X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/5b7b8beb6b02f913f1881065ab5a856f7f8ebfb6..b29897f6c80db4a2b98f84fe6c2fcab98117efd2:/lib/controller/fed_containers.go?ds=sidebyside
diff --git a/lib/controller/fed_containers.go b/lib/controller/fed_containers.go
index 1ca27bf6f5..a923f757f2 100644
--- a/lib/controller/fed_containers.go
+++ b/lib/controller/fed_containers.go
@@ -12,8 +12,8 @@ import (
 "net/http"
 "strings"
- "git.curoverse.com/arvados.git/sdk/go/auth"
- "git.curoverse.com/arvados.git/sdk/go/httpserver"
+ "git.arvados.org/arvados.git/sdk/go/auth"
+ "git.arvados.org/arvados.git/sdk/go/httpserver"
 )
 func remoteContainerRequestCreate(
@@ -33,9 +33,12 @@ func remoteContainerRequestCreate(
 creds := auth.NewCredentials()
 creds.LoadTokensFromHTTPRequest(req)
- currentUser, err := h.handler.validateAPItoken(req, creds.Tokens[0])
+ currentUser, ok, err := h.handler.validateAPItoken(req, creds.Tokens[0])
 if err != nil {
- httpserver.Error(w, err.Error(), http.StatusForbidden)
+ httpserver.Error(w, err.Error(), http.StatusInternalServerError)
+ return true
+ } else if !ok {
+ httpserver.Error(w, "invalid API token", http.StatusForbidden)
 return true
 }
@@ -57,7 +60,7 @@ func remoteContainerRequestCreate(
 originalBody := req.Body
 defer originalBody.Close()
 var request map[string]interface{}
- err := json.NewDecoder(req.Body).Decode(&request)
+ err = json.NewDecoder(req.Body).Decode(&request)
 if err != nil {
 httpserver.Error(w, err.Error(), http.StatusBadRequest)
 return true
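Review bot: `creds.Tokens[0]` in the `validateAPItoken` call of the `-33,9 +33,12` hunk is indexed without a length check, so a request that carries no token would panic here rather than receive a clean authentication error. `creds` is created two lines earlier in the same hunk and nothing visible guards it, although the function begins before the hunk and an outer layer may already reject token-less requests. A guard before the call, `if len(creds.Tokens) == 0 { httpserver.Error(w, "no API token provided", http.StatusUnauthorized); return true }`, would make the failure explicit. Separately, the new 500 branch still sends `err.Error()` to the client, which may expose internal error text; logging the detail and returning a generic message would be safer.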
@@ -89,27 +92,24 @@ func remoteContainerRequestCreate(
 }
 if strings.HasPrefix(currentUser.Authorization.UUID, h.handler.Cluster.ClusterID) {
- // Local user, so create a new token
+ // Local user, submitting to a remote cluster.
+ // Create a new time-limited token.
 newtok, err := h.handler.createAPItoken(req, currentUser.UUID, nil)
 if err != nil {
 httpserver.Error(w, err.Error(), http.StatusForbidden)
 return true
 }
 containerRequest["runtime_token"] = newtok.TokenV2()
- } else if strings.HasPrefix(currentUser.Authorization.UUID, *cluster_id) {
- // Remote user from the cluster that we want
- // to send work to. Submit container to run
- // using current token.
- containerRequest["runtime_token"] = creds.Tokens[0]
 } else {
- // Remote user. Submit container to run with current token,
- // salted for the target cluster.
- saltedToken, err := auth.SaltToken(creds.Tokens[0], *clusterId)
- if err != nil {
- httpserver.Error(w, err.Error(), http.StatusForbidden)
- return true
+ // Remote user. Container request will use the
+ // current token, minus the trailing portion
+ // (optional container uuid).
+ sp := strings.Split(creds.Tokens[0], "/")
+ if len(sp) >= 3 {
+ containerRequest["runtime_token"] = strings.Join(sp[0:3], "/")
+ } else {
+ containerRequest["runtime_token"] = creds.Tokens[0]
 }
- containerRequest["runtime_token"] = saltedToken
 }
 }
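Review bot: The new `else` branch forwards the caller's own token as `runtime_token` for every remote user, whereas the removed code passed it through `auth.SaltToken` when the user came from a cluster other than the target. The target cluster now appears to receive the unsalted token, and the comment does not say why that is acceptable. If this is intended, the comment should state the trust assumption, for example `// Forwarded unsalted: the target cluster is trusted to hold this token.` The truncation also checks only the segment count, so any string with two or more slashes is cut to its first three parts. `if len(sp) >= 3 && sp[0] == "v2" {` would make the format assumption explicit, presuming the three-part form is the v2 token layout. The enclosing function starts and continues outside this hunk.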