From ad2cadeb2462e538fe90436a1facbcda1295a6f7 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde
Date: Tue, 8 Oct 2024 07:57:50 -0700
Subject: [PATCH] [WIP] Copy: opt for sha256 instead of sha1

Signed-off-by: Abhijeet Kasurde
---
 lib/ansible/modules/copy.py | 11 ++++++-----
 lib/ansible/modules/fetch.py | 1 +
 lib/ansible/plugins/action/copy.py | 5 +++--
 lib/ansible/plugins/action/fetch.py | 7 ++++---
 4 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/lib/ansible/modules/copy.py b/lib/ansible/modules/copy.py
index bb9ea0493d3c54..5c94d8f9bc1c0e 100644
--- a/lib/ansible/modules/copy.py
+++ b/lib/ansible/modules/copy.py
@@ -112,9 +112,10 @@
 version_added: '2.4'
 checksum:
 description:
- - SHA1 checksum of the file being transferred.
+ - SHA256 checksum of the file being transferred.
  - Used to validate that the copy of the file was successful.
  - If this is not provided, ansible will use the local calculated checksum of the src file.
+ - Ansible 2.19 and onwards, SHA256 is default instead of SHA1.
 type: str
 version_added: '2.5'
 extends_documentation_fragment:
@@ -238,10 +239,10 @@
 type: str
 sample: 2a5aeecc61dc98c4d780b14b330e3282
 checksum:
- description: SHA1 checksum of the file after running copy.
+ description: SHA256 checksum of the file after running copy.
 returned: success
 type: str
- sample: 6e642bb8dd5c2e027bf21dd923337cbb4214f827
+ sample: e1ace7b1f177f35749523ce34721d2b1e1ad0b1e3196754f476a69730d24cb53
 backup_file:
 description: Name of backup file created.
 returned: changed and if backup=yes
@@ -562,9 +563,9 @@ def main():
 
 if os.path.isfile(src):
 try:
- checksum_src = module.sha1(src)
+ checksum_src = module.sha256(src)
 except (OSError, IOError) as e:
- module.warn("Unable to calculate src checksum, assuming change: %s" % to_native(e))
+ module.warn(f"Unable to calculate src checksum, assuming change: {to_native(e)}")
 try:
 # Backwards compat only. This will be None in FIPS mode
 md5sum_src = module.md5(src)
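Review bot: Only the src side of the comparison is switched to SHA256 here (`checksum_src = module.sha256(src)`); main() continues past the hunk, and the dest-side digest and the comparison against the user-supplied `checksum` option must use the same algorithm, otherwise the module will report a change on every run. Because the option now documents a SHA256 value, a 40-character SHA1 digest left in an existing playbook would silently never match rather than being rejected; a cheap guard before the comparison makes the migration visible, e.g. `if module.params['checksum'] and len(module.params['checksum']) != 64: module.fail_json(msg="checksum must be a 64-character hex SHA256 digest")`. The conversion of the warning to an f-string keeps the message text unchanged, which is fine.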
diff --git a/lib/ansible/modules/fetch.py b/lib/ansible/modules/fetch.py index a5edb767df08a9..89178e2b88a641 100644 --- a/lib/ansible/modules/fetch.py +++ b/lib/ansible/modules/fetch.py @@ -89,6 +89,7 @@ C(fail_when) or C(ignore_errors) to get this ability. They may also explicitly set O(fail_on_missing) to V(false) to get the non-failing behaviour. +- Ansible 2.19 and onwards, SHA256 is used to calculate checksum. seealso: - module: ansible.builtin.copy - module: ansible.builtin.slurp diff --git a/lib/ansible/plugins/action/copy.py b/lib/ansible/plugins/action/copy.py index 3799d110fd28ce..53b6436902fd9c 100644 --- a/lib/ansible/plugins/action/copy.py +++ b/lib/ansible/plugins/action/copy.py @@ -18,6 +18,7 @@ from __future__ import annotations +import hashlib import json import os import os.path @@ -31,7 +32,7 @@ from ansible.module_utils.common.text.converters import to_bytes, to_native, to_text from ansible.module_utils.parsing.convert_bool import boolean from ansible.plugins.action import ActionBase -from ansible.utils.hashing import checksum +from ansible.utils.hashing import secure_hash # Supplement the FILE_COMMON_ARGUMENTS with arguments that are specific to file @@ -278,7 +279,7 @@ def _copy_file(self, source_full, source_rel, content, content_tempfile, return None # Generate a hash of the local file. - local_checksum = checksum(source_full) + local_checksum = secure_hash(source_full, hash_func=hashlib.sha256) if local_checksum != dest_status['checksum']: # The checksums don't match and we will change or error out. diff --git a/lib/ansible/plugins/action/fetch.py b/lib/ansible/plugins/action/fetch.py index b7b6f30f9f8dc7..a5fe89dd9dde24 100644 --- a/lib/ansible/plugins/action/fetch.py +++ b/lib/ansible/plugins/action/fetch.py 
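Review bot: In the `_copy_file` hunk of lib/ansible/plugins/action/copy.py, `local_checksum` is now a SHA256 digest, but `dest_status['checksum']` is produced by the remote stat outside this hunk; unless that stat call also requests sha256 (I cannot see it from here), the comparison on the next line can never be equal and every copy becomes a full transfer reported as changed. The same concern applies to both hunks in lib/ansible/plugins/action/fetch.py, where `remote_checksum` is compared with a locally computed SHA256. Rather than passing `hash_func=hashlib.sha256` at each of the four call sites, consider a single helper or constant in ansible.utils.hashing that both the action plugins and the stat/checksum path use, so controller and remote cannot drift. Also note the import hunk replaces `checksum` with `secure_hash`; if any other `checksum(...)` call remains in this file outside the hunk it would now raise NameError. `_copy_file` starts and ends outside the hunk.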
@@ -16,8 +16,9 @@
 # along with Ansible. If not, see .
 from __future__ import annotations
 
-import os
 import base64
+import hashlib
+import os
 from ansible.errors import AnsibleConnectionFailure, AnsibleError, AnsibleActionFail, AnsibleActionSkip
 from ansible.module_utils.common.text.converters import to_bytes, to_text
 from ansible.module_utils.six import string_types
@@ -167,7 +168,7 @@ def run(self, tmp=None, task_vars=None):
 dest = os.path.normpath(dest)
 
 # calculate checksum for the local file
- local_checksum = checksum(dest)
+ local_checksum = checksum(dest, hash_func=hashlib.sha256)
 
 if remote_checksum != local_checksum:
 # create the containing directories, if needed
@@ -183,7 +184,7 @@ def run(self, tmp=None, task_vars=None):
 f.close()
 except (IOError, OSError) as e:
 raise AnsibleActionFail("Failed to fetch the file: %s" % e)
- new_checksum = secure_hash(dest)
+ new_checksum = secure_hash(dest, hash_func=hashlib.sha256)
 # For backwards compatibility. We'll return None on FIPS enabled systems
 try:
 new_md5 = md5(dest)
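Review bot: Within the same `run()` method the local digest is computed under two different names, `checksum(dest, hash_func=hashlib.sha256)` in the first code hunk and `secure_hash(dest, hash_func=hashlib.sha256)` in the second; if `checksum` is still the alias of `secure_hash` in ansible.utils.hashing these are the same call, and a reader comparing the two lines should not have to check that. Pick one spelling and name the algorithm once, e.g. `CHECKSUM_HASH = hashlib.sha256` at module scope with `local_checksum = secure_hash(dest, hash_func=CHECKSUM_HASH)` and `new_checksum = secure_hash(dest, hash_func=CHECKSUM_HASH)`, so a later change cannot update one site and miss the other. Both `new_checksum` and `local_checksum` are compared against `remote_checksum`, which is obtained outside these hunks; that side must be produced with the same algorithm. `run()` starts and ends outside the hunks.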