Class: Gitlab::DoorkeeperSecretStoring::Secret::Pbkdf2Sha512

Inherits:
Doorkeeper::SecretStoring::Base
  • Object
Defined in:
lib/gitlab/doorkeeper_secret_storing/secret/pbkdf2_sha512.rb

Constant Summary

STRETCHES = 20_000

SALT = ''

An empty salt is used because we need to look tokens up solely by their hashed value. Additionally, tokens are always cryptographically pseudo-random and unique, therefore salting provides no additional security.

Class Method Summary

Class Method Details

.allows_restoring_secrets? ⇒ Boolean

Determines whether this strategy supports restoring secrets from the database. This allows detecting users trying to use a non-restorable strategy with reuse_access_tokens.

Returns:

  • (Boolean)


# File 'lib/gitlab/doorkeeper_secret_storing/secret/pbkdf2_sha512.rb', line 21

def self.allows_restoring_secrets?
  false
end

.secret_matches?(input, stored) ⇒ Boolean

Securely compare the given input value with a stored value processed by transform_secret.

Returns:

  • (Boolean)


# File 'lib/gitlab/doorkeeper_secret_storing/secret/pbkdf2_sha512.rb', line 28

def self.secret_matches?(input, stored)
  transformed_input = transform_secret(input)
  ActiveSupport::SecurityUtils.secure_compare transformed_input, stored
end

.transform_secret(plain_secret) ⇒ Object



# File 'lib/gitlab/doorkeeper_secret_storing/secret/pbkdf2_sha512.rb', line 13

def self.transform_secret(plain_secret)
  Devise::Pbkdf2Encryptable::Encryptors::Pbkdf2Sha512.digest(plain_secret, STRETCHES, SALT)
end
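
The sketch below is an added example, not GitLab's or Doorkeeper's code. It illustrates the SALT note and secret_matches? above: an unsalted, deterministic PBKDF2-SHA512 digest can act as the lookup key for a token, while a per-token random salt would rule that out. TokenStore, pbkdf2_hex and the hex encoding are assumptions (the string format produced by Devise::Pbkdf2Encryptable may differ), and OpenSSL.secure_compare stands in for ActiveSupport::SecurityUtils.secure_compare.

```ruby
require 'openssl'
require 'securerandom'

STRETCHES = 20_000 # value from the page
SALT = ''          # value from the page

# Assumption: raw PBKDF2-HMAC-SHA512 output, hex-encoded. The encoded string
# that Devise::Pbkdf2Encryptable stores may look different.
def pbkdf2_hex(secret, salt: SALT)
  OpenSSL::KDF.pbkdf2_hmac(secret, salt: salt, iterations: STRETCHES,
                           length: 64, hash: 'sha512').unpack1('H*')
end

# Hypothetical token table: only the digest is stored, and it is the lookup key.
class TokenStore
  def initialize
    @rows = {}
  end

  # Returns the plaintext token once; the store cannot restore it afterwards.
  def issue(owner)
    token = SecureRandom.hex(32)
    @rows[pbkdf2_hex(token)] = owner
    token
  end

  # A single keyed lookup, possible only because the digest is deterministic.
  def find_owner(presented)
    @rows[pbkdf2_hex(presented)]
  end

  def digests
    @rows.keys
  end
end

# Constant-time comparison of a presented token against one stored digest.
def secret_matches?(input, stored)
  OpenSSL.secure_compare(pbkdf2_hex(input), stored)
end

# With a fresh random salt per call, the same token produces unrelated digests,
# so a digest column could not be used to find the row.
def salted_digests_differ?(token)
  a = pbkdf2_hex(token, salt: SecureRandom.random_bytes(16))
  b = pbkdf2_hex(token, salt: SecureRandom.random_bytes(16))
  a != b
end
```
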