Add config option for algo to use in temp_url tests

This is so to configure which hashlib algorithm should be used for the temp_url tests, defaulting to sha256 but preserving the ability to use sha1 for compatibility with other Swift implementations. Change-Id: Ia4923d47870fcb914a33adecb7155763ec1d0b2f
2022-07-14 15:14:24 +02:00 · 2022-07-14 15:14:24 +02:00 · 95758b165d
parent f57154e083
commit 95758b165d
4 changed files with 30 additions and 2 deletions
--- a/releasenotes/notes/temp_url_tests_digest_config-3d8c9bb271961ddd.yaml
+++ b/releasenotes/notes/temp_url_tests_digest_config-3d8c9bb271961ddd.yaml
@ -0,0 +1,11 @@
+---
+features:
+  - |
+    Add configuration parameter `tempurl_digest_hashlib` into
+    `object-storage-feature-enabled` which configures the hashing algorithm to
+    use for the temp_url tests; defaults to 'sha256'.
+security:
+  - |
+    Swift used to support only 'sha1' for temp_url hashing but from many
+    years now 'sha256' and 'sha512' are also available. These are stronger
+    than 'sha1' and tempest now allows configuring which one to use.
--- a/tempest/api/object_storage/test_object_temp_url.py
+++ b/tempest/api/object_storage/test_object_temp_url.py
@ -19,9 +19,12 @@ from urllib import parse as urlparse

 from tempest.api.object_storage import base
 from tempest.common import utils
+from tempest import config
 from tempest.lib.common.utils import data_utils
 from tempest.lib import decorators

+CONF = config.CONF
+

 class ObjectTempUrlTest(base.BaseObjectTest):
    """Test object temp url"""
@ -77,8 +80,11 @@ class ObjectTempUrlTest(base.BaseObjectTest):
            container, object_name)

        hmac_body = '%s\n%s\n%s' % (method, expires, path)
+        hlib = getattr(
+            hashlib,
+            CONF.object_storage_feature_enabled.tempurl_digest_hashlib)
        sig = hmac.new(
-            key.encode(), hmac_body.encode(), hashlib.sha256
+            key.encode(), hmac_body.encode(), hlib
        ).hexdigest()

        url = "%s/%s?temp_url_sig=%s&temp_url_expires=%s" % (container,
--- a/tempest/api/object_storage/test_object_temp_url_negative.py
+++ b/tempest/api/object_storage/test_object_temp_url_negative.py
@ -19,10 +19,13 @@ from urllib import parse as urlparse

 from tempest.api.object_storage import base
 from tempest.common import utils
+from tempest import config
 from tempest.lib.common.utils import data_utils
 from tempest.lib import decorators
 from tempest.lib import exceptions as lib_exc

+CONF = config.CONF
+

 class ObjectTempUrlNegativeTest(base.BaseObjectTest):
    """Negative tests of object temp url"""
@ -82,8 +85,11 @@ class ObjectTempUrlNegativeTest(base.BaseObjectTest):
            container, object_name)

        hmac_body = '%s\n%s\n%s' % (method, expires, path)
+        hlib = getattr(
+            hashlib,
+            CONF.object_storage_feature_enabled.tempurl_digest_hashlib)
        sig = hmac.new(
-            key.encode(), hmac_body.encode(), hashlib.sha256
+            key.encode(), hmac_body.encode(), hlib
        ).hexdigest()

        url = "%s/%s?temp_url_sig=%s&temp_url_expires=%s" % (container,
--- a/tempest/config.py
+++ b/tempest/config.py
@ -1164,6 +1164,11 @@ ObjectStoreFeaturesGroup = [
    cfg.BoolOpt('discoverability',
                default=True,
                help="Execute discoverability tests"),
+    cfg.StrOpt('tempurl_digest_hashlib',
+               default='sha256',
+               help="Hashing algorithm to use for the temp_url tests. "
+                    "Needs to be supported both by Swift and the "
+                    "hashlib module, for example sha1 or sha256"),
 ]