fixes for long user id

2 files changed, 26 insertions, 20 deletions

diff --git a/lib/mixlib/authentication/signatureverification.rb b/lib/mixlib/authentication/signatureverification.rb
index 65e8374..6da23e2 100644
--- a/lib/mixlib/authentication/signatureverification.rb
+++ b/lib/mixlib/authentication/signatureverification.rb
@@ -34,7 +34,7 @@ module Mixlib
 
       def_delegator :@auth_request, :path
 
-      def_delegator :auth_request, :signing_description
+      def_delegator :@auth_request, :signing_description
 
       def_delegator :@auth_request, :user_id
 
@@ -50,8 +50,6 @@ module Mixlib
 
       include Mixlib::Authentication::SignedHeaderAuth
 
-      attr_reader :auth_request
-
       def initialize(request=nil)
         @auth_request = HTTPAuthenticationRequest.new(request) if request
 
@@ -65,12 +63,13 @@ module Mixlib
         @auth_request = HTTPAuthenticationRequest.new(request)
         authenticate_request(user_lookup, time_skew)
       end
+
       # Takes the request, boils down the pieces we are interested in,
       # looks up the user, generates a signature, and compares to
       # the signature in the request
       # ====Headers
       #
-      # X-Ops-Sign: algorithm=sha256;version=1.0;
+      # X-Ops-Sign: algorithm=sha1;version=1.0;
       # X-Ops-UserId: <user_id>
       # X-Ops-Timestamp:
       # X-Ops-Content-Hash: 
@@ -82,15 +81,10 @@ module Mixlib
         @allowed_time_skew = time_skew # in seconds
 
         begin
-          @auth_request
-          
-          #BUGBUG Not doing anything with the signing description yet [cb]          
-          parse_signing_description
-
-          verify_signature
+          parts = parse_signing_description
+          verify_signature(parts[:algorithm], parts[:version])
           verify_timestamp
           verify_content_hash
-
         rescue StandardError=>se
           raise AuthenticationError,"Failed to authenticate user request. Check your client key and clock: #{se.message}", se.backtrace
         end
@@ -136,8 +130,8 @@ module Mixlib
         end
       end
 
-      def verify_signature
-        candidate_block = canonicalize_request
+      def verify_signature(algorithm, version)
+        candidate_block = canonicalize_request(algorithm, version)
         request_decrypted_block = @user_secret.public_decrypt(Base64.decode64(request_signature))
         @valid_signature = (request_decrypted_block == candidate_block)
 
diff --git a/lib/mixlib/authentication/signedheaderauth.rb b/lib/mixlib/authentication/signedheaderauth.rb
index 63febb1..39c9ac8 100644
--- a/lib/mixlib/authentication/signedheaderauth.rb
+++ b/lib/mixlib/authentication/signedheaderauth.rb
@@ -27,8 +27,9 @@ module Mixlib
   module Authentication
 
     module SignedHeaderAuth
-      
-      SIGNING_DESCRIPTION = 'version=1.0'
+
+      SUPPORTED_ALGORITHMS = ['sha1']
+      SUPPORTED_VERSIONS = ['1.0', '1.1']
 
       # This is a module meant to be mixed in but can be used standalone
       # with the simple OpenStruct extended with the auth functions
@@ -42,17 +43,17 @@ module Mixlib
       # compute the signature from the request, using the looked-up user secret
       # ====Parameters
       # private_key<OpenSSL::PKey::RSA>:: user's RSA private key.
-      def sign(private_key)
+      def sign(private_key, algorithm='sha1', version='1.1')
         # Our multiline hash for authorization will be encoded in multiple header
         # lines - X-Ops-Authorization-1, ... (starts at 1, not 0!)
         header_hash = {
-          "X-Ops-Sign" => SIGNING_DESCRIPTION,
+          "X-Ops-Sign" => "algorithm=#{algorithm};version=#{version};",
           "X-Ops-Userid" => user_id,
           "X-Ops-Timestamp" => canonical_time,
           "X-Ops-Content-Hash" => hashed_body,
         }
 
-        string_to_sign = canonicalize_request
+        string_to_sign = canonicalize_request(algorithm, version)
         signature = Base64.encode64(private_key.private_encrypt(string_to_sign)).chomp
         signature_lines = signature.split(/\n/)
         signature_lines.each_index do |idx|
@@ -98,8 +99,18 @@ module Mixlib
       # ====Parameters
       # 
       # 
-      def canonicalize_request
-        "Method:#{http_method.to_s.upcase}\nHashed Path:#{digester.hash_string(canonical_path)}\nX-Ops-Content-Hash:#{hashed_body}\nX-Ops-Timestamp:#{canonical_time}\nX-Ops-UserId:#{user_id}"
+      def canonicalize_request(algorithm='sha1', version='1.1')
+        raise AuthenticationError, "Bad algorithm '#{algorithm}' or version '#{version}'" unless SUPPORTED_ALGORITHMS.include?(algorithm) && SUPPORTED_VERSIONS.include?(version)
+
+        canonical_x_ops_user_id = case 
+                                  when version == "1.1"
+                                    digester.hash_string(user_id)
+                                  when version == "1.0"
+                                    user_id
+                                  else
+                                    user_id
+                                  end
+        "Method:#{http_method.to_s.upcase}\nHashed Path:#{digester.hash_string(canonical_path)}\nX-Ops-Content-Hash:#{hashed_body}\nX-Ops-Timestamp:#{canonical_time}\nX-Ops-UserId:#{canonical_x_ops_user_id}"
       end
       
       # Parses signature version information, algorithm used, etc.
@@ -113,6 +124,7 @@ module Mixlib
           memo
         end
         Mixlib::Authentication::Log.debug "Parsed signing description: #{parts.inspect}"
+        parts
       end
       
       def digester