From bcc00a10a6a5e42f261ad88feaec8019d68f25f8 Mon Sep 17 00:00:00 2001
From: "Bernhard M. Wiedemann"
Date: Thu, 28 Feb 2019 14:06:22 +0100
Subject: Make tests pass in 2020

Without this patch, build failed after 2019-12-31 with
Traceback (most recent call last):
File "keystoneclient/tests/unit/v3/test_auth.py", line 226, in test_authenticate_success_password_unscoped
self.assertRequestBodyIs(json=self.TEST_REQUEST_BODY)
File "keystoneclient/tests/unit/utils.py", line 72, in assertRequestBodyIs
self.assertEqual(json, val)

NOTE: in addition to the orginal backport, this patch adds the following changes. The changes has to be combined into a single patch in order to avoid circular dependencies.

1. fixed bandit complains in keystoneclient/common/cms.py. The literal 'sha256' is the default hash algorithm, not a sensitive password. Marking it as false positive so bandit can stop chirping.

2. combined with cherry pick from commit f2d3fec9b254f9c47e97ddf48e3c5f7614b87f1b to avoid circular dependency. Without combining them, neither backport will pass all the gates since pep8 has switched over to use python3 now.

3. combined with cherry pick from commit b29f478f28c4989156cfe87392cbd308e3f55c1e to avoid circular dependency. Without combining them, neither backport will pass all the gates since bandit will have a false positive on the hash algorithm.

Change-Id: I0e44d9896c5970f0ca07438c372aec826aeb5c77
(cherry picked from commit f2d3fec9b254f9c47e97ddf48e3c5f7614b87f1b)
(cherry picked from commit acc21ff06154e16de16583fe6994207d689ed054)
(cherry picked from commit b29f478f28c4989156cfe87392cbd308e3f55c1e)
(cherry picked from commit 9da2e0bdd83d481091814a8c6f40ab3ff39ffa9c)
---
 keystoneclient/session.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 (limited to 'keystoneclient/session.py')

diff --git a/keystoneclient/session.py b/keystoneclient/session.py
index 9faedac..d55b01b 100644
--- a/keystoneclient/session.py
+++ b/keystoneclient/session.py
@@ -171,7 +171,9 @@ class Session(object):
 secure_headers = ('authorization', 'x-auth-token',
 'x-subject-token', 'x-service-token')
 if header[0].lower() in secure_headers:
- token_hasher = hashlib.sha1()
+ # hashlib.sha1() bandit nosec, as it is HMAC-SHA1 in
+ # keystone, which is considered secure (unlike just sha1)
+ token_hasher = hashlib.sha1() # nosec(lhinds)
 token_hasher.update(header[1].encode('utf-8'))
 token_hash = token_hasher.hexdigest()
 return (header[0], '{SHA1}%s' % token_hash)
--
cgit v1.2.1
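Review bot: The justification in the two added comment lines is inaccurate: the line they annotate computes a plain `hashlib.sha1()` digest of the header value, not an HMAC, and whatever Keystone does with HMAC-SHA1 elsewhere says nothing about this call. The reason the `nosec` is defensible is visible in the hunk itself — the digest is only used as a one-way fingerprint to redact the token in log output (the `'{SHA1}%s' % token_hash` return), so SHA-1's collision weakness is not in play, though a low-entropy header value would still be recoverable from its hash by brute force, which is worth stating so a future reader does not reuse this helper for anything else. I would replace the two comment lines with `# SHA-1 is used here only to fingerprint the token for log redaction; it` / `# is not used for integrity or authentication, so collision weakness is moot.` and keep `token_hasher = hashlib.sha1()  # nosec`. The enclosing method starts and ends outside the hunk.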