From 91a7c32b6a2e00dc27ee885e3beb666ea6b390a7 Mon Sep 17 00:00:00 2001
From: Bogdan Denkovych <bdenkovych@gitlab.com>
Date: Wed, 19 Jan 2022 12:19:02 +0200
Subject: [PATCH] Remove `net-ssh`, `ed25519`, and `bcrypt_pbkdf` gems from
 dependencies

Follow up https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77424#note_812526274

In https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77424 we started
using `ssh_data` gem instead of `net-ssh` and `sshkey`
where possible to facilitate implementation of
https://gitlab.com/gitlab-org/gitlab/-/issues/213259.

This MR eliminates the last usage of `net-ssh` from the codebase
and removes `net-ssh` and its sub dependencies - `ed25519` and `bcrypt_pbkdf`.

Fewer dependencies facilitate development and maintenance,
especially during upgrading libraries/gems.

Changelog: other
---
 Gemfile                                                  | 9 +--------
 Gemfile.lock                                             | 5 -----
 app/validators/x509_certificate_credentials_validator.rb | 2 +-
 3 files changed, 2 insertions(+), 14 deletions(-)

diff --git a/Gemfile b/Gemfile
index c142265a402dc..e388121df9b3f 100644
--- a/Gemfile
+++ b/Gemfile
@@ -466,16 +466,9 @@ gem 'sys-filesystem', '~> 1.4.3'
 # NTP client
 gem 'net-ntp'
 
-# SSH host key support
-gem 'net-ssh', '~> 6.0'
+# SSH keys support
 gem 'ssh_data', '~> 1.2'
 
-# Required for ED25519 SSH host key support
-group :ed25519 do
-  gem 'ed25519', '~> 1.2'
-  gem 'bcrypt_pbkdf', '~> 1.1'
-end
-
 # Spamcheck GRPC protocol definitions
 gem 'spamcheck', '~> 0.1.0'
 
diff --git a/Gemfile.lock b/Gemfile.lock
index 00efcd0ba66d5..ca223bb428d38 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -137,7 +137,6 @@ GEM
     base32 (0.3.2)
     batch-loader (2.0.1)
     bcrypt (3.1.16)
-    bcrypt_pbkdf (1.1.0)
     benchmark (0.1.1)
     benchmark-ips (2.3.0)
     benchmark-memory (0.1.2)
@@ -308,7 +307,6 @@ GEM
     e2mmap (0.1.0)
     ecma-re-validator (0.3.0)
       regexp_parser (~> 2.0)
-    ed25519 (1.2.4)
     elasticsearch (6.8.2)
       elasticsearch-api (= 6.8.2)
       elasticsearch-transport (= 6.8.2)
@@ -1408,7 +1406,6 @@ DEPENDENCIES
   base32 (~> 0.3.0)
   batch-loader (~> 2.0.1)
   bcrypt (~> 3.1, >= 3.1.14)
-  bcrypt_pbkdf (~> 1.1)
   benchmark-ips (~> 2.3.0)
   benchmark-memory (~> 0.1)
   better_errors (~> 2.9.0)
@@ -1441,7 +1438,6 @@ DEPENDENCIES
   discordrb-webhooks (~> 3.4)
   doorkeeper (~> 5.5.0.rc2)
   doorkeeper-openid_connect (~> 1.7.5)
-  ed25519 (~> 1.2)
   elasticsearch-api (~> 6.8.2)
   elasticsearch-model (~> 6.1)
   elasticsearch-rails (~> 6.1)
@@ -1542,7 +1538,6 @@ DEPENDENCIES
   multi_json (~> 1.14.1)
   net-ldap (~> 0.16.3)
   net-ntp
-  net-ssh (~> 6.0)
   nokogiri (~> 1.12)
   oauth2 (~> 1.4)
   octokit (~> 4.15)
diff --git a/app/validators/x509_certificate_credentials_validator.rb b/app/validators/x509_certificate_credentials_validator.rb
index d2f18e956c333..11b53d59c7d13 100644
--- a/app/validators/x509_certificate_credentials_validator.rb
+++ b/app/validators/x509_certificate_credentials_validator.rb
@@ -41,7 +41,7 @@ def validate(record)
 
     return if private_key.nil? || certificate.nil?
 
-    unless certificate.public_key.fingerprint == private_key.public_key.fingerprint
+    unless certificate.check_private_key(private_key)
       record.errors.add(options[:pkey], _('private key does not match certificate.'))
     end
   end
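Review bot: `certificate.check_private_key(private_key)` can raise rather than return false when the parsed key has no private component, because Ruby's OpenSSL binding (as far as I know) rejects a non-private key with an ArgumentError before comparing anything; the old fingerprint comparison just compared. How `private_key` is parsed is outside this hunk (`validate` starts above it), so please confirm that a public-key-only PEM cannot reach this line, or guard it with `unless private_key.private? && certificate.check_private_key(private_key)`, assuming every key class that can get here responds to `private?`. The underlying OpenSSL check compares only the public components of the pair, so it matches the strength of the old comparison and is not a proof that the private half is valid. A spec with a mismatched key and with a public-key-only PEM in the pkey attribute would pin both outcomes. Since `fingerprint` on OpenSSL keys appears to have been an extension supplied by net-ssh, other callers of such extensions would not mention the gem by name and are worth searching for before the gem is dropped.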
-- 
GitLab