[ARVADOS] updated: 2.1.0-2169-g03a058154
Git user
git at public.arvados.org
Mon Apr 4 15:00:35 UTC 2022
Summary of changes:
lib/controller/federation/conn.go | 8 +++++---
services/api/app/models/api_client_authorization.rb | 20 +++++---------------
2 files changed, 10 insertions(+), 18 deletions(-)
via 03a058154008f9c0bd8cfca0ab5ba891252a48d3 (commit)
from 402be7db4c5795a40bbf974cec3d1e31b0c1708f (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
commit 03a058154008f9c0bd8cfca0ab5ba891252a48d3
Author: Ward Vandewege <ward at curii.com>
Date: Mon Apr 4 11:00:25 2022 -0400
18887: address review comments.
Arvados-DCO-1.1-Signed-off-by: Ward Vandewege <ward at curii.com>
diff --git a/lib/controller/federation/conn.go b/lib/controller/federation/conn.go
index 2eabf4464..1b8ec9e64 100644
--- a/lib/controller/federation/conn.go
+++ b/lib/controller/federation/conn.go
@@ -75,9 +75,11 @@ func saltedTokenProvider(cluster *arvados.Cluster, local backend, remoteID strin
// If we did this, the login cluster would call back to us and then
// reject our response because the user UUID prefix (i.e., the
// LoginCluster prefix) won't match the token UUID prefix (i.e., our
- // prefix). The anonymous token is OK to forward, because it gets
- // mapped to the local anonymous token automatically on the login
- // cluster.
+ // prefix). The anonymous token is OK to forward, because (unlike other
+ // local tokens for real users) the validation callback will return the
+ // locally issued anonymous user ID instead of a login-cluster user ID.
+ // That anonymous user ID gets mapped to the local anonymous user
+ // automatically on the login cluster.
return nil, httpErrorf(http.StatusUnauthorized, "cannot use a locally issued token to forward a request to our login cluster (%s)", remoteID)
}
salted, err := auth.SaltToken(token, remoteID)
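Review bot: the rewritten comment says the anonymous token is OK to forward, but the only code visible in this hunk is the unconditional `return nil, httpErrorf(http.StatusUnauthorized, ...)`, and the condition that exempts the anonymous token sits above the hunk. Name that condition in the comment (e.g. "the check above lets the anonymous token through because ...") so a reader of this block can see which branch the exemption lives in rather than having to scroll up to the enclosing `if`.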
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index 3ef4d0e33..726061a4a 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -130,23 +130,13 @@ class ApiClientAuthorization < ArvadosModel
secret = token
end
- # the anonymous token could be specified as a full v2 token in the config
- case Rails.configuration.Users.AnonymousUserToken[0..2]
- when 'v2/'
- _, anon_token_uuid, anon_secret, anon_optional = Rails.configuration.Users.AnonymousUserToken.split('/')
- unless anon_token_uuid.andand.length == 27 && anon_secret.andand.length.andand > 0
- # invalid v2 token
- return nil
- end
- else
- # v1 token
- anon_secret = Rails.configuration.Users.AnonymousUserToken
- end
-
- salted_secret = OpenSSL::HMAC.hexdigest('sha1', anon_secret, remote)
+ # Usually, the secret is salted
+ salted_secret = OpenSSL::HMAC.hexdigest('sha1', secret, remote)
+ # The anonymous token could be specified as a full v2 token in the config,
+ # but the config loader strips it down to the secret part.
# The anonymous token content and minimum length is verified in lib/config
- if secret.length >= 0 && (secret == anon_secret || secret == salted_secret)
+ if secret.length >= 0 && (secret == Rails.configuration.Users.AnonymousUserToken || secret == salted_secret)
return ApiClientAuthorization.new(user: User.find_by_uuid(anonymous_user_uuid),
uuid: Rails.configuration.ClusterID+"-gj3su-anonymouspublic",
api_token: secret,
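Review bot: the new `salted_secret = OpenSSL::HMAC.hexdigest('sha1', secret, remote)` line computes the HMAC over the incoming `secret` instead of the configured anonymous token, so the later `secret == salted_secret` check compares a value with its own HMAC and can never be true; the removed code salted `anon_secret` for exactly this reason. This regresses acceptance of a salted anonymous token arriving from a remote cluster. Suggest `salted_secret = OpenSSL::HMAC.hexdigest('sha1', Rails.configuration.Users.AnonymousUserToken, remote)`. Separately, `secret.length >= 0` on the `if` line is always true for a string; if the intent is to reject an empty secret, use `> 0` (the comment above says the minimum length is checked in lib/config, but that covers the configured token, not the incoming one).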
More information about the arvados-commits mailing list