[ARVADOS] updated: 2.1.0-2168-g402be7db4
Git user
git at public.arvados.org
Fri Apr 1 18:10:30 UTC 2022
Summary of changes:
.../api/app/models/api_client_authorization.rb | 23 ++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
via 402be7db4c5795a40bbf974cec3d1e31b0c1708f (commit)
from b8fbe615b87f04fe7cd1e1ad277a11b62aed0db0 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 402be7db4c5795a40bbf974cec3d1e31b0c1708f
Author: Ward Vandewege <ward at curii.com>
Date: Fri Apr 1 14:09:36 2022 -0400
18887: self.check_anonymous_user_token can now handle a full V2 token in
the config file. It can also verify a salted anonymous token.
Arvados-DCO-1.1-Signed-off-by: Ward Vandewege <ward at curii.com>
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index 993a49e5b..3ef4d0e33 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -116,7 +116,7 @@ class ApiClientAuthorization < ArvadosModel
clnt
end
- def self.check_anonymous_user_token token
+ def self.check_anonymous_user_token(token:, remote:)
case token[0..2]
when 'v2/'
_, token_uuid, secret, optional = token.split('/')
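Review bot: changing the signature to required keyword arguments (`token:`, `remote:`) means any remaining caller that passes the token positionally will raise ArgumentError at runtime; the one call site in this file is updated in the hunk at line 172, so confirm there are no other callers (tests included) before merging.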
@@ -130,11 +130,26 @@ class ApiClientAuthorization < ArvadosModel
secret = token
end
+ # the anonymous token could be specified as a full v2 token in the config
+ case Rails.configuration.Users.AnonymousUserToken[0..2]
+ when 'v2/'
+ _, anon_token_uuid, anon_secret, anon_optional = Rails.configuration.Users.AnonymousUserToken.split('/')
+ unless anon_token_uuid.andand.length == 27 && anon_secret.andand.length.andand > 0
+ # invalid v2 token
+ return nil
+ end
+ else
+ # v1 token
+ anon_secret = Rails.configuration.Users.AnonymousUserToken
+ end
+
+ salted_secret = OpenSSL::HMAC.hexdigest('sha1', anon_secret, remote)
+
# The anonymous token content and minimum length is verified in lib/config
- if secret.length >= 0 && secret == Rails.configuration.Users.AnonymousUserToken
+ if secret.length >= 0 && (secret == anon_secret || secret == salted_secret)
return ApiClientAuthorization.new(user: User.find_by_uuid(anonymous_user_uuid),
uuid: Rails.configuration.ClusterID+"-gj3su-anonymouspublic",
- api_token: token,
+ api_token: secret,
api_client: anonymous_user_token_api_client,
scopes: ['GET /'])
else
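Review bot: the comparison `secret == anon_secret || secret == salted_secret` uses plain String equality, which returns at the first differing byte; for a bearer secret and an HMAC digest prefer `ActiveSupport::SecurityUtils.secure_compare` on both branches. `anon_token_uuid` is length-checked but never compared with the `token_uuid` parsed from the presented token, and `anon_optional` is never used, so either compare the uuid as well or drop those variables. Note also that `secret.length >= 0` is always true for a String and adds nothing to the condition, and that an unset `AnonymousUserToken` now raises NoMethodError on `[0..2]` where the old code simply failed the equality check; a guard on the config value before the `case` would keep the previous behaviour.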
@@ -157,7 +172,7 @@ class ApiClientAuthorization < ArvadosModel
return nil if token.nil? or token.empty?
remote ||= Rails.configuration.ClusterID
- auth = self.check_anonymous_user_token(token)
+ auth = self.check_anonymous_user_token(token: token, remote: remote)
if !auth.nil?
return auth
end
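Review bot: because `remote ||= Rails.configuration.ClusterID` runs just before this call, `check_anonymous_user_token` always receives a non-nil remote and the local cluster ID becomes the HMAC salt for requests that carry no remote; that intent is not documented at either end. A short comment on the `remote:` parameter, and a test exercising both a local and a remotely salted anonymous token, would make it explicit.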
-----------------------------------------------------------------------
hooks/post-receive