[ARVADOS] updated: 2.1.0-1875-g053f74285

Git user git at public.arvados.org
Fri Feb 11 17:46:45 UTC 2022


Summary of changes:
 doc/admin/upgrading.html.textile.liquid             |  2 +-
 doc/install/install-keep-web.html.textile.liquid    |  2 +-
 lib/config/load.go                                  | 16 +++++++++-------
 services/api/app/models/api_client_authorization.rb |  3 ++-
 4 files changed, 13 insertions(+), 10 deletions(-)

       via  053f74285455278bed87cd4b3dc0df2adffb3b9c (commit)
      from  ad2851bce9be401f8feac6570b3958ce93732cfd (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 053f74285455278bed87cd4b3dc0df2adffb3b9c
Author: Ward Vandewege <ward at curii.com>
Date:   Fri Feb 11 12:46:00 2022 -0500

    18676: move length check for AnonymousUserToken to lib/config, bring it
           in line with the other tokens, small tweaks from review comments.
    
    Arvados-DCO-1.1-Signed-off-by: Ward Vandewege <ward at curii.com>

diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid
index 9ad081292..05b932a11 100644
--- a/doc/admin/upgrading.html.textile.liquid
+++ b/doc/admin/upgrading.html.textile.liquid
@@ -41,7 +41,7 @@ h2(#main). development main (as of 2022-02-10)
 
 h3. Anonymous token changes
 
-The anonymous token configured in @Users.AnonymousUserToken@ must now be 50 characters or longer. This was already the suggestion in the documentation, now it is enforced. The @script/get_anonymous_user_token.rb@ script that was needed to register the anonymous user token in the database has been removed. Registration of the anonymous token is no longer necessary.
+The anonymous token configured in @Users.AnonymousUserToken@ must now be 32 characters or longer. This was already the suggestion in the documentation, now it is enforced. The @script/get_anonymous_user_token.rb@ script that was needed to register the anonymous user token in the database has been removed. Registration of the anonymous token is no longer necessary.
 
 h3. Preemptible instance types are used automatically, if any are configured
 
diff --git a/doc/install/install-keep-web.html.textile.liquid b/doc/install/install-keep-web.html.textile.liquid
index 4942c9607..1ba9fc522 100644
--- a/doc/install/install-keep-web.html.textile.liquid
+++ b/doc/install/install-keep-web.html.textile.liquid
@@ -107,7 +107,7 @@ h2(#update-config). Configure anonymous user token
 
 If you intend to use Keep-web to serve public data to anonymous clients, configure it with an anonymous token.
 
-Generate a random string (>= 50 characters long) and put it in the @config.yml@ file, in the @AnonymousUserToken@ field.
+Generate a random string (>= 32 characters long) and put it in the @config.yml@ file, in the @AnonymousUserToken@ field.
 
 <notextile>
 <pre><code>    Users:
diff --git a/lib/config/load.go b/lib/config/load.go
index c2eb55554..418a400e6 100644
--- a/lib/config/load.go
+++ b/lib/config/load.go
@@ -299,9 +299,10 @@ func (ldr *Loader) Load() (*arvados.Config, error) {
 		for _, err = range []error{
 			ldr.checkClusterID(fmt.Sprintf("Clusters.%s", id), id, false),
 			ldr.checkClusterID(fmt.Sprintf("Clusters.%s.Login.LoginCluster", id), cc.Login.LoginCluster, true),
-			ldr.checkToken(fmt.Sprintf("Clusters.%s.ManagementToken", id), cc.ManagementToken),
-			ldr.checkToken(fmt.Sprintf("Clusters.%s.SystemRootToken", id), cc.SystemRootToken),
-			ldr.checkToken(fmt.Sprintf("Clusters.%s.Collections.BlobSigningKey", id), cc.Collections.BlobSigningKey),
+			ldr.checkToken(fmt.Sprintf("Clusters.%s.ManagementToken", id), cc.ManagementToken, true),
+			ldr.checkToken(fmt.Sprintf("Clusters.%s.SystemRootToken", id), cc.SystemRootToken, true),
+			ldr.checkToken(fmt.Sprintf("Clusters.%s.Users.AnonymousUserToken", id), cc.Users.AnonymousUserToken, false),
+			ldr.checkToken(fmt.Sprintf("Clusters.%s.Collections.BlobSigningKey", id), cc.Collections.BlobSigningKey, true),
 			checkKeyConflict(fmt.Sprintf("Clusters.%s.PostgreSQL.Connection", id), cc.PostgreSQL.Connection),
 			ldr.checkEnum("Containers.LocalKeepLogsToContainerLog", cc.Containers.LocalKeepLogsToContainerLog, "none", "all", "errors"),
 			ldr.checkEmptyKeepstores(cc),
@@ -333,14 +334,15 @@ func (ldr *Loader) checkClusterID(label, clusterID string, emptyStringOk bool) e
 var acceptableTokenRe = regexp.MustCompile(`^[a-zA-Z0-9]+$`)
 var acceptableTokenLength = 32
 
-func (ldr *Loader) checkToken(label, token string) error {
-	if token == "" {
+func (ldr *Loader) checkToken(label, token string, mandatory bool) error {
+	// when a token is not mandatory, the acceptable length and content is only checked if its length is non-zero
+	if mandatory && token == "" {
 		if ldr.Logger != nil {
 			ldr.Logger.Warnf("%s: secret token is not set (use %d+ random characters from a-z, A-Z, 0-9)", label, acceptableTokenLength)
 		}
-	} else if !acceptableTokenRe.MatchString(token) {
+	} else if (mandatory || len(token) > 0) && !acceptableTokenRe.MatchString(token) {
 		return fmt.Errorf("%s: unacceptable characters in token (only a-z, A-Z, 0-9 are acceptable)", label)
-	} else if len(token) < acceptableTokenLength {
+	} else if (mandatory || len(token) > 0) && len(token) < acceptableTokenLength {
 		if ldr.Logger != nil {
 			ldr.Logger.Warnf("%s: token is too short (should be at least %d characters)", label, acceptableTokenLength)
 		}
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index f4bf4f069..a6beaa07a 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -124,7 +124,8 @@ class ApiClientAuthorization < ArvadosModel
       secret = token
     end
 
-    if secret.length >= 50 and secret == Rails.configuration.Users.AnonymousUserToken
+    # The anonymous token content and minimum length is verified in lib/config
+    if secret.length >= 0 && secret == Rails.configuration.Users.AnonymousUserToken
       return ApiClientAuthorization.new(user: User.find_by_uuid(anonymous_user_uuid),
                                         uuid: Rails.configuration.ClusterID+"-gj3su-anonymouspublic",
                                         api_token: token,
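Review bot: `secret.length >= 0` is always true, so the condition collapses to `secret == Rails.configuration.Users.AnonymousUserToken`; the previous `>= 50` floor incidentally guaranteed that an unset (empty) AnonymousUserToken could never match, and lib/config now accepts an empty value for this token because it is checked as non-mandatory (lib/config/load.go hunk, `ldr.checkToken(..., cc.Users.AnonymousUserToken, false)`). If `secret` can be empty at this point (the start of the method is outside the hunk), an empty configured token would hand out the anonymous user's authorization; guarding on the configured value instead avoids that, e.g. `if Rails.configuration.Users.AnonymousUserToken.present? && secret == Rails.configuration.Users.AnonymousUserToken`. The new comment also overstates lib/config: it only warns on a short token (error is returned for unacceptable characters), so "minimum length is verified" should read "minimum length is checked (warning only)". Since the comparison is against a secret, `ActiveSupport::SecurityUtils.secure_compare` would be the defensive choice here, though that predates this change.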

-----------------------------------------------------------------------

