diff options
-rw-r--r-- | lib/mixlib/authentication/signatureverification.rb | 17 | ||||
-rw-r--r-- | lib/mixlib/authentication/signedheaderauth.rb | 7 |
2 files changed, 19 insertions, 5 deletions
diff --git a/lib/mixlib/authentication/signatureverification.rb b/lib/mixlib/authentication/signatureverification.rb index d067a2e..2528923 100644 --- a/lib/mixlib/authentication/signatureverification.rb +++ b/lib/mixlib/authentication/signatureverification.rb @@ -66,17 +66,26 @@ module Mixlib @request_signature = headers.find_all { |h| h[0].to_s =~ /^x_ops_authorization_/ }.sort { |x,y| x.to_s <=> y.to_s}.map { |i| i[1] }.join("\n") Mixlib::Authentication::Log.debug "Reconstituted request signature: #{@request_signature}" + # The request signature is based on any file attached, if any. Otherwise + # it's based on the body of the request. + # TODO: tim: 2009-12-28: It'd be nice to remove this special case, and + # always hash the entire request body. In the file case it would just be + # expanded multipart text - the entire body of the POST. + # # Pull out any file that was attached to this request, using multipart # form uploads. # Depending on the server we're running in, multipart form uploads are # handed to us differently. # - In Passenger (Cookbooks Community Site), the File is handed to us # directly in the params hash. The name is whatever the client used, - # its value is therefore a File or Tempfile. + # its value is therefore a File or Tempfile. + # e.g. request['file_param'] = File + # # - In Merb (Chef server), the File is wrapped. The original parameter - # name used for the file is passed in with a Hash value. Within the hash - # is a name/value pair named 'file' which actually contains the Tempfile - # instance. + # name used for the file is used, but its value is a Hash. Within + # the hash is a name/value pair named 'file' which actually + # contains the Tempfile instance. + # e.g. request['file_param'] = { :file => Tempfile } file_param = request.params.values.find { |value| value.respond_to?(:read) } # No file_param; we're running in Merb, or it's just not there.. diff --git a/lib/mixlib/authentication/signedheaderauth.rb b/lib/mixlib/authentication/signedheaderauth.rb index 7e9aaa4..63fd352 100644 --- a/lib/mixlib/authentication/signedheaderauth.rb +++ b/lib/mixlib/authentication/signedheaderauth.rb @@ -84,7 +84,12 @@ module Mixlib end def hashed_body - @hashed_body ||= self.file ? digester.hash_file(self.file) : digester.hash_string(self.body) + # Hash the file object if it was passed in, otherwise hash based on + # the body. + # TODO: tim 2009-12-28: It'd be nice to just remove this special case, + # always sign the entire request body, using the expanded multipart + # body in the case of a file being include. + @hashed_body ||= (self.file && self.file.respond_to?(:read)) ? digester.hash_file(self.file) : digester.hash_string(self.body) end # Takes HTTP request method & headers and creates a canonical form |