diff --git a/keystone/api/users.py b/keystone/api/users.py index 10f26bd428..3fd4e41903 100644 --- a/keystone/api/users.py +++ b/keystone/api/users.py @@ -13,7 +13,7 @@ # This file handles all flask-restful resources for /v3/users import base64 -import os +import secrets import uuid import flask @@ -577,7 +577,7 @@ class UserAppCredListCreateResource(ks_flask.ResourceBase): @staticmethod def _generate_secret(): length = 64 - secret = os.urandom(length) + secret = secrets.token_bytes(length) secret = base64.urlsafe_b64encode(secret) secret = secret.rstrip(b'=') secret = secret.decode('utf-8') diff --git a/keystone/common/cache/core.py b/keystone/common/cache/core.py index de0d8a0238..fb9fc1ca85 100644 --- a/keystone/common/cache/core.py +++ b/keystone/common/cache/core.py @@ -14,7 +14,7 @@ """Keystone Caching Layer Implementation.""" -import os +import secrets from dogpile.cache import region from dogpile.cache import util @@ -36,7 +36,7 @@ class RegionInvalidationManager(object): self._region_key = self.REGION_KEY_PREFIX + region_name def _generate_new_id(self): - return os.urandom(10) + return secrets.token_bytes(10) @property def region_id(self): diff --git a/keystone/tests/unit/core.py b/keystone/tests/unit/core.py index 5e93b842f4..92adbfb229 100644 --- a/keystone/tests/unit/core.py +++ b/keystone/tests/unit/core.py @@ -18,6 +18,8 @@ import datetime import functools import hashlib import json +import secrets + import ldap import os import shutil @@ -422,9 +424,9 @@ def new_ec2_credential(user_id, project_id=None, blob=None, **kwargs): def new_totp_credential(user_id, project_id=None, blob=None): if not blob: - # NOTE(notmorgan): 20 bytes of data from os.urandom for + # NOTE(notmorgan): 20 bytes of data from secrets.token_bytes for # a totp secret. - blob = base64.b32encode(os.urandom(20)).decode('utf-8') + blob = base64.b32encode(secrets.token_bytes(20)).decode('utf-8') credential = new_credential_ref(user_id=user_id, project_id=project_id, blob=blob,