From: Ward Vandewege Date: Mon, 4 Apr 2022 19:01:18 +0000 (-0400) Subject: 18887: Fix salted_secret check. Add test. X-Git-Tag: 2.5.0~228^2~1 X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/cb807029865aacbc54dc88b524ee55f3c5bfd327 18887: Fix salted_secret check. Add test. Arvados-DCO-1.1-Signed-off-by: Ward Vandewege --- diff --git a/lib/controller/integration_test.go b/lib/controller/integration_test.go index 442c9a6df3..b71c4afb55 100644 --- a/lib/controller/integration_test.go +++ b/lib/controller/integration_test.go @@ -418,6 +418,15 @@ func (s *IntegrationSuite) TestForwardAnonymousTokenToLoginCluster(c *check.C) { ) // The local z3333 anonymous token must be allowed to be forwarded to the login cluster c.Check(err, check.IsNil) + + userac1.AuthToken = "v2/z1111-gj3su-asdfasdfasdfasd/this-token-does-not-validate-so-anonymous-token-will-be-used-instead" + err = userac1.RequestAndDecode(&userList, "GET", "/arvados/v1/users", nil, + map[string]interface{}{ + "reader_tokens": []string{anon3Auth.TokenV2()}, + "where": where, + }, + ) + c.Check(err, check.IsNil) } // Get a token from the login cluster (z1111), use it to submit a diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb index 726061a4ab..52922d32b1 100644 --- a/services/api/app/models/api_client_authorization.rb +++ b/services/api/app/models/api_client_authorization.rb @@ -131,7 +131,7 @@ class ApiClientAuthorization < ArvadosModel end # Usually, the secret is salted - salted_secret = OpenSSL::HMAC.hexdigest('sha1', secret, remote) + salted_secret = OpenSSL::HMAC.hexdigest('sha1', Rails.configuration.Users.AnonymousUserToken, remote) # The anonymous token could be specified as a full v2 token in the config, # but the config loader strips it down to the secret part.