Add secure string generator for Password generator #149
Hi,
I have had some occurrences where a service in different environments, newly bootstrapped, was getting the same password for both environments (dev and staging). I am not very proficient in Go, but I assume it has to do with the usage of the math random function without a seed. In any case I have been reading and it seems that the usage of crypto/rand is recommended for password generation (and also the usage of Seed is deprecated).
As I said, I am not an expert Go programmer, but I have tried to add a new function following the same structure as the current one but with the usage of the crypto/rand library. I think it likely that this is not a totally secure implementation, as while investigating how to do this I have seen implementations that go into a lot more detail, but I thought that this was a good enough step in this direction.
One thing to note is that apparently the password generation can fail if the secure number generation has issues, so now when creating the password a new error has to be handled. I have chosen to requeue the instance, as is done for other errors, though I have to say I am not certain if this would be a recoverable error.
Resources that I looked into for this implementation:
https://pkg.go.dev/crypto/rand
golang/go#56319
https://stackoverflow.com/a/32351471
https://stackoverflow.com/questions/22892120/how-to-generate-a-random-string-of-a-fixed-length-in-go
https://gist.github.com/denisbrodbeck/635a644089868a51eccd6ae22b2eb800
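
The approach the description outlines, as an added example that is not code from this pull request or the project: a string generator that draws from crypto/rand, avoids modulo bias by sampling with rand.Int, and returns an error the caller must handle. The names SecureString, secureStringFrom and failingReader, and the charset, are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"math/big"
)

// charset is an assumed alphabet; the project's real one is not shown on the page.
const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// secureStringFrom (hypothetical name) draws n characters from charset using r.
// rand.Int samples uniformly in [0, limit), so no character is favoured.
func secureStringFrom(r io.Reader, n int) (string, error) {
	if n <= 0 {
		return "", errors.New("length must be positive")
	}
	limit := big.NewInt(int64(len(charset)))
	out := make([]byte, n)
	for i := range out {
		idx, err := rand.Int(r, limit)
		if err != nil {
			// Never fall back to math/rand here: surface the failure instead.
			return "", fmt.Errorf("reading random source: %w", err)
		}
		out[i] = charset[idx.Int64()]
	}
	return string(out), nil
}

// SecureString (hypothetical name) uses the operating system CSPRNG.
func SecureString(n int) (string, error) {
	return secureStringFrom(rand.Reader, n)
}

// failingReader is a constructed stand-in for a random source that errors.
type failingReader struct{}

func (failingReader) Read([]byte) (int, error) { return 0, errors.New("entropy unavailable") }

func main() {
	a, _ := SecureString(24)
	b, _ := SecureString(24)
	fmt.Println("two calls differ:", a != b)
	_, err := secureStringFrom(failingReader{}, 24)
	fmt.Println("failure is reported:", err != nil)
}
```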