From ccf6cb79033b2083d9177823094f7836eb68ae0d Mon Sep 17 00:00:00 2001
From: Gage Hugo
Date: Fri, 17 Aug 2018 10:57:32 -0500
Subject: [PATCH] Change log hashing to SHA256
With the recent Bandit update[0], the usage of SHA1 is now being tagged as an issue. This changes the hashing of logs to SHA256 instead of SHA1.
Change-Id: Icde62b8d5ff78b4155e9df8231d63be3ecc53520
---
keystoneauth1/session.py | 4 ++--
keystoneauth1/tests/unit/test_session.py | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/keystoneauth1/session.py b/keystoneauth1/session.py
index 2e3e8874..2a5d4d05 100644
--- a/keystoneauth1/session.py
+++ b/keystoneauth1/session.py
@@ -365,10 +365,10 @@ class Session(object):
 secure_headers = ('authorization', 'x-auth-token', 'x-subject-token', 'x-service-token')
 if header[0].lower() in secure_headers:
- token_hasher = hashlib.sha1()
+ token_hasher = hashlib.sha256()
 token_hasher.update(header[1].encode('utf-8'))
 token_hash = token_hasher.hexdigest()
- return (header[0], '{SHA1}%s' % token_hash)
+ return (header[0], '{SHA256}%s' % token_hash)
 return header
 def _get_split_loggers(self, split_loggers):
diff --git a/keystoneauth1/tests/unit/test_session.py b/keystoneauth1/tests/unit/test_session.py
index 09c7cd5e..2927740349 100644
--- a/keystoneauth1/tests/unit/test_session.py
+++ b/keystoneauth1/tests/unit/test_session.py
@@ -324,7 +324,7 @@ class SessionTests(utils.TestCase):
 # Assert that response headers contains actual values and
 # only debug logs has been masked
 for k, v in security_headers.items():
- self.assertIn('%s: {SHA1}' % k, self.logger.output)
+ self.assertIn('%s: {SHA256}' % k, self.logger.output)
 self.assertEqual(v, resp.headers[k])
 self.assertNotIn(v, self.logger.output)
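Review bot: Nothing in this commit tells operators that the digest logged for `authorization`, `x-auth-token`, `x-subject-token` and `x-service-token` changes from `{SHA1}` to `{SHA256}`; the diffstat lists only session.py and its test. After the upgrade, redacted values will no longer match digests recorded earlier or, presumably, digests written by other components that still log SHA1, so log correlation and any tooling keyed on the `{SHA1}` prefix breaks silently; a release note would cover that. The hashing lines also deserve a comment stating the intent, e.g. `# Log a digest so requests can be correlated without exposing the token; this is not a security control.`, because the unsalted digest remains a stable per-token identifier for anyone who can read the logs. The enclosing method starts above the hunk.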
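Review bot: The updated assertion in test_session.py checks only the `{SHA256}` label, so the test would still pass if the code in session.py kept computing a SHA1 digest under the new label. Comparing against the expected digest would pin the algorithm, e.g. `self.assertIn('%s: {SHA256}%s' % (k, hashlib.sha256(v.encode('utf-8')).hexdigest()), self.logger.output)`. That suggestion assumes `v` is a text string, that the digest directly follows the label in the log line and that `hashlib` is imported in the test module, none of which is visible in this hunk. The test method starts above the hunk.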