projects / arvados.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (from parent 1: 053f742)
18676: more tweaks after review comments: clarify logic in checkToken
authorWard Vandewege <ward@curii.com>
Mon, 14 Feb 2022 17:43:15 +0000 (12:43 -0500)
committerWard Vandewege <ward@curii.com>
Mon, 14 Feb 2022 18:59:47 +0000 (13:59 -0500)
       (lib/config/load.go), and make sure that we also check the uuid
       when we match the anonymous user token, when it is supplied as
       a V2 token.

Arvados-DCO-1.1-Signed-off-by: Ward Vandewege <ward@curii.com>

lib/config/load.go patch | blob | history
services/api/app/models/api_client_authorization.rb patch | blob | history

diff --git a/lib/config/load.go b/lib/config/load.go
index 418a400e6267e48abb6194f0975e325fb00db4e6..aa7520ca29e7d6fe2d4040e50ae11f3416b98c77 100644 (file)
--- a/lib/config/load.go
+++ b/lib/config/load.go
@@ -335,14 +335,18 @@ var acceptableTokenRe = regexp.MustCompile(`^[a-zA-Z0-9]+$`)
 var acceptableTokenLength = 32
 
 func (ldr *Loader) checkToken(label, token string, mandatory bool) error {
-       // when a token is not mandatory, the acceptable length and content is only checked if its length is non-zero
-       if mandatory && token == "" {
-               if ldr.Logger != nil {
-                       ldr.Logger.Warnf("%s: secret token is not set (use %d+ random characters from a-z, A-Z, 0-9)", label, acceptableTokenLength)
+       if len(token) == 0 {
+               if !mandatory {
+                       // when a token is not mandatory, the acceptable length and content is only checked if its length is non-zero
+                       return nil
+               } else {
+                       if ldr.Logger != nil {
+                               ldr.Logger.Warnf("%s: secret token is not set (use %d+ random characters from a-z, A-Z, 0-9)", label, acceptableTokenLength)
+                       }
                }
-       } else if (mandatory || len(token) > 0) && !acceptableTokenRe.MatchString(token) {
+       } else if !acceptableTokenRe.MatchString(token) {
                return fmt.Errorf("%s: unacceptable characters in token (only a-z, A-Z, 0-9 are acceptable)", label)
-       } else if (mandatory || len(token) > 0) && len(token) < acceptableTokenLength {
+       } else if len(token) < acceptableTokenLength {
                if ldr.Logger != nil {
                        ldr.Logger.Warnf("%s: token is too short (should be at least %d characters)", label, acceptableTokenLength)
                }
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index a6beaa07ab38b6a177e9a466f7cd50f737b0edaa..f8454029d6b8cf2561505080ac5b74b8d57b8c70 100644 (file)
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -115,8 +115,9 @@ class ApiClientAuthorization < ArvadosModel
     case token[0..2]
     when 'v2/'
       _, token_uuid, secret, optional = token.split('/')
-      unless token_uuid.andand.length == 27 && secret.andand.length.andand > 0
-        # invalid token
+      unless token_uuid.andand.length == 27 && secret.andand.length.andand > 0 &&
+             token_uuid == Rails.configuration.ClusterID+"-gj3su-anonymouspublic"
+        # invalid v2 token, or v2 token for another user
         return nil
       end
     else