Fully opt-in organization token support

[mcg1969]

This addition allows anaconda_anon_usage to be used to help disaggregate usage from an organization while still preserving per-user anonymity. This is a 100% opt-in option that requires explicit action by someone with system administrator privileges.

To use it, an administrator would deposit a short token in a system location, presumably with MDM software.

• Unix: /etc/conda/org_token or /var/lib/conda/org_token
• Windows: C:\ProgramData\conda\org_token

If this token is present, it overrides the anaconda_anon_usage: disable option, and it adds as an additional token to the user agent, prefixed by "o/"; e.g.

conda/24.9.2 requests/2.31.0 CPython/3.12.3 Darwin/23.6.0 OSX/14.7.1 solver/libmamba conda-libmamba-solver/24.1.0 libmambapy/1.5.8 aau/0.4.4 c/ajvwtgobUyzBuGWQufY00B s/1ZgH7Vyy_1AR3ph8AH2CIg e/BbZF49u-mQBZmbIG9jiRBA o/V3X8_3UEWQhu1t4ZUD8IDg

Placing this token in a system location accomplishes multiple goals.

• First, this is something that requires administrator privileges to install. Normal users will not write there; in particular, this package will not write the token there.
• Similarly, it cannot be deliberately or accidentally removed by a non-admin user, which is something that could happen if it is installed in a user directory.
• It can be installed without having conda installed, where it remains unused unless Anaconda is installed. This should simplify the integration of the token into a laptop provisioning program.

I'm going to run this by my co-author

[mcg1969]

@jezdez this is a new capability for anaconda-anon-usage that does not alter the functionality for our community users, but enables a system administrator to add an organization token by including it in a standard system location.

[jezdez]

@mcg1969 I'll be able to take a look Monday

[mcg1969]

oh of course! it's definitely not more urgent than that

[mcg1969]

Here is an example script that organizations might use to install an organization token onto their Mac / Linux boxes using an asset management system.

https://gist.github.com/mcg1969/3ec99570b7ba5d4d263499f1756ed4fd

Example run:

$ sudo bash save_conda_id.sh test_token
-------------------------
Anaconda Token Installer
-------------------------
File: /etc/conda/org_token
Reading...Updating...Verifying...done.
-------------------------
$ cat /etc/conda/org_token 
test_token

[jezdez]

Left a few clarifying comments, nothing jumps at me except for the change of activation procedure of the plugin (the system org-token exemption).

[mcg1969]

@jezdez I realized that there would be a simpler way to manage this if I had had the foresight—and that would be to change the anaconda_anon_usage config parameter to be a bool or str, similar to verify_ssl. So its values would be:

• true (no org token, but all others)
• false or empty string (no tokens at all)
• a non-empty string (the string is an org token)

If I do that, then I can just leverage the standard configuration priority mechanism; e.g., by putting anaconda_anon_usage: TOKEN in /etc/conda/.condarc

This would work great except it would break existing installations of anaconda_anon_usage, unfortunately. I tried it, and putting a non-bool string in that config value breaks conda.