From e7b749c937b70f388111d008eca4631787768a30 Mon Sep 17 00:00:00 2001 From: Ward Vandewege Date: Mon, 28 Mar 2022 16:18:16 -0400 Subject: [PATCH] 18887: undo the warning introduced in 18676 if a v2 anonymous token is supplied in the config file, using a v2 anonymous token is now fine. Also add a config loader check for the minimum secret length if a v2 token is acceptable. refs #18887, #18676 Arvados-DCO-1.1-Signed-off-by: Ward Vandewege
---
 doc/admin/upgrading.html.textile.liquid | 2 +- lib/config/load.go | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid
index 1ed3b694ce..97f6ce2f89 100644
--- a/doc/admin/upgrading.html.textile.liquid
+++ b/doc/admin/upgrading.html.textile.liquid
@@ -46,7 +46,7 @@ The minimum supported Ruby version is now 2.6. If you are running Arvados on De
 h3. Anonymous token changes
-The anonymous token configured in @Users.AnonymousUserToken@ must now be 32 characters or longer. This was already the suggestion in the documentation, now it is enforced. The @script/get_anonymous_user_token.rb@ script that was needed to register the anonymous user token in the database has been removed. Registration of the anonymous token is no longer necessary. If the anonymous token in @config.yml@ is specified as a full V2 token, that will now generate a warning - it should be updated to list just the secret (i.e. the part after the last forward slash).
+The anonymous token configured in @Users.AnonymousUserToken@ must now be 32 characters or longer. This was already the suggestion in the documentation, now it is enforced. The @script/get_anonymous_user_token.rb@ script that was needed to register the anonymous user token in the database has been removed. Registration of the anonymous token is no longer necessary.
 h3. Preemptible instance support changes
diff --git a/lib/config/load.go b/lib/config/load.go
index de43b9d2e2..5afb51c5ad 100644
--- a/lib/config/load.go
+++ b/lib/config/load.go
@@ -369,10 +369,12 @@ func (ldr *Loader) checkToken(label, token string, mandatory bool, acceptV2 bool
 if !strings.HasPrefix(token, "v2/") {
 return fmt.Errorf("%s: unacceptable characters in token (only a-z, A-Z, 0-9 are acceptable)", label)
 }
- ldr.Logger.Warnf("%s: token is a full V2 token, should just be a secret (remove everything up to and including the last forward slash)", label)
 if !acceptableTokenRe.MatchString(tmp[2]) {
 return fmt.Errorf("%s: unacceptable characters in V2 token secret (only a-z, A-Z, 0-9 are acceptable)", label)
 }
+ if len(tmp[2]) < acceptableTokenLength {
+ ldr.Logger.Warnf("%s: secret is too short (should be at least %d characters)", label, acceptableTokenLength)
+ }
 } else if len(token) < acceptableTokenLength {
 if ldr.Logger != nil {
 ldr.Logger.Warnf("%s: token is too short (should be at least %d characters)", label, acceptableTokenLength)
--
2.30.2
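Review bot: The added `ldr.Logger.Warnf` call in the V2 branch is not guarded against a nil logger, while the `else if` branch directly below it checks `ldr.Logger != nil` before logging; if a Loader can exist without a Logger, as that guard suggests, a short V2 secret would trigger a nil dereference during config load. Folding the guard into the condition keeps the two branches consistent: `if len(tmp[2]) < acceptableTokenLength && ldr.Logger != nil {`. Separately, the upgrade notes in this patch say the 32-character minimum is enforced, but for a V2 token the visible code only logs a warning and continues, so a short anonymous secret still appears to be accepted; returning an error here, or softening the doc wording, would make the two agree. checkToken starts and ends outside the hunk, so how `tmp` is built and what follows the warning are not visible here.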