Merge "Do not use random to generate token"

Zuul 2020-03-22 22:40:49 +00:00 committed by Gerrit Code Review
commit 88d7b1e667
3 changed files with 12 additions and 7 deletions


@ -15,8 +15,7 @@
import contextlib import contextlib
import datetime import datetime
from distutils.version import StrictVersion from distutils.version import StrictVersion
import random import secrets
import string
import time import time
from openstack.baremetal import configdrive as os_configdrive from openstack.baremetal import configdrive as os_configdrive
@ -1019,9 +1018,7 @@ def add_secret_token(node, pregenerated=False):
order to facilitate virtual media booting where order to facilitate virtual media booting where
the token is embedded into the configuration. the token is embedded into the configuration.
""" """
characters = string.ascii_letters + string.digits token = secrets.token_urlsafe()
token = ''.join(
random.SystemRandom().choice(characters) for i in range(128))
i_info = node.driver_internal_info i_info = node.driver_internal_info
i_info['agent_secret_token'] = token i_info['agent_secret_token'] = token
if pregenerated: if pregenerated:
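Review bot: The new `secrets.token_urlsafe()` call in add_secret_token leaves the token size to the library default, which is currently 32 bytes (about 43 characters) and is documented as subject to change, whereas the removed code always produced 128 characters. Passing the size explicitly, for example `token = secrets.token_urlsafe(32)`, makes the token strength a deliberate choice rather than a side effect of the Python version. The output alphabet now also includes `-` and `_`, so any consumer that validates the token as alphanumeric or assumes a 128-character value should be checked; no such consumer is visible in this hunk. A short comment could also record that the removed `random.SystemRandom()` already drew from the OS CSPRNG, so the motivation is compliance and idiom rather than predictable tokens. The function body continues past the end of the hunk.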


@ -2030,8 +2030,7 @@ class AgentTokenUtilsTestCase(tests_base.TestCase):
def test_add_secret_token(self): def test_add_secret_token(self):
self.assertNotIn('agent_secret_token', self.node.driver_internal_info) self.assertNotIn('agent_secret_token', self.node.driver_internal_info)
conductor_utils.add_secret_token(self.node) conductor_utils.add_secret_token(self.node)
self.assertEqual( self.assertIn('agent_secret_token', self.node.driver_internal_info)
128, len(self.node.driver_internal_info['agent_secret_token']))
def test_del_secret_token(self): def test_del_secret_token(self):
conductor_utils.add_secret_token(self.node) conductor_utils.add_secret_token(self.node)
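Review bot: The replacement assertion in test_add_secret_token only checks that the `agent_secret_token` key is present, so an empty or truncated token would still pass now that the length check is gone. Keeping a lower bound preserves the security property without pinning the exact encoding, for example `self.assertGreaterEqual(len(self.node.driver_internal_info['agent_secret_token']), 32)`. The bound of 32 is a suggestion and should follow whatever size add_secret_token is meant to guarantee.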


@ -0,0 +1,9 @@
---
security:
- |
The secret token that is used for IPA verification will be generated by
the secrets module to be in compliance with the FIPS 140-2.
fixes:
- |
The secret token that is used for IPA verification will be generated using
the secrets module.