[ARVADOS] updated: 2.1.0-1876-ged819c31e

Git user git at public.arvados.org
Mon Feb 14 17:43:24 UTC 2022 

Summary of changes:
 lib/config/load.go                                  | 16 ++++++++++------
 services/api/app/models/api_client_authorization.rb |  4 ++--
 2 files changed, 12 insertions(+), 8 deletions(-)

       via  ed819c31e008c296d9780747d54ba716708d451c (commit)
      from  053f74285455278bed87cd4b3dc0df2adffb3b9c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit ed819c31e008c296d9780747d54ba716708d451c
Author: Ward Vandewege <ward at curii.com>
Date:   Mon Feb 14 12:43:15 2022 -0500

    18676: more tweaks after review comments: clarify logic in checkToken
           (lib/config/load.go), and make sure that we also check the uuid
           when we match the anonymous user token, when it is supplied as
           a V2 token.
    
    Arvados-DCO-1.1-Signed-off-by: Ward Vandewege <ward at curii.com>

diff --git a/lib/config/load.go b/lib/config/load.go
index 418a400e6..aa7520ca2 100644
--- a/lib/config/load.go
+++ b/lib/config/load.go
@@ -335,14 +335,18 @@ var acceptableTokenRe = regexp.MustCompile(`^[a-zA-Z0-9]+$`)
 var acceptableTokenLength = 32
 
 func (ldr *Loader) checkToken(label, token string, mandatory bool) error {
-	// when a token is not mandatory, the acceptable length and content is only checked if its length is non-zero
-	if mandatory && token == "" {
-		if ldr.Logger != nil {
-			ldr.Logger.Warnf("%s: secret token is not set (use %d+ random characters from a-z, A-Z, 0-9)", label, acceptableTokenLength)
+	if len(token) == 0 {
+		if !mandatory {
+			// when a token is not mandatory, the acceptable length and content is only checked if its length is non-zero
+			return nil
+		} else {
+			if ldr.Logger != nil {
+				ldr.Logger.Warnf("%s: secret token is not set (use %d+ random characters from a-z, A-Z, 0-9)", label, acceptableTokenLength)
+			}
 		}
-	} else if (mandatory || len(token) > 0) && !acceptableTokenRe.MatchString(token) {
+	} else if !acceptableTokenRe.MatchString(token) {
 		return fmt.Errorf("%s: unacceptable characters in token (only a-z, A-Z, 0-9 are acceptable)", label)
-	} else if (mandatory || len(token) > 0) && len(token) < acceptableTokenLength {
+	} else if len(token) < acceptableTokenLength {
 		if ldr.Logger != nil {
 			ldr.Logger.Warnf("%s: token is too short (should be at least %d characters)", label, acceptableTokenLength)
 		}
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index a6beaa07a..3faa05fa7 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -115,8 +115,8 @@ class ApiClientAuthorization < ArvadosModel
     case token[0..2]
     when 'v2/'
       _, token_uuid, secret, optional = token.split('/')
-      unless token_uuid.andand.length == 27 && secret.andand.length.andand > 0
-        # invalid token
+      unless token_uuid.andand.length == 27 && secret.andand.length.andand > 0 && token_uuid == anonymous_user_uuid
+        # not the anonymous user v2 token, or invalid token
         return nil
       end
     else

-----------------------------------------------------------------------


hooks/post-receive
--

More information about the arvados-commits mailing list