Use a key derivation mechanism to generate the HMAC key

c6bea8e0 · Douglas Barbosa Alexandre · 1fb58b15 · c6bea8e0 · c6bea8e0
Commit c6bea8e0 authored Feb 14, 2019 by Douglas Barbosa Alexandre
Showing with 8 additions and 5 deletions

ee/lib/gitlab/geo/oauth/login_state.rb ee/lib/gitlab/geo/oauth/login_state.rb +6 -3

ee/spec/lib/gitlab/geo/oauth/login_state_spec.rb ee/spec/lib/gitlab/geo/oauth/login_state_spec.rb +2 -2

No files found.
--- a/ee/lib/gitlab/geo/oauth/login_state.rb
+++ b/ee/lib/gitlab/geo/oauth/login_state.rb
@@ -32,10 +32,13 @@ module Gitlab
        attr_reader :hmac

        def generate_hmac
-          digest = OpenSSL::Digest::SHA256.new
-          key = Gitlab::Application.secrets.secret_key_base + salt
+          OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, key, return_to.to_s)
+        end

-          OpenSSL::HMAC.hexdigest(digest, key, return_to.to_s)
+        def key
+          ActiveSupport::KeyGenerator
+            .new(Gitlab::Application.secrets.secret_key_base)
+            .generate_key(salt)
        end

        def salt

--- a/ee/spec/lib/gitlab/geo/oauth/login_state_spec.rb
+++ b/ee/spec/lib/gitlab/geo/oauth/login_state_spec.rb
@@ -3,8 +3,8 @@
 require 'spec_helper'

 describe Gitlab::Geo::Oauth::LoginState do
-  let(:salt) { '100d8cbd1750a2bb' }
-  let(:hmac) { '62fdcface89baab582f33de6672f10499974c28b5cc269795c4830b8b3ab06be' }
+  let(:salt) { 'b9653b6aa2ff6b54' }
+  let(:hmac) { '908844004aa6ba7237be5cd394499a79e64c054e9b8021bd9b43ff7dc508320b' }
  let(:oauth_return_to) { 'http://fake-secondary.com:3000/project/test' }

  before do