From 402be7db4c5795a40bbf974cec3d1e31b0c1708f Mon Sep 17 00:00:00 2001
From: Ward Vandewege
Date: Fri, 1 Apr 2022 14:09:36 -0400
Subject: [PATCH] 18887: self.check_anonymous_user_token can now handle a full V2 token in the config file. It can also verify a salted anonymous token.
Arvados-DCO-1.1-Signed-off-by: Ward Vandewege
---
 .../app/models/api_client_authorization.rb | 23 +++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index 993a49e5b7..3ef4d0e330 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -116,7 +116,7 @@ class ApiClientAuthorization < ArvadosModel
 clnt
 end
 
- def self.check_anonymous_user_token token
+ def self.check_anonymous_user_token(token:, remote:)
 case token[0..2]
 when 'v2/'
 _, token_uuid, secret, optional = token.split('/')
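Review bot: The new `remote:` keyword on `def self.check_anonymous_user_token(token:, remote:)` has no documentation at the definition, and its role (the second hunk uses it as the HMAC salt when a salted anonymous token is presented) is not obvious from the name; a comment above the signature such as `# Returns an ApiClientAuthorization for the anonymous user when +token+ is the configured anonymous token (v1 or v2, either as-is or salted with +remote+ as HMAC key input), otherwise nil.` would document the contract. Making `remote` a required keyword also means every caller must pass it; the diffstat lists only this file, so any caller outside it (tests, for instance) would now raise ArgumentError — worth confirming. The method body continues past the end of this hunk.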
@@ -130,11 +130,26 @@ class ApiClientAuthorization < ArvadosModel
 secret = token
 end
 
+ # the anonymous token could be specified as a full v2 token in the config
+ case Rails.configuration.Users.AnonymousUserToken[0..2]
+ when 'v2/'
+ _, anon_token_uuid, anon_secret, anon_optional = Rails.configuration.Users.AnonymousUserToken.split('/')
+ unless anon_token_uuid.andand.length == 27 && anon_secret.andand.length.andand > 0
+ # invalid v2 token
+ return nil
+ end
+ else
+ # v1 token
+ anon_secret = Rails.configuration.Users.AnonymousUserToken
+ end
+
+ salted_secret = OpenSSL::HMAC.hexdigest('sha1', anon_secret, remote)
+
 # The anonymous token content and minimum length is verified in lib/config
- if secret.length >= 0 && secret == Rails.configuration.Users.AnonymousUserToken
+ if secret.length >= 0 && (secret == anon_secret || secret == salted_secret)
 return ApiClientAuthorization.new(user: User.find_by_uuid(anonymous_user_uuid),
 uuid: Rails.configuration.ClusterID+"-gj3su-anonymouspublic",
- api_token: token,
+ api_token: secret,
 api_client: anonymous_user_token_api_client,
 scopes: ['GET /'])
 else
@@ -157,7 +172,7 @@ class ApiClientAuthorization < ArvadosModel
 return nil if token.nil? or token.empty?
 remote ||= Rails.configuration.ClusterID
 
- auth = self.check_anonymous_user_token(token)
+ auth = self.check_anonymous_user_token(token: token, remote: remote)
 if !auth.nil?
 return auth
 end
-- 
2.30.2
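Review bot: The accept condition `secret == anon_secret || secret == salted_secret` compares a presented credential to the expected value with String#==, which stops at the first differing byte, so the comparison should be constant-time: `if !secret.empty? && (ActiveSupport::SecurityUtils.secure_compare(secret, anon_secret) || ActiveSupport::SecurityUtils.secure_compare(secret, salted_secret))`. The same line keeps `secret.length >= 0`, which is true for every String and therefore guards nothing; `!secret.empty?` says what is presumably meant, or the check can go given the lib/config validation the preceding comment refers to. In the v2 branch `anon_optional` is assigned but never read, and `Rails.configuration.Users.AnonymousUserToken` is fetched three times; a local such as `anon_token = Rails.configuration.Users.AnonymousUserToken` above the `case` would make the v1/v2 split easier to follow, and `&.` would do what `andand` does here without the extra dependency. If the lines between the first two hunks (outside this view) do not compare the presented token's uuid with the configured `anon_token_uuid`, only the secret part of a v2 token is verified here — worth confirming. The enclosing method starts in the previous hunk and its `else` branch continues past this one.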