Hash functions support different hash algorithms
The token hash functions always used MD5. With this change, the hash function can be passed in to the hash functions. SecurityImpact Related-Bug: #1174499 Change-Id: Ia08c2d6252bb034087a244b47d5bcbea7dcfa70b
This commit is contained in:
		| @@ -261,7 +261,7 @@ def cms_to_token(cms_text): | |||||||
|     return signed_text |     return signed_text | ||||||
|  |  | ||||||
|  |  | ||||||
| def cms_hash_token(token_id): | def cms_hash_token(token_id, mode='md5'): | ||||||
|     """Hash PKI tokens. |     """Hash PKI tokens. | ||||||
|  |  | ||||||
|     return: for ans1_token, returns the hash of the passed in token |     return: for ans1_token, returns the hash of the passed in token | ||||||
| @@ -270,7 +270,7 @@ def cms_hash_token(token_id): | |||||||
|     if token_id is None: |     if token_id is None: | ||||||
|         return None |         return None | ||||||
|     if is_ans1_token(token_id): |     if is_ans1_token(token_id): | ||||||
|         hasher = hashlib.md5() |         hasher = hashlib.new(mode) | ||||||
|         if isinstance(token_id, six.text_type): |         if isinstance(token_id, six.text_type): | ||||||
|             token_id = token_id.encode('utf-8') |             token_id = token_id.encode('utf-8') | ||||||
|         hasher.update(token_id) |         hasher.update(token_id) | ||||||
|   | |||||||
| @@ -15,6 +15,7 @@ import subprocess | |||||||
|  |  | ||||||
| import mock | import mock | ||||||
| import testresources | import testresources | ||||||
|  | from testtools import matchers | ||||||
|  |  | ||||||
| from keystoneclient.common import cms | from keystoneclient.common import cms | ||||||
| from keystoneclient import exceptions | from keystoneclient import exceptions | ||||||
| @@ -111,6 +112,32 @@ class CMSTest(utils.TestCase, testresources.ResourcedTestCase): | |||||||
|                                        self.examples.SIGNING_CERT_FILE, |                                        self.examples.SIGNING_CERT_FILE, | ||||||
|                                        self.examples.SIGNING_CA_FILE)) |                                        self.examples.SIGNING_CA_FILE)) | ||||||
|  |  | ||||||
|  |     def test_cms_hash_token_no_token_id(self): | ||||||
|  |         token_id = None | ||||||
|  |         self.assertThat(cms.cms_hash_token(token_id), matchers.Is(None)) | ||||||
|  |  | ||||||
|  |     def test_cms_hash_token_not_pki(self): | ||||||
|  |         """If the token_id is not a PKI token then it returns the token_id.""" | ||||||
|  |         token = 'something' | ||||||
|  |         self.assertFalse(cms.is_ans1_token(token)) | ||||||
|  |         self.assertThat(cms.cms_hash_token(token), matchers.Is(token)) | ||||||
|  |  | ||||||
|  |     def test_cms_hash_token_default_md5(self): | ||||||
|  |         """The default hash method is md5.""" | ||||||
|  |         token = self.examples.SIGNED_TOKEN_SCOPED | ||||||
|  |         token_id_default = cms.cms_hash_token(token) | ||||||
|  |         token_id_md5 = cms.cms_hash_token(token, mode='md5') | ||||||
|  |         self.assertThat(token_id_default, matchers.Equals(token_id_md5)) | ||||||
|  |         # md5 hash is 32 chars. | ||||||
|  |         self.assertThat(token_id_default, matchers.HasLength(32)) | ||||||
|  |  | ||||||
|  |     def test_cms_hash_token_sha256(self): | ||||||
|  |         """Can also hash with sha256.""" | ||||||
|  |         token = self.examples.SIGNED_TOKEN_SCOPED | ||||||
|  |         token_id = cms.cms_hash_token(token, mode='sha256') | ||||||
|  |         # sha256 hash is 64 chars. | ||||||
|  |         self.assertThat(token_id, matchers.HasLength(64)) | ||||||
|  |  | ||||||
|  |  | ||||||
| def load_tests(loader, tests, pattern): | def load_tests(loader, tests, pattern): | ||||||
|     return testresources.OptimisingTestSuite(tests) |     return testresources.OptimisingTestSuite(tests) | ||||||
|   | |||||||
| @@ -14,8 +14,11 @@ import logging | |||||||
| import sys | import sys | ||||||
|  |  | ||||||
| import six | import six | ||||||
|  | import testresources | ||||||
|  | from testtools import matchers | ||||||
|  |  | ||||||
| from keystoneclient import exceptions | from keystoneclient import exceptions | ||||||
|  | from keystoneclient.tests import client_fixtures | ||||||
| from keystoneclient.tests import utils as test_utils | from keystoneclient.tests import utils as test_utils | ||||||
| from keystoneclient import utils | from keystoneclient import utils | ||||||
|  |  | ||||||
| @@ -204,3 +207,34 @@ class TestPositional(test_utils.TestCase): | |||||||
|     def test_normal_method(self): |     def test_normal_method(self): | ||||||
|         self.assertEqual((self, 1, 2), self.normal_method(1, b=2)) |         self.assertEqual((self, 1, 2), self.normal_method(1, b=2)) | ||||||
|         self.assertRaises(TypeError, self.normal_method, 1, 2) |         self.assertRaises(TypeError, self.normal_method, 1, 2) | ||||||
|  |  | ||||||
|  |  | ||||||
|  | class HashSignedTokenTestCase(test_utils.TestCase, | ||||||
|  |                               testresources.ResourcedTestCase): | ||||||
|  |     """Unit tests for utils.hash_signed_token().""" | ||||||
|  |  | ||||||
|  |     resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)] | ||||||
|  |  | ||||||
|  |     def test_default_md5(self): | ||||||
|  |         """The default hash method is md5.""" | ||||||
|  |         token = self.examples.SIGNED_TOKEN_SCOPED | ||||||
|  |         if six.PY3: | ||||||
|  |             token = token.encode('utf-8') | ||||||
|  |         token_id_default = utils.hash_signed_token(token) | ||||||
|  |         token_id_md5 = utils.hash_signed_token(token, mode='md5') | ||||||
|  |         self.assertThat(token_id_default, matchers.Equals(token_id_md5)) | ||||||
|  |         # md5 hash is 32 chars. | ||||||
|  |         self.assertThat(token_id_default, matchers.HasLength(32)) | ||||||
|  |  | ||||||
|  |     def test_sha256(self): | ||||||
|  |         """Can also hash with sha256.""" | ||||||
|  |         token = self.examples.SIGNED_TOKEN_SCOPED | ||||||
|  |         if six.PY3: | ||||||
|  |             token = token.encode('utf-8') | ||||||
|  |         token_id = utils.hash_signed_token(token, mode='sha256') | ||||||
|  |         # sha256 hash is 64 chars. | ||||||
|  |         self.assertThat(token_id, matchers.HasLength(64)) | ||||||
|  |  | ||||||
|  |  | ||||||
|  | def load_tests(loader, tests, pattern): | ||||||
|  |     return testresources.OptimisingTestSuite(tests) | ||||||
|   | |||||||
| @@ -141,8 +141,8 @@ def isunauthenticated(f): | |||||||
|     return getattr(f, 'unauthenticated', False) |     return getattr(f, 'unauthenticated', False) | ||||||
|  |  | ||||||
|  |  | ||||||
| def hash_signed_token(signed_text): | def hash_signed_token(signed_text, mode='md5'): | ||||||
|     hash_ = hashlib.md5() |     hash_ = hashlib.new(mode) | ||||||
|     hash_.update(signed_text) |     hash_.update(signed_text) | ||||||
|     return hash_.hexdigest() |     return hash_.hexdigest() | ||||||
|  |  | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user
	 Brant Knudson
					Brant Knudson