author | Matthew Oliver <matt@oliver.net.au> | 2022-04-19 15:26:11 +1000 |
---|---|---|
committer | Matthew Oliver <matt@oliver.net.au> | 2022-07-26 10:39:58 +1000 |
commit | 2d063cd61f6915579840a41ac0248a26085e0245 (patch) | |
tree | 06df40ff2f9f4de175039b8641eb9fee89f4e64c /test/unit/proxy | |
parent | 25b6bd9f2cf1d0f9956c99cd418ba295196d2e6a (diff) | |
formpost: deprecate sha1 signatures
We've known this would eventually be necessary for a while [1], and
way back in 2017 we started seeing SHA-1 collisions [2].
This patch follows the approach of soft deprecation of SHA1 in tempurl.
It's still a default digest, but we'll start with warning as the
middleware is loaded and exposing any deprecated digests
(if they're still allowed) in /info.
Further, because there is much shared code between formpost and tempurl, this
patch also goes and refactors shared code out into swift.common.digest.
Now that we have a digest module, we also move digest-related code into it:
- get_hmac
- extract_digest_and_algorithm
[1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
[2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
Change-Id: I581cadd6bc79e623f1dae071025e4d375254c1d9
Diffstat (limited to 'test/unit/proxy')
-rw-r--r-- | test/unit/proxy/controllers/test_info.py | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/test/unit/proxy/controllers/test_info.py b/test/unit/proxy/controllers/test_info.py index 560d4d660..5ddd76f3d 100644 --- a/test/unit/proxy/controllers/test_info.py +++ b/test/unit/proxy/controllers/test_info.py @@ -20,7 +20,7 @@ from mock import Mock from swift.proxy.controllers import InfoController from swift.proxy.server import Application as ProxyApp -from swift.common import utils, registry +from swift.common import registry, digest from swift.common.swob import Request, HTTPException from test.debug_logger import debug_logger @@ -133,7 +133,7 @@ class TestInfoController(unittest.TestCase): registry._swift_admin_info = {'qux': {'quux': 'corge'}} expires = int(time.time() + 86400) - sig = utils.get_hmac('GET', '/info', expires, '') + sig = digest.get_hmac('GET', '/info', expires, '') path = '/info?swiftinfo_sig={sig}&swiftinfo_expires={expires}'.format( sig=sig, expires=expires) req = Request.blank( @@ -149,7 +149,7 @@ class TestInfoController(unittest.TestCase): registry._swift_admin_info = {'qux': {'quux': 'corge'}} expires = int(time.time() + 86400) - sig = utils.get_hmac('GET', '/info', expires, 'secret-admin-key') + sig = digest.get_hmac('GET', '/info', expires, 'secret-admin-key') path = '/info?swiftinfo_sig={sig}&swiftinfo_expires={expires}'.format( sig=sig, expires=expires) req = Request.blank( @@ -170,7 +170,7 @@ class TestInfoController(unittest.TestCase): registry._swift_admin_info = {'qux': {'quux': 'corge'}} expires = int(time.time() + 86400) - sig = utils.get_hmac('GET', '/info', expires, 'secret-admin-key') + sig = digest.get_hmac('GET', '/info', expires, 'secret-admin-key') path = '/info?swiftinfo_sig={sig}&swiftinfo_expires={expires}'.format( sig=sig, expires=expires) req = Request.blank( 
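Review bot: The rewritten calls, from `sig = digest.get_hmac('GET', '/info', expires, '')` in the `@@ -133` hunk through the hunks at 149, 170, 180, 196, 212, 222, 238, 254 and 272, pass no digest, so every /info signature test signs with whatever `get_hmac` defaults to. The commit message says SHA-1 remains a default digest, so if that also holds for this helper, the `swiftinfo_sig` path is only ever exercised with the algorithm being deprecated, and nothing here would notice a later change of default. I would state that dependency next to the first call, e.g. `# relies on get_hmac's default digest, which the /info signature check must match`, or pin the digest explicitly in one test. The test methods begin and end outside these hunks, so whether the controller accepts any other digest cannot be seen from here.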
@@ -180,7 +180,7 @@ class TestInfoController(unittest.TestCase): self.assertEqual('200 OK', str(resp)) expires = int(time.time() + 86400) - sig = utils.get_hmac('HEAD', '/info', expires, 'secret-admin-key') + sig = digest.get_hmac('HEAD', '/info', expires, 'secret-admin-key') path = '/info?swiftinfo_sig={sig}&swiftinfo_expires={expires}'.format( sig=sig, expires=expires) req = Request.blank( @@ -196,7 +196,7 @@ class TestInfoController(unittest.TestCase): registry._swift_admin_info = {'qux': {'quux': 'corge'}} expires = int(time.time() + 86400) - sig = utils.get_hmac('HEAD', '/info', expires, 'secret-admin-key') + sig = digest.get_hmac('HEAD', '/info', expires, 'secret-admin-key') path = '/info?swiftinfo_sig={sig}&swiftinfo_expires={expires}'.format( sig=sig, expires=expires) req = Request.blank( @@ -212,7 +212,7 @@ class TestInfoController(unittest.TestCase): registry._swift_admin_info = {'qux': {'quux': 'corge'}} expires = 1 - sig = utils.get_hmac('GET', '/info', expires, 'secret-admin-key') + sig = digest.get_hmac('GET', '/info', expires, 'secret-admin-key') path = '/info?swiftinfo_sig={sig}&swiftinfo_expires={expires}'.format( sig=sig, expires=expires) req = Request.blank( @@ -222,7 +222,7 @@ class TestInfoController(unittest.TestCase): self.assertEqual('401 Unauthorized', str(resp)) expires = 'abc' - sig = utils.get_hmac('GET', '/info', expires, 'secret-admin-key') + sig = digest.get_hmac('GET', '/info', expires, 'secret-admin-key') path = '/info?swiftinfo_sig={sig}&swiftinfo_expires={expires}'.format( sig=sig, expires=expires) req = Request.blank( @@ -238,7 +238,7 @@ class TestInfoController(unittest.TestCase): registry._swift_admin_info = {'qux': {'quux': 'corge'}} expires = int(time.time() + 86400) - sig = utils.get_hmac('GET', '/foo', expires, 'secret-admin-key') + sig = digest.get_hmac('GET', '/foo', expires, 'secret-admin-key') path = '/info?swiftinfo_sig={sig}&swiftinfo_expires={expires}'.format( sig=sig, expires=expires) req = Request.blank( 
@@ -254,7 +254,7 @@ class TestInfoController(unittest.TestCase): registry._swift_admin_info = {'qux': {'quux': 'corge'}} expires = int(time.time() + 86400) - sig = utils.get_hmac('GET', '/foo', expires, 'invalid-admin-key') + sig = digest.get_hmac('GET', '/foo', expires, 'invalid-admin-key') path = '/info?swiftinfo_sig={sig}&swiftinfo_expires={expires}'.format( sig=sig, expires=expires) req = Request.blank( @@ -272,7 +272,7 @@ class TestInfoController(unittest.TestCase): registry._swift_admin_info = {'qux': {'quux': 'corge'}} expires = int(time.time() + 86400) - sig = utils.get_hmac('GET', '/info', expires, 'secret-admin-key') + sig = digest.get_hmac('GET', '/info', expires, 'secret-admin-key') path = '/info?swiftinfo_sig={sig}&swiftinfo_expires={expires}'.format( sig=sig, expires=expires) req = Request.blank( |