From b80a63f33f5e314757a331a527744e95b7a572ca Mon Sep 17 00:00:00 2001
From: Eduardo Gonzalez <dabarren@gmail.com>
Date: Thu, 26 Jul 2018 21:58:47 +0200
Subject: [PATCH] Use fernet for barbican crypto key

A SHA password is not always valid as the barbican crypto key.
Use a fernet key so that it is always valid.

No release note is needed for upgrades: users with a working
barbican do not regenerate passwords; only new passwords will
get the new type.

Change-Id: Ic8c4ca63219295d697062cff9cbf30fadbe49bf3
---
 kolla_ansible/cmd/genpwd.py | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/kolla_ansible/cmd/genpwd.py b/kolla_ansible/cmd/genpwd.py
index 8a0ab56420..366964df7b 100755
--- a/kolla_ansible/cmd/genpwd.py
+++ b/kolla_ansible/cmd/genpwd.py
@@ -19,11 +19,11 @@ import random
 import string
 import sys
 
+from cryptography import fernet
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives import serialization
 from hashlib import md5
-from hashlib import sha256
 from oslo_utils import uuidutils
 import yaml
 
@@ -85,8 +85,8 @@ def main():
     hmac_md5_keys = ['designate_rndc_key',
                      'osprofiler_secret']
 
-    # HMAC-SHA256 keys
-    hmac_sha256_keys = ['barbican_crypto_key']
+    # Fernet keys
+    fernet_keys = ['barbican_crypto_key']
 
     # length of password
     length = 40
@@ -114,10 +114,8 @@ def main():
                 passwords[k] = (hmac.new(
                     uuidutils.generate_uuid().encode(), ''.encode(), md5)
                     .hexdigest())
-            elif k in hmac_sha256_keys:
-                passwords[k] = (hmac.new(
-                    uuidutils.generate_uuid().encode(), ''.encode(), sha256)
-                    .hexdigest())
+            elif k in fernet_keys:
+                passwords[k] = fernet.Fernet.generate_key()
             else:
                 passwords[k] = ''.join([
                     random.SystemRandom().choice(
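Review bot: `fernet.Fernet.generate_key()` returns `bytes`, whereas the `hexdigest()` branch above and the `''.join([...])` branch below both store a `str`, so on Python 3 `barbican_crypto_key` becomes the only non-string value in `passwords`. How the dict is written out is not visible in this hunk, but if it is dumped with the `yaml` module imported at the top of the file, a bytes value is likely to be emitted as a `!!binary` node (base64 of the already-base64 key) instead of the plain key text, and barbican would then read a different value than the one generated. Decoding at assignment keeps the file format uniform: `passwords[k] = fernet.Fernet.generate_key().decode()`. A short comment such as `# Fernet key: 32 random bytes, URL-safe base64 encoded` next to `fernet_keys` would also explain why this key bypasses the generic password path. `main()` begins before and continues past this hunk.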