From 629cd91ffca67d6de5ad4dbe9854a064f9e26820 Mon Sep 17 00:00:00 2001
From: Ward Vandewege
Date: Mon, 14 Feb 2022 12:43:15 -0500
Subject: [PATCH] 18676: more tweaks after review comments: clarify logic in checkToken (lib/config/load.go), and make sure that we also check the uuid when we match the anonymous user token, when it is supplied as a V2 token.

Arvados-DCO-1.1-Signed-off-by: Ward Vandewege
---
 lib/config/load.go | 16 ++++++++++------
 .../api/app/models/api_client_authorization.rb | 5 +++--
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/lib/config/load.go b/lib/config/load.go
index 418a400e62..aa7520ca29 100644
--- a/lib/config/load.go
+++ b/lib/config/load.go
@@ -335,14 +335,18 @@ var acceptableTokenRe = regexp.MustCompile(`^[a-zA-Z0-9]+$`)
 var acceptableTokenLength = 32
 
 func (ldr *Loader) checkToken(label, token string, mandatory bool) error {
-	// when a token is not mandatory, the acceptable length and content is only checked if its length is non-zero
-	if mandatory && token == "" {
-		if ldr.Logger != nil {
-			ldr.Logger.Warnf("%s: secret token is not set (use %d+ random characters from a-z, A-Z, 0-9)", label, acceptableTokenLength)
+	if len(token) == 0 {
+		if !mandatory {
+			// when a token is not mandatory, the acceptable length and content is only checked if its length is non-zero
+			return nil
+		} else {
+			if ldr.Logger != nil {
+				ldr.Logger.Warnf("%s: secret token is not set (use %d+ random characters from a-z, A-Z, 0-9)", label, acceptableTokenLength)
+			}
 		}
-	} else if (mandatory || len(token) > 0) && !acceptableTokenRe.MatchString(token) {
+	} else if !acceptableTokenRe.MatchString(token) {
 		return fmt.Errorf("%s: unacceptable characters in token (only a-z, A-Z, 0-9 are acceptable)", label)
-	} else if (mandatory || len(token) > 0) && len(token) < acceptableTokenLength {
+	} else if len(token) < acceptableTokenLength {
 		if ldr.Logger != nil {
 			ldr.Logger.Warnf("%s: token is too short (should be at least %d characters)", label, acceptableTokenLength)
 		}
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index a6beaa07ab..f8454029d6 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
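Review bot: The `else` after `return nil` inside the new `if len(token) == 0` block is unnecessary and adds a nesting level; dropping it keeps the happy path flat: `if !mandatory { return nil }` followed directly by `if ldr.Logger != nil { ldr.Logger.Warnf(...) }`. Note that an unset mandatory token is only logged at Warn level in this branch, and the value checkToken returns in that case is decided after the hunk, so whether the loader proceeds with an empty secret cannot be confirmed from these lines. checkToken's body continues past the end of the hunk.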
@@ -115,8 +115,9 @@ class ApiClientAuthorization < ArvadosModel
     case token[0..2]
     when 'v2/'
       _, token_uuid, secret, optional = token.split('/')
-      unless token_uuid.andand.length == 27 && secret.andand.length.andand > 0
-        # invalid token
+      unless token_uuid.andand.length == 27 && secret.andand.length.andand > 0 &&
+             token_uuid == Rails.configuration.ClusterID+"-gj3su-anonymouspublic"
+        # invalid v2 token, or v2 token for another user
         return nil
       end
     else
-- 
2.30.2
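Review bot: The expected anonymous-user UUID is assembled inline as `Rails.configuration.ClusterID+"-gj3su-anonymouspublic"`, which reads as a magic string and lacks the usual spacing around `+`; binding it first, e.g. `anon_uuid = "#{Rails.configuration.ClusterID}-gj3su-anonymouspublic"` before the `unless`, and comparing `token_uuid == anon_uuid` makes the intent — only the anonymous user's v2 token is accepted on this path — explicit. The secret itself is not compared within this hunk; presumably that happens later in the enclosing method, which starts and ends outside the hunk, and a reviewer would want to confirm that comparison is constant-time. The updated comment `# invalid v2 token, or v2 token for another user` correctly describes both rejection cases.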