From 608e8f79c3fb5cb7077fce4a0b497c5c93d6d6d0 Mon Sep 17 00:00:00 2001
From: Ward Vandewege
Date: Fri, 18 Feb 2022 08:34:02 -0500
Subject: [PATCH] 18676: make v2 token check more strict, and add the ["GET /"] scope to the new anonymous token code path.

Arvados-DCO-1.1-Signed-off-by: Ward Vandewege
---
 lib/config/load.go | 2 +-
 services/api/app/models/api_client_authorization.rb | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/config/load.go b/lib/config/load.go
index 7136c60e46..8d498af170 100644
--- a/lib/config/load.go
+++ b/lib/config/load.go
@@ -358,7 +358,7 @@ func (ldr *Loader) checkToken(label, token string, mandatory bool, acceptV2 bool
 if len(tmp) != 3 {
 return fmt.Errorf("%s: unacceptable characters in token (only a-z, A-Z, 0-9 are acceptable)", label)
 }
- if strings.Index(token, "v2/") == -1 {
+ if !strings.HasPrefix(token, "v2/") {
 return fmt.Errorf("%s: unacceptable characters in token (only a-z, A-Z, 0-9 are acceptable)", label)
 }
 ldr.Logger.Warnf("%s: token is a full V2 token, should just be a secret (remove everything up to and including the last forward slash)", label)
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index f8454029d6..c74c1ce5bf 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -130,7 +130,8 @@ class ApiClientAuthorization < ArvadosModel
 return ApiClientAuthorization.new(user: User.find_by_uuid(anonymous_user_uuid),
 uuid: Rails.configuration.ClusterID+"-gj3su-anonymouspublic",
 api_token: token,
- api_client: anonymous_user_token_api_client)
+ api_client: anonymous_user_token_api_client,
+ scopes: ['GET /'])
 else
 return nil
 end
-- 
2.30.2
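Review bot: The error returned when the token has three slash-separated parts but does not start with `v2/` reuses the "unacceptable characters (only a-z, A-Z, 0-9 are acceptable)" message, which no longer describes the failure now that the check is a prefix test; an operator whose token is `something/other/secret` will look for bad characters instead of a malformed V2 token. Consider `return fmt.Errorf("%s: token contains slashes but is not a V2 token (expected v2/<uuid>/<secret>)", label)` for that branch so the two error paths are distinguishable. Tightening `strings.Index(...) == -1` to `!strings.HasPrefix(...)` is the right direction, since the old check accepted any token that merely contained `v2/` somewhere; a unit test with a token that has `v2/` in the middle would pin the new behaviour. The rest of checkToken, including how `tmp` is derived, is outside the hunk.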
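Review bot: The read-only scope literal `['GET /']` is added to the in-memory anonymous ApiClientAuthorization without a comment saying why the anonymous token is deliberately restricted to GET, which is the security property this line carries; a reader later tempted to widen it should see the intent. Suggest `# Anonymous token is read-only: allow GET requests only, matching the scope of the persisted anonymous token.` above the `scopes:` line, with the second clause hedged until confirmed against wherever the database-backed anonymous token is created. Previously scopes was left unset on this object, so whether the default was all-access or nothing depended on code outside the hunk; the explicit scope removes that ambiguity. The enclosing method begins and ends outside the hunk.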