From 91df2bb3b7d14664bba576d4fa7811ad3a13a80c Mon Sep 17 00:00:00 2001 From: allegroai <> Date: Thu, 20 Jun 2024 17:46:23 +0300 Subject: [PATCH] Use better token generation for the secret key --- apiserver/config/default/secure.conf | 12 +++---- apiserver/service_repo/auth/utils.py | 54 ++++++++++++++-------------- 2 files changed, 32 insertions(+), 34 deletions(-) diff --git a/apiserver/config/default/secure.conf b/apiserver/config/default/secure.conf index 9c0294f..e2cfce1 100644 --- a/apiserver/config/default/secure.conf +++ b/apiserver/config/default/secure.conf @@ -1,13 +1,13 @@ { http { session_secret { - apiserver: "Gx*gB-L2U8!Naqzd#8=7A4&+=In4H(da424H33ZTDQRGF6=FWw" + apiserver: "V8gcW3EneNDcNfO7G_TSUsWe7uLozyacc9_I33o7bxUo8rCN31VLRg" } } auth { # token sign secret - token_secret: "7E1ua3xP9GT2(cIQOfhjp+gwN6spBeCAmN-XuugYle00I=Wc+u" + token_secret: "Rq8FW84sSqVgq7WvBB_4EzNl9y8z8IGiDXX3C345_a5AZfcwZcwCIA" } credentials { @@ -15,24 +15,24 @@ apiserver { role: "system" user_key: "62T8CP7HGBC6647XF9314C2VY67RJO" - user_secret: "FhS8VZv_I4%6Mo$8S1BWc$n$=o1dMYSivuiWU-Vguq7qGOKskG-d+b@tn_Iq" + user_secret: "gaOfhDX2-bpkeI7-cwEcaMuGijxaG2UG3jbIvg4DxmVGF0LNI7rgvCb1-ne38IlBo1w" } webserver { role: "system" user_key: "EYVQ385RW7Y2QQUH88CZ7DWIQ1WUHP" - user_secret: "yfc8KQo*GMXb*9p((qcYC7ByFIpF7I&4VH3BfUYXH%o9vX1ZUZQEEw1Inc)S" + user_secret: "XhkH6a6ds9JBnM_MrahYyYdO-wS2bqFSm8gl-V0UZXH26Ydd6Eyi28TeBEoSr6Z3Bes" revoke_in_fixed_mode: true } services_agent { role: "admin" user_key: "P4BMJA7RK3TKBXGSY8OAA1FA8TOD11" - user_secret: "9LsgSfa0SYz0zli1_c500ZcLqanre2xkWOpepyt1w-BKK3_DKPHrtoj3JSHvyy8bIi0" + user_secret: "OjxF-nxfMMZ-pzFNQpLqHKBlca9OxmD8C-ZbQqTx5Ill1kwCVFj2CR2HQGjLlFGvYTc" } tests { role: "user" display_name: "Default User" user_key: "EGRTCO8JMSIGI6S39GTP43NFWXDQOW" - user_secret: "x!XTov_G-#vspE*Y(h$Anm&DIc5Ou-F)jsl$PdOyj5wG1&E!Z8" + user_secret: "LPEJbGJ6bK4tujQcmrD3i1dbMBDdwUwelVa-LG0K0FFmY9bzH_H0Sw" revoke_in_fixed_mode: true } } 
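Review bot: Regenerating the values in `apiserver/config/default/secure.conf` does not change that they remain default credentials committed to the repository, so any deployment that never overrides `session_secret`, `token_secret` or the `user_secret` entries keeps running with keys anyone can read, and the previous values stay recoverable from git history as well. The hunk adds no warning to that effect; a header comment such as `# Default development values only: every deployment MUST override these (generate new ones with apiserver/service_repo/auth/utils.py)` would make the expectation explicit, assuming the `__main__` block added to utils.py in this commit is the intended generator. The new `session_secret`/`token_secret` values are 54 characters while the apiserver and webserver `user_secret` values are 67, so they appear to have been generated with different lengths; that is fine entropy-wise but worth a one-line note if intentional.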
diff --git a/apiserver/service_repo/auth/utils.py b/apiserver/service_repo/auth/utils.py
index b514434..09ea12a 100644
--- a/apiserver/service_repo/auth/utils.py
+++ b/apiserver/service_repo/auth/utils.py
@@ -1,40 +1,38 @@ -import random +import secrets import string -sys_random = random.SystemRandom() + +def get_random_string(length): + """ + Create a random crypto-safe sequence of 'length' or more characters + Possible characters: alphanumeric, '-' and '_' + Make sure that it starts from alphanumeric for better compatibility with yaml files + """ + token = secrets.token_urlsafe(length) + for _ in range(10): + if not (token.startswith("-") or token.startswith("_")): + break + token = secrets.token_urlsafe(length) + + return token -def get_random_string( - length: int = 12, allowed_chars: str = string.ascii_letters + string.digits +def get_client_id( + length: int = 30, allowed_chars: str = string.ascii_uppercase + string.digits ) -> str: """ - Returns a securely generated random string. - - The default length of 12 with the a-z, A-Z, 0-9 character set returns - a 71-bit value. log_2((26+26+10)^12) =~ 71 bits. - - Taken from the django.utils.crypto module. + Create a random client id composed of 'length' upper case characters or digits """ - return "".join(sys_random.choice(allowed_chars) for _ in range(length)) - - -def get_client_id(length: int = 20) -> str: - """ - Create a random secret key. - - Taken from the Django project. - """ - chars = string.ascii_uppercase + string.digits - return get_random_string(length, chars) + return "".join(secrets.choice(allowed_chars) for _ in range(length)) def get_secret_key(length: int = 50) -> str: """ - Create a random secret key. - - Taken from the Django project. - NOTE: asterisk is not supported due to issues with environment variables containing - asterisks (in case the secret key is stored in an environment variable) + Create a random secret key """ - chars = string.ascii_letters + string.digits - return get_random_string(length, chars) + return get_random_string(length) + + +if __name__ == "__main__": + print(get_client_id()) + print(get_secret_key())
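Review bot: The new `get_random_string(length)` drops both the default `length` and the `allowed_chars` parameter of the previous signature, so any caller outside this file still using `get_random_string()` or `get_random_string(n, chars)` now raises `TypeError`; I cannot see such callers from the diff, so if any exist the form below keeps the old contract when `allowed_chars` is passed and otherwise uses `secrets.token_urlsafe`. The retry loop also tests only the first ten candidates: the eleventh `token_urlsafe` result is returned without the leading-character check, which a `while token.startswith(("-", "_")):` loop avoids with no cap (each retry fails with probability 1/32, so it terminates immediately in practice). The docstring should further say that `length` is the number of random bytes handed to `secrets.token_urlsafe`, so the result is roughly 4/3 × `length` characters, since callers such as `get_secret_key` size the secret through it.
```python
def get_random_string(length: int = 12, allowed_chars=None) -> str:
    """
    Create a crypto-safe random string.

    Without 'allowed_chars': 'length' random bytes are encoded with
    secrets.token_urlsafe (alphanumeric, '-' and '_'; about 4/3 * length
    characters) and the result never starts with '-' or '_' so it stays safe
    as an unquoted config/yaml scalar. With 'allowed_chars' the pre-existing
    contract is kept: exactly 'length' characters drawn from that alphabet.
    """
    if allowed_chars is not None:
        return "".join(secrets.choice(allowed_chars) for _ in range(length))
    token = secrets.token_urlsafe(length)
    while token.startswith(("-", "_")):
        token = secrets.token_urlsafe(length)
    return token
```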