[ansible] Replace random with secrets for generating password salts

binary-manu · Sep 5, 2022 · e09170f · e09170f
1 parent eb3105a
commit e09170f
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/ansible/filter_plugins/utilities.py b/ansible/filter_plugins/utilities.py
@@ -1,5 +1,5 @@
 import re
-import random
+import secrets
 import base64
 import crypt
 
@@ -41,6 +41,6 @@ def sha512_hash(self, pw, rounds):
         if not _SHA512_MIN_ROUNDS <= rounds <= _SHA512_MAX_ROUNDS:
             raise ValueError("sha512 password hashing requires a rounds value between "
                 f"{ _SHA512_MIN_ROUNDS } and { _SHA512_MAX_ROUNDS }")
-        salt = base64.b64encode(random.randbytes(_SHA512_SALT_BYTES)).decode("utf-8")
+        salt = base64.b64encode(secrets.token_bytes(_SHA512_SALT_BYTES)).decode("utf-8")
         return crypt.crypt(pw, f"{ _SHA512_PREFIX }rounds={ rounds }${ salt }")