Merge "Replace md5 for fips"

lower-constraints.txt

@@ -91,7 +91,7 @@ oslo.reports==1.18.0
 oslo.serialization==2.28.1
 oslo.service==1.30.0
 oslo.upgradecheck==1.3.0
-oslo.utils==4.5.0
+oslo.utils==4.7.0
 oslotest==3.2.0
 packaging==20.4
 paramiko==2.4.1

octavia/amphorae/backends/agent/api_server/loadbalancer.py

@@ -12,7 +12,6 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-import hashlib
 import io
 import os
 import re
@@ -24,6 +23,7 @@ import flask
 import jinja2
 from oslo_config import cfg
 from oslo_log import log as logging
+from oslo_utils.secretutils import md5
 import webob
 from werkzeug import exceptions
 
@@ -56,7 +56,7 @@ SYSTEMD_TEMPLATE = JINJA_ENV.get_template(SYSTEMD_CONF)
 class Wrapped(object):
     def __init__(self, stream_):
         self.stream = stream_
-        self.hash = hashlib.md5()  # nosec
+        self.hash = md5(usedforsecurity=False)  # nosec
 
     def read(self, line):
         block = self.stream.read(line)
@@ -86,7 +86,8 @@ class Loadbalancer(object):
             cfg = file.read()
             resp = webob.Response(cfg, content_type='text/plain')
             resp.headers['ETag'] = (
-                hashlib.md5(octavia_utils.b(cfg)).hexdigest())  # nosec
+                md5(octavia_utils.b(cfg),
+                    usedforsecurity=False).hexdigest())  # nosec
             return resp
 
     def upload_haproxy_config(self, amphora_id, lb_id):
@@ -415,9 +416,10 @@ class Loadbalancer(object):
 
         with open(cert_path, 'r') as crt_file:
             cert = crt_file.read()
-            md5 = hashlib.md5(octavia_utils.b(cert)).hexdigest()  # nosec
+            md5sum = md5(octavia_utils.b(cert),
-            resp = webob.Response(json=dict(md5sum=md5))
+                         usedforsecurity=False).hexdigest()  # nosec
-            resp.headers['ETag'] = md5
+            resp = webob.Response(json=dict(md5sum=md5sum))
+            resp.headers['ETag'] = md5sum
             return resp
 
     def delete_certificate(self, lb_id, filename):

octavia/amphorae/drivers/haproxy/rest_api_driver.py

@@ -21,6 +21,7 @@ import warnings
 
 from oslo_context import context as oslo_context
 from oslo_log import log as logging
+from oslo_utils.secretutils import md5
 import requests
 import simplejson
 from stevedore import driver as stevedore_driver
@@ -468,20 +469,21 @@ class HaproxyAmphoraLoadBalancerDriver(
         if amphora and obj_id:
             for cert in certs:
                 pem = cert_parser.build_pem(cert)
-                md5 = hashlib.md5(pem).hexdigest()  # nosec
+                md5sum = md5(pem, usedforsecurity=False).hexdigest()  # nosec
                 name = '{id}.pem'.format(id=cert.id)
                 cert_filename_list.append(
                     os.path.join(
                         CONF.haproxy_amphora.base_cert_dir, obj_id, name))
-                self._upload_cert(amphora, obj_id, pem, md5, name)
+                self._upload_cert(amphora, obj_id, pem, md5sum, name)
 
             if certs:
                 # Build and upload the crt-list file for haproxy
                 crt_list = "\n".join(cert_filename_list)
                 crt_list = f'{crt_list}\n'.encode('utf-8')
-                md5 = hashlib.md5(crt_list).hexdigest()  # nosec
+                md5sum = md5(crt_list,
+                             usedforsecurity=False).hexdigest()  # nosec
                 name = '{id}.pem'.format(id=listener.id)
-                self._upload_cert(amphora, obj_id, crt_list, md5, name)
+                self._upload_cert(amphora, obj_id, crt_list, md5sum, name)
         return {'tls_cert': tls_cert, 'sni_certs': sni_certs}
 
     def _process_secret(self, listener, secret_ref, amphora=None, obj_id=None):
@@ -497,13 +499,13 @@ class HaproxyAmphoraLoadBalancerDriver(
             secret = secret.encode('utf-8')
         except AttributeError:
             pass
-        md5 = hashlib.md5(secret).hexdigest()  # nosec
+        md5sum = md5(secret, usedforsecurity=False).hexdigest()  # nosec
         id = hashlib.sha1(secret).hexdigest()  # nosec
         name = '{id}.pem'.format(id=id)
 
         if amphora and obj_id:
             self._upload_cert(
-                amphora, obj_id, pem=secret, md5=md5, name=name)
+                amphora, obj_id, pem=secret, md5sum=md5sum, name=name)
         return name
 
     def _process_listener_pool_certs(self, listener, amphora, obj_id):
@@ -536,10 +538,11 @@ class HaproxyAmphoraLoadBalancerDriver(
                 pem = pem.encode('utf-8')
             except AttributeError:
                 pass
-            md5 = hashlib.md5(pem).hexdigest()  # nosec
+            md5sum = md5(pem, usedforsecurity=False).hexdigest()  # nosec
             name = '{id}.pem'.format(id=tls_cert.id)
             if amphora and obj_id:
-                self._upload_cert(amphora, obj_id, pem=pem, md5=md5, name=name)
+                self._upload_cert(amphora, obj_id, pem=pem,
+                                  md5sum=md5sum, name=name)
             pool_cert_dict['client_cert'] = os.path.join(
                 CONF.haproxy_amphora.base_cert_dir, obj_id, name)
         if pool.ca_tls_certificate_id:
@@ -555,10 +558,10 @@ class HaproxyAmphoraLoadBalancerDriver(
 
         return pool_cert_dict
 
-    def _upload_cert(self, amp, listener_id, pem, md5, name):
+    def _upload_cert(self, amp, listener_id, pem, md5sum, name):
         try:
             if self.clients[amp.api_version].get_cert_md5sum(
-                    amp, listener_id, name, ignore=(404,)) == md5:
+                    amp, listener_id, name, ignore=(404,)) == md5sum:
                 return
         except exc.NotFound:
             pass

octavia/tests/functional/amphorae/backend/agent/api_server/test_server.py

@@ -12,7 +12,6 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-import hashlib
 import os
 import random
 import socket
@@ -23,6 +22,7 @@ from unittest import mock
 import fixtures
 from oslo_config import fixture as oslo_fixture
 from oslo_serialization import jsonutils
+from oslo_utils.secretutils import md5
 from oslo_utils import uuidutils
 
 from octavia.amphorae.backends.agent import api_server
@@ -862,8 +862,8 @@ class TestServerTestCase(base.TestCase):
             rv = self.centos_app.get('/' + api_server.VERSION +
                                      '/loadbalancer/123/certificates/test.pem')
         self.assertEqual(200, rv.status_code)
-        self.assertEqual(dict(md5sum=hashlib.md5(octavia_utils.
+        self.assertEqual(dict(md5sum=md5(octavia_utils.b(CONTENT),
-                                                 b(CONTENT)).hexdigest()),
+                                         usedforsecurity=False).hexdigest()),
                          jsonutils.loads(rv.data.decode('utf-8')))
 
     def test_ubuntu_upload_certificate_md5(self):

octavia/tests/unit/amphorae/drivers/haproxy/test_rest_api_driver_0_5.py

@@ -17,6 +17,7 @@ from unittest import mock
 
 from oslo_config import cfg
 from oslo_config import fixture as oslo_fixture
+from oslo_utils.secretutils import md5
 from oslo_utils import uuidutils
 import requests
 import requests_mock
@@ -342,7 +343,7 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
         mock_oslo.return_value = fake_context
         self.driver.cert_manager.get_secret.reset_mock()
         self.driver.cert_manager.get_secret.return_value = fake_secret
-        ref_md5 = hashlib.md5(fake_secret).hexdigest()  # nosec
+        ref_md5 = md5(fake_secret, usedforsecurity=False).hexdigest()  # nosec
         ref_id = hashlib.sha1(fake_secret).hexdigest()  # nosec
         ref_name = '{id}.pem'.format(id=ref_id)
 
@@ -356,7 +357,7 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
             fake_context, sample_listener.client_ca_tls_certificate_id)
         mock_upload_cert.assert_called_once_with(
             self.amp, sample_listener.id, pem=fake_secret,
-            md5=ref_md5, name=ref_name)
+            md5sum=ref_md5, name=ref_name)
         self.assertEqual(ref_name, result)
 
     @mock.patch('octavia.amphorae.drivers.haproxy.rest_api_driver.'
@@ -406,7 +407,7 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
         mock_load_certs.return_value = pool_data
         fake_pem = b'fake pem'
         mock_build_pem.return_value = fake_pem
-        ref_md5 = hashlib.md5(fake_pem).hexdigest()  # nosec
+        ref_md5 = md5(fake_pem, usedforsecurity=False).hexdigest()  # nosec
         ref_name = '{id}.pem'.format(id=pool_cert.id)
         ref_path = '{cert_dir}/{list_id}/{name}'.format(
             cert_dir=fake_cert_dir, list_id=sample_listener.id, name=ref_name)
@@ -437,7 +438,7 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
         mock_build_pem.assert_called_once_with(pool_cert)
         mock_upload_cert.assert_called_once_with(
             self.amp, sample_listener.id, pem=fake_pem,
-            md5=ref_md5, name=ref_name)
+            md5sum=ref_md5, name=ref_name)
         mock_secret.assert_has_calls(secret_calls)
         self.assertEqual(ref_result, result)
 

octavia/tests/unit/amphorae/drivers/haproxy/test_rest_api_driver_1_0.py

@@ -17,6 +17,7 @@ from unittest import mock
 
 from oslo_config import cfg
 from oslo_config import fixture as oslo_fixture
+from oslo_utils.secretutils import md5
 from oslo_utils import uuidutils
 import requests
 import requests_mock
@@ -343,7 +344,7 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
         mock_oslo.return_value = fake_context
         self.driver.cert_manager.get_secret.reset_mock()
         self.driver.cert_manager.get_secret.return_value = fake_secret
-        ref_md5 = hashlib.md5(fake_secret).hexdigest()  # nosec
+        ref_md5 = md5(fake_secret, usedforsecurity=False).hexdigest()  # nosec
         ref_id = hashlib.sha1(fake_secret).hexdigest()  # nosec
         ref_name = '{id}.pem'.format(id=ref_id)
 
@@ -357,7 +358,7 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
             fake_context, sample_listener.client_ca_tls_certificate_id)
         mock_upload_cert.assert_called_once_with(
             self.amp, sample_listener.id, pem=fake_secret,
-            md5=ref_md5, name=ref_name)
+            md5sum=ref_md5, name=ref_name)
         self.assertEqual(ref_name, result)
 
     @mock.patch('octavia.amphorae.drivers.haproxy.rest_api_driver.'
@@ -407,7 +408,7 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
         mock_load_certs.return_value = pool_data
         fake_pem = b'fake pem'
         mock_build_pem.return_value = fake_pem
-        ref_md5 = hashlib.md5(fake_pem).hexdigest()  # nosec
+        ref_md5 = md5(fake_pem, usedforsecurity=False).hexdigest()  # nosec
         ref_name = '{id}.pem'.format(id=pool_cert.id)
         ref_path = '{cert_dir}/{lb_id}/{name}'.format(
             cert_dir=fake_cert_dir, lb_id=sample_listener.load_balancer.id,
@@ -439,7 +440,7 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
         mock_build_pem.assert_called_once_with(pool_cert)
         mock_upload_cert.assert_called_once_with(
             self.amp, sample_listener.load_balancer.id, pem=fake_pem,
-            md5=ref_md5, name=ref_name)
+            md5sum=ref_md5, name=ref_name)
         mock_secret.assert_has_calls(secret_calls)
         self.assertEqual(ref_result, result)
 

requirements.txt

@@ -26,7 +26,7 @@ oslo.policy>=3.7.0 # Apache-2.0
 oslo.reports>=1.18.0 # Apache-2.0
 oslo.serialization>=2.28.1 # Apache-2.0
 oslo.upgradecheck>=1.3.0 # Apache-2.0
-oslo.utils>=4.5.0 # Apache-2.0
+oslo.utils>=4.7.0 # Apache-2.0
 pyasn1!=0.2.3,>=0.1.8 # BSD
 pyasn1-modules>=0.0.6 # BSD
 python-barbicanclient>=4.5.2 # Apache-2.0