Merge "using standard library secrets function token_bytes to replace os.urandom"

keystone/api/users.py

@@ -13,7 +13,7 @@
 # This file handles all flask-restful resources for /v3/users
 
 import base64
-import os
+import secrets
 import uuid
 
 import flask
@@ -577,7 +577,7 @@ class UserAppCredListCreateResource(ks_flask.ResourceBase):
     @staticmethod
     def _generate_secret():
         length = 64
-        secret = os.urandom(length)
+        secret = secrets.token_bytes(length)
         secret = base64.urlsafe_b64encode(secret)
         secret = secret.rstrip(b'=')
         secret = secret.decode('utf-8')

keystone/common/cache/core.py

@@ -14,7 +14,7 @@
 
 """Keystone Caching Layer Implementation."""
 
-import os
+import secrets
 
 from dogpile.cache import region
 from dogpile.cache import util
@@ -36,7 +36,7 @@ class RegionInvalidationManager(object):
         self._region_key = self.REGION_KEY_PREFIX + region_name
 
     def _generate_new_id(self):
-        return os.urandom(10)
+        return secrets.token_bytes(10)
 
     @property
     def region_id(self):

keystone/tests/unit/core.py

@@ -19,6 +19,8 @@ import datetime
 import functools
 import hashlib
 import json
+import secrets
+
 import ldap
 import os
 import shutil
@@ -421,9 +423,9 @@ def new_ec2_credential(user_id, project_id=None, blob=None, **kwargs):
 
 def new_totp_credential(user_id, project_id=None, blob=None):
     if not blob:
-        # NOTE(notmorgan): 20 bytes of data from os.urandom for
+        # NOTE(notmorgan): 20 bytes of data from secrets.token_bytes for
         # a totp secret.
-        blob = base64.b32encode(os.urandom(20)).decode('utf-8')
+        blob = base64.b32encode(secrets.token_bytes(20)).decode('utf-8')
     credential = new_credential_ref(user_id=user_id,
                                     project_id=project_id,
                                     blob=blob,