From cb807029865aacbc54dc88b524ee55f3c5bfd327 Mon Sep 17 00:00:00 2001
From: Ward Vandewege
Date: Mon, 4 Apr 2022 15:01:18 -0400
Subject: [PATCH] 18887: Fix salted_secret check. Add test.

Arvados-DCO-1.1-Signed-off-by: Ward Vandewege
---
 lib/controller/integration_test.go | 9 +++++++++
 services/api/app/models/api_client_authorization.rb | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/lib/controller/integration_test.go b/lib/controller/integration_test.go
index 442c9a6df3..b71c4afb55 100644
--- a/lib/controller/integration_test.go
+++ b/lib/controller/integration_test.go
@@ -418,6 +418,15 @@ func (s *IntegrationSuite) TestForwardAnonymousTokenToLoginCluster(c *check.C) {
 	)
 	// The local z3333 anonymous token must be allowed to be forwarded to the login cluster
 	c.Check(err, check.IsNil)
+
+	userac1.AuthToken = "v2/z1111-gj3su-asdfasdfasdfasd/this-token-does-not-validate-so-anonymous-token-will-be-used-instead"
+	err = userac1.RequestAndDecode(&userList, "GET", "/arvados/v1/users", nil,
+		map[string]interface{}{
+			"reader_tokens": []string{anon3Auth.TokenV2()},
+			"where": where,
+		},
+	)
+	c.Check(err, check.IsNil)
 }
 
 // Get a token from the login cluster (z1111), use it to submit a
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index 726061a4ab..52922d32b1 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -131,7 +131,7 @@ class ApiClientAuthorization < ArvadosModel
       end
 
       # Usually, the secret is salted
-      salted_secret = OpenSSL::HMAC.hexdigest('sha1', secret, remote)
+      salted_secret = OpenSSL::HMAC.hexdigest('sha1', Rails.configuration.Users.AnonymousUserToken, remote)
 
       # The anonymous token could be specified as a full v2 token in the config,
       # but the config loader strips it down to the secret part.
--
2.30.2
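Review bot: The added request only asserts that no error comes back (`c.Check(err, check.IsNil)` at the end of the hunk), so the test would still pass if the deliberately invalid primary token were honoured or if the request succeeded through some path other than the anonymous `reader_tokens` entry; it does not pin the behaviour this commit is fixing. A second check on `userList` — that the result is what the z3333 anonymous user is permitted to see under the `where` filter set up earlier — would make a regression visible; the exact expectation depends on that setup, which is outside the hunk. The constructed token string also deserves a why-comment, e.g. `// primary token is deliberately invalid; the request must succeed via the anonymous token in reader_tokens`. TestForwardAnonymousTokenToLoginCluster starts before the hunk, so the definitions of userac1, userList, where and anon3Auth are not visible here.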
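Review bot: The replaced line now keys the HMAC on `Rails.configuration.Users.AnonymousUserToken`, but nothing in the hunk guards against that setting being absent: `OpenSSL::HMAC.hexdigest` raises a TypeError on a nil key, and an empty-string key still yields a well-defined digest that would then be treated as a legitimate salted secret. Unless the enclosing method already returns early when the anonymous token is unconfigured (the method starts and ends outside the hunk), a `blank?` check on the setting before this line would make that failure mode explicit rather than incidental. If the comparison of `secret` against `salted_secret` that follows this line is a plain `==`, `ActiveSupport::SecurityUtils.secure_compare` is the idiom for comparing credential material. The comment `# Usually, the secret is salted` would be clearer as `# Usually, the presented secret is the configured anonymous token salted with the remote cluster id` now that the key is the configured token rather than the presented one.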