)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"},"change_message_id":"24b733f740d0e8138d3ff4bea86ec1aa38b8caeb","unresolved":false,"context_lines":[{"line_number":5,"context_line":"CommitDate: 2016-04-21 17:38:09 +0300"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Added X-Forwarding-For support"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Change-Id: Ifb955f9d35fdcaa8053600613bf50536e337a0d5"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"1a122d0e_908f05cc","line":8,"updated":"2016-04-21 15:15:54.000000000","message":"This should have a reference to the bugreport. Please read https://wiki.openstack.org/wiki/GitCommitMessages for more info. There should be something like Closes-Bug: #bugnumber","commit_id":"49e87806aeeb50d9bdb35055ab090297660ed6ed"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"54bf46424cbbc0cd325dca907a9ec548acfc2c8f","unresolved":false,"context_lines":[{"line_number":5,"context_line":"CommitDate: 2016-04-21 17:38:09 +0300"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Added X-Forwarding-For support"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Change-Id: Ifb955f9d35fdcaa8053600613bf50536e337a0d5"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"1a122d0e_a5f8004b","line":8,"in_reply_to":"1a122d0e_908f05cc","updated":"2016-04-21 16:16:59.000000000","message":"reference bug https://bugs.launchpad.net/keystone/+bug/1550127\nand bug https://bugs.launchpad.net/keystone/+bug/1554274\n\nwith:\n\nCloses-Bug: 155...\nCloses-Bug: 155...","commit_id":"49e87806aeeb50d9bdb35055ab090297660ed6ed"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa 
Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"8fc9a0621bfbdba65cfe7f59783577e86ac34b79","unresolved":false,"context_lines":[{"line_number":5,"context_line":"CommitDate: 2016-04-22 16:56:05 +0300"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Added X-Forwarding-For support"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Change-Id: Ifb955f9d35fdcaa8053600613bf50536e337a0d5"},{"line_number":10,"context_line":"Closes-Bug: #1550127"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"1a122d0e_257dbe1c","line":8,"updated":"2016-04-24 12:18:42.000000000","message":"please add more details in the commit message, explaining this change.","commit_id":"5a57c009c5180bd87bf5ca92f1aa36828adea537"}],"etc/keystone.conf.sample":[{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"4ca028cb3ddef8b48ef7758821552fe8735a9f16","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"1a122d0e_114344b0","updated":"2016-04-28 06:44:22.000000000","message":"no need to create this change, there is a proposal bot to update the sample config -- see the second paragraph here: http://docs.openstack.org/developer/keystone/developing.html#generating-updated-sample-config-file","commit_id":"55be31781e20e89577d67adff55c12321dd7ba83"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"41ad730de8042f7c1f05a4ff7f48768ae578ac51","unresolved":false,"context_lines":[{"line_number":92,"context_line":""},{"line_number":93,"context_line":"# Treat X-Forwarded-For as the canonical remote address. Only enable this if"},{"line_number":94,"context_line":"# you have a sanitizing proxy. 
(boolean value)"},{"line_number":95,"context_line":"#use_forwarded_for \u003d false"},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"#"},{"line_number":98,"context_line":"# From keystone.notifications"}],"source_content_type":"application/octet-stream","patch_set":4,"id":"1a122d0e_f51654a5","line":95,"range":{"start_line":95,"start_character":1,"end_line":95,"end_character":18},"updated":"2016-04-29 02:38:23.000000000","message":"I don\u0027t think this configuration is needed. I\u0027ve never seen a production deployment where external clients are allowed to directly connect to Keystone. Client also terminates at proxy/LB and the request is LBed into the Keystone nodes. If X-Forwarded-For header is set, we should automatically use it.","commit_id":"55be31781e20e89577d67adff55c12321dd7ba83"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f88da844fb14cbcc95ea58ab04c92eb18ce3180b","unresolved":false,"context_lines":[{"line_number":92,"context_line":""},{"line_number":93,"context_line":"# Treat X-Forwarded-For as the canonical remote address. Only enable this if"},{"line_number":94,"context_line":"# you have a sanitizing proxy. (boolean value)"},{"line_number":95,"context_line":"#use_forwarded_for \u003d false"},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"#"},{"line_number":98,"context_line":"# From keystone.notifications"}],"source_content_type":"application/octet-stream","patch_set":4,"id":"dab17558_18333763","line":95,"in_reply_to":"1a122d0e_f51654a5","updated":"2016-05-17 20:54:35.000000000","message":"++ I agree. 
Do we have a use case for *not* doing this?","commit_id":"55be31781e20e89577d67adff55c12321dd7ba83"},{"author":{"_account_id":12980,"name":"Thomas Hsiao","email":"thomas.hsiao@gmail.com","username":"thsiao"},"change_message_id":"7ef24f93165a5af7bd5e3b0c9c44829d47d9ad92","unresolved":false,"context_lines":[{"line_number":92,"context_line":""},{"line_number":93,"context_line":"# Treat X-Forwarded-For as the canonical remote address. Only enable this if"},{"line_number":94,"context_line":"# you have a sanitizing proxy. (boolean value)"},{"line_number":95,"context_line":"#use_forwarded_for \u003d false"},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"#"},{"line_number":98,"context_line":"# From keystone.notifications"}],"source_content_type":"application/octet-stream","patch_set":4,"id":"bab6814e_7d88b5c5","line":95,"in_reply_to":"dab17558_18333763","updated":"2016-05-20 21:00:47.000000000","message":"+1 no config is needed.","commit_id":"55be31781e20e89577d67adff55c12321dd7ba83"}],"keystone/common/config.py":[{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"54bf46424cbbc0cd325dca907a9ec548acfc2c8f","unresolved":false,"context_lines":[{"line_number":817,"context_line":"        cfg.StrOpt(\u0027oauth1\u0027,"},{"line_number":818,"context_line":"                   help\u003d\u0027Entrypoint for the oAuth1.0 auth plugin module in \u0027"},{"line_number":819,"context_line":"                        \u0027the keystone.auth.oauth1 namespace.\u0027),"},{"line_number":820,"context_line":"        cfg.BoolOpt(\u0027use_forwarded_for\u0027,"},{"line_number":821,"context_line":"                    default\u003dFalse,"},{"line_number":822,"context_line":"                    help\u003d\u0027Treat X-Forwarded-For as the canonical remote address. 
\u0027"},{"line_number":823,"context_line":"                         \u0027Only enable this if you have a sanitizing proxy.\u0027)"},{"line_number":824,"context_line":"    ],"},{"line_number":825,"context_line":"    \u0027tokenless_auth\u0027: ["},{"line_number":826,"context_line":"        cfg.MultiStrOpt(\u0027trusted_issuer\u0027, default\u003d[],"}],"source_content_type":"text/x-python","patch_set":1,"id":"1a122d0e_4582ccc9","line":823,"range":{"start_line":820,"start_character":0,"end_line":823,"end_character":76},"updated":"2016-04-21 16:16:59.000000000","message":"i don\u0027t think we want this in the [auth] section, the [DEFAULT] section would be better, since this will work for all requests, not just auth","commit_id":"49e87806aeeb50d9bdb35055ab090297660ed6ed"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"5347e13eb4e90a693344d69f3b42ef1195740636","unresolved":false,"context_lines":[{"line_number":155,"context_line":"                         \u0027be useful for debugging but is insecure.\u0027),"},{"line_number":156,"context_line":"        cfg.BoolOpt(\u0027use_forwarded_for\u0027,"},{"line_number":157,"context_line":"                    default\u003dFalse,"},{"line_number":158,"context_line":"                    help\u003d\u0027Treat X-Forwarded-For as the canonical remote \u0027"},{"line_number":159,"context_line":"                         \u0027address. 
Only enable this if you have a \u0027"},{"line_number":160,"context_line":"                         \u0027sanitizing proxy.\u0027)"},{"line_number":161,"context_line":"    ],"},{"line_number":162,"context_line":"    \u0027identity\u0027: ["},{"line_number":163,"context_line":"        cfg.StrOpt(\u0027default_domain_id\u0027, default\u003d\u0027default\u0027,"}],"source_content_type":"text/x-python","patch_set":2,"id":"1a122d0e_4720cc49","line":160,"range":{"start_line":158,"start_character":20,"end_line":160,"end_character":45},"updated":"2016-04-23 05:15:07.000000000","message":"thanks for matching this text with nova\u0027s ! https://github.com/openstack/nova/blob/bc5035343d366a18cae587f92ecb4e871aba974a/nova/api/auth.py#L47","commit_id":"5a57c009c5180bd87bf5ca92f1aa36828adea537"}],"keystone/common/wsgi.py":[{"author":{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"},"change_message_id":"24b733f740d0e8138d3ff4bea86ec1aa38b8caeb","unresolved":false,"context_lines":[{"line_number":228,"context_line":"        context[\u0027accept_header\u0027] \u003d req.accept"},{"line_number":229,"context_line":"        req.environ \u003d None"},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"        if CONF.auth.use_forwarded_for:"},{"line_number":232,"context_line":"            req.environ[\u0027REMOTE_ADDR\u0027] \u003d req.headers[\u0027X-Forwarded-For\u0027]"},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"        params.update(arg_dict)"}],"source_content_type":"text/x-python","patch_set":1,"id":"1a122d0e_701fc909","line":231,"range":{"start_line":231,"start_character":8,"end_line":231,"end_character":39},"updated":"2016-04-21 15:15:54.000000000","message":"why do you need this check? 
Why not just use X-Forwarded-For if it exists?","commit_id":"49e87806aeeb50d9bdb35055ab090297660ed6ed"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"54bf46424cbbc0cd325dca907a9ec548acfc2c8f","unresolved":false,"context_lines":[{"line_number":228,"context_line":"        context[\u0027accept_header\u0027] \u003d req.accept"},{"line_number":229,"context_line":"        req.environ \u003d None"},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"        if CONF.auth.use_forwarded_for:"},{"line_number":232,"context_line":"            req.environ[\u0027REMOTE_ADDR\u0027] \u003d req.headers[\u0027X-Forwarded-For\u0027]"},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"        params.update(arg_dict)"}],"source_content_type":"text/x-python","patch_set":1,"id":"1a122d0e_85afc42a","line":231,"range":{"start_line":231,"start_character":8,"end_line":231,"end_character":39},"in_reply_to":"1a122d0e_701fc909","updated":"2016-04-21 16:16:59.000000000","message":"from https://bugs.launchpad.net/keystone/+bug/1550127\n\nOne reason to make it an option is that the value should only be trusted if Keystone is behind a trusted proxy that ensures it is set correctly. Otherwise, a malicious client can set the value to anything (the wrong IP address, unprintable characters, etc). 
By setting this option, an operator is letting Keystone know the header can be trusted based on the deployment.","commit_id":"49e87806aeeb50d9bdb35055ab090297660ed6ed"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"5347e13eb4e90a693344d69f3b42ef1195740636","unresolved":false,"context_lines":[{"line_number":229,"context_line":"        req.environ \u003d None"},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"        if CONF.use_forwarded_for:"},{"line_number":232,"context_line":"            req.environ[\u0027REMOTE_ADDR\u0027] \u003d req.headers[\u0027X-Forwarded-For\u0027]"},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"        params.update(arg_dict)"},{"line_number":235,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"1a122d0e_0726d467","line":232,"range":{"start_line":232,"start_character":41,"end_line":232,"end_character":71},"updated":"2016-04-23 05:15:07.000000000","message":"just because the option is set to true, doesn\u0027t guarantee that x-forwarded-for is set\n\n  forwarded_value \u003d req.headers.get(\u0027X-Forwarded-For\u0027)\n  if CONF.use_forwarded_for and forwarded_value:\n    req.environ[\u0027REMOTE_ADDR\u0027] \u003d forwarded_value","commit_id":"5a57c009c5180bd87bf5ca92f1aa36828adea537"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"8fc9a0621bfbdba65cfe7f59783577e86ac34b79","unresolved":false,"context_lines":[{"line_number":229,"context_line":"        req.environ \u003d None"},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"        if CONF.use_forwarded_for:"},{"line_number":232,"context_line":"            req.environ[\u0027REMOTE_ADDR\u0027] \u003d 
req.headers[\u0027X-Forwarded-For\u0027]"},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"        params.update(arg_dict)"},{"line_number":235,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"1a122d0e_6577b63a","line":232,"range":{"start_line":232,"start_character":41,"end_line":232,"end_character":71},"in_reply_to":"1a122d0e_0726d467","updated":"2016-04-24 12:18:42.000000000","message":"++","commit_id":"5a57c009c5180bd87bf5ca92f1aa36828adea537"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f88da844fb14cbcc95ea58ab04c92eb18ce3180b","unresolved":false,"context_lines":[{"line_number":228,"context_line":"        context[\u0027accept_header\u0027] \u003d req.accept"},{"line_number":229,"context_line":"        req.environ \u003d None"},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"        forward_value \u003d req.headers.get(\u0027X-Forwarded-For\u0027)"},{"line_number":232,"context_line":"        if CONF.use_forwarded_for and forward_value:"},{"line_number":233,"context_line":"            req.environ[\u0027REMOTE_ADDR\u0027] \u003d forward_value"},{"line_number":234,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"dab17558_0c1e585e","line":231,"updated":"2016-05-17 20:54:35.000000000","message":"X-Forwarded-For is supposed to be: \n\n    client, proxy1, proxy2, ...\n\nAre we sure we\u0027re grabbing the client IP in this case?","commit_id":"55be31781e20e89577d67adff55c12321dd7ba83"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"4ca028cb3ddef8b48ef7758821552fe8735a9f16","unresolved":false,"context_lines":[{"line_number":230,"context_line":""},{"line_number":231,"context_line":"        forward_value \u003d req.headers.get(\u0027X-Forwarded-For\u0027)"},{"line_number":232,"context_line":"        
if CONF.use_forwarded_for and forward_value:"},{"line_number":233,"context_line":"            req.environ[\u0027REMOTE_ADDR\u0027] \u003d forward_value"},{"line_number":234,"context_line":""},{"line_number":235,"context_line":"        params.update(arg_dict)"},{"line_number":236,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"1a122d0e_51177ca2","line":233,"range":{"start_line":233,"start_character":12,"end_line":233,"end_character":38},"updated":"2016-04-28 06:44:22.000000000","message":"not crazy about overriding remote_addr, but this should work","commit_id":"55be31781e20e89577d67adff55c12321dd7ba83"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f88da844fb14cbcc95ea58ab04c92eb18ce3180b","unresolved":false,"context_lines":[{"line_number":230,"context_line":""},{"line_number":231,"context_line":"        forward_value \u003d req.headers.get(\u0027X-Forwarded-For\u0027)"},{"line_number":232,"context_line":"        if CONF.use_forwarded_for and forward_value:"},{"line_number":233,"context_line":"            req.environ[\u0027REMOTE_ADDR\u0027] \u003d forward_value"},{"line_number":234,"context_line":""},{"line_number":235,"context_line":"        params.update(arg_dict)"},{"line_number":236,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"dab17558_386a7b1a","line":233,"in_reply_to":"1a122d0e_51177ca2","updated":"2016-05-17 20:54:35.000000000","message":"Shouldn\u0027t we be detecting if REMOTE_ADDR is already populated and appending the forward_value if there is already something there?","commit_id":"55be31781e20e89577d67adff55c12321dd7ba83"},{"author":{"_account_id":12980,"name":"Thomas Hsiao","email":"thomas.hsiao@gmail.com","username":"thsiao"},"change_message_id":"7ef24f93165a5af7bd5e3b0c9c44829d47d9ad92","unresolved":false,"context_lines":[{"line_number":230,"context_line":""},{"line_number":231,"context_line":"        
forward_value \u003d req.headers.get(\u0027X-Forwarded-For\u0027)"},{"line_number":232,"context_line":"        if CONF.use_forwarded_for and forward_value:"},{"line_number":233,"context_line":"            req.environ[\u0027REMOTE_ADDR\u0027] \u003d forward_value"},{"line_number":234,"context_line":""},{"line_number":235,"context_line":"        params.update(arg_dict)"},{"line_number":236,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"bab6814e_1dc9a926","line":233,"in_reply_to":"dab17558_386a7b1a","updated":"2016-05-20 21:00:47.000000000","message":"It is a good idea to append the forward_value instead of replacing REMOTE_ADDR.","commit_id":"55be31781e20e89577d67adff55c12321dd7ba83"}],"keystone/tests/unit/test_wsgi.py":[{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"5347e13eb4e90a693344d69f3b42ef1195740636","unresolved":false,"context_lines":[{"line_number":239,"context_line":"        self.assertEqual({\u0027name\u0027: u\u0027nonexit\\xe8nt\u0027},"},{"line_number":240,"context_line":"                         jsonutils.loads(resp.body))"},{"line_number":241,"context_line":""},{"line_number":242,"context_line":"    def test_x_forwarded_for_enable(self):"},{"line_number":243,"context_line":"        req \u003d self._make_request()"},{"line_number":244,"context_line":"        req.environ[\u0027REMOTE_ADDR\u0027] \u003d \u00271.1.1.1\u0027"},{"line_number":245,"context_line":"        req.headers[\u0027X-Forwarded-For\u0027] \u003d \u00271.1.1.2\u0027"}],"source_content_type":"text/x-python","patch_set":2,"id":"1a122d0e_c7d21c34","line":242,"range":{"start_line":242,"start_character":8,"end_line":242,"end_character":35},"updated":"2016-04-23 05:15:07.000000000","message":"you could add a test where x-forwarded-for is enabled but not set, so it defaults to 
remote-addr","commit_id":"5a57c009c5180bd87bf5ca92f1aa36828adea537"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f88da844fb14cbcc95ea58ab04c92eb18ce3180b","unresolved":false,"context_lines":[{"line_number":252,"context_line":"    def test_x_forwarded_for_enable(self):"},{"line_number":253,"context_line":"        req \u003d self._make_request()"},{"line_number":254,"context_line":"        req.environ[\u0027REMOTE_ADDR\u0027] \u003d \u00271.1.1.1\u0027"},{"line_number":255,"context_line":"        req.headers[\u0027X-Forwarded-For\u0027] \u003d \u00271.1.1.2\u0027"},{"line_number":256,"context_line":"        wsgi.CONF.use_forwarded_for \u003d True"},{"line_number":257,"context_line":"        app \u003d FakeApp()"},{"line_number":258,"context_line":"        app(req)"}],"source_content_type":"text/x-python","patch_set":4,"id":"dab17558_18cfb729","line":255,"updated":"2016-05-17 20:54:35.000000000","message":"The syntax of X-Forwarded-For is: \n\n    client, proxy1, proxy2\n\nWe should be enforcing that syntax here (unless I\u0027m missing something?). \n\nhttps://en.wikipedia.org/wiki/X-Forwarded-For","commit_id":"55be31781e20e89577d67adff55c12321dd7ba83"}],"releasenotes/notes/bug-1550127-b961cf27dea7ef4e.yaml":[{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"cdc54c1c489893260a62c38238fd32ad4ef9e964","unresolved":false,"context_lines":[{"line_number":10,"context_line":"    [`bug 1550127 \u003chttps://bugs.launchpad.net/keystone/+bug/1550127\u003e`_]"},{"line_number":11,"context_line":"    Originally, log file contained a reverse proxy address when keystone"},{"line_number":12,"context_line":"    endpoint was behind the proxy. 
Now, address from X-Forwarded-For is used"},{"line_number":13,"context_line":"    in the log file if \"use_forwarded_for\" is set by \"True\" in the config file."}],"source_content_type":"text/x-yaml","patch_set":5,"id":"bab6814e_08362db4","line":13,"range":{"start_line":13,"start_character":20,"end_line":13,"end_character":77},"updated":"2016-05-24 06:07:22.000000000","message":"this is no longer the case","commit_id":"3ecb24b4b034b03e102f18a813b3f394e031f4e6"}]}
