Use secrets and fall back to random.SystemRandom for keys
authorJeremy Cline <jcline@redhat.com>
Wed, 9 Oct 2019 19:03:45 +0000 (15:03 -0400)
committerStephen Finucane <stephen@that.guru>
Thu, 17 Oct 2019 13:07:55 +0000 (14:07 +0100)
The random module uses the Mersenne Twister pseudorandom number
generator and is not a cryptographically secure random number
generator[0]. The secrets[1] module is intended for generating
cryptographically strong random numbers, so recommend using that to
generate the secret key. It's new in Python 3, so if it's unavailable
fall back to using the ``os.urandom()`` backed implementation of random.

NOTE(stephenfin): Modified to include change to 'config.yaml'. Also
renamed reno to just stick with hyphens for filenames.

[0] https://docs.python.org/3/library/random.html
[1] https://docs.python.org/3/library/secrets.html

Signed-off-by: Jeremy Cline <jcline@redhat.com>
Signed-off-by: Stephen Finucane <stephen@that.guru>
docs/deployment/installation.rst
patchwork/settings/production.example.py
releasenotes/config.yaml
releasenotes/notes/use-secrets-and-fall-back-to-random-SystemRandom-for-keys-9ceb496919a1bb6f.yaml [new file with mode: 0644]

index d422573d4c27d0bb7843c4c4aee417aa1808ffb2..f477a110f292aac3354ea08f15d0e1a651e33dea 100644 (file)
@@ -254,9 +254,15 @@ This should be a random value and kept secret. You can generate and a value for
 
 .. code-block:: python
 
-   import string, random
+   import string
+   try:
+       import secrets
+   except ImportError:  # Python < 3.6
+       import random
+       secrets = random.SystemRandom()
+
    chars = string.ascii_letters + string.digits + string.punctuation
-   print(repr("".join([random.choice(chars) for i in range(0,50)])))
+   print("".join([secrets.choice(chars) for i in range(50)]))
 
 Once again, store this in ``production.py``.
 
index c6aa2f2850c0c26a93d366c5e3258e2e62a858cc..80585374c9ff3d16c51d1694189c2e395654b14b 100644 (file)
@@ -21,9 +21,15 @@ from .base import *  # noqa
 # You'll need to replace this to a random string. The following python code can
 # be used to generate a secret key:
 #
-#      import string, random
-#      chars = string.letters + string.digits + string.punctuation
-#      print repr("".join([random.choice(chars) for i in range(0,50)]))
+#      import string
+#      try:
+#          import secrets
+#      except ImportError:  # Python < 3.6
+#          import random
+#          secrets = random.SystemRandom()
+#
+#      chars = string.ascii_letters + string.digits + string.punctuation
+#      print("".join([secrets.choice(chars) for i in range(50)]))
 
 SECRET_KEY = os.environ['DJANGO_SECRET_KEY']
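Review bot: The rewritten `print(...)` on the last added line of this comment drops the `repr()` that the removed line had, so the generated key is printed raw and, because `chars` includes `string.punctuation`, can contain quote, backslash, `$` and other shell-significant characters; when that output is pasted into an `export DJANGO_SECRET_KEY=...` line (the setting directly below reads it from the environment) or into a Python literal, quoting can silently truncate or alter the key. Keeping the wrapper, `print(repr("".join([secrets.choice(chars) for i in range(50)])))`, makes the output a copy-safe literal, and the comment could add one sentence saying the value must be single-quoted when it is placed in the environment. The same change appears in the docs/deployment/installation.rst hunk and the two snippets should stay in sync. The fallback itself is sound: `choice` exists on both `secrets` and `random.SystemRandom`, so the snippet behaves the same on Python < 3.6.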
 
index cd319406d3cbd7fc68e66593292fd41d244697fc..bb6f2151959481b26bd58b5d35ea8d828f900ed4 100644 (file)
@@ -10,4 +10,5 @@ sections:
   - [deprecations, Deprecation Notes]
   - [fixes, Bug Fixes]
   - [api, API Changes]
+  - [security, Security Notes]
   - [other, Other Notes]
diff --git a/releasenotes/notes/use-secrets-and-fall-back-to-random-SystemRandom-for-keys-9ceb496919a1bb6f.yaml b/releasenotes/notes/use-secrets-and-fall-back-to-random-SystemRandom-for-keys-9ceb496919a1bb6f.yaml
new file mode 100644 (file)
index 0000000..7b101cb
--- /dev/null
@@ -0,0 +1,5 @@
+---
+security:
+  - |
+    Change the recommended method for generating the Django secret key to use a
+    cryptographically secure random number generator.