authorIury Gregory Melo Ferreira <imelofer@redhat.com>2020-03-18 16:56:19 +0100
committerIury Gregory Melo Ferreira <imelofer@redhat.com>2020-03-20 20:29:58 +0100
commit1425adbb0572d6280ae70635baa53b0d9291ac07 (patch)
tree943deab5a229f5629d088c94f36543fc0b4df8d0 /ironic
parent5221f7792e4c584ba1aa7fa7a87612a31a6a1c6a (diff)
downloadironic-1425adbb0572d6280ae70635baa53b0d9291ac07.tar.gz
Do not use random to generate token
To avoid problems with FIPS 140-2 let's generate the token using the secrets module instead of random. Change-Id: I90c3c94112d093e2309414b9902f58d31d925ad3 Story: 2007444 Task: 39104
Diffstat (limited to 'ironic')
-rw-r--r--ironic/conductor/utils.py7
-rw-r--r--ironic/tests/unit/conductor/test_utils.py3
2 files changed, 3 insertions, 7 deletions
diff --git a/ironic/conductor/utils.py b/ironic/conductor/utils.py
index 2d97d655c..ee14dce50 100644
--- a/ironic/conductor/utils.py
+++ b/ironic/conductor/utils.py
@@ -15,8 +15,7 @@
import contextlib
import datetime
from distutils.version import StrictVersion
-import random
-import string
+import secrets
import time
from openstack.baremetal import configdrive as os_configdrive
@@ -1019,9 +1018,7 @@ def add_secret_token(node, pregenerated=False):
order to facilitate virtual media booting where
the token is embedded into the configuration.
"""
- characters = string.ascii_letters + string.digits
- token = ''.join(
- random.SystemRandom().choice(characters) for i in range(128))
+ token = secrets.token_urlsafe()
i_info = node.driver_internal_info
i_info['agent_secret_token'] = token
if pregenerated:
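Review bot: `secrets.token_urlsafe()` is called without a size on the new `token = ...` line, so the token length becomes the library default (32 random bytes, about 43 characters, in current CPython) instead of the 128 characters the removed code produced. The secrets documentation states that this default may change between releases. Pinning the size keeps the token strength an explicit, reviewable choice, for example `token = secrets.token_urlsafe(32)` or a named module constant. The output alphabet also gains `-` and `_`, so any consumer that assumes a fixed length or alphanumeric-only token should be checked; none is visible in this hunk. add_secret_token starts before the hunk and continues past it.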
diff --git a/ironic/tests/unit/conductor/test_utils.py b/ironic/tests/unit/conductor/test_utils.py
index 6a437debe..23127efe2 100644
--- a/ironic/tests/unit/conductor/test_utils.py
+++ b/ironic/tests/unit/conductor/test_utils.py
@@ -2030,8 +2030,7 @@ class AgentTokenUtilsTestCase(tests_base.TestCase):
def test_add_secret_token(self):
self.assertNotIn('agent_secret_token', self.node.driver_internal_info)
conductor_utils.add_secret_token(self.node)
- self.assertEqual(
- 128, len(self.node.driver_internal_info['agent_secret_token']))
+ self.assertIn('agent_secret_token', self.node.driver_internal_info)
def test_del_secret_token(self):
conductor_utils.add_secret_token(self.node)
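Review bot: The replacement assertion in test_add_secret_token only checks that the `agent_secret_token` key exists, so an empty or very short token would still pass. A lower bound keeps the protection the old length assertion gave without tying the test to an exact size, for example `self.assertGreaterEqual(len(self.node.driver_internal_info['agent_secret_token']), 32)`. test_del_secret_token continues outside the hunk.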