Configurable token hashing algorithm

The Keystone server and auth_token middleware were enhanced to
support a configurable hash algorithm.

With this change, the user can set

 KEYSTONE_TOKEN_HASH_ALGORITHM=sha256

in their localrc to use the SHA256 algorithm rather than the
default md5. Any hash algorithm supported by Python's hashlib can
be used. MD5 no longer provides adequate protection against hash
collisions, and some security standards mandate a SHA-2 hash
algorithm.

Change-Id: I8b373291ceb760a03c4c14aebfeb53d8d0dfbcc1
Closes-Bug: #1174499
Brant Knudson
2014-08-24 18:54:51 -05:00
parent 0595237e8a
commit 3951a94499
2 changed files with 10 additions and 0 deletions


@@ -112,6 +112,9 @@ function init_horizon {
_horizon_config_set $local_settings "" OPENSTACK_HOST \"${KEYSTONE_SERVICE_HOST}\"
_horizon_config_set $local_settings "" OPENSTACK_KEYSTONE_URL "\"${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT}/v2.0\""
if [[ -n "$KEYSTONE_TOKEN_HASH_ALGORITHM" ]]; then
_horizon_config_set $local_settings "" OPENSTACK_TOKEN_HASH_ALGORITHM \""$KEYSTONE_TOKEN_HASH_ALGORITHM"\"
fi
if [ -f $SSL_BUNDLE_FILE ]; then
_horizon_config_set $local_settings "" OPENSTACK_SSL_CACERT \"${SSL_BUNDLE_FILE}\"
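Review bot: The value of KEYSTONE_TOKEN_HASH_ALGORITHM is written verbatim into a Python string literal in local_settings (`\""$KEYSTONE_TOKEN_HASH_ALGORITHM"\"`) with no validation, so a typo such as `sha-256` or a stray quote character is only discovered when Horizon or Keystone fails at runtime, after the same value has already been written into the Keystone and auth_token configs as well. Since localrc is operator-controlled this is not an injection concern, but a cheap guard at the first use would fail fast at configure time, e.g. `[[ "$KEYSTONE_TOKEN_HASH_ALGORITHM" =~ ^[A-Za-z0-9_]+$ ]] || die $LINENO "invalid KEYSTONE_TOKEN_HASH_ALGORITHM"` (using whatever error helper this file already uses). init_horizon starts and ends outside the hunk.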


@@ -296,6 +296,10 @@ function configure_keystone {
iniset $KEYSTONE_CONF DEFAULT admin_workers "$API_WORKERS"
# Public workers will use the server default, typically number of CPU.
if [[ -n "$KEYSTONE_TOKEN_HASH_ALGORITHM" ]]; then
iniset $KEYSTONE_CONF token hash_algorithm "$KEYSTONE_TOKEN_HASH_ALGORITHM"
fi
}
function configure_keystone_extensions {
@@ -417,6 +421,9 @@ function configure_auth_token_middleware {
iniset $conf_file $section admin_user $admin_user
iniset $conf_file $section admin_password $SERVICE_PASSWORD
iniset $conf_file $section signing_dir $signing_dir
if [[ -n "$KEYSTONE_TOKEN_HASH_ALGORITHM" ]]; then
iniset $conf_file keystone_authtoken hash_algorithms "$KEYSTONE_TOKEN_HASH_ALGORITHM"
fi
}
# init_keystone() - Initialize databases, etc.
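Review bot: The new `iniset` for hash_algorithms hard-codes the `keystone_authtoken` section while the three lines directly above it write to `$section`, so when configure_auth_token_middleware is called with a non-default section the hash option lands in a different section from the rest of the middleware settings and is presumably ignored there. For consistency the line should be `iniset $conf_file $section hash_algorithms "$KEYSTONE_TOKEN_HASH_ALGORITHM"`. It is also worth a short comment that the Keystone option in configure_keystone is the singular `hash_algorithm` while the middleware option is the plural `hash_algorithms`, which suggests the latter accepts a list; `# auth_token's hash_algorithms is a list; keystone's hash_algorithm is a single value` would save the next reader from assuming one is a typo. configure_auth_token_middleware's signature is outside the hunk.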