authorlinjiang <linjiangbieji@qq.com>2021-12-23 01:23:39 +0800
committerlinjiang <linjiangbieji@qq.com>2022-01-03 19:16:29 +0800
commit0b64050e6b3daeed0aee4496d6cba2c31eeb7d83 (patch)
tree9266ee576d1718fd5444e55c277d3060f1cc1597
parenta9fa5131cda296743e4916577ed968b488a414d6 (diff)
downloadkeystone-0b64050e6b3daeed0aee4496d6cba2c31eeb7d83.tar.gz
using standard library secrets function token_bytes to replace os.urandom
token_bytes is a function in the standard library secrets module; for details see https://www.python.org/dev/peps/pep-0506/ Change-Id: I7e6b1df5eac59bac33674934d7b3e8cdd16cea27
-rw-r--r--keystone/api/users.py4
-rw-r--r--keystone/common/cache/core.py4
-rw-r--r--keystone/tests/unit/core.py6
3 files changed, 8 insertions, 6 deletions
diff --git a/keystone/api/users.py b/keystone/api/users.py
index 10f26bd42..3fd4e4190 100644
--- a/keystone/api/users.py
+++ b/keystone/api/users.py
@@ -13,7 +13,7 @@
# This file handles all flask-restful resources for /v3/users
import base64
-import os
+import secrets
import uuid
import flask
@@ -577,7 +577,7 @@ class UserAppCredListCreateResource(ks_flask.ResourceBase):
@staticmethod
def _generate_secret():
length = 64
- secret = os.urandom(length)
+ secret = secrets.token_bytes(length)
secret = base64.urlsafe_b64encode(secret)
secret = secret.rstrip(b'=')
secret = secret.decode('utf-8')
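Review bot: In `_generate_secret` the four lines that draw the bytes, URL-safe base64 encode them, strip the `=` padding and decode can be one call now that `secrets` is imported: `secret = secrets.token_urlsafe(length)`. The standard library implements `token_urlsafe` as exactly that sequence over `token_bytes`, so the generated application-credential secret keeps the same format and the same 64 bytes of entropy. `os.urandom` and `secrets.token_bytes` both read the operating system CSPRNG, so the swap itself changes readability rather than strength. The rest of the method lies outside the hunk.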
diff --git a/keystone/common/cache/core.py b/keystone/common/cache/core.py
index de0d8a023..fb9fc1ca8 100644
--- a/keystone/common/cache/core.py
+++ b/keystone/common/cache/core.py
@@ -14,7 +14,7 @@
"""Keystone Caching Layer Implementation."""
-import os
+import secrets
from dogpile.cache import region
from dogpile.cache import util
@@ -36,7 +36,7 @@ class RegionInvalidationManager(object):
self._region_key = self.REGION_KEY_PREFIX + region_name
def _generate_new_id(self):
- return os.urandom(10)
+ return secrets.token_bytes(10)
@property
def region_id(self):
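Review bot: `_generate_new_id` has no docstring and its length `10` is a bare literal, so a reader cannot tell whether 80 bits was chosen for uniqueness or for unpredictability. I would add a docstring such as `"""Return 10 random bytes to use as a new region id."""`. If the id only needs to be unique between invalidations, which the class name suggests but the hunk does not show, the docstring should say so. The class body starts and continues outside the hunk.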
diff --git a/keystone/tests/unit/core.py b/keystone/tests/unit/core.py
index 5e93b842f..92adbfb22 100644
--- a/keystone/tests/unit/core.py
+++ b/keystone/tests/unit/core.py
@@ -18,6 +18,8 @@ import datetime
import functools
import hashlib
import json
+import secrets
+
import ldap
import os
import shutil
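Review bot: The added `import secrets` sits between `import json` and `import ldap` and is followed by a new blank line, which breaks the alphabetical order of this import list and splits it in two. Placing `import secrets` between `import os` and `import shutil`, without the blank line, keeps the block sorted and the diff to a single added line. The import list starts and continues outside the hunk, so the surrounding grouping should be checked against the project's import-order lint.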
@@ -422,9 +424,9 @@ def new_ec2_credential(user_id, project_id=None, blob=None, **kwargs):
def new_totp_credential(user_id, project_id=None, blob=None):
if not blob:
- # NOTE(notmorgan): 20 bytes of data from os.urandom for
+ # NOTE(notmorgan): 20 bytes of data from secrets.token_bytes for
# a totp secret.
- blob = base64.b32encode(os.urandom(20)).decode('utf-8')
+ blob = base64.b32encode(secrets.token_bytes(20)).decode('utf-8')
credential = new_credential_ref(user_id=user_id,
project_id=project_id,
blob=blob,