"Resolve" bandit issue with sha1 hashes

We only use them as a consistent hash, not for anything security
related. Even if someone could manage a hash collision or something,
the worst that could happen is their own LB stops working...
So, just tell bandit to ignore them.
Added a docstring to one function to attempt to be extra clear.

Change-Id: Ic337c32020e12183e2246b844ded07a83c6d3ad8
Adam Harwell 2018-08-17 07:22:27 +09:00
parent 790f29e006
commit 91fae05a7d
2 changed files with 9 additions and 2 deletions
octavia/common

@ -361,7 +361,10 @@ def load_certificates_data(cert_mngr, listener, context=None):
def _map_cert_tls_container(cert):
return data_models.TLSContainer(
id=hashlib.sha1(cert.get_certificate()).hexdigest(),
# TODO(rm_work): applying nosec here because this is not intended to be
# secure, it's just a way to get a consistent ID. Changing this would
# break backwards compatibility with existing loadbalancers.
id=hashlib.sha1(cert.get_certificate()).hexdigest(), # nosec
primary_cn=get_primary_cn(cert),
private_key=prepare_private_key(
cert.get_private_key(),
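Review bot: The comment added above the `id=` argument in `_map_cert_tls_container` is tagged `TODO(rm_work)` but names no outstanding work; it only explains why the finding is suppressed. Either retag it as a `NOTE`, or state what the TODO actually is (for example, a migration to another hash that keeps existing loadbalancer IDs stable). It would also help to say in the comment that the ID is derived from the certificate body only, so a reader can confirm that nothing secret depends on SHA-1 here. The bare `# nosec` silences every bandit check on that line, not just the sha1 one, so the line should stay limited to the single `hashlib.sha1(...)` call.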

@ -38,7 +38,11 @@ def get_hostname():
def base64_sha1_string(string_to_hash):
hash_str = hashlib.sha1(string_to_hash.encode('utf-8')).digest()
"""Get a b64-encoded sha1 hash of a string. Not intended to be secure!"""
# TODO(rm_work): applying nosec here because this is not intended to be
# secure, it's just a way to get a consistent ID. Changing this would
# break backwards compatibility with existing loadbalancers.
hash_str = hashlib.sha1(string_to_hash.encode('utf-8')).digest() # nosec
b64_str = base64.b64encode(hash_str, str.encode('_-', 'ascii'))
return b64_str.decode('UTF-8')
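Review bot: The new docstring on `base64_sha1_string` says "Not intended to be secure!" but does not say what the function is for, and the docstring is what a future caller will see. The purpose ("a way to get a consistent ID") is only in the inline comment. Consider moving that into the docstring and stating explicitly that the result must not be used for integrity or authentication, because `# nosec` on the `hash_str` line suppresses the warning for every caller of this helper, including ones added later. The three-line `TODO(rm_work)` comment is also a verbatim copy of the one in `_map_cert_tls_container`, and it describes a rationale rather than pending work.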