[ARVADOS] updated: 2.1.0-1876-g629cd91ff

Git user git at public.arvados.org
Mon Feb 14 18:59:57 UTC 2022


Summary of changes:
 services/api/app/models/api_client_authorization.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

  discards  ed819c31e008c296d9780747d54ba716708d451c (commit)
       via  629cd91ffca67d6de5ad4dbe9854a064f9e26820 (commit)



commit 629cd91ffca67d6de5ad4dbe9854a064f9e26820
Author: Ward Vandewege <ward at curii.com>
Date:   Mon Feb 14 12:43:15 2022 -0500

    18676: more tweaks after review comments: clarify logic in checkToken
           (lib/config/load.go), and make sure that we also check the uuid
           when we match the anonymous user token, when it is supplied as
           a V2 token.
    
    Arvados-DCO-1.1-Signed-off-by: Ward Vandewege <ward at curii.com>

diff --git a/lib/config/load.go b/lib/config/load.go
index 418a400e6..aa7520ca2 100644
--- a/lib/config/load.go
+++ b/lib/config/load.go
@@ -335,14 +335,18 @@ var acceptableTokenRe = regexp.MustCompile(`^[a-zA-Z0-9]+$`)
 var acceptableTokenLength = 32
 
 func (ldr *Loader) checkToken(label, token string, mandatory bool) error {
-	// when a token is not mandatory, the acceptable length and content is only checked if its length is non-zero
-	if mandatory && token == "" {
-		if ldr.Logger != nil {
-			ldr.Logger.Warnf("%s: secret token is not set (use %d+ random characters from a-z, A-Z, 0-9)", label, acceptableTokenLength)
+	if len(token) == 0 {
+		if !mandatory {
+			// when a token is not mandatory, the acceptable length and content is only checked if its length is non-zero
+			return nil
+		} else {
+			if ldr.Logger != nil {
+				ldr.Logger.Warnf("%s: secret token is not set (use %d+ random characters from a-z, A-Z, 0-9)", label, acceptableTokenLength)
+			}
 		}
-	} else if (mandatory || len(token) > 0) && !acceptableTokenRe.MatchString(token) {
+	} else if !acceptableTokenRe.MatchString(token) {
 		return fmt.Errorf("%s: unacceptable characters in token (only a-z, A-Z, 0-9 are acceptable)", label)
-	} else if (mandatory || len(token) > 0) && len(token) < acceptableTokenLength {
+	} else if len(token) < acceptableTokenLength {
 		if ldr.Logger != nil {
 			ldr.Logger.Warnf("%s: token is too short (should be at least %d characters)", label, acceptableTokenLength)
 		}
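Review bot: The `else` introduced after `return nil` nests the mandatory-token warning one level deeper than needed; since the `!mandatory` branch returns, the same logic reads better as `if !mandatory {` / `return nil` / `}` followed by the `if ldr.Logger != nil` warning as a plain statement. The more important point is the asymmetry the rewrite preserves: an unset mandatory secret and a token shorter than acceptableTokenLength only log a warning (and only when a Logger is set) while control falls through, whereas a disallowed character is a hard error. If that is intentional, checkToken deserves a doc comment saying so, e.g. `// checkToken returns an error only when token contains characters outside [a-zA-Z0-9]; an unset mandatory token or a short token is logged as a warning, and an unset non-mandatory token is accepted silently.` checkToken's body continues past the end of this hunk, so what it returns after the warning cannot be confirmed here.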
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index a6beaa07a..f8454029d 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -115,8 +115,9 @@ class ApiClientAuthorization < ArvadosModel
     case token[0..2]
     when 'v2/'
       _, token_uuid, secret, optional = token.split('/')
-      unless token_uuid.andand.length == 27 && secret.andand.length.andand > 0
-        # invalid token
+      unless token_uuid.andand.length == 27 && secret.andand.length.andand > 0 &&
+             token_uuid == Rails.configuration.ClusterID+"-gj3su-anonymouspublic"
+        # invalid v2 token, or v2 token for another user
         return nil
       end
     else
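Review bot: With the new equality test against `Rails.configuration.ClusterID+"-gj3su-anonymouspublic"`, the preceding `token_uuid.andand.length == 27` check is redundant (equality can only hold for that exact string, and a nil `token_uuid` still fails the comparison), so the guard can be reduced to `unless token_uuid == Rails.configuration.ClusterID + "-gj3su-anonymouspublic" && secret.andand.length.andand > 0`. The `-gj3su-anonymouspublic` suffix is a magic string here; if the code base already exposes the anonymous user's UUID, reference that rather than rebuilding it inline, and add spaces around `+` per Ruby style. The comparison of `secret` against the configured anonymous token happens outside this hunk; presumably it is a secret compare and should use a constant-time comparison such as `ActiveSupport::SecurityUtils.secure_compare` if it does not already. The enclosing method starts before and ends after this hunk.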
