diff options
author | Tim Hinderliter <tim@opscode.com> | 2012-05-14 11:21:36 -0700 |
---|---|---|
committer | Tim Hinderliter <tim@opscode.com> | 2012-05-14 11:21:36 -0700 |
commit | 4ada4dbc9b4ef70c697eb105eb29a95fe2ca7f92 (patch) | |
tree | 7b36b1109ed67f897fc93cd049ddf39ba87ff9a5 | |
parent | f3cd8b31e04aac87f82bb4ae1de6a2bf0ab49401 (diff) | |
parent | 5c3a4ca2556140931f54eea4bd067e6f94f28ab1 (diff) | |
download | mixlib-authentication-4ada4dbc9b4ef70c697eb105eb29a95fe2ca7f92.tar.gz |
Merge branch 'CHEF-3095'
-rw-r--r-- | Rakefile | 2 | ||||
-rw-r--r-- | lib/mixlib/authentication/signatureverification.rb | 20 | ||||
-rw-r--r-- | lib/mixlib/authentication/signedheaderauth.rb | 26 | ||||
-rw-r--r-- | mixlib-authentication.gemspec | 2 | ||||
-rw-r--r-- | spec/mixlib/authentication/mixlib_authentication_spec.rb | 173 |
5 files changed, 148 insertions, 75 deletions
@@ -5,7 +5,7 @@ require 'date' require 'rspec/core/rake_task' GEM = "mixlib-authentication" -GEM_VERSION = "1.1.5" +GEM_VERSION = "1.2" AUTHOR = "Opscode, Inc." EMAIL = "info@opscode.com" HOMEPAGE = "http://www.opscode.com" diff --git a/lib/mixlib/authentication/signatureverification.rb b/lib/mixlib/authentication/signatureverification.rb index 65e8374..6da23e2 100644 --- a/lib/mixlib/authentication/signatureverification.rb +++ b/lib/mixlib/authentication/signatureverification.rb @@ -34,7 +34,7 @@ module Mixlib def_delegator :@auth_request, :path - def_delegator :auth_request, :signing_description + def_delegator :@auth_request, :signing_description def_delegator :@auth_request, :user_id @@ -50,8 +50,6 @@ module Mixlib include Mixlib::Authentication::SignedHeaderAuth - attr_reader :auth_request - def initialize(request=nil) @auth_request = HTTPAuthenticationRequest.new(request) if request @@ -65,12 +63,13 @@ module Mixlib @auth_request = HTTPAuthenticationRequest.new(request) authenticate_request(user_lookup, time_skew) end + # Takes the request, boils down the pieces we are interested in, # looks up the user, generates a signature, and compares to # the signature in the request # ====Headers # - # X-Ops-Sign: algorithm=sha256;version=1.0; + # X-Ops-Sign: algorithm=sha1;version=1.0; # X-Ops-UserId: <user_id> # X-Ops-Timestamp: # X-Ops-Content-Hash: @@ -82,15 +81,10 @@ module Mixlib @allowed_time_skew = time_skew # in seconds begin - @auth_request - - #BUGBUG Not doing anything with the signing description yet [cb] - parse_signing_description - - verify_signature + parts = parse_signing_description + verify_signature(parts[:algorithm], parts[:version]) verify_timestamp verify_content_hash - rescue StandardError=>se raise AuthenticationError,"Failed to authenticate user request. Check your client key and clock: #{se.message}", se.backtrace end @@ -136,8 +130,8 @@ module Mixlib end end - def verify_signature - candidate_block = canonicalize_request + def verify_signature(algorithm, version) + candidate_block = canonicalize_request(algorithm, version) request_decrypted_block = @user_secret.public_decrypt(Base64.decode64(request_signature)) @valid_signature = (request_decrypted_block == candidate_block) diff --git a/lib/mixlib/authentication/signedheaderauth.rb b/lib/mixlib/authentication/signedheaderauth.rb index 63febb1..39c9ac8 100644 --- a/lib/mixlib/authentication/signedheaderauth.rb +++ b/lib/mixlib/authentication/signedheaderauth.rb @@ -27,8 +27,9 @@ module Mixlib module Authentication module SignedHeaderAuth - - SIGNING_DESCRIPTION = 'version=1.0' + + SUPPORTED_ALGORITHMS = ['sha1'] + SUPPORTED_VERSIONS = ['1.0', '1.1'] # This is a module meant to be mixed in but can be used standalone # with the simple OpenStruct extended with the auth functions @@ -42,17 +43,17 @@ module Mixlib # compute the signature from the request, using the looked-up user secret # ====Parameters # private_key<OpenSSL::PKey::RSA>:: user's RSA private key. - def sign(private_key) + def sign(private_key, algorithm='sha1', version='1.1') # Our multiline hash for authorization will be encoded in multiple header # lines - X-Ops-Authorization-1, ... (starts at 1, not 0!) header_hash = { - "X-Ops-Sign" => SIGNING_DESCRIPTION, + "X-Ops-Sign" => "algorithm=#{algorithm};version=#{version};", "X-Ops-Userid" => user_id, "X-Ops-Timestamp" => canonical_time, "X-Ops-Content-Hash" => hashed_body, } - string_to_sign = canonicalize_request + string_to_sign = canonicalize_request(algorithm, version) signature = Base64.encode64(private_key.private_encrypt(string_to_sign)).chomp signature_lines = signature.split(/\n/) signature_lines.each_index do |idx| @@ -98,8 +99,18 @@ module Mixlib # ====Parameters # # - def canonicalize_request - "Method:#{http_method.to_s.upcase}\nHashed Path:#{digester.hash_string(canonical_path)}\nX-Ops-Content-Hash:#{hashed_body}\nX-Ops-Timestamp:#{canonical_time}\nX-Ops-UserId:#{user_id}" + def canonicalize_request(algorithm='sha1', version='1.1') + raise AuthenticationError, "Bad algorithm '#{algorithm}' or version '#{version}'" unless SUPPORTED_ALGORITHMS.include?(algorithm) && SUPPORTED_VERSIONS.include?(version) + + canonical_x_ops_user_id = case + when version == "1.1" + digester.hash_string(user_id) + when version == "1.0" + user_id + else + user_id + end + "Method:#{http_method.to_s.upcase}\nHashed Path:#{digester.hash_string(canonical_path)}\nX-Ops-Content-Hash:#{hashed_body}\nX-Ops-Timestamp:#{canonical_time}\nX-Ops-UserId:#{canonical_x_ops_user_id}" end # Parses signature version information, algorithm used, etc. @@ -113,6 +124,7 @@ module Mixlib memo end Mixlib::Authentication::Log.debug "Parsed signing description: #{parts.inspect}" + parts end def digester diff --git a/mixlib-authentication.gemspec b/mixlib-authentication.gemspec index 178fc18..0ddf6fb 100644 --- a/mixlib-authentication.gemspec +++ b/mixlib-authentication.gemspec @@ -1,4 +1,4 @@ -MIXLIB_AUTHN_VERSION = '1.1.5' +MIXLIB_AUTHN_VERSION = '1.2' Gem::Specification.new do |s| s.name = "mixlib-authentication" diff --git a/spec/mixlib/authentication/mixlib_authentication_spec.rb b/spec/mixlib/authentication/mixlib_authentication_spec.rb index 94e8b3d..2722950 100644 --- a/spec/mixlib/authentication/mixlib_authentication_spec.rb +++ b/spec/mixlib/authentication/mixlib_authentication_spec.rb @@ -1,6 +1,7 @@ # # Author:: Tim Hinderliter (<tim@opscode.com>) # Author:: Christopher Walters (<cw@opscode.com>) +# Author:: Christopher Brown (<cb@opscode.com>) # Copyright:: Copyright (c) 2009, 2010 Opscode, Inc. # License:: Apache License, Version 2.0 # @@ -66,60 +67,51 @@ end #Mixlib::Authentication::Log.level :debug describe "Mixlib::Authentication::SignedHeaderAuth" do - it "should generate the correct string to sign and signature" do - # fix the timestamp, private key and body so we get the same answer back - # every time. - args = { - :body => BODY, - :user_id => USER_ID, - :http_method => :post, - :timestamp => TIMESTAMP_ISO8601, # fixed timestamp so we get back the same answer each time. - :file => MockFile.new, - :path => PATH, - } - - private_key = OpenSSL::PKey::RSA.new(PRIVATE_KEY) + + it "should generate the correct string to sign and signature, version 1.0" do - signing_obj = Mixlib::Authentication::SignedHeaderAuth.signing_object(args) - - expected_string_to_sign = <<EOS -Method:POST -Hashed Path:#{HASHED_CANONICAL_PATH} -X-Ops-Content-Hash:#{HASHED_BODY} -X-Ops-Timestamp:#{TIMESTAMP_ISO8601} -X-Ops-UserId:#{USER_ID} -EOS - signing_obj.canonicalize_request.should == expected_string_to_sign.chomp + algorithm = 'sha1' + version = '1.0' + V1_0_SIGNING_OBJECT.canonicalize_request(algorithm, version).should == V1_0_CANONICAL_REQUEST # If you need to regenerate the constants in this test spec, print out # the results of res.inspect and copy them as appropriate into the # the constants in this file. - res = signing_obj.sign(private_key) - #$stderr.puts "res.inspect = #{res.inspect}" - res.should == EXPECTED_SIGN_RESULT + V1_0_SIGNING_OBJECT.sign(PRIVATE_KEY, algorithm, version).should == EXPECTED_SIGN_RESULT_V1_0 end - it "should not choke when signing a request for a resource with a long name" do - args = { - :body => BODY, - :user_id => USER_ID, - :http_method => :put, - :timestamp => TIMESTAMP_ISO8601, # fixed timestamp so we get back the same answer each time. - :file => MockFile.new, - :path => PATH + "/nodes/#{"A" * 100}"} + it "should generate the correct string to sign and signature, version 1.1" do - private_key = OpenSSL::PKey::RSA.new(PRIVATE_KEY) - - signing_obj = Mixlib::Authentication::SignedHeaderAuth.signing_object(args) - - lambda { signing_obj.sign(private_key) }.should_not raise_error + V1_1_SIGNING_OBJECT.canonicalize_request.should == V1_1_CANONICAL_REQUEST + + # If you need to regenerate the constants in this test spec, print out + # the results of res.inspect and copy them as appropriate into the + # the constants in this file. + V1_1_SIGNING_OBJECT.sign(PRIVATE_KEY).should == EXPECTED_SIGN_RESULT_V1_1 end + + it "should not choke when signing a request for a long user id with version 1.1" do + lambda { LONG_SIGNING_OBJECT.sign(PRIVATE_KEY, 'sha1', '1.1') }.should_not raise_error + end + + it "should choke when signing a request for a long user id with version 1.0" do + lambda { LONG_SIGNING_OBJECT.sign(PRIVATE_KEY, 'sha1', '1.0') }.should raise_error + end + + it "should choke when signing a request with a bad version" do + lambda { V1_1_SIGNING_OBJECT.sign(PRIVATE_KEY, 'sha1', 'poo') }.should raise_error + end + + it "should choke when signing a request with a bad algorithm" do + lambda { V1_1_SIGNING_OBJECT.sign(PRIVATE_KEY, 'sha_poo', '1.1') }.should raise_error + end + end describe "Mixlib::Authentication::SignatureVerification" do before(:each) do - @user_private_key = OpenSSL::PKey::RSA.new(PRIVATE_KEY) + @user_private_key = PRIVATE_KEY end it "should authenticate a File-containing request - Merb" do @@ -221,6 +213,7 @@ describe "Mixlib::Authentication::SignatureVerification" do end USER_ID = "spec-user" +DIGESTED_USER_ID = Base64.encode64(Digest::SHA1.new.digest(USER_ID)).chomp BODY = "Spec Body" HASHED_BODY = "DFteJZPVv6WKdQmMqZUQUumUyRs=" # Base64.encode64(Digest::SHA1.digest("Spec Body")).chomp TIMESTAMP_ISO8601 = "2009-01-01T12:00:00Z" @@ -228,25 +221,75 @@ TIMESTAMP_OBJ = Time.parse("Thu Jan 01 12:00:00 -0000 2009") PATH = "/organizations/clownco" HASHED_CANONICAL_PATH = "YtBWDn1blGGuFIuKksdwXzHU9oE=" # Base64.encode64(Digest::SHA1.digest("/organizations/clownco")).chomp +V1_0_ARGS = { + :body => BODY, + :user_id => USER_ID, + :http_method => :post, + :timestamp => TIMESTAMP_ISO8601, # fixed timestamp so we get back the same answer each time. + :file => MockFile.new, + :path => PATH +} + +V1_1_ARGS = { + :body => BODY, + :user_id => USER_ID, + :http_method => :post, + :timestamp => TIMESTAMP_ISO8601, # fixed timestamp so we get back the same answer each time. + :file => MockFile.new, + :path => PATH +} + +LONG_PATH_LONG_USER_ARGS = { + :body => BODY, + :user_id => "A" * 200, + :http_method => :put, + :timestamp => TIMESTAMP_ISO8601, # fixed timestamp so we get back the same answer each time. + :file => MockFile.new, + :path => PATH + "/nodes/#{"A" * 250}" +} + REQUESTING_ACTOR_ID = "c0f8a68c52bffa1020222a56b23cccfa" # Content hash is ???TODO X_OPS_CONTENT_HASH = "DFteJZPVv6WKdQmMqZUQUumUyRs=" +X_OPS_AUTHORIZATION_LINES_V1_0 = [ +"jVHrNniWzpbez/eGWjFnO6lINRIuKOg40ZTIQudcFe47Z9e/HvrszfVXlKG4", +"NMzYZgyooSvU85qkIUmKuCqgG2AIlvYa2Q/2ctrMhoaHhLOCWWoqYNMaEqPc", +"3tKHE+CfvP+WuPdWk4jv4wpIkAz6ZLxToxcGhXmZbXpk56YTmqgBW2cbbw4O", +"IWPZDHSiPcw//AYNgW1CCDptt+UFuaFYbtqZegcBd2n/jzcWODA7zL4KWEUy", +"9q4rlh/+1tBReg60QdsmDRsw/cdO1GZrKtuCwbuD4+nbRdVBKv72rqHX9cu0", +"utju9jzczCyB+sSAQWrxSsXB/b8vV2qs0l4VD2ML+w==" +] + X_OPS_AUTHORIZATION_LINES = [ - "jVHrNniWzpbez/eGWjFnO6lINRIuKOg40ZTIQudcFe47Z9e/HvrszfVXlKG4", - "NMzYZgyooSvU85qkIUmKuCqgG2AIlvYa2Q/2ctrMhoaHhLOCWWoqYNMaEqPc", - "3tKHE+CfvP+WuPdWk4jv4wpIkAz6ZLxToxcGhXmZbXpk56YTmqgBW2cbbw4O", - "IWPZDHSiPcw//AYNgW1CCDptt+UFuaFYbtqZegcBd2n/jzcWODA7zL4KWEUy", - "9q4rlh/+1tBReg60QdsmDRsw/cdO1GZrKtuCwbuD4+nbRdVBKv72rqHX9cu0", - "utju9jzczCyB+sSAQWrxSsXB/b8vV2qs0l4VD2ML+w==" +"UfZD9dRz6rFu6LbP5Mo1oNHcWYxpNIcUfFCffJS1FQa0GtfU/vkt3/O5HuCM", +"1wIFl/U0f5faH9EWpXWY5NwKR031Myxcabw4t4ZLO69CIh/3qx1XnjcZvt2w", +"c2R9bx/43IWA/r8w8Q6decuu0f6ZlNheJeJhaYPI8piX/aH+uHBH8zTACZu8", +"vMnl5MF3/OIlsZc8cemq6eKYstp8a8KYq9OmkB5IXIX6qVMJHA6fRvQEB/7j", +"281Q7oI/O+lE8AmVyBbwruPb7Mp6s4839eYiOdjbDwFjYtbS3XgAjrHlaD7W", +"FDlbAG7H8Dmvo+wBxmtNkszhzbBnEYtuwQqT8nM/8A==" ] # We expect Mixlib::Authentication::SignedHeaderAuth#sign to return this -# if passed the BODY above. -EXPECTED_SIGN_RESULT = { +# if passed the BODY above, based on version + +EXPECTED_SIGN_RESULT_V1_0 = { "X-Ops-Content-Hash"=>X_OPS_CONTENT_HASH, "X-Ops-Userid"=>USER_ID, - "X-Ops-Sign"=>"version=1.0", + "X-Ops-Sign"=>"algorithm=sha1;version=1.0;", + "X-Ops-Authorization-1"=>X_OPS_AUTHORIZATION_LINES_V1_0[0], + "X-Ops-Authorization-2"=>X_OPS_AUTHORIZATION_LINES_V1_0[1], + "X-Ops-Authorization-3"=>X_OPS_AUTHORIZATION_LINES_V1_0[2], + "X-Ops-Authorization-4"=>X_OPS_AUTHORIZATION_LINES_V1_0[3], + "X-Ops-Authorization-5"=>X_OPS_AUTHORIZATION_LINES_V1_0[4], + "X-Ops-Authorization-6"=>X_OPS_AUTHORIZATION_LINES_V1_0[5], + "X-Ops-Timestamp"=>TIMESTAMP_ISO8601 +} + +EXPECTED_SIGN_RESULT_V1_1 = { + "X-Ops-Content-Hash"=>X_OPS_CONTENT_HASH, + "X-Ops-Userid"=>USER_ID, + "X-Ops-Sign"=>"algorithm=sha1;version=1.1;", "X-Ops-Authorization-1"=>X_OPS_AUTHORIZATION_LINES[0], "X-Ops-Authorization-2"=>X_OPS_AUTHORIZATION_LINES[1], "X-Ops-Authorization-3"=>X_OPS_AUTHORIZATION_LINES[2], @@ -267,7 +310,7 @@ MERB_HEADERS = { # These are used by signatureverification. An arbitrary sampling of non-HTTP_* # headers are in here to exercise that code path. "HTTP_HOST"=>"127.0.0.1", - "HTTP_X_OPS_SIGN"=>"version=1.0", + "HTTP_X_OPS_SIGN"=>"algorithm=sha1;version=1.1;", "HTTP_X_OPS_REQUESTID"=>"127.0.0.1 1258566194.85386", "HTTP_X_OPS_TIMESTAMP"=>TIMESTAMP_ISO8601, "HTTP_X_OPS_CONTENT_HASH"=>X_OPS_CONTENT_HASH, @@ -298,7 +341,7 @@ PASSENGER_HEADERS = { # These are used by signatureverification. An arbitrary sampling of non-HTTP_* # headers are in here to exercise that code path. "HTTP_HOST"=>"127.0.0.1", - "HTTP_X_OPS_SIGN"=>"version=1.0", + "HTTP_X_OPS_SIGN"=>"algorithm=sha1;version=1.1;", "HTTP_X_OPS_REQUESTID"=>"127.0.0.1 1258566194.85386", "HTTP_X_OPS_TIMESTAMP"=>TIMESTAMP_ISO8601, "HTTP_X_OPS_CONTENT_HASH"=>X_OPS_CONTENT_HASH, @@ -323,7 +366,7 @@ PASSENGER_HEADERS = { # generated with # openssl genrsa -out private.pem 2048 # openssl rsa -in private.pem -out public.pem -pubout -PUBLIC_KEY = <<EOS +PUBLIC_KEY_DATA = <<EOS -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ueqo76MXuP6XqZBILFz iH/9AI7C6PaN5W0dSvkr9yInyGHSz/IR1+4tqvP2qlfKVKI4CP6BFH251Ft9qMUB @@ -335,7 +378,7 @@ YQIDAQAB -----END PUBLIC KEY----- EOS -PRIVATE_KEY = <<EOS +PRIVATE_KEY_DATA = <<EOS -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEA0ueqo76MXuP6XqZBILFziH/9AI7C6PaN5W0dSvkr9yInyGHS z/IR1+4tqvP2qlfKVKI4CP6BFH251Ft9qMUBuAsnlAVQ1z0exDtIFFOyQCdR7iXm @@ -364,3 +407,27 @@ YlkUQYXhy9JixmUUKtH+NXkKX7Lyc8XYw5ETr7JBT3ifs+G7HruDjVG78EJVojbd 8uLA+DdQm5mg4vd1GTiSK65q/3EeoBlUaVor3HhLFki+i9qpT8CBsg== -----END RSA PRIVATE KEY----- EOS + +PRIVATE_KEY = OpenSSL::PKey::RSA.new(PRIVATE_KEY_DATA) + +V1_0_CANONICAL_REQUEST_DATA = <<EOS +Method:POST +Hashed Path:#{HASHED_CANONICAL_PATH} +X-Ops-Content-Hash:#{HASHED_BODY} +X-Ops-Timestamp:#{TIMESTAMP_ISO8601} +X-Ops-UserId:#{USER_ID} +EOS +V1_0_CANONICAL_REQUEST = V1_0_CANONICAL_REQUEST_DATA.chomp + +V1_1_CANONICAL_REQUEST_DATA = <<EOS +Method:POST +Hashed Path:#{HASHED_CANONICAL_PATH} +X-Ops-Content-Hash:#{HASHED_BODY} +X-Ops-Timestamp:#{TIMESTAMP_ISO8601} +X-Ops-UserId:#{DIGESTED_USER_ID} +EOS +V1_1_CANONICAL_REQUEST = V1_1_CANONICAL_REQUEST_DATA.chomp + +V1_1_SIGNING_OBJECT = Mixlib::Authentication::SignedHeaderAuth.signing_object(V1_1_ARGS) +V1_0_SIGNING_OBJECT = Mixlib::Authentication::SignedHeaderAuth.signing_object(V1_0_ARGS) +LONG_SIGNING_OBJECT = Mixlib::Authentication::SignedHeaderAuth.signing_object(LONG_PATH_LONG_USER_ARGS) |