Fix Python3 compatibility for kolla-genpwd
The method `Fernet.generate_key()` generates a binary string in Python 3:
```
>>> Fernet.generate_key()
b'qSMZlOK23pZUw_Uyy-ZRPUfPskMXKGCGmhG6AHCFiV8='
```
Unless properly written as a string to the Kolla `passwords.yml` file,
the Fernet key will end up in the final Barbican config like this:
```
[simple_crypto_plugin]
kek = b'qSMZlOK23pZUw_Uyy-ZRPUfPskMXKGCGmhG6AHCFiV8='
```
Due to the fact that the key is incorrectly written to the barbican
config file (it should be written as a string), every barbican secret
store fails with:
```
barbican.api.controllers File "/var/lib/kolla/venv/lib/python3.6/site-packages/barbican/plugin/store_crypto.py", line 83, in store_secret
barbican.api.controllers encrypting_plugin, context.project_model)
barbican.api.controllers File "/var/lib/kolla/venv/lib/python3.6/site-packages/barbican/plugin/store_crypto.py", line 290, in _find_or_create_kek_objects
barbican.api.controllers kek_meta_dto = plugin_inst.bind_kek_metadata(kek_meta_dto)
barbican.api.controllers File "/var/lib/kolla/venv/lib/python3.6/site-packages/barbican/plugin/crypto/simple_crypto.py", line 104, in bind_kek_metadata
barbican.api.controllers encryptor = fernet.Fernet(self.master_kek)
barbican.api.controllers File "/var/lib/kolla/venv/lib/python3.6/site-packages/cryptography/fernet.py", line 38, in __init__
barbican.api.controllers "Fernet key must be 32 url-safe base64-encoded bytes."
barbican.api.controllers ValueError: Fernet key must be 32 url-safe base64-encoded bytes.
```
This commit fixes the issue described above by properly writing
the Fernet key as a string to the Kolla `passwords.yml` file.
Closes-Bug: #1848191
Change-Id: I27fc0159c889bc2e1576fdd69b7d02a320b620f8
(cherry picked from commit e3fccdfa65
)
This commit is contained in:
parent
285145bb6d
commit
8b46416425
@ -80,7 +80,7 @@ def genpwd(passwords_file, length, uuid_keys, ssh_keys, blank_keys,
|
|||||||
uuidutils.generate_uuid().encode(), ''.encode(), md5)
|
uuidutils.generate_uuid().encode(), ''.encode(), md5)
|
||||||
.hexdigest())
|
.hexdigest())
|
||||||
elif k in fernet_keys:
|
elif k in fernet_keys:
|
||||||
passwords[k] = fernet.Fernet.generate_key()
|
passwords[k] = fernet.Fernet.generate_key().decode()
|
||||||
else:
|
else:
|
||||||
passwords[k] = ''.join([
|
passwords[k] = ''.join([
|
||||||
random.SystemRandom().choice(
|
random.SystemRandom().choice(
|
||||||
|
Loading…
Reference in New Issue
Block a user