PROTON-2502: Stop testing using MD5 SASL mechanisms

MD5 based mechanisms are now considered insecure and future systems will be configured without them available. We should stop using them to test Proton so we can build on securely configured machines.
apache · Feb 21, 2022 · ec305ef · ec305ef
1 parent ec535e7
commit ec305ef
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 34 deletions.
diff --git a/INSTALL.md b/INSTALL.md
@@ -19,10 +19,10 @@ Linux dependencies
 
   - GNU Make 3.81+
   - GCC 4.8.4+
-  - Cyrus SASL 2.1+ (for SASL support)
+  - Cyrus SASL 2.1.26+ (for SASL support)
   - OpenSSL 1.0+ (for SSL support)
   - JsonCpp 1.8+ for C++ connection configuration file support
-  - Python 2.7, 3.5+ (for the Python binding)
+  - Python 3.5+ (for the Python binding)
 
 Windows dependencies
 
@@ -44,7 +44,7 @@ language.
     $ yum install openssl-devel
 
     # Dependencies needed for Cyrus SASL support
-    $ yum install cyrus-sasl-devel cyrus-sasl-plain cyrus-sasl-md5
+    $ yum install cyrus-sasl-devel cyrus-sasl-plain cyrus-sasl-scram
 
     # Dependencies needed for bindings
     $ yum install swig                                       # Required for all bindings

diff --git a/python/setuputils/misc.py b/python/setuputils/misc.py
@@ -13,9 +13,7 @@
 
 
 import errno
-import os
 import subprocess
-import sys
 
 from . import log
 

diff --git a/python/tests/proton_tests/sasl.py b/python/tests/proton_tests/sasl.py
@@ -326,20 +326,6 @@ def testANON(self):
         self.t2.bind(self.c2)
         _testSaslMech(self, 'ANONYMOUS', authUser='anonymous')
 
-    def testCRAMMD5(self):
-        common.ensureCanTestExtendedSASL()
-
-        self.t1.bind(self.c1)
-        self.t2.bind(self.c2)
-        _testSaslMech(self, 'CRAM-MD5')
-
-    def testDIGESTMD5(self):
-        common.ensureCanTestExtendedSASL()
-
-        self.t1.bind(self.c1)
-        self.t2.bind(self.c2)
-        _testSaslMech(self, 'DIGEST-MD5')
-
     # PLAIN shouldn't work without encryption without special setting
     def testPLAINfail(self):
         common.ensureCanTestExtendedSASL()
@@ -367,15 +353,12 @@ def testPLAIN(self):
         self.t2.bind(self.c2)
         _testSaslMech(self, 'PLAIN')
 
-# SCRAM not supported before Cyrus SASL 2.1.26
-# so not universal and hence need a test for support
-# to keep it in tests.
-#  def testSCRAMSHA1(self):
-#    common.ensureCanTestExtendedSASL()
-#
-#    self.t1.bind(self.c1)
-#    self.t2.bind(self.c2)
-#    _testSaslMech(self, 'SCRAM-SHA-1')
+    def testSCRAMSHA1(self):
+        common.ensureCanTestExtendedSASL()
+
+        self.t1.bind(self.c1)
+        self.t2.bind(self.c2)
+        _testSaslMech(self, 'SCRAM-SHA-1')
 
 
 def _sslConnection(domain, transport, connection):
@@ -550,7 +533,7 @@ def testNormalAuthenticationClient(self):
         self.c1.collect(self.collector)
         self.t1.bind(self.c1)
         self.t2.bind(self.c2)
-        _testSaslMech(self, 'DIGEST-MD5')
+        _testSaslMech(self, 'SCRAM-SHA-1')
         self.expect(Event.CONNECTION_INIT, Event.CONNECTION_BOUND,
                     Event.CONNECTION_LOCAL_OPEN, Event.TRANSPORT,
                     Event.CONNECTION_REMOTE_OPEN)
@@ -560,7 +543,7 @@ def testNormalAuthenticationServer(self):
         self.c2.collect(self.collector)
         self.t1.bind(self.c1)
         self.t2.bind(self.c2)
-        _testSaslMech(self, 'DIGEST-MD5')
+        _testSaslMech(self, 'SCRAM-SHA-1')
         self.expect(Event.CONNECTION_INIT, Event.CONNECTION_BOUND,
                     Event.CONNECTION_LOCAL_OPEN, Event.TRANSPORT,
                     Event.CONNECTION_REMOTE_OPEN)
@@ -572,7 +555,7 @@ def testFailedAuthenticationClient(self):
         self.c1.collect(self.collector)
         self.t1.bind(self.c1)
         self.t2.bind(self.c2)
-        _testSaslMech(self, 'DIGEST-MD5', clientUser=clientUser, authenticated=False)
+        _testSaslMech(self, 'SCRAM-SHA-1', clientUser=clientUser, authenticated=False)
         self.expect(Event.CONNECTION_INIT, Event.CONNECTION_BOUND,
                     Event.CONNECTION_LOCAL_OPEN, Event.TRANSPORT,
                     Event.TRANSPORT_ERROR,
@@ -586,7 +569,7 @@ def testFailedAuthenticationServer(self):
         self.c2.collect(self.collector)
         self.t1.bind(self.c1)
         self.t2.bind(self.c2)
-        _testSaslMech(self, 'DIGEST-MD5', clientUser=clientUser, authenticated=False)
+        _testSaslMech(self, 'SCRAM-SHA-1', clientUser=clientUser, authenticated=False)
         self.expect(Event.CONNECTION_INIT, Event.CONNECTION_BOUND,
                     Event.CONNECTION_LOCAL_OPEN, Event.TRANSPORT,
                     Event.TRANSPORT_ERROR,
@@ -599,7 +582,7 @@ def testNoMechClient(self):
         self.s2.allowed_mechs('IMPOSSIBLE')
         self.t1.bind(self.c1)
         self.t2.bind(self.c2)
-        _testSaslMech(self, 'DIGEST-MD5', authenticated=False)
+        _testSaslMech(self, 'SCRAM-SHA-1', authenticated=False)
         self.expect(Event.CONNECTION_INIT, Event.CONNECTION_BOUND,
                     Event.CONNECTION_LOCAL_OPEN, Event.TRANSPORT,
                     Event.TRANSPORT_ERROR,
@@ -611,7 +594,7 @@ def testNoMechServer(self):
         self.s2.allowed_mechs('IMPOSSIBLE')
         self.t1.bind(self.c1)
         self.t2.bind(self.c2)
-        _testSaslMech(self, 'DIGEST-MD5', authenticated=False)
+        _testSaslMech(self, 'SCRAM-SHA-1', authenticated=False)
         self.expect(Event.CONNECTION_INIT, Event.CONNECTION_BOUND,
                     Event.CONNECTION_LOCAL_OPEN, Event.TRANSPORT,
                     Event.TRANSPORT_TAIL_CLOSED,