)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":23851,"name":"Riccardo Pittau","email":"elfosardo@gmail.com","username":"elfosardo"},"change_message_id":"ee8b18b13a857fdf44f59ce644fdc4d1a28e0222","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Do not use random to generate token"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"To avoid problems with FIPS 140\u003d2 let\u0027s generate"},{"line_number":10,"context_line":"the token using the secrets module instead of random."},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"Change-Id: I90c3c94112d093e2309414b9902f58d31d925ad3"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":3,"id":"1fa4df85_75136b5d","line":9,"range":{"start_line":9,"start_character":28,"end_line":9,"end_character":33},"updated":"2020-03-19 17:38:12.000000000","message":"nit: 140-2","commit_id":"60d4e7f12897243cf96f32f0e9ef64d8ac5504a7"}],"ironic/conductor/utils.py":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"fd36d35a75b63343cdc1f7211956b6762fcb27f4","unresolved":false,"context_lines":[{"line_number":1020,"context_line":"                         the token is embedded into the configuration."},{"line_number":1021,"context_line":"    \"\"\""},{"line_number":1022,"context_line":"    characters \u003d string.ascii_letters + string.digits"},{"line_number":1023,"context_line":"    token \u003d \u0027\u0027.join(secrets.choice(characters) for i in range(128))"},{"line_number":1024,"context_line":"    i_info \u003d node.driver_internal_info"},{"line_number":1025,"context_line":"    i_info[\u0027agent_secret_token\u0027] \u003d token"},{"line_number":1026,"context_line":"    if pregenerated:"}],"source_content_type":"text/x-python","patch_set":1,"id":"1fa4df85_34ee63b4","line":1023,"updated":"2020-03-19 08:54:18.000000000","message":"Let us just use secrets.token_urlsafe?","commit_id":"dea5cd324b1339d0e5fec073266dd767df40d981"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"758215486504b1516b06966d073b1cab42b008be","unresolved":false,"context_lines":[{"line_number":1020,"context_line":"                         the token is embedded into the configuration."},{"line_number":1021,"context_line":"    \"\"\""},{"line_number":1022,"context_line":"    characters \u003d string.ascii_letters + string.digits"},{"line_number":1023,"context_line":"    token \u003d \u0027\u0027.join(secrets.choice(characters) for i in range(128))"},{"line_number":1024,"context_line":"    i_info \u003d node.driver_internal_info"},{"line_number":1025,"context_line":"    i_info[\u0027agent_secret_token\u0027] \u003d token"},{"line_number":1026,"context_line":"    if pregenerated:"}],"source_content_type":"text/x-python","patch_set":1,"id":"1fa4df85_8f138266","line":1023,"in_reply_to":"1fa4df85_2f304ee8","updated":"2020-03-19 10:09:41.000000000","message":"I\u0027d keep the default. Julia has updated her patch to match that: https://opendev.org/openstack/ironic-python-agent/src/branch/master/ironic_python_agent/agent.py#L449","commit_id":"dea5cd324b1339d0e5fec073266dd767df40d981"},{"author":{"_account_id":15519,"name":"Iury Gregory Melo Ferreira","display_name":"Iury Gregory","email":"iurygregory@gmail.com","username":"iurygregory"},"change_message_id":"a74eebe079010d1b2abe6c23506b262daed040dd","unresolved":false,"context_lines":[{"line_number":1020,"context_line":"                         the token is embedded into the configuration."},{"line_number":1021,"context_line":"    \"\"\""},{"line_number":1022,"context_line":"    characters \u003d string.ascii_letters + string.digits"},{"line_number":1023,"context_line":"    token \u003d \u0027\u0027.join(secrets.choice(characters) for i in range(128))"},{"line_number":1024,"context_line":"    i_info \u003d node.driver_internal_info"},{"line_number":1025,"context_line":"    i_info[\u0027agent_secret_token\u0027] \u003d token"},{"line_number":1026,"context_line":"    if pregenerated:"}],"source_content_type":"text/x-python","patch_set":1,"id":"1fa4df85_2f304ee8","line":1023,"in_reply_to":"1fa4df85_34ee63b4","updated":"2020-03-19 09:22:33.000000000","message":"I just wanted to keep the same function from random, do we want the token_urlsafe with the default (32 bytes - 43 chars), or we want with 128 chars (96 bytes)?","commit_id":"dea5cd324b1339d0e5fec073266dd767df40d981"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"83ad99c5949dd1e3c9bda9c15feceb677e84e99b","unresolved":false,"context_lines":[{"line_number":1018,"context_line":"                         order to facilitate virtual media booting where"},{"line_number":1019,"context_line":"                         the token is embedded into the configuration."},{"line_number":1020,"context_line":"    \"\"\""},{"line_number":1021,"context_line":"    token \u003d secrets.token_urlsafe()"},{"line_number":1022,"context_line":"    i_info \u003d node.driver_internal_info"},{"line_number":1023,"context_line":"    i_info[\u0027agent_secret_token\u0027] \u003d token"},{"line_number":1024,"context_line":"    if pregenerated:"}],"source_content_type":"text/x-python","patch_set":2,"id":"1fa4df85_82a03492","line":1021,"updated":"2020-03-19 13:44:35.000000000","message":"This only seems to generate a 43 byte long token. Is this long enough?","commit_id":"30c940db41245ba41e2aaeb3a1b41bd3e4b64ac0"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"c89c5730a66abd4e3046c4240acb0e02d7de4dc7","unresolved":false,"context_lines":[{"line_number":1018,"context_line":"                         order to facilitate virtual media booting where"},{"line_number":1019,"context_line":"                         the token is embedded into the configuration."},{"line_number":1020,"context_line":"    \"\"\""},{"line_number":1021,"context_line":"    token \u003d secrets.token_urlsafe()"},{"line_number":1022,"context_line":"    i_info \u003d node.driver_internal_info"},{"line_number":1023,"context_line":"    i_info[\u0027agent_secret_token\u0027] \u003d token"},{"line_number":1024,"context_line":"    if pregenerated:"}],"source_content_type":"text/x-python","patch_set":2,"id":"1fa4df85_622898e1","line":1021,"in_reply_to":"1fa4df85_82a03492","updated":"2020-03-19 13:49:23.000000000","message":"This is deemed long enough by the Python core team, so should be fine for us: https://docs.python.org/3/library/secrets.html#how-many-bytes-should-tokens-use. As a nice bonus, they\u0027ll increase it if the security requirements change in the future, no code change required.","commit_id":"30c940db41245ba41e2aaeb3a1b41bd3e4b64ac0"},{"author":{"_account_id":24828,"name":"Kaifeng Wang","email":"kaifeng.w@gmail.com","username":"wangkf"},"change_message_id":"b4e1713e30c1797fe1938705d9d2596cd84ca938","unresolved":false,"context_lines":[{"line_number":1018,"context_line":"                         order to facilitate virtual media booting where"},{"line_number":1019,"context_line":"                         the token is embedded into the configuration."},{"line_number":1020,"context_line":"    \"\"\""},{"line_number":1021,"context_line":"    token \u003d secrets.token_urlsafe()"},{"line_number":1022,"context_line":"    i_info \u003d node.driver_internal_info"},{"line_number":1023,"context_line":"    i_info[\u0027agent_secret_token\u0027] \u003d token"},{"line_number":1024,"context_line":"    if pregenerated:"}],"source_content_type":"text/x-python","patch_set":4,"id":"1fa4df85_0b59b333","line":1021,"updated":"2020-03-20 01:31:33.000000000","message":"I have a potential worry for the test, as the python doc says \"a reasonable default is used\", then \"That default is subject to change at any time, including during maintenance releases.\"\n\nHow about add an argument to specify the nbytes to add_secret_token? Let it defaults to None, so we can pass specific argument to get the specific length?","commit_id":"bd3600acff829546108ed64d2a8ecdcfbac87b58"},{"author":{"_account_id":15519,"name":"Iury Gregory Melo Ferreira","display_name":"Iury Gregory","email":"iurygregory@gmail.com","username":"iurygregory"},"change_message_id":"9459ee59f8df44dc11ae3637f38865dd13fd27f0","unresolved":false,"context_lines":[{"line_number":1018,"context_line":"                         order to facilitate virtual media booting where"},{"line_number":1019,"context_line":"                         the token is embedded into the configuration."},{"line_number":1020,"context_line":"    \"\"\""},{"line_number":1021,"context_line":"    token \u003d secrets.token_urlsafe()"},{"line_number":1022,"context_line":"    i_info \u003d node.driver_internal_info"},{"line_number":1023,"context_line":"    i_info[\u0027agent_secret_token\u0027] \u003d token"},{"line_number":1024,"context_line":"    if pregenerated:"}],"source_content_type":"text/x-python","patch_set":4,"id":"1fa4df85_94b2a093","line":1021,"in_reply_to":"1fa4df85_0b59b333","updated":"2020-03-20 09:31:04.000000000","message":"Yeah we can have problems in the unit tests if they change the default (the length of the token will be different), we can fix this by generating a secret there and check the length instead of using a specific number.\n\n\nI\u0027m ok with adding an argument to specify the nbytes default to None, if the value is set we would check if it\u0027s higher than 32 (to ensure that the token generated is secure).\n\nDmitry, Julia any thoughts? \u003d)","commit_id":"bd3600acff829546108ed64d2a8ecdcfbac87b58"},{"author":{"_account_id":24828,"name":"Kaifeng Wang","email":"kaifeng.w@gmail.com","username":"wangkf"},"change_message_id":"14fc45c0dac79f928ae75d3d709e2f876227bda7","unresolved":false,"context_lines":[{"line_number":1018,"context_line":"                         order to facilitate virtual media booting where"},{"line_number":1019,"context_line":"                         the token is embedded into the configuration."},{"line_number":1020,"context_line":"    \"\"\""},{"line_number":1021,"context_line":"    token \u003d secrets.token_urlsafe()"},{"line_number":1022,"context_line":"    i_info \u003d node.driver_internal_info"},{"line_number":1023,"context_line":"    i_info[\u0027agent_secret_token\u0027] \u003d token"},{"line_number":1024,"context_line":"    if pregenerated:"}],"source_content_type":"text/x-python","patch_set":4,"id":"1fa4df85_240b7924","line":1021,"in_reply_to":"1fa4df85_119c7d0c","updated":"2020-03-20 13:49:45.000000000","message":"I am thinking about this: suppose python 3.8 changed default length, how do we pass ci without changing unit test this way if python 3.7 and python 3.8 are both running in the gate?","commit_id":"bd3600acff829546108ed64d2a8ecdcfbac87b58"},{"author":{"_account_id":15519,"name":"Iury Gregory Melo Ferreira","display_name":"Iury Gregory","email":"iurygregory@gmail.com","username":"iurygregory"},"change_message_id":"ee10a9df78d54aa14d5d5d2847894c1dfca353db","unresolved":false,"context_lines":[{"line_number":1018,"context_line":"                         order to facilitate virtual media booting where"},{"line_number":1019,"context_line":"                         the token is embedded into the configuration."},{"line_number":1020,"context_line":"    \"\"\""},{"line_number":1021,"context_line":"    token \u003d secrets.token_urlsafe()"},{"line_number":1022,"context_line":"    i_info \u003d node.driver_internal_info"},{"line_number":1023,"context_line":"    i_info[\u0027agent_secret_token\u0027] \u003d token"},{"line_number":1024,"context_line":"    if pregenerated:"}],"source_content_type":"text/x-python","patch_set":4,"id":"1fa4df85_64341194","line":1021,"in_reply_to":"1fa4df85_240b7924","updated":"2020-03-20 14:08:28.000000000","message":"one way I can see is add  \"token_length \u003d len(secrets.token_urlsafe()) and use the variable on the test","commit_id":"bd3600acff829546108ed64d2a8ecdcfbac87b58"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"89ed576726b0d1e96a77a4fa2e1ae64f20043165","unresolved":false,"context_lines":[{"line_number":1018,"context_line":"                         order to facilitate virtual media booting where"},{"line_number":1019,"context_line":"                         the token is embedded into the configuration."},{"line_number":1020,"context_line":"    \"\"\""},{"line_number":1021,"context_line":"    token \u003d secrets.token_urlsafe()"},{"line_number":1022,"context_line":"    i_info \u003d node.driver_internal_info"},{"line_number":1023,"context_line":"    i_info[\u0027agent_secret_token\u0027] \u003d token"},{"line_number":1024,"context_line":"    if pregenerated:"}],"source_content_type":"text/x-python","patch_set":4,"id":"1fa4df85_119c7d0c","line":1021,"in_reply_to":"1fa4df85_94b2a093","updated":"2020-03-20 13:41:19.000000000","message":"We\u0027re overthinking it, I\u0027m afraid. The defaults should be fine. We don\u0027t need to assert the specific length in the tests though, we can be reasonably confident that Python\u0027s stdlib works.","commit_id":"bd3600acff829546108ed64d2a8ecdcfbac87b58"}],"ironic/tests/unit/conductor/test_utils.py":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"83ad99c5949dd1e3c9bda9c15feceb677e84e99b","unresolved":false,"context_lines":[{"line_number":2031,"context_line":"        self.assertNotIn(\u0027agent_secret_token\u0027, self.node.driver_internal_info)"},{"line_number":2032,"context_line":"        conductor_utils.add_secret_token(self.node)"},{"line_number":2033,"context_line":"        self.assertEqual("},{"line_number":2034,"context_line":"            43, len(self.node.driver_internal_info[\u0027agent_secret_token\u0027]))"},{"line_number":2035,"context_line":""},{"line_number":2036,"context_line":"    def test_del_secret_token(self):"},{"line_number":2037,"context_line":"        conductor_utils.add_secret_token(self.node)"}],"source_content_type":"text/x-python","patch_set":2,"id":"1fa4df85_02be84b3","line":2034,"updated":"2020-03-19 13:44:35.000000000","message":"Is 43 long enough?","commit_id":"30c940db41245ba41e2aaeb3a1b41bd3e4b64ac0"}],"releasenotes/notes/use_secrets_to_generate_token-55af0f43e5a80b9e.yaml":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"3aee1538518cdcea23e27d2603670c18817d7d6b","unresolved":false,"context_lines":[{"line_number":2,"context_line":"security:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    The secret token that is used for IPA verification will be generated by"},{"line_number":5,"context_line":"    the secrets module to be in compliance with the FIPS 140-2."},{"line_number":6,"context_line":"fixes:"},{"line_number":7,"context_line":"  - |"},{"line_number":8,"context_line":"    The secret token that is used for IPA verification will be generated using"}],"source_content_type":"text/x-yaml","patch_set":5,"id":"df33271e_722c7899","line":5,"updated":"2020-03-22 20:54:58.000000000","message":"++ although I\u0027m not sure the note is needed at all","commit_id":"1425adbb0572d6280ae70635baa53b0d9291ac07"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"d014beac0e8d1ad8f4b8f12600ebca7ab57fda4f","unresolved":false,"context_lines":[{"line_number":2,"context_line":"security:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    The secret token that is used for IPA verification will be generated by"},{"line_number":5,"context_line":"    the secrets module to be in compliance with the FIPS 140-2."},{"line_number":6,"context_line":"fixes:"},{"line_number":7,"context_line":"  - |"},{"line_number":8,"context_line":"    The secret token that is used for IPA verification will be generated using"}],"source_content_type":"text/x-yaml","patch_set":5,"id":"df33271e_03f04590","line":5,"range":{"start_line":5,"start_character":57,"end_line":5,"end_character":62},"updated":"2020-03-21 15:43:19.000000000","message":"I\u0027d add the word \"standard\" to the end of this sentence.","commit_id":"1425adbb0572d6280ae70635baa53b0d9291ac07"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"d014beac0e8d1ad8f4b8f12600ebca7ab57fda4f","unresolved":false,"context_lines":[{"line_number":6,"context_line":"fixes:"},{"line_number":7,"context_line":"  - |"},{"line_number":8,"context_line":"    The secret token that is used for IPA verification will be generated using"},{"line_number":9,"context_line":"    the secrets module."}],"source_content_type":"text/x-yaml","patch_set":5,"id":"df33271e_432fedf5","line":9,"updated":"2020-03-21 15:43:19.000000000","message":"I\u0027m not sure it really needs a fixes note, given how recently it merged.","commit_id":"1425adbb0572d6280ae70635baa53b0d9291ac07"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"3aee1538518cdcea23e27d2603670c18817d7d6b","unresolved":false,"context_lines":[{"line_number":6,"context_line":"fixes:"},{"line_number":7,"context_line":"  - |"},{"line_number":8,"context_line":"    The secret token that is used for IPA verification will be generated using"},{"line_number":9,"context_line":"    the secrets module."}],"source_content_type":"text/x-yaml","patch_set":5,"id":"df33271e_d22104a2","line":9,"updated":"2020-03-22 20:54:58.000000000","message":"It\u0027s not, let\u0027s remove in a follow-up.","commit_id":"1425adbb0572d6280ae70635baa53b0d9291ac07"}]}
