authorPavlo Shchelokovskyy <shchelokovskyy@gmail.com>2018-01-22 18:17:37 +0200
committerZane Bitter <zbitter@redhat.com>2018-04-06 10:30:56 -0400
commitde568e036cf310338aeced0b9a34377f8a6280e4 (patch)
tree8eab7e62a65f7069da5d7189a89e2ecf7a2d0eed
parentb9a2f48823caee4aa940490ddd6572ea58703c7e (diff)
Replace random with SystemRandom for RandomString
It might be theoretically possible to infer the state of standard Python's RNG in a long-running heat-engine service from multiple created RandomString resources. Let's use the random.SystemRandom (and os.urandom) for OS::Heat::RandomString instead. Change-Id: Iac5c03176fc8bae95ada883621196bd9cb453be3 Closes-Bug: #1745931 (cherry picked from commit 41605aaac1ec9fb0020c663b703255ee2cf3615f)
-rw-r--r--heat/engine/resources/openstack/heat/random_string.py6
-rw-r--r--releasenotes/notes/system-random-string-38a14ae2cb6f4a24.yaml6
2 files changed, 11 insertions, 1 deletions
diff --git a/heat/engine/resources/openstack/heat/random_string.py b/heat/engine/resources/openstack/heat/random_string.py
index d4758531e..9052b5062 100644
--- a/heat/engine/resources/openstack/heat/random_string.py
+++ b/heat/engine/resources/openstack/heat/random_string.py
@@ -11,7 +11,7 @@
# License for the specific language governing permissions and limitations
# under the License.
-import random
+import random as random_module
import string
import six
@@ -25,6 +25,10 @@ from heat.engine import resource
from heat.engine import support
from heat.engine import translation
+# NOTE(pas-ha) Heat officially supports only POSIX::Linux platform
+# where os.urandom() and random.SystemRandom() are available
+random = random_module.SystemRandom()
+
class RandomString(resource.Resource):
"""A resource which generates a random string.
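Review bot: Rebinding the module-level name with `random = random_module.SystemRandom()` makes the security property depend on a name that reads like the stdlib module. A later edit that restores a plain `import random`, or adds `from random import choice`, would silently fall back to the predictable Mersenne Twister generator without any test failing. Consider binding the instance to a distinct name such as `_sysrandom = random_module.SystemRandom()` and using it at the call sites, which presumably sit in the RandomString class body outside this hunk. At minimum the comment should state the reason rather than only platform availability, e.g. `# Security: use the OS CSPRNG so earlier RandomString values do not help predict later ones (bug #1745931)`.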
diff --git a/releasenotes/notes/system-random-string-38a14ae2cb6f4a24.yaml b/releasenotes/notes/system-random-string-38a14ae2cb6f4a24.yaml
new file mode 100644
index 000000000..713317c8f
--- /dev/null
+++ b/releasenotes/notes/system-random-string-38a14ae2cb6f4a24.yaml
@@ -0,0 +1,6 @@
+---
+security:
+ - |
+ Heat no longer uses standard Python RNG when generating values for
+ OS::Heat::RandomString resource, and instead relies on system's RNG
+ for that.