From b377684bf4c7a6211e39556c744544857ee66493 Mon Sep 17 00:00:00 2001
From: Tom Clegg
Date: Mon, 16 Nov 2020 20:37:05 -0500
Subject: [PATCH] 17106: Accept v2 token with / replaced by _ as s3 access/secret key.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
 services/keep-web/s3.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/services/keep-web/s3.go b/services/keep-web/s3.go
index 57c9d7efb3..0170146c09 100644
--- a/services/keep-web/s3.go
+++ b/services/keep-web/s3.go
@@ -152,7 +152,14 @@ func (h *handler) checks3signature(r *http.Request) (string, error) {
 } else {
 // Access key and secret key are both an entire
 // Arvados token or OIDC access token.
- ctx := arvados.ContextWithAuthorization(r.Context(), "Bearer "+key)
+ mungedKey := key
+ if strings.HasPrefix(key, "v2_") {
+ // Entire Arvados token, with "/" replaced by
+ // "_" to avoid colliding with the
+ // Authorization header format.
+ mungedKey = strings.Replace(key, "_", "/", -1)
+ }
+ ctx := arvados.ContextWithAuthorization(r.Context(), "Bearer "+mungedKey)
 err = client.RequestAndDecodeContext(ctx, &aca, "GET", "arvados/v1/api_client_authorizations/current", nil, nil)
 secret = key
 }
@@ -170,7 +177,7 @@ func (h *handler) checks3signature(r *http.Request) (string, error) {
 } else if expect != signature {
 return "", fmt.Errorf("signature does not match (scope %q signedHeaders %q stringToSign %q)", scope, signedHeaders, stringToSign)
 }
- return secret, nil
+ return aca.TokenV2(), nil
 }

 // serveS3 handles r and returns true if r is a request from an S3
-- 
2.30.2
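Review bot: The `strings.Replace(key, "_", "/", -1)` line rewrites every underscore in the key, so it is only correct if no field of a v2 token can itself contain `_`, and nothing in the hunk establishes that. A key that did contain one would be forwarded as a different bearer token and presumably just fail the lookup, but the assumption should be written down, e.g. `// Assumes no field of a v2 token contains "_"; such a key cannot be un-munged and is rejected.` The same branch is also taken by any OIDC access token that happens to begin with `v2_`, which the existing comment says this path accepts. It would help to note next to `secret = key` that the signature is meant to be verified against the underscore spelling, not the un-munged token. The enclosing function starts and ends outside this hunk.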
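Review bot: `return aca.TokenV2(), nil` makes the returned credential depend on `aca` being fully populated on every path that reaches this line, including the earlier branch that is not visible in this hunk. If the decoded record ever lacks its UUID or secret (whether the `current` response for an OIDC access token carries a usable secret cannot be seen from here), callers receive a malformed token after the signature has already matched. A guard on the decoded fields before the return would make that failure explicit instead of passing it downstream. The function's doc comment, which is outside the hunk, should also be updated, e.g. `// On success it returns the v2 token of the matched authorization, not the S3 secret key as presented.`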