Handle proxy-based TLS when placed in front of Swift

Force the URL for storage operations to use https if the authentication
URL is already forced to use https. This avoids following an http URL
based on the response of a Swift proxy unaware that a terminator placed
in front of it was used for the authentication.

Bug: T160616
Change-Id: Ia6c8c99ebb38d5828773b2f7aa8cf14ced6bdfde

diff --git a/includes/libs/filebackend/SwiftFileBackend.php b/includes/libs/filebackend/SwiftFileBackend.php
index ae0ad6f..029f94c 100644 (file)
--- a/includes/libs/filebackend/SwiftFileBackend.php
+++ b/includes/libs/filebackend/SwiftFileBackend.php
@@ -35,25 +35,20 @@
 class SwiftFileBackend extends FileBackendStore {
        /** @var MultiHttpClient */
        protected $http;
-
        /** @var int TTL in seconds */
        protected $authTTL;
-
        /** @var string Authentication base URL (without version) */
        protected $swiftAuthUrl;
-
+       /** @var string Override of storage base URL */
+       protected $swiftStorageUrl;
        /** @var string Swift user (account:user) to authenticate as */
        protected $swiftUser;
-
        /** @var string Secret key for user */
        protected $swiftKey;
-
        /** @var string Shared secret value for making temp URLs */
        protected $swiftTempUrlKey;
-
        /** @var string S3 access key (RADOS Gateway) */
        protected $rgwS3AccessKey;
-
        /** @var string S3 authentication key (RADOS Gateway) */
        protected $rgwS3SecretKey;
 
@@ -65,10 +60,8 @@ class SwiftFileBackend extends FileBackendStore {
 
        /** @var array */
        protected $authCreds;
-
        /** @var int UNIX timestamp */
        protected $authSessionTimestamp = 0;
-
        /** @var int UNIX timestamp */
        protected $authErrorTimestamp = null;
 
@@ -84,6 +77,8 @@ class SwiftFileBackend extends FileBackendStore {
         *   - swiftAuthTTL       : Swift authentication TTL (seconds)
         *   - swiftTempUrlKey    : Swift "X-Account-Meta-Temp-URL-Key" value on the account.
         *                          Do not set this until it has been set in the backend.
+        *   - swiftStorageUrl    : Swift storage URL (overrides that of the authentication response).
+        *                          This is useful to set if a TLS proxy is in use.
         *   - shardViaHashLevels : Map of container names to sharding config with:
         *                             - base   : base of hash characters, 16 or 36
         *                             - levels : the number of hash levels (and digits)
@@ -116,6 +111,9 @@ class SwiftFileBackend extends FileBackendStore {
                $this->swiftTempUrlKey = isset( $config['swiftTempUrlKey'] )
                        ? $config['swiftTempUrlKey']
                        : '';
+               $this->swiftStorageUrl = isset( $config['swiftStorageUrl'] )
+                       ? $config['swiftStorageUrl']
+                       : null;
                $this->shardViaHashLevels = isset( $config['shardViaHashLevels'] )
                        ? $config['shardViaHashLevels']
                        : '';
@@ -1674,8 +1672,11 @@ class SwiftFileBackend extends FileBackendStore {
                                if ( $rcode >= 200 && $rcode <= 299 ) { // OK
                                        $this->authCreds = [
                                                'auth_token' => $rhdrs['x-auth-token'],
-                                               'storage_url' => $rhdrs['x-storage-url']
+                                               'storage_url' => ( $this->swiftStorageUrl !== null )
+                                                       ? $this->swiftStorageUrl
+                                                       : $rhdrs['x-storage-url']
                                        ];
+
                                        $this->srvCache->set( $cacheKey, $this->authCreds, ceil( $this->authTTL / 2 ) );
                                        $this->authSessionTimestamp = time();
                                } elseif ( $rcode === 401 ) {