From: Ward Vandewege
Date: Mon, 4 Apr 2022 15:00:25 +0000 (-0400)
Subject: 18887: address review comments.
X-Git-Tag: 2.5.0~228^2~2
X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/03a058154008f9c0bd8cfca0ab5ba891252a48d3
18887: address review comments.
Arvados-DCO-1.1-Signed-off-by: Ward Vandewege
---
diff --git a/lib/controller/federation/conn.go b/lib/controller/federation/conn.go
index 2eabf44647..1b8ec9e64a 100644
--- a/lib/controller/federation/conn.go
+++ b/lib/controller/federation/conn.go
@@ -75,9 +75,11 @@ func saltedTokenProvider(cluster *arvados.Cluster, local backend, remoteID strin
 // If we did this, the login cluster would call back to us and then
 // reject our response because the user UUID prefix (i.e., the
 // LoginCluster prefix) won't match the token UUID prefix (i.e., our
- // prefix). The anonymous token is OK to forward, because it gets
- // mapped to the local anonymous token automatically on the login
- // cluster.
+ // prefix). The anonymous token is OK to forward, because (unlike other
+ // local tokens for real users) the validation callback will return the
+ // locally issued anonymous user ID instead of a login-cluster user ID.
+ // That anonymous user ID gets mapped to the local anonymous user
+ // automatically on the login cluster.
 return nil, httpErrorf(http.StatusUnauthorized, "cannot use a locally issued token to forward a request to our login cluster (%s)", remoteID)
 }
 salted, err := auth.SaltToken(token, remoteID)
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index 3ef4d0e330..726061a4ab 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
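Review bot: The rewritten comment explains why the anonymous token may be forwarded, but the hunk shows only the rejection path, so a reader cannot see which condition exempts the anonymous token; that check is presumably earlier in saltedTokenProvider, outside the hunk. Consider opening the comment with a pointer such as `// (The anonymous token is let through by the check above; every other locally issued token is rejected here.)` so the exemption and the rejection are read together. "The validation callback" is also left unnamed; if it means the login cluster's request back to this cluster to validate the forwarded token, saying so, and which user record that request returns, would make the security argument in the comment checkable against the code. saltedTokenProvider starts before the hunk and continues after it.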
@@ -130,23 +130,13 @@ class ApiClientAuthorization < ArvadosModel
 secret = token
 end
- # the anonymous token could be specified as a full v2 token in the config
- case Rails.configuration.Users.AnonymousUserToken[0..2]
- when 'v2/'
- _, anon_token_uuid, anon_secret, anon_optional = Rails.configuration.Users.AnonymousUserToken.split('/')
- unless anon_token_uuid.andand.length == 27 && anon_secret.andand.length.andand > 0
- # invalid v2 token
- return nil
- end
- else
- # v1 token
- anon_secret = Rails.configuration.Users.AnonymousUserToken
- end
-
- salted_secret = OpenSSL::HMAC.hexdigest('sha1', anon_secret, remote)
+ # Usually, the secret is salted
+ salted_secret = OpenSSL::HMAC.hexdigest('sha1', secret, remote)
+ # The anonymous token could be specified as a full v2 token in the config,
+ # but the config loader strips it down to the secret part.
 # The anonymous token content and minimum length is verified in lib/config
- if secret.length >= 0 && (secret == anon_secret || secret == salted_secret)
+ if secret.length >= 0 && (secret == Rails.configuration.Users.AnonymousUserToken || secret == salted_secret)
 return ApiClientAuthorization.new(user: User.find_by_uuid(anonymous_user_uuid),
 uuid: Rails.configuration.ClusterID+"-gj3su-anonymouspublic",
 api_token: secret,