From 1bba4c5118408eb082664db67a194950a3bd84cb Mon Sep 17 00:00:00 2001
From: Aliaksandr Valialkin <valyala@victoriametrics.com>
Date: Wed, 30 Aug 2023 14:08:47 +0200
Subject: [PATCH] lib/auth: add NewTokenPossibleMultitenant() for parsing auth
 token, which can be multitenant

Disallow parsing multitenant token at auth.NewToken().

Use auth.NewTokenPossibleMultitenant() at vminsert only. All the other callers should call auth.NewToken(),
since they do not support multitenant token.

This is a follow-up for f0c06b428e5c794705fb1f70a7392b3f2920f7e0

Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/4910
---
 lib/auth/auth.go      | 15 ++++++++++-----
 lib/auth/auth_test.go | 20 ++++++++++++++++++++
 2 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/lib/auth/auth.go b/lib/auth/auth.go
index 38e235448..9a7a4346f 100644
--- a/lib/auth/auth.go
+++ b/lib/auth/auth.go
@@ -24,12 +24,7 @@ func (t *Token) String() string {
 }
 
 // NewToken returns new Token for the given authToken.
-//
-// If authToken == "multitenant", then nil Token is returned.
 func NewToken(authToken string) (*Token, error) {
-	if authToken == "multitenant" {
-		return nil, nil
-	}
 	var t Token
 	if err := t.Init(authToken); err != nil {
 		return nil, err
@@ -37,6 +32,16 @@ func NewToken(authToken string) (*Token, error) {
 	return &t, nil
 }
 
+// NewTokenPossibleMultitenant returns new Token for the given authToken.
+//
+// If authToken == "multitenant", then nil Token is returned.
+func NewTokenPossibleMultitenant(authToken string) (*Token, error) {
+	if authToken == "multitenant" {
+		return nil, nil
+	}
+	return NewToken(authToken)
+}
+
 // Init initializes t from authToken.
 func (t *Token) Init(authToken string) error {
 	tmp := strings.Split(authToken, ":")
diff --git a/lib/auth/auth_test.go b/lib/auth/auth_test.go
index eddf1c6fe..49f8ca765 100644
--- a/lib/auth/auth_test.go
+++ b/lib/auth/auth_test.go
@@ -26,6 +26,24 @@ func TestNewTokenSuccess(t *testing.T) {
 	f("1:4294967295", "1:4294967295")
 	// max uint32 accountID and projectID
 	f("4294967295:4294967295", "4294967295:4294967295")
+}
+
+func TestNewTokenPossibleMultitenantSuccess(t *testing.T) {
+	f := func(token string, want string) {
+		t.Helper()
+		newToken, err := NewTokenPossibleMultitenant(token)
+		if err != nil {
+			t.Fatalf("unexpected error: %s", err)
+		}
+		got := newToken.String()
+		if got != want {
+			t.Fatalf("unexpected NewToken() result;got\n%s\nwant\n%s", got, want)
+		}
+	}
+	// token with accountID only
+	f("1", "1")
+	// token with accountID and projecTID
+	f("1:2", "1:2")
 	// multitenant
 	f("multitenant", "multitenant")
 }
@@ -75,4 +93,6 @@ func TestNewTokenFailure(t *testing.T) {
 	f("a:b:c")
 	// many int parts in the token"
 	f("1:2:3")
+	// multitenant
+	f("multitenant")
 }