potiuk commented on code in PR #24519:
URL: https://github.com/apache/airflow/pull/24519#discussion_r900782570
##########
airflow/utils/serve_logs.py:
##########
@@ -16,55 +16,86 @@
# under the License.
"""Serve logs process"""
+import logging
import os
-import time
import gunicorn.app.base
from flask import Flask, abort, request, send_from_directory
-from itsdangerous import TimedJSONWebSignatureSerializer
+from jwt.exceptions import (
+ ExpiredSignatureError,
+ ImmatureSignatureError,
+ InvalidAudienceError,
+ InvalidIssuedAtError,
+ InvalidSignatureError,
+)
from setproctitle import setproctitle
from airflow.configuration import conf
+from airflow.utils.jwt_signer import JWTSigner
+
+logger = logging.getLogger(__name__)
def create_app():
flask_app = Flask(__name__, static_folder=None)
- max_request_age = conf.getint('webserver', 'log_request_clock_grace',
fallback=30)
+ expiration_time_in_seconds = conf.getint('webserver',
'log_request_clock_grace', fallback=30)
log_directory = os.path.expanduser(conf.get('logging', 'BASE_LOG_FOLDER'))
- signer = TimedJSONWebSignatureSerializer(
+ signer = JWTSigner(
secret_key=conf.get('webserver', 'secret_key'),
- algorithm_name='HS512',
- expires_in=max_request_age,
- # This isn't really a "salt", more of a signing context
- salt='task-instance-logs',
+ expiration_time_in_seconds=expiration_time_in_seconds,
+ audience="task-instance-logs",
)
# Prevent direct access to the logs port
@flask_app.before_request
def validate_pre_signed_url():
try:
- auth = request.headers['Authorization']
-
- # We don't actually care about the payload, just that the signature
- # was valid and the `exp` claim is correct
- filename, headers = signer.loads(auth, return_header=True)
-
- issued_at = int(headers['iat'])
- expires_at = int(headers['exp'])
- except Exception:
+ auth = request.headers.get('Authorization')
+ if auth is None:
+ logger.warning(f"The Authorization header is missing:
{request.headers}")
+ abort(403)
+ payload = signer.verify_token(auth)
+ token_filename = payload.get("filename")
+ request_filename = request.view_args['filename']
+ if token_filename is None:
+ logger.warning(f"The payload does not contain 'filename' key:
{payload}")
+ abort(403)
+ if token_filename != request_filename:
+ logger.warning(
+ f"The payload log_relative_path key is different than the
one in token:"
+ f"Request path: {request_filename}. Token path:
{token_filename}"
+ )
+ abort(403)
+ except InvalidAudienceError:
+ logger.warning("Invalid audience for the request", exc_info=True)
abort(403)
-
- if filename != request.view_args['filename']:
+ except InvalidSignatureError:
+ logger.warning("The signature of the request was wrong",
exc_info=True)
abort(403)
-
- # Validate the `iat` and `exp` are within `max_request_age` of now.
- now = int(time.time())
- if abs(now - issued_at) > max_request_age:
+ except ImmatureSignatureError:
+ logger.warning("The signature of the request was sent from the
future", exc_info=True)
abort(403)
- if abs(now - expires_at) > max_request_age:
+ except ExpiredSignatureError:
+ logger.warning(
+ "The signature of the request has expired. Make sure that all
components "
+ "in your system have synchronized clocks. "
+ "See more at https://airflow.apache.org/docs/apache-airflow/";
Review Comment:
Ah. I keep on forgetting we have it :)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
