feat(entropy): Remove entropy check and MINIMUM option and just seed urandom

bless/aws_lambda/bless_lambda_common.py

@@ -8,8 +8,7 @@
 
 import boto3
 from bless.cache.bless_lambda_cache import BlessLambdaCache
-from bless.config.bless_config import BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION, ENTROPY_MINIMUM_BITS_OPTION, \
-    RANDOM_SEED_BYTES_OPTION
+from bless.config.bless_config import BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION, RANDOM_SEED_BYTES_OPTION
 
 global_bless_cache = None
 
@@ -38,32 +37,23 @@ def set_logger(config):
     return logger
 
 
-def check_entropy(config, logger):
-    """
-    Check the entropy pool and seed it with KMS if desired
-    """
+def seed_entropy(config):
+    """ Seed randomness using KMS """
+
     region = os.environ['AWS_REGION']
     kms_client = boto3.client('kms', region_name=region)
-    entropy_minimum_bits = config.getint(BLESS_OPTIONS_SECTION, ENTROPY_MINIMUM_BITS_OPTION)
+
     random_seed_bytes = config.getint(BLESS_OPTIONS_SECTION, RANDOM_SEED_BYTES_OPTION)
+    response = kms_client.generate_random(NumberOfBytes=random_seed_bytes)
+    random_seed = response['Plaintext']
 
-    with open('/proc/sys/kernel/random/entropy_avail', 'r') as f:
-        entropy = int(f.read())
-        logger.debug(entropy)
-        if entropy < entropy_minimum_bits:
-            logger.info(
-                'System entropy was {}, which is lower than the entropy_'
-                'minimum {}.  Using KMS to seed /dev/urandom'.format(
-                    entropy, entropy_minimum_bits))
-            response = kms_client.generate_random(
-                NumberOfBytes=random_seed_bytes)
-            random_seed = response['Plaintext']
-            with open('/dev/urandom', 'wb') as urandom:
-                urandom.write(random_seed)
+    with open('/dev/urandom', 'wb') as urandom:
+        urandom.write(random_seed)
 
 
 def setup_lambda_cache(ca_private_key_password, config_file):
-    # For testing, ignore the static bless_cache, otherwise fill the cache one time.
+    """ For testing, ignore the static bless_cache, otherwise fill the cache one time. """
+
     global global_bless_cache
     if ca_private_key_password is not None or config_file is not None:
         bless_cache = BlessLambdaCache(ca_private_key_password, config_file)

bless/aws_lambda/bless_lambda_host.py

@@ -5,7 +5,7 @@
 """
 import time
 
-from bless.aws_lambda.bless_lambda_common import success_response, error_response, set_logger, check_entropy, \
+from bless.aws_lambda.bless_lambda_common import success_response, error_response, set_logger, seed_entropy, \
     setup_lambda_cache
 from bless.config.bless_config import BLESS_OPTIONS_SECTION, SERVER_CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION, \
     SERVER_CERTIFICATE_VALIDITY_AFTER_SEC_OPTION, HOSTNAME_VALIDATION_OPTION
@@ -18,7 +18,7 @@
 
 def lambda_handler_host(
         event, context=None, ca_private_key_password=None,
-        entropy_check=True,
+        entropy_seeding=True,
         config_file=None):
     """
     This is the function that will be called when the lambda function starts.
@@ -27,7 +27,7 @@ def lambda_handler_host(
     http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html
     :param ca_private_key_password: For local testing, if the password is provided, skip the KMS
     decrypt.
-    :param entropy_check: For local testing, if set to false, it will skip checking entropy and
+    :param entropy_seeding: For local testing, if set to false, it will skip checking entropy and
     won't try to fetch additional random from KMS.
     :param config_file: The config file to load the SSH CA private key from, and additional settings.
     :return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file.
@@ -66,8 +66,8 @@ def lambda_handler_host(
         ca_private_key_password = bless_cache.ca_private_key_password
 
     # if running as a Lambda, we can check the entropy pool and seed it with KMS if desired
-    if entropy_check:
-        check_entropy(config, logger)
+    if entropy_seeding:
+        seed_entropy(config, logger)
 
     # cert values determined only by lambda and its configs
     current_time = int(time.time())

bless/aws_lambda/bless_lambda_user.py

@@ -6,7 +6,7 @@
 import time
 
 import boto3
-from bless.aws_lambda.bless_lambda_common import success_response, error_response, set_logger, check_entropy, \
+from bless.aws_lambda.bless_lambda_common import success_response, error_response, set_logger, seed_entropy, \
     setup_lambda_cache
 from bless.config.bless_config import BLESS_OPTIONS_SECTION, \
     CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION, \
@@ -33,7 +33,7 @@
 
 def lambda_handler_user(
         event, context=None, ca_private_key_password=None,
-        entropy_check=True,
+        entropy_seeding=True,
         config_file=None):
     """
     This is the function that will be called when the lambda function starts.
@@ -42,7 +42,7 @@ def lambda_handler_user(
     http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html
     :param ca_private_key_password: For local testing, if the password is provided, skip the KMS
     decrypt.
-    :param entropy_check: For local testing, if set to false, it will skip checking entropy and
+    :param entropy_seeding: For local testing, if set to false, it will skip checking entropy and
     won't try to fetch additional random from KMS.
     :param config_file: The config file to load the SSH CA private key from, and additional settings.
     :return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file.
@@ -89,9 +89,9 @@ def lambda_handler_user(
     else:
         ca_private_key_password = bless_cache.ca_private_key_password
 
-    # if running as a Lambda, we can check the entropy pool and seed it with KMS if desired
-    if entropy_check:
-        check_entropy(config, logger)
+    # if running as a Lambda, we can seed more entropy with KMS
+    if entropy_seeding:
+        seed_entropy(config)
 
     # cert values determined only by lambda and its configs
     current_time = int(time.time())

bless/config/bless_config.py

@@ -19,9 +19,6 @@
 SERVER_CERTIFICATE_VALIDITY_AFTER_SEC_OPTION = 'server_certificate_validity_after_seconds'
 SERVER_CERTIFICATE_VALIDITY_AFTER_SEC_DEFAULT = 31536000
 
-ENTROPY_MINIMUM_BITS_OPTION = 'entropy_minimum_bits'
-ENTROPY_MINIMUM_BITS_DEFAULT = 2048
-
 RANDOM_SEED_BYTES_OPTION = 'random_seed_bytes'
 RANDOM_SEED_BYTES_DEFAULT = 256
 
@@ -94,7 +91,6 @@ def __init__(self, aws_region, config_file):
         self.aws_region = aws_region
         defaults = {CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION: CERTIFICATE_VALIDITY_SEC_DEFAULT,
                     CERTIFICATE_VALIDITY_AFTER_SEC_OPTION: CERTIFICATE_VALIDITY_SEC_DEFAULT,
-                    ENTROPY_MINIMUM_BITS_OPTION: ENTROPY_MINIMUM_BITS_DEFAULT,
                     RANDOM_SEED_BYTES_OPTION: RANDOM_SEED_BYTES_DEFAULT,
                     LOGGING_LEVEL_OPTION: LOGGING_LEVEL_DEFAULT,
                     TEST_USER_OPTION: TEST_USER_DEFAULT,

tests/aws_lambda/test_bless_lambda_host.py

@@ -30,7 +30,7 @@ class Context(object):
 def test_basic_local_request():
     output = lambda_handler_host(VALID_TEST_REQUEST, context=Context,
                                  ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD,
-                                 entropy_check=False,
+                                 entropy_seeding=False,
                                  config_file=os.path.join(os.path.dirname(__file__), 'bless-test.cfg'))
     print(output)
     assert output['certificate'].startswith('ssh-rsa-cert-v01@openssh.com ')
@@ -39,7 +39,7 @@ def test_basic_local_request():
 def test_basic_local_request_with_multiple_hosts():
     output = lambda_handler_host(VALID_TEST_REQUEST_MULTIPLE_HOSTS, context=Context,
                                  ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD,
-                                 entropy_check=False,
+                                 entropy_seeding=False,
                                  config_file=os.path.join(os.path.dirname(__file__), 'bless-test.cfg'))
     print(output)
     assert output['certificate'].startswith('ssh-rsa-cert-v01@openssh.com ')
@@ -48,6 +48,6 @@ def test_basic_local_request_with_multiple_hosts():
 def test_invalid_request():
     output = lambda_handler_host(INVALID_TEST_REQUEST, context=Context,
                                  ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD,
-                                 entropy_check=False,
+                                 entropy_seeding=False,
                                  config_file=os.path.join(os.path.dirname(__file__), 'bless-test.cfg'))
     assert output['errorType'] == 'InputValidationError'