Use better token generation for the secret key

apiserver/config/default/secure.conf

@@ -1,13 +1,13 @@
 {
     http {
         session_secret {
-            apiserver: "Gx*gB-L2U8!Naqzd#8=7A4&+=In4H(da424H33ZTDQRGF6=FWw"
+            apiserver: "V8gcW3EneNDcNfO7G_TSUsWe7uLozyacc9_I33o7bxUo8rCN31VLRg"
         }
     }
 
     auth {
         # token sign secret
-        token_secret: "7E1ua3xP9GT2(cIQOfhjp+gwN6spBeCAmN-XuugYle00I=Wc+u"
+        token_secret: "Rq8FW84sSqVgq7WvBB_4EzNl9y8z8IGiDXX3C345_a5AZfcwZcwCIA"
     }
 
     credentials {
@@ -15,24 +15,24 @@
         apiserver {
             role: "system"
             user_key: "62T8CP7HGBC6647XF9314C2VY67RJO"
-            user_secret: "FhS8VZv_I4%6Mo$8S1BWc$n$=o1dMYSivuiWU-Vguq7qGOKskG-d+b@tn_Iq"
+            user_secret: "gaOfhDX2-bpkeI7-cwEcaMuGijxaG2UG3jbIvg4DxmVGF0LNI7rgvCb1-ne38IlBo1w"
         }
         webserver {
             role: "system"
             user_key: "EYVQ385RW7Y2QQUH88CZ7DWIQ1WUHP"
-            user_secret: "yfc8KQo*GMXb*9p((qcYC7ByFIpF7I&4VH3BfUYXH%o9vX1ZUZQEEw1Inc)S"
+            user_secret: "XhkH6a6ds9JBnM_MrahYyYdO-wS2bqFSm8gl-V0UZXH26Ydd6Eyi28TeBEoSr6Z3Bes"
             revoke_in_fixed_mode: true
         }
         services_agent {
             role: "admin"
             user_key: "P4BMJA7RK3TKBXGSY8OAA1FA8TOD11"
-            user_secret: "9LsgSfa0SYz0zli1_c500ZcLqanre2xkWOpepyt1w-BKK3_DKPHrtoj3JSHvyy8bIi0"
+            user_secret: "OjxF-nxfMMZ-pzFNQpLqHKBlca9OxmD8C-ZbQqTx5Ill1kwCVFj2CR2HQGjLlFGvYTc"
         }
         tests {
             role: "user"
             display_name: "Default User"
             user_key: "EGRTCO8JMSIGI6S39GTP43NFWXDQOW"
-            user_secret: "x!XTov_G-#vspE*Y(h$Anm&DIc5Ou-F)jsl$PdOyj5wG1&E!Z8"
+            user_secret: "LPEJbGJ6bK4tujQcmrD3i1dbMBDdwUwelVa-LG0K0FFmY9bzH_H0Sw"
             revoke_in_fixed_mode: true
         }
     }

apiserver/service_repo/auth/utils.py

@@ -1,40 +1,38 @@
-import random
+import secrets
 import string
 
-sys_random = random.SystemRandom()
+
+def get_random_string(length):
+    """
+    Create a random crypto-safe sequence of 'length' or more characters
+    Possible characters: alphanumeric, '-' and '_'
+    Make sure that it starts from alphanumeric for better compatibility with yaml files
+    """
+    token = secrets.token_urlsafe(length)
+    for _ in range(10):
+        if not (token.startswith("-") or token.startswith("_")):
+            break
+        token = secrets.token_urlsafe(length)
+
+    return token
 
 
-def get_random_string(
+def get_client_id(
-    length: int = 12, allowed_chars: str = string.ascii_letters + string.digits
+    length: int = 30, allowed_chars: str = string.ascii_uppercase + string.digits
 ) -> str:
     """
-    Returns a securely generated random string.
+    Create a random client id composed of 'length' upper case characters or digits
-
-    The default length of 12 with the a-z, A-Z, 0-9 character set returns
-    a 71-bit value. log_2((26+26+10)^12) =~ 71 bits.
-
-    Taken from the django.utils.crypto module.
     """
-    return "".join(sys_random.choice(allowed_chars) for _ in range(length))
+    return "".join(secrets.choice(allowed_chars) for _ in range(length))
-
-
-def get_client_id(length: int = 20) -> str:
-    """
-    Create a random secret key.
-
-    Taken from the Django project.
-    """
-    chars = string.ascii_uppercase + string.digits
-    return get_random_string(length, chars)
 
 
 def get_secret_key(length: int = 50) -> str:
     """
-    Create a random secret key.
+    Create a random secret key
-
-    Taken from the Django project.
-    NOTE: asterisk is not supported due to issues with environment variables containing
-     asterisks (in case the secret key is stored in an environment variable)
     """
-    chars = string.ascii_letters + string.digits
+    return get_random_string(length)
-    return get_random_string(length, chars)
+
+
+if __name__ == "__main__":
+    print(get_client_id())
+    print(get_secret_key())