diff options
author | Christopher Brown <cb@opscode.com> | 2012-05-09 07:59:23 -0700 |
---|---|---|
committer | Christopher Brown <cb@opscode.com> | 2012-05-09 07:59:23 -0700 |
commit | 3ed48e0e8b5ff5c7e52fc0bdeb7c5548145aaba1 (patch) | |
tree | adf9ea7d2924bbdbfae0bf54a853007cb479ddab /lib | |
parent | f3cd8b31e04aac87f82bb4ae1de6a2bf0ab49401 (diff) | |
download | mixlib-authentication-3ed48e0e8b5ff5c7e52fc0bdeb7c5548145aaba1.tar.gz |
fixes for long user id
Diffstat (limited to 'lib')
-rw-r--r-- | lib/mixlib/authentication/signatureverification.rb | 20 | ||||
-rw-r--r-- | lib/mixlib/authentication/signedheaderauth.rb | 26 |
2 files changed, 26 insertions, 20 deletions
diff --git a/lib/mixlib/authentication/signatureverification.rb b/lib/mixlib/authentication/signatureverification.rb index 65e8374..6da23e2 100644 --- a/lib/mixlib/authentication/signatureverification.rb +++ b/lib/mixlib/authentication/signatureverification.rb @@ -34,7 +34,7 @@ module Mixlib def_delegator :@auth_request, :path - def_delegator :auth_request, :signing_description + def_delegator :@auth_request, :signing_description def_delegator :@auth_request, :user_id @@ -50,8 +50,6 @@ module Mixlib include Mixlib::Authentication::SignedHeaderAuth - attr_reader :auth_request - def initialize(request=nil) @auth_request = HTTPAuthenticationRequest.new(request) if request @@ -65,12 +63,13 @@ module Mixlib @auth_request = HTTPAuthenticationRequest.new(request) authenticate_request(user_lookup, time_skew) end + # Takes the request, boils down the pieces we are interested in, # looks up the user, generates a signature, and compares to # the signature in the request # ====Headers # - # X-Ops-Sign: algorithm=sha256;version=1.0; + # X-Ops-Sign: algorithm=sha1;version=1.0; # X-Ops-UserId: <user_id> # X-Ops-Timestamp: # X-Ops-Content-Hash: @@ -82,15 +81,10 @@ module Mixlib @allowed_time_skew = time_skew # in seconds begin - @auth_request - - #BUGBUG Not doing anything with the signing description yet [cb] - parse_signing_description - - verify_signature + parts = parse_signing_description + verify_signature(parts[:algorithm], parts[:version]) verify_timestamp verify_content_hash - rescue StandardError=>se raise AuthenticationError,"Failed to authenticate user request. Check your client key and clock: #{se.message}", se.backtrace end @@ -136,8 +130,8 @@ module Mixlib end end - def verify_signature - candidate_block = canonicalize_request + def verify_signature(algorithm, version) + candidate_block = canonicalize_request(algorithm, version) request_decrypted_block = @user_secret.public_decrypt(Base64.decode64(request_signature)) @valid_signature = (request_decrypted_block == candidate_block) diff --git a/lib/mixlib/authentication/signedheaderauth.rb b/lib/mixlib/authentication/signedheaderauth.rb index 63febb1..39c9ac8 100644 --- a/lib/mixlib/authentication/signedheaderauth.rb +++ b/lib/mixlib/authentication/signedheaderauth.rb @@ -27,8 +27,9 @@ module Mixlib module Authentication module SignedHeaderAuth - - SIGNING_DESCRIPTION = 'version=1.0' + + SUPPORTED_ALGORITHMS = ['sha1'] + SUPPORTED_VERSIONS = ['1.0', '1.1'] # This is a module meant to be mixed in but can be used standalone # with the simple OpenStruct extended with the auth functions @@ -42,17 +43,17 @@ module Mixlib # compute the signature from the request, using the looked-up user secret # ====Parameters # private_key<OpenSSL::PKey::RSA>:: user's RSA private key. - def sign(private_key) + def sign(private_key, algorithm='sha1', version='1.1') # Our multiline hash for authorization will be encoded in multiple header # lines - X-Ops-Authorization-1, ... (starts at 1, not 0!) header_hash = { - "X-Ops-Sign" => SIGNING_DESCRIPTION, + "X-Ops-Sign" => "algorithm=#{algorithm};version=#{version};", "X-Ops-Userid" => user_id, "X-Ops-Timestamp" => canonical_time, "X-Ops-Content-Hash" => hashed_body, } - string_to_sign = canonicalize_request + string_to_sign = canonicalize_request(algorithm, version) signature = Base64.encode64(private_key.private_encrypt(string_to_sign)).chomp signature_lines = signature.split(/\n/) signature_lines.each_index do |idx| @@ -98,8 +99,18 @@ module Mixlib # ====Parameters # # - def canonicalize_request - "Method:#{http_method.to_s.upcase}\nHashed Path:#{digester.hash_string(canonical_path)}\nX-Ops-Content-Hash:#{hashed_body}\nX-Ops-Timestamp:#{canonical_time}\nX-Ops-UserId:#{user_id}" + def canonicalize_request(algorithm='sha1', version='1.1') + raise AuthenticationError, "Bad algorithm '#{algorithm}' or version '#{version}'" unless SUPPORTED_ALGORITHMS.include?(algorithm) && SUPPORTED_VERSIONS.include?(version) + + canonical_x_ops_user_id = case + when version == "1.1" + digester.hash_string(user_id) + when version == "1.0" + user_id + else + user_id + end + "Method:#{http_method.to_s.upcase}\nHashed Path:#{digester.hash_string(canonical_path)}\nX-Ops-Content-Hash:#{hashed_body}\nX-Ops-Timestamp:#{canonical_time}\nX-Ops-UserId:#{canonical_x_ops_user_id}" end # Parses signature version information, algorithm used, etc. @@ -113,6 +124,7 @@ module Mixlib memo end Mixlib::Authentication::Log.debug "Parsed signing description: #{parts.inspect}" + parts end def digester |