From b80a63f33f5e314757a331a527744e95b7a572ca Mon Sep 17 00:00:00 2001 From: Eduardo Gonzalez Date: Thu, 26 Jul 2018 21:58:47 +0200 Subject: [PATCH] Use fernet for barbican crypto key Sha password is not always valid for barbican cripto key. Use a fernet key so it always gets valid. Not need release note for upgrade, users with a working barbican not regenerate passwords, only new passwords will get new type. Change-Id: Ic8c4ca63219295d697062cff9cbf30fadbe49bf3 --- kolla_ansible/cmd/genpwd.py | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/kolla_ansible/cmd/genpwd.py b/kolla_ansible/cmd/genpwd.py index 8a0ab56420..366964df7b 100755 --- a/kolla_ansible/cmd/genpwd.py +++ b/kolla_ansible/cmd/genpwd.py @@ -19,11 +19,11 @@ import random import string import sys +from cryptography import fernet from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.primitives import serialization from hashlib import md5 -from hashlib import sha256 from oslo_utils import uuidutils import yaml @@ -85,8 +85,8 @@ def main(): hmac_md5_keys = ['designate_rndc_key', 'osprofiler_secret'] - # HMAC-SHA256 keys - hmac_sha256_keys = ['barbican_crypto_key'] + # Fernet keys + fernet_keys = ['barbican_crypto_key'] # length of password length = 40 @@ -114,10 +114,8 @@ def main(): passwords[k] = (hmac.new( uuidutils.generate_uuid().encode(), ''.encode(), md5) .hexdigest()) - elif k in hmac_sha256_keys: - passwords[k] = (hmac.new( - uuidutils.generate_uuid().encode(), ''.encode(), sha256) - .hexdigest()) + elif k in fernet_keys: + passwords[k] = fernet.Fernet.generate_key() else: passwords[k] = ''.join([ random.SystemRandom().choice(
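Review bot: The new `# Fernet keys` comment above `fernet_keys = ['barbican_crypto_key']` names the key type but not why this entry is generated separately. The commit message gives the reason: a SHA-derived value is not always a valid barbican crypto key. I would expand the comment to `# Fernet keys: url-safe base64 of 32 random bytes; barbican_crypto_key must be in this format`, so a later edit does not move the entry back to a hex-digest generator. main() begins and continues outside this hunk.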
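Review bot: `fernet.Fernet.generate_key()` returns `bytes`, while the other branches visible in this `elif` chain store a `str` (`.hexdigest()` and `''.join(...)`), so on Python 3 `passwords[k]` ends up holding a bytes object for `barbican_crypto_key`. The file imports `yaml`; if the dict is later dumped with it (the dump call is outside this hunk), a bytes value is written as a `!!binary` node rather than the plain key text. In that case the value that reaches barbican's configuration would presumably not be the key that was generated. Decoding at the point of generation keeps the type uniform: `passwords[k] = fernet.Fernet.generate_key().decode()`. The enclosing loop and the rest of main() lie outside the hunk.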