Add timeout in HTTP requests

... to resolve the new bandit check error.

Change-Id: I7dc09f329111d2c571aa31d8a1a05f2bcdded92a

oslo_policy/_external.py

@@ -18,11 +18,12 @@
 import contextlib
 import copy
 import os
+import requests
+from requests.exceptions import Timeout
 
 from oslo_policy import _checks
 from oslo_policy._i18n import _
 from oslo_serialization import jsonutils
-import requests
 
 
 class HttpCheck(_checks.Check):
@@ -33,13 +34,18 @@ class HttpCheck(_checks.Check):
     """
 
     def __call__(self, target, creds, enforcer, current_rule=None):
+        timeout = enforcer.conf.oslo_policy.remote_timeout
+
         url = ('http:' + self.match) % target
         data, json = self._construct_payload(creds, current_rule,
                                              enforcer, target)
-        with contextlib.closing(
-                requests.post(url, json=json, data=data)
-        ) as r:
-            return r.text.lstrip('"').rstrip('"') == 'True'
+        try:
+            with contextlib.closing(
+                    requests.post(url, json=json, data=data, timeout=timeout)
+            ) as r:
+                return r.text.lstrip('"').rstrip('"') == 'True'
+        except Timeout:
+            raise RuntimeError("Timeout in REST API call")
 
     @staticmethod
     def _construct_payload(creds, current_rule, enforcer, target):
@@ -78,6 +84,7 @@ class HttpsCheck(HttpCheck):
         key_file = enforcer.conf.oslo_policy.remote_ssl_client_key_file
         ca_crt_file = enforcer.conf.oslo_policy.remote_ssl_ca_crt_file
         verify_server = enforcer.conf.oslo_policy.remote_ssl_verify_server_crt
+        timeout = enforcer.conf.oslo_policy.remote_timeout
 
         if cert_file:
             if not os.path.exists(cert_file):
@@ -103,9 +110,13 @@ class HttpsCheck(HttpCheck):
 
         data, json = self._construct_payload(creds, current_rule,
                                              enforcer, target)
-        with contextlib.closing(
-                requests.post(url, json=json,
-                              data=data, cert=cert,
-                              verify=verify_server)
-        ) as r:
-            return r.text.lstrip('"').rstrip('"') == 'True'
+        try:
+            with contextlib.closing(
+                    requests.post(url, json=json,
+                                  data=data, cert=cert,
+                                  verify=verify_server,
+                                  timeout=timeout)
+            ) as r:
+                return r.text.lstrip('"').rstrip('"') == 'True'
+        except Timeout:
+            raise RuntimeError("Timeout in REST API call")

oslo_policy/opts.py

@@ -90,6 +90,10 @@ _options = [
     cfg.StrOpt('remote_ssl_client_key_file',
                help=_("Absolute path client key file REST based "
                       "policy check")),
+    cfg.FloatOpt('remote_timeout',
+                 default=60,
+                 min=0,
+                 help=_("Timeout in seconds for REST based policy check"))
 ]
 
 

releasenotes/notes/requests-timeout-fbd57c7a4fdd908f.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    The new ``[oslo_policy] remote_timeout`` option has been added. This option
+    determines timeout in HTTP(S) requests in REST based policy check. Its
+    default value is 60 seconds.