Add latest changes from gitlab-org/gitlab@15-3-stable-eev15.3.0-rc42

author: GitLab Bot <gitlab-bot@gitlab.com> 2022-08-18 11:17:02 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2022-08-18 11:17:02 +0300
commit: b39512ed755239198a9c294b6a45e65c05900235 (patch)
tree: d234a3efade1de67c46b9e5a38ce813627726aa7 /lib/gitlab/doorkeeper_secret_storing
parent: d31474cf3b17ece37939d20082b07f6657cc79a9 (diff)
1 files changed, 28 insertions, 0 deletions
diff --git a/lib/gitlab/doorkeeper_secret_storing/pbkdf2_sha512.rb b/lib/gitlab/doorkeeper_secret_storing/pbkdf2_sha512.rb
new file mode 100644
index 00000000000..4bfb5f9e64c
--- /dev/null
+++ b/lib/gitlab/doorkeeper_secret_storing/pbkdf2_sha512.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module DoorkeeperSecretStoring
+    class Pbkdf2Sha512 < ::Doorkeeper::SecretStoring::Base
+      STRETCHES = 20_000
+      # An empty salt is used because we need to look tokens up solely by
+      # their hashed value. Additionally, tokens are always cryptographically
+      # pseudo-random and unique, therefore salting provides no
+      # additional security.
+      SALT = ''
+
+      def self.transform_secret(plain_secret)
+        return plain_secret unless Feature.enabled?(:hash_oauth_tokens)
+
+        Devise::Pbkdf2Encryptable::Encryptors::Pbkdf2Sha512.digest(plain_secret, STRETCHES, SALT)
+      end
+
+      ##
+      # Determines whether this strategy supports restoring
+      # secrets from the database. This allows detecting users
+      # trying to use a non-restorable strategy with +reuse_access_tokens+.
+      def self.allows_restoring_secrets?
+        false
+      end
+    end
+  end
+end
author	GitLab Bot <gitlab-bot@gitlab.com>	2022-08-18 11:17:02 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2022-08-18 11:17:02 +0300
commit	b39512ed755239198a9c294b6a45e65c05900235 (patch)
tree	d234a3efade1de67c46b9e5a38ce813627726aa7 /lib/gitlab/doorkeeper_secret_storing
parent	d31474cf3b17ece37939d20082b07f6657cc79a9 (diff)