Merge "Do not use random to generate token"

Zuul 2020-03-22 22:40:49 +00:00 committed by Gerrit Code Review
commit 88d7b1e667
3 changed files with 12 additions and 7 deletions


@ -15,8 +15,7 @@
import contextlib
import datetime
from distutils.version import StrictVersion
import random
import string
import secrets
import time
from openstack.baremetal import configdrive as os_configdrive
@ -1019,9 +1018,7 @@ def add_secret_token(node, pregenerated=False):
order to facilitate virtual media booting where
the token is embedded into the configuration.
"""
characters = string.ascii_letters + string.digits
token = ''.join(
random.SystemRandom().choice(characters) for i in range(128))
token = secrets.token_urlsafe()
i_info = node.driver_internal_info
i_info['agent_secret_token'] = token
if pregenerated:
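Review bot: `secrets.token_urlsafe()` is called without `nbytes` in add_secret_token, so the token size is whatever default the running Python supplies (32 random bytes, about 43 characters, in current CPython, and the library documentation says that default may change) rather than a value this code pins. Passing the size explicitly, e.g. `token = secrets.token_urlsafe(32)`, with a short comment stating the intended entropy, keeps the strength of the agent token a reviewed decision. Both the old `random.SystemRandom()` and `secrets` draw from the OS CSPRNG, so the practical changes here are the shorter token and the new alphabet, which can include `-` and `_`. Anything that stores or validates `agent_secret_token` by length or character set should be checked; that code is not visible on this page. The function body continues past the end of the hunk.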


@ -2030,8 +2030,7 @@ class AgentTokenUtilsTestCase(tests_base.TestCase):
def test_add_secret_token(self):
self.assertNotIn('agent_secret_token', self.node.driver_internal_info)
conductor_utils.add_secret_token(self.node)
self.assertEqual(
128, len(self.node.driver_internal_info['agent_secret_token']))
self.assertIn('agent_secret_token', self.node.driver_internal_info)
def test_del_secret_token(self):
conductor_utils.add_secret_token(self.node)
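Review bot: test_add_secret_token now only checks that the key exists, so an empty or very short token would still pass; the removed 128-character assertion was the only check on token size. A lower bound keeps the test meaningful without tying it to the exact encoding, e.g. `self.assertGreaterEqual(len(self.node.driver_internal_info['agent_secret_token']), 32)`. Generating a token twice and asserting the two values differ would also catch a constant or reused token. test_del_secret_token continues outside the hunk.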


@ -0,0 +1,9 @@
---
security:
- |
The secret token that is used for IPA verification will be generated by
the secrets module to be in compliance with the FIPS 140-2.
fixes:
- |
The secret token that is used for IPA verification will be generated using
the secrets module.