feat(api): capture client connection info via ConnectInfo #842
Merged
gtema merged 1 commit into Jun 25, 2026
Wire the public listener's make-service to into_make_service_with_connect_info::<SocketAddr>() so the raw TCP peer address is stored in a ConnectInfo<SocketAddr> request extension and surfaced on the request tracing span as `client.addr`. This mirrors how upstream Python Keystone exposes the client via WSGI REMOTE_ADDR / flask.request.remote_addr, and is the enabling step for future IP-based login control.

This captures the raw peer only; it is not proxy-aware. Behind a reverse proxy/load balancer it is the proxy's address. A config-gated forwarded-header layer (mirroring oslo_middleware's enable_proxy_headers_parsing, off by default) is a required follow-up before this is used for any IP-based control.

Composes with the NormalizePathLayer wrap from openstack-experimental#734: the connect-info make-service is taken from axum's ServiceExt (blanket-impl'd for any Service), so it applies to the NormalizePath<Router> value.

Closes openstack-experimental#358

Note: This commit was done with the help of AI.

Signed-off-by: Yousef Hussein <ymh1874@gmail.com>
gtema
approved these changes
Jun 25, 2026
gtema
left a comment
Collaborator
Nice, but would need a followup
| // `into_make_service_with_connect_info::<SocketAddr>` stores the | ||
| // raw TCP peer address in a `ConnectInfo<SocketAddr>` request | ||
| // extension (the analogue of Python Keystone's WSGI REMOTE_ADDR). | ||
| // This is the *raw* peer, not proxy-resolved: behind a reverse |
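Review bot: The raw-peer caveat in the last line of this comment is stated only at the wiring site, while the risk sits wherever the stored `ConnectInfo<SocketAddr>` value is later read. Repeat the caveat in the doc comment of the code that reads the extension, or wrap the address in a newtype (a hypothetical `RawPeerAddr`), so a consumer cannot mistake it for a proxy-resolved client address.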
Collaborator
This needs to be addressed of course as well. Follow-up should be absolutely fine
| // `into_make_service_with_connect_info` on the public | ||
| // listener (the keystone-ng analogue of Python Keystone's | ||
| // WSGI REMOTE_ADDR / flask.request.remote_addr). `None` for | ||
| // the SPIFFE interfaces, which do not populate ConnectInfo. |
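Review bot: The `None` case in the last two lines of this comment has no stated contract for code that reads the value. Say here whether a consumer should skip, deny, or only log when the address is absent on the SPIFFE interfaces, so a later check built on it does not silently pass on a missing address.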
Collaborator
This is an interesting point. I agree that for SPIFFE we currently go an absolutely different way, but it should be possible to capture the information there as well. You can definitely capture the remote IP address, and at a later phase the headers (for x-forward) should also be available. Please evaluate this in the follow-up.
Closes #358.
What this does
Starts capturing client connection information (the client IP) in request processing, as the enabling step for a future IP-based login-control feature. The lockout/rate-limit mechanism itself is out of scope here — this is the plumbing that makes the client address available to handlers and middleware.
- `into_make_service_with_connect_info::<SocketAddr>()`, so the raw TCP peer address is stored in a `ConnectInfo<SocketAddr>` request extension.
- `request` tracing span as a `client.addr` field (reusing the previously-empty placeholder slot), so the capture is verifiable in request logs.

Mirrors Python Keystone
This deliberately follows how upstream Python Keystone captures the client address:

| Python Keystone | keystone-ng |
| --- | --- |
| `REMOTE_ADDR` / `flask.request.remote_addr` (raw peer when no proxy parsing applies) | `ConnectInfo<SocketAddr>` |
| `remote_addr` surfaced in the auth-failure log line | `client.addr` field on the `request` span |
| `[oslo_middleware] enable_proxy_headers_parsing` (default off) | |

Python captures a single `REMOTE_ADDR` at the WSGI front door; the analogue here is the public HTTP interface. The internal (SPIFFE mTLS/TCP) and admin (SPIFFE mTLS/UDS) interfaces are intentionally not covered: they bypass `axum::serve`, and a Unix socket has no meaningful `SocketAddr`.
Important: raw peer only — not proxy-aware
The captured address is the raw TCP peer. Behind a reverse proxy / load balancer (the normal production topology) it is the proxy's address, not the real client. It must not be used directly for IP-based login control until a trusted forwarded-header layer exists.
Required follow-up (after this merges)
A config-gated forwarded-header layer that parses `X-Forwarded-For` / RFC 7239 `Forwarded`, mirroring Python's `[oslo_middleware] enable_proxy_headers_parsing` — off by default, so a deployment that is not actually behind a trusted proxy cannot be tricked into trusting a spoofed header. (`axum-client-ip` is a candidate, or a hand-rolled middleware.) This is required before any IP-based login control is built on top of this capture.
Composition with #734
Issue #734 wraps the router with `NormalizePathLayer` from the outside, so the public listener serves a `NormalizePath<Router>`, not a plain `Router`. `into_make_service_with_connect_info` is available on the same `axum::ServiceExt` trait already in use (blanket impl for any `Service`), so it applies directly — no restructuring needed.
Tests
Added `connect_info_is_captured_and_normalizes`, which drives the exact production make-service path fully in-process and asserts a `/echo/` request both normalizes the trailing slash and delivers the injected peer address to the handler — proving #358 and #734 compose. The existing `trailing_slash_is_normalized` regression still passes.
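
The decision logic behind the required follow-up described above, as an added example that is not code from this PR or from keystone-ng: the forwarded header is consulted only when parsing is enabled and the raw peer is a trusted proxy. `ProxyConfig`, `trusted_proxies` and `effective_client_ip` are hypothetical names, exact-IP trust entries are an assumption, and the right-to-left walk over chained proxies goes beyond what the description specifies.

```rust
use std::net::{IpAddr, SocketAddr};

/// Hypothetical config; the flag name mirrors oslo_middleware's option.
#[derive(Default)]
pub struct ProxyConfig {
    pub enable_proxy_headers_parsing: bool, // false unless configured
    /// Assumption: trusted proxies are listed as exact IPs, not CIDR ranges.
    pub trusted_proxies: Vec<IpAddr>,
}

/// Address to use for IP-based decisions. `peer` is the raw TCP peer (what
/// `ConnectInfo<SocketAddr>` carries); `xff` is the X-Forwarded-For value.
pub fn effective_client_ip(peer: SocketAddr, xff: Option<&str>, cfg: &ProxyConfig) -> IpAddr {
    let peer_ip = peer.ip();
    // Header parsing must be switched on, and only a trusted peer may vouch
    // for another address; otherwise the header is client-controlled input.
    if !cfg.enable_proxy_headers_parsing || !cfg.trusted_proxies.contains(&peer_ip) {
        return peer_ip;
    }
    let header = match xff {
        Some(h) => h,
        None => return peer_ip,
    };
    // Walk right to left: rightmost entries were appended by our own proxies.
    // The first untrusted hop is the client; entries left of it are
    // client-supplied and never consulted.
    let mut candidate = peer_ip;
    for hop in header.rsplit(',') {
        match hop.trim().parse::<IpAddr>() {
            Ok(ip) if cfg.trusted_proxies.contains(&ip) => candidate = ip,
            Ok(ip) => return ip,
            // Malformed entry: keep the last address we could vouch for.
            Err(_) => return candidate,
        }
    }
    candidate
}

fn main() {
    // Constructed sample: one trusted proxy, a client that prepends a fake hop.
    let cfg = ProxyConfig {
        enable_proxy_headers_parsing: true,
        trusted_proxies: vec!["10.0.0.5".parse().unwrap()],
    };
    let peer: SocketAddr = "10.0.0.5:44321".parse().unwrap();
    let ip = effective_client_ip(peer, Some("1.2.3.4, 198.51.100.7"), &cfg);
    println!("decision address: {}", ip);
}
```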