From 1425adbb0572d6280ae70635baa53b0d9291ac07 Mon Sep 17 00:00:00 2001
From: Iury Gregory Melo Ferreira <imelofer@redhat.com>
Date: Wed, 18 Mar 2020 16:56:19 +0100
Subject: [PATCH] Do not use random to generate token

To avoid problems with FIPS 140-2 let's generate
the token using the secrets module instead of random.

Change-Id: I90c3c94112d093e2309414b9902f58d31d925ad3
Story: 2007444
Task: 39104
---
 ironic/conductor/utils.py                                | 7 ++-----
 ironic/tests/unit/conductor/test_utils.py                | 3 +--
 .../use_secrets_to_generate_token-55af0f43e5a80b9e.yaml  | 9 +++++++++
 3 files changed, 12 insertions(+), 7 deletions(-)
 create mode 100644 releasenotes/notes/use_secrets_to_generate_token-55af0f43e5a80b9e.yaml

diff --git a/ironic/conductor/utils.py b/ironic/conductor/utils.py
index 2d97d655c3..ee14dce50f 100644
--- a/ironic/conductor/utils.py
+++ b/ironic/conductor/utils.py
@@ -15,8 +15,7 @@
 import contextlib
 import datetime
 from distutils.version import StrictVersion
-import random
-import string
+import secrets
 import time
 
 from openstack.baremetal import configdrive as os_configdrive
@@ -1019,9 +1018,7 @@ def add_secret_token(node, pregenerated=False):
                          order to facilitate virtual media booting where
                          the token is embedded into the configuration.
     """
-    characters = string.ascii_letters + string.digits
-    token = ''.join(
-        random.SystemRandom().choice(characters) for i in range(128))
+    token = secrets.token_urlsafe()
     i_info = node.driver_internal_info
     i_info['agent_secret_token'] = token
     if pregenerated:
diff --git a/ironic/tests/unit/conductor/test_utils.py b/ironic/tests/unit/conductor/test_utils.py
index 6a437debe2..23127efe27 100644
--- a/ironic/tests/unit/conductor/test_utils.py
+++ b/ironic/tests/unit/conductor/test_utils.py
@@ -2030,8 +2030,7 @@ class AgentTokenUtilsTestCase(tests_base.TestCase):
     def test_add_secret_token(self):
         self.assertNotIn('agent_secret_token', self.node.driver_internal_info)
         conductor_utils.add_secret_token(self.node)
-        self.assertEqual(
-            128, len(self.node.driver_internal_info['agent_secret_token']))
+        self.assertIn('agent_secret_token', self.node.driver_internal_info)
 
     def test_del_secret_token(self):
         conductor_utils.add_secret_token(self.node)
diff --git a/releasenotes/notes/use_secrets_to_generate_token-55af0f43e5a80b9e.yaml b/releasenotes/notes/use_secrets_to_generate_token-55af0f43e5a80b9e.yaml
new file mode 100644
index 0000000000..609c48e7bc
--- /dev/null
+++ b/releasenotes/notes/use_secrets_to_generate_token-55af0f43e5a80b9e.yaml
@@ -0,0 +1,9 @@
+---
+security:
+  - |
+    The secret token that is used for IPA verification will be generated by
+    the secrets module to be in compliance with the FIPS 140-2.
+fixes:
+  - |
+    The secret token that is used for IPA verification will be generated using
+    the secrets module.