From e1ee648fc0936fb7b990b76e336a99586146859b Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Fri, 25 Jun 2021 16:10:59 -0400 Subject: [PATCH] Replace md5 for fips md5 is not an approved algorithm in FIPS mode, and trying to instantiate a hashlib.md5() will fail when the system is running in FIPS mode. md5 is allowed when in a non-security context. There is a plan to add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate whether or not the instance is being used in a security context. In the case where it is not, the instantiation of md5 will be allowed. See https://bugs.python.org/issue9216 for more details. Some downstream python versions already support this parameter. To support these versions, a new encapsulation of md5() has been added to oslo_utils. See https://review.opendev.org/#/c/750031/ In this case, md5 is used to calculate the hash of a database record to ensure record uniqueness. Change-Id: Ic2571caa71dc99c417ea0933d5d4947287cbe312 (cherry picked from commit 7ea564329097c078ac4db9ed02dac7d54ef467db)
---
 designate/storage/impl_sqlalchemy/__init__.py | 10 +++++-----
 lower-constraints.txt | 2 +-
 requirements.txt | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/designate/storage/impl_sqlalchemy/__init__.py b/designate/storage/impl_sqlalchemy/__init__.py
index 00e2575d2..7449f9e21 100644
--- a/designate/storage/impl_sqlalchemy/__init__.py
+++ b/designate/storage/impl_sqlalchemy/__init__.py
@@ -14,9 +14,9 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 import time
-import hashlib
 from oslo_log import log as logging
+from oslo_utils.secretutils import md5
 from sqlalchemy import select, distinct, func
 from sqlalchemy.sql.expression import or_
@@ -799,11 +799,11 @@ class SQLAlchemyStorage(sqlalchemy_base.SQLAlchemy, storage_base.Storage):
 """
 Calculates the hash of the record, used to ensure record uniqueness.
 """
- md5 = hashlib.md5()
- md5.update(("%s:%s" % (record.recordset_id,
- record.data)).encode('utf-8'))
+ md5sum = md5(usedforsecurity=False)
+ md5sum.update(("%s:%s" % (record.recordset_id,
+ record.data)).encode('utf-8'))
- return md5.hexdigest()
+ return md5sum.hexdigest()
 def create_record(self, context, zone_id, recordset_id, record):
 # Fetch the zone as we need the tenant_id
diff --git a/lower-constraints.txt b/lower-constraints.txt
index 90985cdbe..1a2e8ad5d 100644
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -83,7 +83,7 @@ oslo.rootwrap==5.8.0
 oslo.serialization==2.25.0
 oslo.service==1.31.0
 oslo.upgradecheck==1.3.0
-oslo.utils==4.5.0
+oslo.utils==4.7.0
 oslo.versionedobjects==1.31.2
 oslotest==3.2.0
 packaging==20.4
diff --git a/requirements.txt b/requirements.txt
index 26c39be30..6f622631a 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -20,7 +20,7 @@ oslo.rootwrap>=5.8.0 # Apache-2.0
 oslo.serialization>=2.25.0 # Apache-2.0
 oslo.service>=1.31.0 # Apache-2.0
 oslo.upgradecheck>=1.3.0
-oslo.utils>=4.5.0 # Apache-2.0
+oslo.utils>=4.7.0 # Apache-2.0
 oslo.versionedobjects>=1.31.2 # Apache-2.0
 Paste>=2.0.2 # MIT
 PasteDeploy>=1.5.0 # MIT
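Review bot: The `usedforsecurity=False` argument on the new `md5(...)` call in the record-hash method of designate/storage/impl_sqlalchemy/__init__.py (hunk at line 799) is a claim that exempts this digest from FIPS enforcement, yet nothing at the call site says why it holds. The docstring says only that the hash is "used to ensure record uniqueness", so a later reader cannot tell a justified exemption from a convenient one. I would add a comment directly above the call, for example `# Non-security use: the digest only de-duplicates (recordset_id, data); nothing authenticates or trusts it.` Since `record.data` presumably comes from API users, it is also worth confirming that two different payloads with the same MD5 digest can cause nothing worse than a duplicate-record rejection within one recordset; the uniqueness constraint itself is not visible in this hunk. The method's `def` line is outside the hunk, so this is based on the docstring and body shown.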