the config file. It can also verify a salted anonymous token.
Arvados-DCO-1.1-Signed-off-by: Ward Vandewege <ward@curii.com>
- def self.check_anonymous_user_token token
+ def self.check_anonymous_user_token(token:, remote:)
case token[0..2]
when 'v2/'
_, token_uuid, secret, optional = token.split('/')
case token[0..2]
when 'v2/'
_, token_uuid, secret, optional = token.split('/')
+ # the anonymous token could be specified as a full v2 token in the config
+ case Rails.configuration.Users.AnonymousUserToken[0..2]
+ when 'v2/'
+ _, anon_token_uuid, anon_secret, anon_optional = Rails.configuration.Users.AnonymousUserToken.split('/')
+ unless anon_token_uuid.andand.length == 27 && anon_secret.andand.length.andand > 0
+ # invalid v2 token
+ return nil
+ end
+ else
+ # v1 token
+ anon_secret = Rails.configuration.Users.AnonymousUserToken
+ end
+
+ salted_secret = OpenSSL::HMAC.hexdigest('sha1', anon_secret, remote)
+
# The anonymous token content and minimum length is verified in lib/config
# The anonymous token content and minimum length is verified in lib/config
- if secret.length >= 0 && secret == Rails.configuration.Users.AnonymousUserToken
+ if secret.length >= 0 && (secret == anon_secret || secret == salted_secret)
return ApiClientAuthorization.new(user: User.find_by_uuid(anonymous_user_uuid),
uuid: Rails.configuration.ClusterID+"-gj3su-anonymouspublic",
return ApiClientAuthorization.new(user: User.find_by_uuid(anonymous_user_uuid),
uuid: Rails.configuration.ClusterID+"-gj3su-anonymouspublic",
api_client: anonymous_user_token_api_client,
scopes: ['GET /'])
else
api_client: anonymous_user_token_api_client,
scopes: ['GET /'])
else
return nil if token.nil? or token.empty?
remote ||= Rails.configuration.ClusterID
return nil if token.nil? or token.empty?
remote ||= Rails.configuration.ClusterID
- auth = self.check_anonymous_user_token(token)
+ auth = self.check_anonymous_user_token(token: token, remote: remote)
if !auth.nil?
return auth
end
if !auth.nil?
return auth
end