddress()

    problem = None
    if instance_id is None:
        problem = _('X-Instance-ID header is missing from request.')
    elif tenant_id is None:
        problem = _('X-Tenant-ID header is missing from request.')
    elif not isinstance(instance_id, six.string_types):
        # A non-string value is reported as a repeated header.
        problem = _('Multiple X-Instance-ID headers found within request.')
    elif not isinstance(tenant_id, six.string_types):
        problem = _('Multiple X-Tenant-ID headers found within request.')

    if problem:
        raise webob.exc.HTTPBadRequest(explanation=problem)

    self._validate_signature(supplied_signature, instance_id, forwarded_for)
    return instance_id, tenant_id, forwarded_for
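def _unpack_request_attributes(self, req):
    """Read the proxy-supplied identity headers and verify their HMAC.

    Reads ``X-Instance-ID``, ``X-Tenant-ID``, ``X-Instance-ID-Signature``
    and ``X-Forwarded-For`` from the request. The supplied signature must
    equal the hex HMAC-SHA256 of the instance id keyed with
    ``CONF.metadata.metadata_proxy_shared_secret``.

    Security notes:

    * The HMAC is computed over ``os_instance_id`` only. ``project_id``
      and ``remote_ip`` are returned as received and are not covered by
      the signature.
    * The expected signature is never logged. It is the value that
      authenticates requests for this instance id, so writing it to the
      log on a mismatch would give anyone with log access a valid
      signature for any instance id they probe.

    :param req: incoming request exposing ``headers``
    :returns: tuple ``(os_instance_id, project_id, remote_ip)``
    :raises exception.EC2MetadataInvalidAddress: no ``X-Forwarded-For``
    :raises webob.exc.HTTPBadRequest: an identity header is missing or is
        not a single string value
    :raises webob.exc.HTTPForbidden: the signature does not match
    """
    os_instance_id = req.headers.get('X-Instance-ID')
    project_id = req.headers.get('X-Tenant-ID')
    signature = req.headers.get('X-Instance-ID-Signature')
    remote_ip = req.headers.get('X-Forwarded-For')

    if not remote_ip:
        raise exception.EC2MetadataInvalidAddress()

    if os_instance_id is None:
        msg = _('X-Instance-ID header is missing from request.')
    elif project_id is None:
        msg = _('X-Tenant-ID header is missing from request.')
    elif not isinstance(os_instance_id, six.string_types):
        # A non-string value is reported as a repeated header.
        msg = _('Multiple X-Instance-ID headers found within request.')
    elif not isinstance(project_id, six.string_types):
        msg = _('Multiple X-Tenant-ID headers found within request.')
    else:
        msg = None

    if msg:
        raise webob.exc.HTTPBadRequest(explanation=msg)

    expected_signature = hmac.new(
        CONF.metadata.metadata_proxy_shared_secret,
        os_instance_id,
        hashlib.sha256).hexdigest()

    # NOTE(review): a request without X-Instance-ID-Signature reaches the
    # comparison with signature=None; how utils.constant_time_compare
    # treats None is not visible here -- confirm it fails closed.
    if not utils.constant_time_compare(expected_signature, signature):
        # Log the supplied value and request context only. The expected
        # signature is deliberately kept out of the log (see docstring).
        LOG.warning(
            _LW('X-Instance-ID-Signature: %(signature)s does '
                'not match the expected value for id: '
                '%(instance_id)s. Request From: '
                '%(remote_ip)s'),
            {
                'signature': signature,
                'instance_id': os_instance_id,
                'remote_ip': remote_ip
            })

        msg = _('Invalid proxy request signature.')
        raise webob.exc.HTTPForbidden(explanation=msg)

    return os_instance_id, project_id, remote_ip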