Merge "tempurl: Continue allowing sha1 by default"

swift/common/middleware/tempurl.py

@@ -340,7 +340,7 @@ DEFAULT_OUTGOING_REMOVE_HEADERS = 'x-object-meta-*'
 #: '*' to indicate a prefix match.
 DEFAULT_OUTGOING_ALLOW_HEADERS = 'x-object-meta-public-*'
 
-DEFAULT_ALLOWED_DIGESTS = 'sha256 sha512'
+DEFAULT_ALLOWED_DIGESTS = 'sha1 sha256 sha512'
 DEPRECATED_DIGESTS = {'sha1'}
 SUPPORTED_DIGESTS = set(DEFAULT_ALLOWED_DIGESTS.split()) | DEPRECATED_DIGESTS
 
@@ -855,9 +855,15 @@ def filter_factory(global_conf, **local_conf):
 
     deprecated = allowed_digests & DEPRECATED_DIGESTS
     if deprecated:
-        logger.warning('The following digest algorithms are configured but '
+        if not conf.get('allowed_digests'):
-                       'deprecated: %s. Support will be removed in a future '
+            logger.warning('The following digest algorithms are allowed by '
-                       'release.', ', '.join(deprecated))
+                           'default but deprecated: %s. Support will be '
+                           'disabled by default in a future release, and '
+                           'later removed entirely.', ', '.join(deprecated))
+        else:
+            logger.warning('The following digest algorithms are configured '
+                           'but deprecated: %s. Support will be removed in a '
+                           'future release.', ', '.join(deprecated))
 
     if not allowed_digests:
         raise ValueError('No valid digest algorithms are configured '

test/unit/common/middleware/test_tempurl.py

@@ -131,11 +131,9 @@ class TestTempURL(unittest.TestCase):
         self.assertEqual(resp.status_int, 200)
 
     def assert_valid_sig(self, expires, path, keys, sig, environ=None,
-                         prefix=None, tempurl=None):
+                         prefix=None):
         if not environ:
             environ = {}
-        if tempurl is None:
-            tempurl = self.tempurl
         if six.PY3 and isinstance(sig, six.binary_type):
             sig = sig.decode('utf-8')
         environ['QUERY_STRING'] = 'temp_url_sig=%s&temp_url_expires=%s' % (
@@ -143,8 +141,8 @@ class TestTempURL(unittest.TestCase):
         if prefix is not None:
             environ['QUERY_STRING'] += '&temp_url_prefix=%s' % prefix
         req = self._make_request(path, keys=keys, environ=environ)
-        tempurl.app = FakeApp(iter([('200 Ok', (), '123')]))
+        self.tempurl.app = FakeApp(iter([('200 Ok', (), '123')]))
-        resp = req.get_response(tempurl)
+        resp = req.get_response(self.tempurl)
         self.assertEqual(resp.status_int, 200)
         self.assertEqual(resp.headers['content-disposition'],
                          'attachment; filename="o"; ' + "filename*=UTF-8''o")
@@ -161,11 +159,8 @@ class TestTempURL(unittest.TestCase):
         key = b'abc'
         hmac_body = ('%s\n%i\n%s' % (method, expires, path)).encode('utf-8')
 
-        tempurl1 = tempurl.filter_factory({
-            'allowed_digests': 'sha1'})(self.auth)
-        tempurl1.logger = self.logger
         sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
-        self.assert_valid_sig(expires, path, [key], sig, tempurl=tempurl1)
+        self.assert_valid_sig(expires, path, [key], sig)
 
         sig = hmac.new(key, hmac_body, hashlib.sha256).hexdigest()
         self.assert_valid_sig(expires, path, [key], sig)
@@ -1629,7 +1624,7 @@ class TestSwiftInfo(unittest.TestCase):
                          set(('x-object-meta-*',)))
         self.assertEqual(set(info['outgoing_allow_headers']),
                          set(('x-object-meta-public-*',)))
-        self.assertEqual(info['allowed_digests'], ['sha256', 'sha512'])
+        self.assertEqual(info['allowed_digests'], ['sha1', 'sha256', 'sha512'])
 
     def test_non_default_methods(self):
         tempurl.filter_factory({