authorJay Mundrawala <jdmundrawala@gmail.com>2015-12-11 09:08:27 -0800
committerJay Mundrawala <jdmundrawala@gmail.com>2015-12-11 09:08:27 -0800
commit7bcd87fa3256d5b8a6e669975d632eb60003426c (patch)
tree6811e6dea378086e31c47daae1524aa839fa8e1b
parent0388ad29f61e9816202b8b4ce5629511f48986e5 (diff)
parent8d718172dc3c1ce186f6e48efe514d7d566006cb (diff)
downloadchef-7bcd87fa3256d5b8a6e669975d632eb60003426c.tar.gz
Merge pull request #4273 from chef/jdm/default-auth-1.1
Use signing protocol 1.1 by default
-rw-r--r--chef-config/lib/chef-config/config.rb15
-rw-r--r--lib/chef/client.rb12
-rw-r--r--lib/chef/knife.rb6
-rw-r--r--spec/unit/client_spec.rb22
-rw-r--r--spec/unit/rest/auth_credentials_spec.rb43
5 files changed, 25 insertions, 73 deletions
diff --git a/chef-config/lib/chef-config/config.rb b/chef-config/lib/chef-config/config.rb
index 113bf481ff..870dd8273c 100644
--- a/chef-config/lib/chef-config/config.rb
+++ b/chef-config/lib/chef-config/config.rb
@@ -444,19 +444,8 @@ module ChefConfig
# Sets the version of the signed header authentication protocol to use (see
# the 'mixlib-authorization' project for more detail). Currently, versions
- # 1.0 and 1.1 are available; however, the chef-server must first be
- # upgraded to support version 1.1 before clients can begin using it.
- #
- # Version 1.1 of the protocol is required when using a `node_name` greater
- # than ~90 bytes (~90 ascii characters), so chef-client will automatically
- # switch to using version 1.1 when `node_name` is too large for the 1.0
- # protocol. If you intend to use large node names, ensure that your server
- # supports version 1.1. Automatic detection of large node names means that
- # users will generally not need to manually configure this.
- #
- # In the future, this configuration option may be replaced with an
- # automatic negotiation scheme.
- default :authentication_protocol_version, "1.0"
+ # 1.0 and 1.1 are available.
+ default :authentication_protocol_version, "1.1"
# This key will be used to sign requests to the Chef server. This location
# must be writable by Chef during initial setup when generating a client
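Review bot: The rewritten comment above the new `default :authentication_protocol_version, "1.1"` drops the operational caveat that mattered most: a Chef server that only accepts protocol 1.0 will now reject every request from a client running this default, and the only remedy is pinning `"1.0"` in the client config. The removed text also carried the one documented hard constraint (node names over ~90 bytes only work with 1.1), and the automatic switch that used to enforce it is deleted elsewhere in this PR, so someone pinning 1.0 for an old server has no hint left in this file. I would keep a short version of both points, e.g. `# 1.0 and 1.1 are available; 1.1 is the default. Set "1.0" only for servers that do not accept 1.1,` / `# and note that node names longer than ~90 bytes are only usable with 1.1 (no automatic switch is made).` Whether current servers still enforce the 90-byte limit is not visible here, so phrase it as a limitation of 1.0 rather than of the server.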
diff --git a/lib/chef/client.rb b/lib/chef/client.rb
index b2a00a7d01..6ac5cecbdf 100644
--- a/lib/chef/client.rb
+++ b/lib/chef/client.rb
@@ -550,14 +550,10 @@ class Chef
# - ohai[:machinename]
# - ohai[:hostname]
#
- # If we are running against a server with authentication protocol < 1.0, we
- # *require* authentication protocol version 1.1.
- #
# @raise [Chef::Exceptions::CannotDetermineNodeName] If the node name is not
# set and cannot be determined via ohai.
#
# @see Chef::Config#node_name
- # @see Chef::Config#authentication_protocol_version
#
# @api private
#
@@ -567,14 +563,6 @@ class Chef
raise Chef::Exceptions::CannotDetermineNodeName unless name
- # node names > 90 bytes only work with authentication protocol >= 1.1
- # see discussion in config.rb.
- # TODO use a computed default in Chef::Config to determine this instead of
- # setting it.
- if name.bytesize > 90
- Chef::Config[:authentication_protocol_version] = "1.1"
- end
-
name
end
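Review bot: Removing the `name.bytesize > 90` upgrade means a node name over 90 bytes combined with an explicitly pinned `authentication_protocol_version` of `"1.0"` now goes out unchanged, and the deleted comment says such requests only work with 1.1, so the failure will surface as an opaque authentication error from the server rather than a clear message. Since the getter no longer has a side effect (the removal itself is welcome), a cheap diagnostic in its place would keep the old behaviour discoverable: `if name.bytesize > 90 && Chef::Config[:authentication_protocol_version] == "1.0"` / `Chef::Log.warn("node_name is longer than 90 bytes; authentication protocol 1.0 will not work, set authentication_protocol_version to 1.1")` / `end`. I cannot see whether the 90-byte limit still applies to current servers, so the warning wording should stay conditional. The enclosing `node_name` method begins before this hunk.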
diff --git a/lib/chef/knife.rb b/lib/chef/knife.rb
index 5df24faa11..2820f58e85 100644
--- a/lib/chef/knife.rb
+++ b/lib/chef/knife.rb
@@ -385,12 +385,6 @@ class Chef
Mixlib::Log::Formatter.show_time = false
Chef::Log.init(Chef::Config[:log_location])
Chef::Log.level(Chef::Config[:log_level] || :error)
-
- if Chef::Config[:node_name] && Chef::Config[:node_name].bytesize > 90
- # node names > 90 bytes only work with authentication protocol >= 1.1
- # see discussion in config.rb.
- Chef::Config[:authentication_protocol_version] = "1.1"
- end
end
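Review bot: The same silent-failure mode applies to knife: with the `bytesize > 90` switch gone, a `node_name` over 90 bytes in `knife.rb`/`config.rb` together with a pinned `authentication_protocol_version "1.0"` is no longer corrected or reported, and the removed comment states such names only work with 1.1. A one-line `Chef::Log.warn(...)` guarded by `Chef::Config[:node_name] && Chef::Config[:node_name].bytesize > 90 && Chef::Config[:authentication_protocol_version] == "1.0"` in the same spot would preserve the hint without reintroducing the config mutation. The enclosing method begins before this hunk, so I cannot tell whether a better place for the check exists earlier in it.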
def configure_chef
diff --git a/spec/unit/client_spec.rb b/spec/unit/client_spec.rb
index 8fbf56844e..c270ddc092 100644
--- a/spec/unit/client_spec.rb
+++ b/spec/unit/client_spec.rb
@@ -45,26 +45,8 @@ describe Chef::Client do
end
describe "authentication protocol selection" do
- after do
- Chef::Config[:authentication_protocol_version] = "1.0"
- end
-
- context "when the node name is <= 90 bytes" do
- it "does not force the authentication protocol to 1.1" do
- Chef::Config[:node_name] = ("f" * 90)
- # ugly that this happens as a side effect of a getter :(
- client.node_name
- expect(Chef::Config[:authentication_protocol_version]).to eq("1.0")
- end
- end
-
- context "when the node name is > 90 bytes" do
- it "sets the authentication protocol to version 1.1" do
- Chef::Config[:node_name] = ("f" * 91)
- # ugly that this happens as a side effect of a getter :(
- client.node_name
- expect(Chef::Config[:authentication_protocol_version]).to eq("1.1")
- end
+ it "defaults to 1.1" do
+ expect(Chef::Config[:authentication_protocol_version]).to eq("1.1")
end
end
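Review bot: The new `it "defaults to 1.1"` example reads the live `Chef::Config[:authentication_protocol_version]` without resetting it first, while the deleted `after` block shows this suite previously had to restore that key by hand because other examples mutate it; whichever example runs first now decides whether this passes. Either reset the config in a `before` (e.g. `before { Chef::Config.reset }`, if `reset` is available on this config class as it is on Mixlib::Config-based ones) or move the default assertion into chef-config's own spec, which is where the default is defined. As written the example asserts nothing about `Chef::Client`, so the `describe "authentication protocol selection"` block in client_spec has become a misplaced config test.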
diff --git a/spec/unit/rest/auth_credentials_spec.rb b/spec/unit/rest/auth_credentials_spec.rb
index 3465156b90..dc66d12a19 100644
--- a/spec/unit/rest/auth_credentials_spec.rb
+++ b/spec/unit/rest/auth_credentials_spec.rb
@@ -81,33 +81,32 @@ describe Chef::REST::AuthCredentials do
before do
@request_time = Time.at(1270920860)
@request_params = {:http_method => :POST, :path => "/clients", :body => '{"some":"json"}', :host => "localhost"}
+ allow(Chef::Config).to(
+ receive(:[]).with(:authentication_protocol_version).and_return(protocol_version))
end
- it "generates signature headers for the request" do
- allow(Time).to receive(:now).and_return(@request_time)
- actual = @auth_credentials.signature_headers(@request_params)
- expect(actual["HOST"]).to eq("localhost")
- expect(actual["X-OPS-AUTHORIZATION-1"]).to eq("kBssX1ENEwKtNYFrHElN9vYGWS7OeowepN9EsYc9csWfh8oUovryPKDxytQ/")
- expect(actual["X-OPS-AUTHORIZATION-2"]).to eq("Wc2/nSSyxdWJjjfHzrE+YrqNQTaArOA7JkAf5p75eTUonCWcvNPjFrZVgKGS")
- expect(actual["X-OPS-AUTHORIZATION-3"]).to eq("yhzHJQh+lcVA9wwARg5Hu9q+ddS8xBOdm3Vp5atl5NGHiP0loiigMYvAvzPO")
- expect(actual["X-OPS-AUTHORIZATION-4"]).to eq("r9853eIxwYMhn5hLGhAGFQznJbE8+7F/lLU5Zmk2t2MlPY8q3o1Q61YD8QiJ")
- expect(actual["X-OPS-AUTHORIZATION-5"]).to eq("M8lIt53ckMyUmSU0DDURoiXLVkE9mag/6Yq2tPNzWq2AdFvBqku9h2w+DY5k")
- expect(actual["X-OPS-AUTHORIZATION-6"]).to eq("qA5Rnzw5rPpp3nrWA9jKkPw4Wq3+4ufO2Xs6w7GCjA==")
- expect(actual["X-OPS-CONTENT-HASH"]).to eq("1tuzs5XKztM1ANrkGNPah6rW9GY=")
- expect(actual["X-OPS-SIGN"]).to match(%r{(version=1\.0)|(algorithm=sha1;version=1.0;)})
- expect(actual["X-OPS-TIMESTAMP"]).to eq("2010-04-10T17:34:20Z")
- expect(actual["X-OPS-USERID"]).to eq("client-name")
+ context "when configured for version 1.0 of the authn protocol" do
+ let(:protocol_version) { "1.0" }
- end
-
- describe "when configured for version 1.1 of the authn protocol" do
- before do
- Chef::Config[:authentication_protocol_version] = "1.1"
+ it "generates signature headers for the request" do
+ allow(Time).to receive(:now).and_return(@request_time)
+ actual = @auth_credentials.signature_headers(@request_params)
+ expect(actual["HOST"]).to eq("localhost")
+ expect(actual["X-OPS-AUTHORIZATION-1"]).to eq("kBssX1ENEwKtNYFrHElN9vYGWS7OeowepN9EsYc9csWfh8oUovryPKDxytQ/")
+ expect(actual["X-OPS-AUTHORIZATION-2"]).to eq("Wc2/nSSyxdWJjjfHzrE+YrqNQTaArOA7JkAf5p75eTUonCWcvNPjFrZVgKGS")
+ expect(actual["X-OPS-AUTHORIZATION-3"]).to eq("yhzHJQh+lcVA9wwARg5Hu9q+ddS8xBOdm3Vp5atl5NGHiP0loiigMYvAvzPO")
+ expect(actual["X-OPS-AUTHORIZATION-4"]).to eq("r9853eIxwYMhn5hLGhAGFQznJbE8+7F/lLU5Zmk2t2MlPY8q3o1Q61YD8QiJ")
+ expect(actual["X-OPS-AUTHORIZATION-5"]).to eq("M8lIt53ckMyUmSU0DDURoiXLVkE9mag/6Yq2tPNzWq2AdFvBqku9h2w+DY5k")
+ expect(actual["X-OPS-AUTHORIZATION-6"]).to eq("qA5Rnzw5rPpp3nrWA9jKkPw4Wq3+4ufO2Xs6w7GCjA==")
+ expect(actual["X-OPS-CONTENT-HASH"]).to eq("1tuzs5XKztM1ANrkGNPah6rW9GY=")
+ expect(actual["X-OPS-SIGN"]).to match(%r{(version=1\.0)|(algorithm=sha1;version=1.0;)})
+ expect(actual["X-OPS-TIMESTAMP"]).to eq("2010-04-10T17:34:20Z")
+ expect(actual["X-OPS-USERID"]).to eq("client-name")
end
+ end
- after do
- Chef::Config[:authentication_protocol_version] = "1.0"
- end
+ context "when configured for version 1.1 of the authn protocol" do
+ let(:protocol_version) { "1.1" }
it "generates the correct signature for version 1.1" do
allow(Time).to receive(:now).and_return(@request_time)