Use oslo_utils constant_time_compare

The olso_utils library already contains a constant_time_compare
function and the Anchor version is nearly identical. Might as
well use the global util rather than have a copy of its own.

Change-Id: Iaf02c20560ca244d244a88127996139f8abcce9b

anchor/auth/static.py

@@ -17,8 +17,8 @@ import logging
 
 from anchor.auth import results
 from anchor import jsonloader
-from anchor import util
 
+from oslo_utils import secretutils as util
 
 logger = logging.getLogger(__name__)
 

anchor/util.py

@@ -14,7 +14,6 @@
 from __future__ import absolute_import
 
 import base64
-import hmac
 import os
 import re
 import stat
@@ -22,36 +21,6 @@ import stat
 from anchor import errors
 
 
-def constant_time_compare(val1, val2):
-    """Returns True if the two strings are equal, False otherwise.
-
-       Tries to use the standard library, if available. Otherwise
-       falls back to a local implementation.
-    """
-    try:
-        return hmac.compare_digest(val1, val2)
-    except AttributeError:
-        return _constant_time_compare(val1, val2)
-
-
-def _constant_time_compare(val1, val2):
-    """Returns True if the two strings are equal, False otherwise.
-
-       The time taken is independent of the number of characters that
-       match. For the sake of simplicity, this function executes in
-       constant time only when the two strings have the same length. It
-       short-circuits when they have different lengths.
-
-       This function was derrived from the django crypto utils.
-    """
-    if len(val1) != len(val2):
-        return False
-    result = 0
-    for x, y in zip(val1, val2):
-        result |= ord(x) ^ ord(y)
-    return result == 0
-
-
 # RFC1034 allows a simple " " too, but it's not allowed in certificates, so it
 # will not match
 RE_DOMAIN_LABEL = re.compile("^[a-z](?:[-a-z0-9]*[a-z0-9])?$", re.IGNORECASE)

requirements.txt

@@ -14,3 +14,4 @@ stevedore>=1.5.0 # Apache-2.0
 pycadf!=2.0.0,>=1.1.0 # Apache-2.0
 oslo.config>=3.4.0 # Apache-2.0
 oslo.messaging>=4.0.0 # Apache-2.0
+oslo.utils>=3.5.0 # Apache-2.0

tests/test_util.py

@@ -1,48 +0,0 @@
-# -*- coding:utf-8 -*-
-#
-# Copyright 2015 Hewlett-Packard Development Company, L.P.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-
-import unittest
-
-import mock
-
-from anchor import util
-
-
-class UtilTests(unittest.TestCase):
-
-    @mock.patch('hmac.compare_digest', create=True)
-    def test_compare_with_hmac(self, compare_digest):
-        compare_digest.return_value = True
-        self.assertTrue(util.constant_time_compare("", ""))
-
-    @mock.patch('hmac.compare_digest', create=True)
-    def test_compare_with_shim_eq(self, compare_digest):
-        compare_digest.side_effect = AttributeError(
-            "'hmac' has no attribute 'compare_digest'")
-        self.assertTrue(util.constant_time_compare("abc", "abc"))
-
-    @mock.patch('hmac.compare_digest', create=True)
-    def test_compare_with_shim_ne(self, compare_digest):
-        compare_digest.side_effect = AttributeError(
-            "'hmac' has no attribute 'compare_digest'")
-        self.assertFalse(util.constant_time_compare("abc", "def"))
-
-    @mock.patch('hmac.compare_digest', create=True)
-    def test_compare_with_shim_different_len(self, compare_digest):
-        compare_digest.side_effect = AttributeError(
-            "'hmac' has no attribute 'compare_digest'")
-        self.assertFalse(util.constant_time_compare("abc", ""))