Do not use random to generate token

To avoid problems with FIPS 140-2 let's generate
the token using the secrets module instead of random.

Change-Id: I90c3c94112d093e2309414b9902f58d31d925ad3
Story: 2007444
Task: 39104

ironic/conductor/utils.py

@@ -15,8 +15,7 @@
 import contextlib
 import datetime
 from distutils.version import StrictVersion
-import random
-import string
+import secrets
 import time
 
 from openstack.baremetal import configdrive as os_configdrive
@@ -1019,9 +1018,7 @@ def add_secret_token(node, pregenerated=False):
                          order to facilitate virtual media booting where
                          the token is embedded into the configuration.
     """
-    characters = string.ascii_letters + string.digits
-    token = ''.join(
-        random.SystemRandom().choice(characters) for i in range(128))
+    token = secrets.token_urlsafe()
     i_info = node.driver_internal_info
     i_info['agent_secret_token'] = token
     if pregenerated:

ironic/tests/unit/conductor/test_utils.py

@@ -2030,8 +2030,7 @@ class AgentTokenUtilsTestCase(tests_base.TestCase):
     def test_add_secret_token(self):
         self.assertNotIn('agent_secret_token', self.node.driver_internal_info)
         conductor_utils.add_secret_token(self.node)
-        self.assertEqual(
-            128, len(self.node.driver_internal_info['agent_secret_token']))
+        self.assertIn('agent_secret_token', self.node.driver_internal_info)
 
     def test_del_secret_token(self):
         conductor_utils.add_secret_token(self.node)

releasenotes/notes/use_secrets_to_generate_token-55af0f43e5a80b9e.yaml

@@ -0,0 +1,9 @@
+---
+security:
+  - |
+    The secret token that is used for IPA verification will be generated by
+    the secrets module to be in compliance with the FIPS 140-2.
+fixes:
+  - |
+    The secret token that is used for IPA verification will be generated using
+    the secrets module.