From 25b6bd9f2cf1d0f9956c99cd418ba295196d2e6a Mon Sep 17 00:00:00 2001
From: Tim Burke
Date: Tue, 14 Jun 2022 17:22:55 -0700
Subject: [PATCH] tempurl: Continue allowing sha1 by default

Go back to allowing sha1 by default, but still warn that the deprecation is happening, removal from default will come soon, and removal of all support will come after that.

Change-Id: I4ebd92ff9358ca0679716a4af085333dde1f726a
---
 swift/common/middleware/tempurl.py | 14 ++++++++++----
 test/unit/common/middleware/test_tempurl.py | 15 +++++----------
 2 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/swift/common/middleware/tempurl.py b/swift/common/middleware/tempurl.py
index aef3e6de2c..5b0d10ed64 100644
--- a/swift/common/middleware/tempurl.py
+++ b/swift/common/middleware/tempurl.py
@@ -340,7 +340,7 @@ DEFAULT_OUTGOING_REMOVE_HEADERS = 'x-object-meta-*'
 #: '*' to indicate a prefix match.
 DEFAULT_OUTGOING_ALLOW_HEADERS = 'x-object-meta-public-*'
-DEFAULT_ALLOWED_DIGESTS = 'sha256 sha512'
+DEFAULT_ALLOWED_DIGESTS = 'sha1 sha256 sha512'
 DEPRECATED_DIGESTS = {'sha1'}
 SUPPORTED_DIGESTS = set(DEFAULT_ALLOWED_DIGESTS.split()) | DEPRECATED_DIGESTS
@@ -855,9 +855,15 @@ def filter_factory(global_conf, **local_conf):
 deprecated = allowed_digests & DEPRECATED_DIGESTS
 if deprecated:
- logger.warning('The following digest algorithms are configured but '
- 'deprecated: %s. Support will be removed in a future '
- 'release.', ', '.join(deprecated))
+ if not conf.get('allowed_digests'):
+ logger.warning('The following digest algorithms are allowed by '
+ 'default but deprecated: %s. Support will be '
+ 'disabled by default in a future release, and '
+ 'later removed entirely.', ', '.join(deprecated))
+ else:
+ logger.warning('The following digest algorithms are configured '
+ 'but deprecated: %s. Support will be removed in a '
+ 'future release.', ', '.join(deprecated))
 if not allowed_digests:
 raise ValueError('No valid digest algorithms are configured '
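Review bot: `DEFAULT_ALLOWED_DIGESTS` in the `@@ -340` hunk has no `#:` doc comment, unlike the header constants just above it, so nothing at the definition says that sha1 is in the default only temporarily. I would add `#: Digests accepted when allowed_digests is unset; sha1 is deprecated and will be dropped from this default first.` directly above the assignment. With sha1 now part of the default string, the `| DEPRECATED_DIGESTS` union on `SUPPORTED_DIGESTS` is redundant today but becomes load-bearing again once sha1 leaves the default, which deserves a short comment so it is not cleaned up by mistake.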
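Review bot: The new default-path warning in the `@@ -855` hunk tells the operator that sha1 is deprecated but not how to turn it off now, so the log line is not actionable on its own. I would extend the message's last literal to `'later removed entirely. Set allowed_digests to exclude them now.'`. `', '.join(deprecated)` iterates a set, so `', '.join(sorted(deprecated))` would keep the log text stable if more digests are deprecated later. `filter_factory` starts and ends outside this hunk, so how `allowed_digests` is derived from `conf` (and whether an empty configured value reaches the `not conf.get('allowed_digests')` branch) cannot be checked from here.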
diff --git a/test/unit/common/middleware/test_tempurl.py b/test/unit/common/middleware/test_tempurl.py
index 4c6a31bc1b..7e984ca274 100644
--- a/test/unit/common/middleware/test_tempurl.py
+++ b/test/unit/common/middleware/test_tempurl.py
@@ -131,11 +131,9 @@ class TestTempURL(unittest.TestCase):
 self.assertEqual(resp.status_int, 200)
 def assert_valid_sig(self, expires, path, keys, sig, environ=None,
- prefix=None, tempurl=None):
+ prefix=None):
 if not environ:
 environ = {}
- if tempurl is None:
- tempurl = self.tempurl
 if six.PY3 and isinstance(sig, six.binary_type):
 sig = sig.decode('utf-8')
 environ['QUERY_STRING'] = 'temp_url_sig=%s&temp_url_expires=%s' % (
@@ -143,8 +141,8 @@ class TestTempURL(unittest.TestCase):
 if prefix is not None:
 environ['QUERY_STRING'] += '&temp_url_prefix=%s' % prefix
 req = self._make_request(path, keys=keys, environ=environ)
- tempurl.app = FakeApp(iter([('200 Ok', (), '123')]))
- resp = req.get_response(tempurl)
+ self.tempurl.app = FakeApp(iter([('200 Ok', (), '123')]))
+ resp = req.get_response(self.tempurl)
 self.assertEqual(resp.status_int, 200)
 self.assertEqual(resp.headers['content-disposition'],
 'attachment; filename="o"; ' + "filename*=UTF-8''o")
@@ -161,11 +159,8 @@ class TestTempURL(unittest.TestCase):
 key = b'abc'
 hmac_body = ('%s\n%i\n%s' % (method, expires, path)).encode('utf-8')
- tempurl1 = tempurl.filter_factory({
- 'allowed_digests': 'sha1'})(self.auth)
- tempurl1.logger = self.logger
 sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
- self.assert_valid_sig(expires, path, [key], sig, tempurl=tempurl1)
+ self.assert_valid_sig(expires, path, [key], sig)
 sig = hmac.new(key, hmac_body, hashlib.sha256).hexdigest()
 self.assert_valid_sig(expires, path, [key], sig)
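Review bot: After the `@@ -161` hunk the sha1 signature is only checked against the default-configured `self.tempurl`, so none of the visible test changes covers the opt-out path that operators are expected to use. Unless it exists elsewhere in the file, I would add a case that builds the filter with `tempurl.filter_factory({'allowed_digests': 'sha256 sha512'})(self.auth)` and asserts that a sha1-signed request is refused. The two warning branches added in `filter_factory` are also not asserted in any visible hunk; a test for the default versus the explicitly configured message would keep the deprecation notice from regressing silently. The enclosing test method starts and ends outside the hunk.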
@@ -1629,7 +1624,7 @@ class TestSwiftInfo(unittest.TestCase):
 set(('x-object-meta-*',)))
 self.assertEqual(set(info['outgoing_allow_headers']),
 set(('x-object-meta-public-*',)))
- self.assertEqual(info['allowed_digests'], ['sha256', 'sha512'])
+ self.assertEqual(info['allowed_digests'], ['sha1', 'sha256', 'sha512'])
 def test_non_default_methods(self):
 tempurl.filter_factory({