Add latest changes from gitlab-org/gitlab@15-4-stable-eev15.4.0-rc42

author: GitLab Bot <gitlab-bot@gitlab.com> 2022-09-20 02:18:09 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2022-09-20 02:18:09 +0300
commit: 6ed4ec3e0b1340f96b7c043ef51d1b33bbe85fde (patch)
tree: dc4d20fe6064752c0bd323187252c77e0a89144b /lib/gitlab/doorkeeper_secret_storing
parent: 9868dae7fc0655bd7ce4a6887d4e6d487690eeed (diff)
3 files changed, 68 insertions, 28 deletions
diff --git a/lib/gitlab/doorkeeper_secret_storing/pbkdf2_sha512.rb b/lib/gitlab/doorkeeper_secret_storing/pbkdf2_sha512.rb
deleted file mode 100644
index 4bfb5f9e64c..00000000000
--- a/lib/gitlab/doorkeeper_secret_storing/pbkdf2_sha512.rb
+++ /dev/null
@@ -1,28 +0,0 @@
-# frozen_string_literal: true
-
-module Gitlab
-  module DoorkeeperSecretStoring
-    class Pbkdf2Sha512 < ::Doorkeeper::SecretStoring::Base
-      STRETCHES = 20_000
-      # An empty salt is used because we need to look tokens up solely by
-      # their hashed value. Additionally, tokens are always cryptographically
-      # pseudo-random and unique, therefore salting provides no
-      # additional security.
-      SALT = ''
-
-      def self.transform_secret(plain_secret)
-        return plain_secret unless Feature.enabled?(:hash_oauth_tokens)
-
-        Devise::Pbkdf2Encryptable::Encryptors::Pbkdf2Sha512.digest(plain_secret, STRETCHES, SALT)
-      end
-
-      ##
-      # Determines whether this strategy supports restoring
-      # secrets from the database. This allows detecting users
-      # trying to use a non-restorable strategy with +reuse_access_tokens+.
-      def self.allows_restoring_secrets?
-        false
-      end
-    end
-  end
-end
diff --git a/lib/gitlab/doorkeeper_secret_storing/secret/pbkdf2_sha512.rb b/lib/gitlab/doorkeeper_secret_storing/secret/pbkdf2_sha512.rb
new file mode 100644
index 00000000000..e0884557496
--- /dev/null
+++ b/lib/gitlab/doorkeeper_secret_storing/secret/pbkdf2_sha512.rb
@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+module Gitlab
+  module DoorkeeperSecretStoring
+    module Secret
+      class Pbkdf2Sha512 < ::Doorkeeper::SecretStoring::Base
+        STRETCHES = 20_000
+        # An empty salt is used because we need to look tokens up solely by
+        # their hashed value. Additionally, tokens are always cryptographically
+        # pseudo-random and unique, therefore salting provides no
+        # additional security.
+        SALT = ''
+
+        def self.transform_secret(plain_secret, stored_as_hash = false)
+          return plain_secret if Feature.disabled?(:hash_oauth_secrets) && !stored_as_hash
+
+          Devise::Pbkdf2Encryptable::Encryptors::Pbkdf2Sha512.digest(plain_secret, STRETCHES, SALT)
+        end
+
+        ##
+        # Determines whether this strategy supports restoring
+        # secrets from the database. This allows detecting users
+        # trying to use a non-restorable strategy with +reuse_access_tokens+.
+        def self.allows_restoring_secrets?
+          false
+        end
+
+        ##
+        # Securely compare the given +input+ value with a +stored+ value
+        # processed by +transform_secret+.
+        def self.secret_matches?(input, stored)
+          stored_as_hash = stored.starts_with?('$pbkdf2-')
+          transformed_input = transform_secret(input, stored_as_hash)
+          ActiveSupport::SecurityUtils.secure_compare transformed_input, stored
+        end
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/doorkeeper_secret_storing/token/pbkdf2_sha512.rb b/lib/gitlab/doorkeeper_secret_storing/token/pbkdf2_sha512.rb
new file mode 100644
index 00000000000..f9e6d4076f3
--- /dev/null
+++ b/lib/gitlab/doorkeeper_secret_storing/token/pbkdf2_sha512.rb
@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module DoorkeeperSecretStoring
+    module Token
+      class Pbkdf2Sha512 < ::Doorkeeper::SecretStoring::Base
+        STRETCHES = 20_000
+        # An empty salt is used because we need to look tokens up solely by
+        # their hashed value. Additionally, tokens are always cryptographically
+        # pseudo-random and unique, therefore salting provides no
+        # additional security.
+        SALT = ''
+
+        def self.transform_secret(plain_secret)
+          return plain_secret unless Feature.enabled?(:hash_oauth_tokens)
+
+          Devise::Pbkdf2Encryptable::Encryptors::Pbkdf2Sha512.digest(plain_secret, STRETCHES, SALT)
+        end
+
+        ##
+        # Determines whether this strategy supports restoring
+        # secrets from the database. This allows detecting users
+        # trying to use a non-restorable strategy with +reuse_access_tokens+.
+        def self.allows_restoring_secrets?
+          false
+        end
+      end
+    end
+  end
+end
author	GitLab Bot <gitlab-bot@gitlab.com>	2022-09-20 02:18:09 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2022-09-20 02:18:09 +0300
commit	6ed4ec3e0b1340f96b7c043ef51d1b33bbe85fde (patch)
tree	dc4d20fe6064752c0bd323187252c77e0a89144b /lib/gitlab/doorkeeper_secret_storing
parent	9868dae7fc0655bd7ce4a6887d4e6d487690eeed (diff)