Increase LFS token entropy for keys/deploy keys

Since fingerprint is based on the public key Let's take more bytes from attr_encrypted_db_key_base To have the same entropy as a secret for a user Changelog: changed

Increase LFS token entropy for keys/deploy keys
Since fingerprint is based on the public key Let's take more bytes from attr_encrypted_db_key_base To have the same entropy as a secret for a user Changelog: changed
9a2e2837 · Igor Drozdov · 7c76abc7 · 9a2e2837
Commit 9a2e2837 authored Nov 17, 2021 by Igor Drozdov
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 12 deletions

lib/gitlab/lfs_token.rb lib/gitlab/lfs_token.rb +3 -12

No files found.
--- a/lib/gitlab/lfs_token.rb
+++ b/lib/gitlab/lfs_token.rb
@@ -96,24 +96,15 @@ module Gitlab
      attr_reader :actor

      def secret
-        salt + key
-      end
-
-      def salt
        case actor
        when DeployKey, Key
-          actor.fingerprint.delete(':').first(16)
+          # Since fingerprint is based on the public key, let's take more bytes from attr_encrypted_db_key_base
+          actor.fingerprint.delete(':').first(16) + Settings.attr_encrypted_db_key_base_32
        when User
          # Take the last 16 characters as they're more unique than the first 16
-          actor.id.to_s + actor.encrypted_password.last(16)
+          actor.id.to_s + actor.encrypted_password.last(16) + Settings.attr_encrypted_db_key_base.first(16)
        end
      end
-
-      def key
-        # Take 16 characters of attr_encrypted_db_key_base, as that's what the
-        # cipher needs exactly
-        Settings.attr_encrypted_db_key_base.first(16)
-      end
    end
  end
 end