Replace random with SystemRandom for RandomString

It might be theoretically possible to infer the state of
standard Python's RNG in a long-running heat-engine service
from multiple created RandomString resources.

Let's use the random.SystemRandom (and os.urandom) for
OS::Heat::RandomString instead.

Change-Id: Iac5c03176fc8bae95ada883621196bd9cb453be3
Closes-Bug: #1745931
Pavlo Shchelokovskyy 2018-01-22 18:17:37 +02:00
parent 9e4cda46e6
commit 41605aaac1
2 changed files with 11 additions and 1 deletions


@ -11,7 +11,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
import random import random as random_module
import string import string
import six import six
@ -25,6 +25,10 @@ from heat.engine import resource
from heat.engine import support from heat.engine import support
from heat.engine import translation from heat.engine import translation
# NOTE(pas-ha) Heat officially supports only POSIX::Linux platform
# where os.urandom() and random.SystemRandom() are available
random = random_module.SystemRandom()
class RandomString(resource.Resource): class RandomString(resource.Resource):
"""A resource which generates a random string. """A resource which generates a random string.

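Review bot: rebinding the module-level name `random` to a `SystemRandom()` instance, on the line right after the NOTE comment, hides from anyone reading the rest of this file that `random` is no longer the stdlib module. Existing `random.<method>` calls keep working, but nothing at the call site shows that they are now backed by os.urandom, and a later edit that re-adds a plain `import random` would silently revert the fix. Consider binding the instance to a distinct name (for example `_sysrandom = random_module.SystemRandom()`) and switching the callers to it, or at least state in the NOTE that the shadowing is deliberate. Also note that `SystemRandom` ignores `seed()` and raises NotImplementedError from `getstate()` and `setstate()`, so any code or test that seeds this module's `random` to get deterministic output should be checked; no test change is visible in this commit.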

@ -0,0 +1,6 @@
---
security:
- |
Heat no longer uses standard Python RNG when generating values for
OS::Heat::RandomString resource, and instead relies on system's RNG
for that.
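Review bot: the release note under `security:` only covers values generated from now on and does not say what happens to OS::Heat::RandomString values created before the upgrade. If those values are kept as they are, say so explicitly and recommend that operators replace any that are used as passwords or other secrets, since the commit message gives state inference from previously created resources as the reason for the change. A reference to the bug from the commit message (#1745931) would also let readers find the background.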