Add config option for algo to use in temp_url tests

This is so to configure which hashlib algorithm should be used for
the temp_url tests, defaulting to sha256 but preserving the
ability to use sha1 for compatibility with other Swift implementations.

Change-Id: Ia4923d47870fcb914a33adecb7155763ec1d0b2f

4 files changed, 30 insertions, 2 deletions

diff --git a/releasenotes/notes/temp_url_tests_digest_config-3d8c9bb271961ddd.yaml b/releasenotes/notes/temp_url_tests_digest_config-3d8c9bb271961ddd.yaml
new file mode 100644
index 000000000..f96c030c1
--- /dev/null
+++ b/releasenotes/notes/temp_url_tests_digest_config-3d8c9bb271961ddd.yaml
@@ -0,0 +1,11 @@
+---
+features:
+  - |
+    Add configuration parameter `tempurl_digest_hashlib` into
+    `object-storage-feature-enabled` which configures the hashing algorithm to
+    use for the temp_url tests; defaults to 'sha256'.
+security:
+  - |
+    Swift used to support only 'sha1' for temp_url hashing but from many
+    years now 'sha256' and 'sha512' are also available. These are stronger
+    than 'sha1' and tempest now allows configuring which one to use.
diff --git a/tempest/api/object_storage/test_object_temp_url.py b/tempest/api/object_storage/test_object_temp_url.py
index 4ca7412bd..8f218e21d 100644
--- a/tempest/api/object_storage/test_object_temp_url.py
+++ b/tempest/api/object_storage/test_object_temp_url.py
@@ -19,9 +19,12 @@ from urllib import parse as urlparse
 
 from tempest.api.object_storage import base
 from tempest.common import utils
+from tempest import config
 from tempest.lib.common.utils import data_utils
 from tempest.lib import decorators
 
+CONF = config.CONF
+
 
 class ObjectTempUrlTest(base.BaseObjectTest):
     """Test object temp url"""
@@ -77,8 +80,11 @@ class ObjectTempUrlTest(base.BaseObjectTest):
             container, object_name)
 
         hmac_body = '%s\n%s\n%s' % (method, expires, path)
+        hlib = getattr(
+            hashlib,
+            CONF.object_storage_feature_enabled.tempurl_digest_hashlib)
         sig = hmac.new(
-            key.encode(), hmac_body.encode(), hashlib.sha256
+            key.encode(), hmac_body.encode(), hlib
         ).hexdigest()
 
         url = "%s/%s?temp_url_sig=%s&temp_url_expires=%s" % (container,
diff --git a/tempest/api/object_storage/test_object_temp_url_negative.py b/tempest/api/object_storage/test_object_temp_url_negative.py
index e5f4cf23d..712697e36 100644
--- a/tempest/api/object_storage/test_object_temp_url_negative.py
+++ b/tempest/api/object_storage/test_object_temp_url_negative.py
@@ -19,10 +19,13 @@ from urllib import parse as urlparse
 
 from tempest.api.object_storage import base
 from tempest.common import utils
+from tempest import config
 from tempest.lib.common.utils import data_utils
 from tempest.lib import decorators
 from tempest.lib import exceptions as lib_exc
 
+CONF = config.CONF
+
 
 class ObjectTempUrlNegativeTest(base.BaseObjectTest):
     """Negative tests of object temp url"""
@@ -82,8 +85,11 @@ class ObjectTempUrlNegativeTest(base.BaseObjectTest):
             container, object_name)
 
         hmac_body = '%s\n%s\n%s' % (method, expires, path)
+        hlib = getattr(
+            hashlib,
+            CONF.object_storage_feature_enabled.tempurl_digest_hashlib)
         sig = hmac.new(
-            key.encode(), hmac_body.encode(), hashlib.sha256
+            key.encode(), hmac_body.encode(), hlib
         ).hexdigest()
 
         url = "%s/%s?temp_url_sig=%s&temp_url_expires=%s" % (container,
diff --git a/tempest/config.py b/tempest/config.py
index 4098f32c5..f986ddb4a 100644
--- a/tempest/config.py
+++ b/tempest/config.py
@@ -1164,6 +1164,11 @@ ObjectStoreFeaturesGroup = [
     cfg.BoolOpt('discoverability',
                 default=True,
                 help="Execute discoverability tests"),
+    cfg.StrOpt('tempurl_digest_hashlib',
+               default='sha256',
+               help="Hashing algorithm to use for the temp_url tests. "
+                    "Needs to be supported both by Swift and the "
+                    "hashlib module, for example sha1 or sha256"),
 ]