initial commit for new repository

4 files changed, 238 insertions, 0 deletions

diff --git a/lib/mixlib/authentication.rb b/lib/mixlib/authentication.rb
new file mode 100644
index 0000000..320ee49
--- /dev/null
+++ b/lib/mixlib/authentication.rb
@@ -0,0 +1,12 @@
+require 'couchrest'
+require 'mixlib/log'
+
+module Mixlib
+  module Authentication
+    class Log
+      extend  Mixlib::Log      
+    end
+  end
+end
+
+
diff --git a/lib/mixlib/authentication/digester.rb b/lib/mixlib/authentication/digester.rb
new file mode 100644
index 0000000..185532f
--- /dev/null
+++ b/lib/mixlib/authentication/digester.rb
@@ -0,0 +1,38 @@
+require 'mixlib/authentication'
+
+module Mixlib
+  module Authentication
+    class Digester
+      attr_reader :hashed_body
+      
+      def initialize()
+        @hashed_body = nil
+      end
+
+      # Compare the request timestamp with boundary time
+      # 
+      # 
+      # ====Parameters
+      # time1<Time>:: minuend
+      # time2<Time>:: subtrahend
+      #
+      def hash_file(f)
+        digester = Digest::SHA1.new
+        buf = ""
+        while f.read(16384, buf)
+          digester.update buf
+        end        
+        @hashed_body ||= ::Base64.encode64(digester.digest).chomp
+      end
+      
+      # Digests the body, base64's and chomps the end
+      # 
+      # 
+      # ====Parameters
+      # 
+      def hash_body(body)
+        @hashed_body ||= ::Base64.encode64(Digest::SHA1.digest(body)).chomp
+      end      
+    end
+  end
+end
diff --git a/lib/mixlib/authentication/signatureverification.rb b/lib/mixlib/authentication/signatureverification.rb
new file mode 100644
index 0000000..60a1517
--- /dev/null
+++ b/lib/mixlib/authentication/signatureverification.rb
@@ -0,0 +1,101 @@
+require 'ostruct'
+require 'net/http'
+
+require 'mixlib/authentication/signedheaderauth'
+require 'mixlib/authentication/digester'
+
+module Mixlib
+  module Authentication
+    class SignatureVerification
+
+      include Mixlib::Authentication::SignedHeaderAuth
+      
+      attr_reader :hashed_body, :timestamp, :http_method, :user_id
+
+      # Takes the request, boils down the pieces we are interested in,
+      # looks up the user, generates a signature, and compares to
+      # the signature in the request
+      # ====Headers
+      #
+      # X-Ops-Sign: algorithm=sha256;version=1.0;
+      # X-Ops-UserId: <user_id>
+      # X-Ops-Timestamp:
+      # X-Ops-Content-Hash: 
+      def authenticate_user_request(request, user_lookup, time_skew=(15*60))
+        Mixlib::Authentication::Log.debug "Initializing header auth : #{request.inspect}"
+        
+        headers ||= request.env.inject({ }) { |memo, kv| memo[$2.downcase.to_sym] = kv[1] if kv[0] =~ /^(HTTP_)(.*)/; memo }
+        digester = Mixlib::Authentication::Digester.new        
+
+        begin
+          @allowed_time_skew   = time_skew # in seconds
+          @http_method         = request.method.to_s
+          @signing_description = headers[:x_ops_sign].chomp
+          @user_id             = headers[:x_ops_userid].chomp
+          @timestamp           = headers[:x_ops_timestamp].chomp
+          @request_signature   = headers[:authorization].chomp.gsub!(/\n\t/,"\n")
+          @host                = headers[:host].chomp
+          @content_hash        = headers[:x_ops_content_hash].chomp
+          @user_secret         = user_lookup
+
+
+          file_param = request.params["file"]
+
+          @hashed_body = if file_param
+                           Mixlib::Authentication::Log.debug "Digesting file_param: '#{file_param.inspect}'"
+                           if file_param.respond_to?(:has_key?)
+                             tempfile = file_param[:tempfile]
+                             digester.hash_file(tempfile)
+                           else
+                             digester.hash_body(file_param)
+                           end
+                         else
+                           body = request.raw_post
+                           Mixlib::Authentication::Log.debug "Digesting body: '#{body}'"
+                           digester.hash_body(body)
+                         end
+
+          Mixlib::Authentication::Log.debug "Authenticating user : #{user_id}, User secret is: #{@user_secret}, Request signature is :\n#{@request_signature}, Hashed Body is #{@hashed_body}"
+          
+          #BUGBUG Not doing anything with the signing description yet [cb]          
+          parse_signing_description
+          candidate_block = canonicalize_request
+          request_decrypted_block = @user_secret.public_decrypt(Base64.decode64(@request_signature))
+          signatures_match = (request_decrypted_block == candidate_block)
+          timeskew_is_acceptable = timestamp_within_bounds?(Time.parse(timestamp), Time.now)
+          hashes_match = @content_hash == hashed_body
+        rescue StandardError=>se
+          raise StandardError,"Failed to authenticate user request.  Most likely missing a necessary header: #{se.message}"
+        end
+        
+        Mixlib::Authentication::Log.debug "Candidate Block is: '#{candidate_block}'\nRequest decrypted block is: '#{request_decrypted_block}'\nCandidate content hash is: #{hashed_body}\nRequest Content Hash is: '#{@content_hash}'\nSignatures match: #{signatures_match}, Allowed Time Skew: #{timeskew_is_acceptable}, Hashes match?: #{hashes_match}\n"
+        
+        if signatures_match and timeskew_is_acceptable and hashes_match
+          OpenStruct.new(:name=>user_id)
+        else
+          nil
+        end
+      end
+      
+      private
+      
+      # Compare the request timestamp with boundary time
+      # 
+      # 
+      # ====Parameters
+      # time1<Time>:: minuend
+      # time2<Time>:: subtrahend
+      #
+      def timestamp_within_bounds?(time1, time2)
+        time_diff = (time2-time1).abs
+        is_allowed = (time_diff < @allowed_time_skew)
+        Mixlib::Authentication::Log.debug "Request time difference: #{time_diff}, within #{@allowed_time_skew} seconds? : #{!!is_allowed}"
+        is_allowed      
+      end
+    end
+
+
+  end
+end
+
+
diff --git a/lib/mixlib/authentication/signedheaderauth.rb b/lib/mixlib/authentication/signedheaderauth.rb
new file mode 100644
index 0000000..21ff2ed
--- /dev/null
+++ b/lib/mixlib/authentication/signedheaderauth.rb
@@ -0,0 +1,87 @@
+require 'time'
+require 'base64'
+require 'ostruct'
+require 'digest/sha2'
+require 'hmac'
+require 'hmac-sha2'
+require 'mixlib/authentication'
+require 'mixlib/authentication/digester'
+
+module Mixlib
+  module Authentication
+    module SignedHeaderAuth
+      
+      SIGNING_DESCRIPTION = 'version=1.0'
+
+      # This is a module meant to be mixed in but can be used standalone
+      # with the simple OpenStruct extended with the auth functions
+      class << self
+        def signing_object(args={ })
+          OpenStruct.new(args).extend SignedHeaderAuth
+        end
+      end
+	  
+	  # Build the canonicalized request based on the method, other headers, etc.
+      # compute the signature from the request, using the looked-up user secret
+      # ====Parameters
+      # private_key<String>:: user's RSA private key.
+	  def sign(private_key)
+        digester = Mixlib::Authentication::Digester.new
+        @hashed_body = if self.file
+                         digester.hash_file(self.file)
+                       else
+                         digester.hash_body(self.body)
+                       end
+        
+		signature = Base64.encode64(private_key.private_encrypt(canonicalize_request)).chomp.gsub!(/\n/,"\n\t")
+		header_hash = {
+          :x_ops_sign=>SIGNING_DESCRIPTION,
+          :x_ops_userid=>user_id,
+          :x_ops_timestamp=> canonical_time,
+          :x_ops_content_hash=>@hashed_body,
+          :authorization=>signature,
+        }
+        Mixlib::Authentication::Log.debug "Header hash: #{header_hash.inspect}"
+        
+        header_hash
+	  end
+      
+      # Build the canonicalized time based on utc & iso8601
+      # 
+      # ====Parameters
+      # 
+      def canonical_time
+        Time.parse(timestamp).utc.iso8601      
+      end
+
+      # Takes HTTP request method & headers and creates a canonical form
+      # to create the signature
+      # 
+      # ====Parameters
+      # 
+      # 
+      def canonicalize_request
+        Mixlib::Authentication::Log.debug "canonicalize_request:"
+        canon_request = "Method:#{http_method.to_s.upcase}\nX-Ops-Content-Hash:#{@hashed_body}\nX-Ops-Timestamp:#{canonical_time}\nX-Ops-UserId:#{user_id}"
+        Mixlib::Authentication::Log.debug "canonicalize_request: #{canon_request}"
+        canon_request
+      end
+      
+      # Parses signature version information, algorithm used, etc.
+      #
+      # ====Parameters
+      #
+      def parse_signing_description
+        parts = @signing_description.strip.split(";").inject({ }) do |memo, part|
+          field_name, field_value = part.split("=")
+          memo[field_name.to_sym] = field_value.strip
+          memo
+        end
+        Mixlib::Authentication::Log.debug "Parsed signing description: #{parts.inspect}"
+      end
+      
+      private :canonical_time, :canonicalize_request, :parse_signing_description
+      
+    end
+  end
+end