author | Kamil Trzcinski <ayufan@ayufan.eu> | 2015-07-08 14:10:53 +0200 |
---|---|---|
committer | Kamil Trzcinski <ayufan@ayufan.eu> | 2015-07-08 14:10:58 +0200 |
commit | 65b38e5bc1b575c104a4209501b48dda60a3ca89 (patch) | |
tree | 39637eb2d7d1bcfdd5eba343166135c4c48fe739 /app/helpers | |
parent | 52cc9a572484a87cea542448e6d439b7c6032e04 (diff) | |
download | gitlab-ci-65b38e5bc1b575c104a4209501b48dda60a3ca89.tar.gz |
Added random salt and hashing to oauth state parameter
This ensures that the content of the state parameter was generated by CI, but it doesn't prevent replay attacks on the state parameter.
Diffstat (limited to 'app/helpers')
-rw-r--r-- | app/helpers/user_sessions_helper.rb | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/app/helpers/user_sessions_helper.rb b/app/helpers/user_sessions_helper.rb
index 2018402..e5853b5 100644
--- a/app/helpers/user_sessions_helper.rb
+++ b/app/helpers/user_sessions_helper.rb
@@ -1,2 +1,29 @@
 module UserSessionsHelper
+  def generate_oauth_salt
+    SecureRandom.hex(16)
+  end
+
+  def generate_oauth_secret(salt, return_to)
+    return unless return_to
+    message = GitlabCi::Application.config.secret_key_base + salt + return_to
+    Digest::SHA256.hexdigest message
+  end
+
+  def generate_oauth_state(return_to)
+    return unless return_to
+    salt = generate_oauth_salt
+    secret = generate_oauth_secret(salt, return_to)
+    "#{salt}:#{secret}:#{return_to}"
+  end
+
+  def get_ouath_state_return_to(state)
+    state.split(':', 3)[2] if state
+  end
+
+  def is_oauth_state_valid?(state)
+    return true unless state
+    salt, secret, return_to = state.split(':', 3)
+    return false unless return_to
+    secret == generate_oauth_secret(salt, return_to)
+  end
 end
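Review bot: `generate_oauth_secret` digests the bare concatenation `secret_key_base + salt + return_to` with SHA-256, so nothing in the hash fixes where `salt` ends and `return_to` begins (the validator takes both from the client-supplied state), and a plain hash over secret-prefixed data is the construction that SHA-256's length-extension property applies to; a keyed MAC over a delimited message is the standard fix, replacing the two lines that build `message` and digest it with `OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), GitlabCi::Application.config.secret_key_base, "#{salt}:#{return_to}")`. The check in `is_oauth_state_valid?` is a plain `secret == ...` string equality, which can leak the expected digest through timing; `ActiveSupport::SecurityUtils.secure_compare(secret, generate_oauth_secret(salt, return_to))` (or `Rack::Utils.secure_compare` if this Rails version does not ship the former) is the constant-time form. `get_ouath_state_return_to` misspells "oauth" and `is_oauth_state_valid?` carries the `is_` prefix that Ruby predicate naming omits; since both names are new in this commit, `oauth_state_return_to` and `oauth_state_valid?` would be cheap to fix now. The helpers also carry no comments explaining the `salt:secret:return_to` layout or that the `3` limit on `split` exists because `return_to` itself contains colons; a one-line comment on `generate_oauth_state` stating the format would save the next reader that inference.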