Use SHA256 fingerprint instead of MD5 for LFS token secret

Contributes to https://gitlab.com/gitlab-org/gitlab/-/issues/355878 **Problem** FIPS restricted environments don't support MD5 fingerprints. LFS secrets based on MD5 fingerpritn won't work there. **Solution** Use SHA256 fingerprint as a base for secret generation. Changelog: changed

Use SHA256 fingerprint instead of MD5 for LFS token secret
Contributes to https://gitlab.com/gitlab-org/gitlab/-/issues/355878 **Problem** FIPS restricted environments don't support MD5 fingerprints. LFS secrets based on MD5 fingerpritn won't work there. **Solution** Use SHA256 fingerprint as a base for secret generation. Changelog: changed
ea76f3c2 · Vasilii Iakliushin · bbc989ca · ea76f3c2
Commit ea76f3c2 authored Apr 07, 2022 by Vasilii Iakliushin
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

lib/gitlab/lfs_token.rb lib/gitlab/lfs_token.rb +1 -1

No files found.
--- a/lib/gitlab/lfs_token.rb
+++ b/lib/gitlab/lfs_token.rb
@@ -99,7 +99,7 @@ module Gitlab
        case actor
        when DeployKey, Key
          # Since fingerprint is based on the public key, let's take more bytes from attr_encrypted_db_key_base
-          actor.fingerprint.delete(':').first(16) + Settings.attr_encrypted_db_key_base_32
+          actor.fingerprint_sha256.first(16) + Settings.attr_encrypted_db_key_base_32
        when User
          # Take the last 16 characters as they're more unique than the first 16
          actor.id.to_s + actor.encrypted_password.last(16) + Settings.attr_encrypted_db_key_base.first(16)