authorJay Mundrawala <jdmundrawala@gmail.com>2015-11-19 09:36:12 -0800
committerJay Mundrawala <jdmundrawala@gmail.com>2015-11-19 09:36:12 -0800
commitc3825f6d5293eddcdbd3c49e48e10a34ad3b6d36 (patch)
treec062818c2c0fd211f97f4c2c1658f82c2b806a44
parent09cd994c9094054d5a9efe8c2f7efbdf22cd7d64 (diff)
downloadchef-jdm/sign-v1.3.tar.gz
Add sign v1.3jdm/sign-v1.3
-rw-r--r--Gemfile1
-rw-r--r--chef-config/lib/chef-config/config.rb8
-rw-r--r--lib/chef/client.rb8
-rw-r--r--lib/chef/http/authenticator.rb12
-rw-r--r--lib/chef/knife.rb6
5 files changed, 17 insertions, 18 deletions
diff --git a/Gemfile b/Gemfile
index 1bc5c79675..5270b14ee0 100644
--- a/Gemfile
+++ b/Gemfile
@@ -4,6 +4,7 @@ gemspec :name => "chef"
gem "activesupport", "< 4.0.0", :group => :compat_testing, :platform => "ruby"
gem 'chef-config', path: "chef-config" if File.exists?(__FILE__ + '../chef-config')
+gem 'mixlib-authentication', git: 'https://github.com/chef/mixlib-authentication', branch: 'jdm/sign-v1.3-x-ops-server-api-version'
group(:docgen) do
gem "yard"
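Review bot: The added `mixlib-authentication` line tracks a git branch, which is a moving reference: a `bundle install` without a lockfile, or any `bundle update`, resolves to whatever the branch head is at that moment, so the code that signs requests can change with no change in this repository. Pin it to a commit with `ref: '<commit-sha>'` until a released gem version carries the 1.3 signing support, then replace the git source with a version constraint. The Gemfile override only affects Bundler-based runs; whether the gemspec constraint was raised is not visible in this diff, so an installed gem may still resolve an older mixlib-authentication.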
diff --git a/chef-config/lib/chef-config/config.rb b/chef-config/lib/chef-config/config.rb
index 4e9355192a..755ec85a93 100644
--- a/chef-config/lib/chef-config/config.rb
+++ b/chef-config/lib/chef-config/config.rb
@@ -446,7 +446,13 @@ module ChefConfig
#
# In the future, this configuration option may be replaced with an
# automatic negotiation scheme.
- default :authentication_protocol_version, "1.0"
+ default :authentication_protocol_version do
+ if OpenSSL::OPENSSL_FIPS
+ "1.3"
+ else
+ "1.1"
+ end
+ end
# This key will be used to sign requests to the Chef server. This location
# must be writable by Chef during initial setup when generating a client
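Review bot: `OpenSSL::OPENSSL_FIPS` in the new default block reports whether the linked OpenSSL was built with FIPS support, not whether FIPS mode is enabled for this process, so a FIPS-capable build running in normal mode will also default to "1.3". If the intent is "1.3 only when FIPS is enforced", the condition should key off the runtime mode or an explicit Chef setting. If the intent is "1.3 whenever the library can", say so in a comment such as `# FIPS-capable OpenSSL builds default to 1.3; all others use 1.1`. The comment block above the default, as far as the hunk shows, does not mention 1.3 or what a server must support to accept it, and with no negotiation a client defaulting to 1.3 against an older server would presumably fail authentication.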
diff --git a/lib/chef/client.rb b/lib/chef/client.rb
index b2a00a7d01..3cf92b2a9a 100644
--- a/lib/chef/client.rb
+++ b/lib/chef/client.rb
@@ -567,14 +567,6 @@ class Chef
raise Chef::Exceptions::CannotDetermineNodeName unless name
- # node names > 90 bytes only work with authentication protocol >= 1.1
- # see discussion in config.rb.
- # TODO use a computed default in Chef::Config to determine this instead of
- # setting it.
- if name.bytesize > 90
- Chef::Config[:authentication_protocol_version] = "1.1"
- end
-
name
end
diff --git a/lib/chef/http/authenticator.rb b/lib/chef/http/authenticator.rb
index bffa9c4b3a..1bcc5c8619 100644
--- a/lib/chef/http/authenticator.rb
+++ b/lib/chef/http/authenticator.rb
@@ -47,8 +47,8 @@ class Chef
end
def handle_request(method, url, headers={}, data=false)
- headers.merge!(authentication_headers(method, url, data)) if sign_requests?
headers.merge!({'X-Ops-Server-API-Version' => @api_version})
+ headers.merge!(authentication_headers(method, url, data, headers)) if sign_requests?
[method, url, headers, data]
end
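Review bot: The order of the two `merge!` calls in handle_request is now load-bearing and nothing in the code says so: the API version header has to be in `headers` before `authentication_headers` runs so the signer can see it. Add a comment above the first merge such as `# Must precede signing: the signer is handed these headers (see authentication_headers).` Header keys in a Ruby Hash are case-sensitive, so if a caller has already supplied the same header under different casing, both entries reach the signer and the wire; it is worth confirming which one the signing library reads.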
@@ -90,8 +90,14 @@ class Chef
raise Chef::Exceptions::InvalidPrivateKey, msg
end
- def authentication_headers(method, url, json_body=nil)
- request_params = {:http_method => method, :path => url.path, :body => json_body, :host => "#{url.host}:#{url.port}"}
+ def authentication_headers(method, url, json_body=nil, headers=nil)
+ request_params = {
+ :http_method => method,
+ :path => url.path,
+ :body => json_body,
+ :host => "#{url.host}:#{url.port}",
+ :headers => headers
+ }
request_params[:body] ||= ""
auth_credentials.signature_headers(request_params)
end
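Review bot: With `headers=nil` as the default, any caller still using the three-argument form hands `:headers => nil` to `signature_headers`. Under protocol 1.3 that presumably either raises inside the signer or yields a signature that omits the version header. Defaulting to an empty hash keeps the signer's input shape constant, either `def authentication_headers(method, url, json_body=nil, headers={})` or `:headers => headers || {}`. Since the whole request header hash is passed through, a one-line comment on the new key stating which headers the signer is expected to read would help the next reader.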
diff --git a/lib/chef/knife.rb b/lib/chef/knife.rb
index 6fa29bea16..59e15d492b 100644
--- a/lib/chef/knife.rb
+++ b/lib/chef/knife.rb
@@ -385,12 +385,6 @@ class Chef
Mixlib::Log::Formatter.show_time = false
Chef::Log.init(Chef::Config[:log_location])
Chef::Log.level(Chef::Config[:log_level] || :error)
-
- if Chef::Config[:node_name] && Chef::Config[:node_name].bytesize > 90
- # node names > 90 bytes only work with authentication protocol >= 1.1
- # see discussion in config.rb.
- Chef::Config[:authentication_protocol_version] = "1.1"
- end
end
def configure_chef