From 95758b165dd13893250d68d4617cc51095aabfb7 Mon Sep 17 00:00:00 2001
From: Giulio Fidente
Date: Thu, 14 Jul 2022 15:14:24 +0200
Subject: [PATCH] Add config option for algo to use in temp_url tests

This is so to configure which hashlib algorithm should be used for the temp_url tests, defaulting to sha256 but preserving the ability to use sha1 for compatibility with other Swift implementations.

Change-Id: Ia4923d47870fcb914a33adecb7155763ec1d0b2f
---
...temp_url_tests_digest_config-3d8c9bb271961ddd.yaml | 11 +++++++++++
tempest/api/object_storage/test_object_temp_url.py | 8 +++++++-
.../object_storage/test_object_temp_url_negative.py | 8 +++++++-
tempest/config.py | 5 +++++
4 files changed, 30 insertions(+), 2 deletions(-)
create mode 100644 releasenotes/notes/temp_url_tests_digest_config-3d8c9bb271961ddd.yaml
diff --git a/releasenotes/notes/temp_url_tests_digest_config-3d8c9bb271961ddd.yaml b/releasenotes/notes/temp_url_tests_digest_config-3d8c9bb271961ddd.yaml
new file mode 100644
index 0000000000..f96c030c11
--- /dev/null
+++ b/releasenotes/notes/temp_url_tests_digest_config-3d8c9bb271961ddd.yaml
@@ -0,0 +1,11 @@
+---
+features:
+ - |
+ Add configuration parameter `tempurl_digest_hashlib` into
+ `object-storage-feature-enabled` which configures the hashing algorithm to
+ use for the temp_url tests; defaults to 'sha256'.
+security:
+ - |
+ Swift used to support only 'sha1' for temp_url hashing but from many
+ years now 'sha256' and 'sha512' are also available. These are stronger
+ than 'sha1' and tempest now allows configuring which one to use.
diff --git a/tempest/api/object_storage/test_object_temp_url.py b/tempest/api/object_storage/test_object_temp_url.py
index 4ca7412bd2..8f218e21d2 100644
--- a/tempest/api/object_storage/test_object_temp_url.py
+++ b/tempest/api/object_storage/test_object_temp_url.py
@@ -19,9 +19,12 @@ from urllib import parse as urlparse
 from tempest.api.object_storage import base
 from tempest.common import utils
+from tempest import config
 from tempest.lib.common.utils import data_utils
 from tempest.lib import decorators
+CONF = config.CONF
+
 class ObjectTempUrlTest(base.BaseObjectTest):
 """Test object temp url"""
@@ -77,8 +80,11 @@ class ObjectTempUrlTest(base.BaseObjectTest):
 container, object_name)
 hmac_body = '%s\n%s\n%s' % (method, expires, path)
+ hlib = getattr(
+ hashlib,
+ CONF.object_storage_feature_enabled.tempurl_digest_hashlib)
 sig = hmac.new(
- key.encode(), hmac_body.encode(), hashlib.sha256
+ key.encode(), hmac_body.encode(), hlib
 ).hexdigest()
 url = "%s/%s?temp_url_sig=%s&temp_url_expires=%s" % (container,
diff --git a/tempest/api/object_storage/test_object_temp_url_negative.py b/tempest/api/object_storage/test_object_temp_url_negative.py
index e5f4cf23d0..712697e364 100644
--- a/tempest/api/object_storage/test_object_temp_url_negative.py
+++ b/tempest/api/object_storage/test_object_temp_url_negative.py
@@ -19,10 +19,13 @@ from urllib import parse as urlparse
 from tempest.api.object_storage import base
 from tempest.common import utils
+from tempest import config
 from tempest.lib.common.utils import data_utils
 from tempest.lib import decorators
 from tempest.lib import exceptions as lib_exc
+CONF = config.CONF
+
 class ObjectTempUrlNegativeTest(base.BaseObjectTest):
 """Negative tests of object temp url"""
@@ -82,8 +85,11 @@ class ObjectTempUrlNegativeTest(base.BaseObjectTest):
 container, object_name)
 hmac_body = '%s\n%s\n%s' % (method, expires, path)
+ hlib = getattr(
+ hashlib,
+ CONF.object_storage_feature_enabled.tempurl_digest_hashlib)
 sig = hmac.new(
- key.encode(), hmac_body.encode(), hashlib.sha256
+ key.encode(), hmac_body.encode(), hlib
 ).hexdigest()
 url = "%s/%s?temp_url_sig=%s&temp_url_expires=%s" % (container,
diff --git a/tempest/config.py b/tempest/config.py
index 4098f32c5c..f986ddb4a7 100644
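Review bot: In the `@@ -77,8 +80,11 @@` hunk of test_object_temp_url.py, and in the identical `@@ -82,8 +85,11 @@` hunk of test_object_temp_url_negative.py, `getattr(hashlib, CONF.object_storage_feature_enabled.tempurl_digest_hashlib)` resolves any attribute of the hashlib module, not only digest constructors. A mistyped value therefore surfaces as a bare AttributeError inside the test, and a name such as `new` or `algorithms_available` is handed to `hmac.new()` and only fails there with an unrelated error. `hmac.new()` accepts a digest name string as `digestmod`, so the lookup can be dropped in favour of `sig = hmac.new(key.encode(), hmac_body.encode(), CONF.object_storage_feature_enabled.tempurl_digest_hashlib).hexdigest()`, which rejects unknown names with an explicit unsupported-hash error. The enclosing test helper starts and ends outside both hunks.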
--- a/tempest/config.py
+++ b/tempest/config.py
@@ -1164,6 +1164,11 @@ ObjectStoreFeaturesGroup = [
 cfg.BoolOpt('discoverability',
 default=True,
 help="Execute discoverability tests"),
+ cfg.StrOpt('tempurl_digest_hashlib',
+ default='sha256',
+ help="Hashing algorithm to use for the temp_url tests. "
+ "Needs to be supported both by Swift and the "
+ "hashlib module, for example sha1 or sha256"),
 ]
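Review bot: `tempurl_digest_hashlib` is declared as a free-form `cfg.StrOpt`, so an unsupported or mistyped digest name is only noticed when a temp_url test runs. The release note in this commit names sha1, sha256 and sha512 as the digests Swift offers, so the option could carry `choices=['sha1', 'sha256', 'sha512']` and have oslo.config reject anything else when the option is read. The help text could also say that sha1 is kept only for compatibility and that the chosen digest must be enabled on the Swift side (presumably the tempurl middleware's `allowed_digests` setting, to be confirmed), because a deployment that has disabled sha1 will refuse those signatures. ObjectStoreFeaturesGroup starts outside the hunk.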