From 498268d205df3b5898f134d60835ae96daf0c694 Mon Sep 17 00:00:00 2001
From: Chris Walters <cw@opscode.com>
Date: Mon, 1 Feb 2010 23:50:25 +0000
Subject: PL-232: Adding request path to signature

---
 lib/mixlib/authentication/signatureverification.rb |  8 +++++---
 lib/mixlib/authentication/signedheaderauth.rb      | 24 ++++++++++++++++------
 2 files changed, 23 insertions(+), 9 deletions(-)

(limited to 'lib/mixlib')

diff --git a/lib/mixlib/authentication/signatureverification.rb b/lib/mixlib/authentication/signatureverification.rb
index 570a5b9..ee837ee 100644
--- a/lib/mixlib/authentication/signatureverification.rb
+++ b/lib/mixlib/authentication/signatureverification.rb
@@ -1,6 +1,7 @@
 #
 # Author:: Christopher Brown (<cb@opscode.com>)
-# Copyright:: Copyright (c) 2009 Opscode, Inc.
+# Author:: Christopher Walters (<cw@opscode.com>)
+# Copyright:: Copyright (c) 2009, 2010 Opscode, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -27,7 +28,7 @@ module Mixlib
 
       include Mixlib::Authentication::SignedHeaderAuth
       
-      attr_reader :hashed_body, :timestamp, :http_method, :user_id
+      attr_reader :hashed_body, :timestamp, :http_method, :path, :user_id
 
       # Takes the request, boils down the pieces we are interested in,
       # looks up the user, generates a signature, and compares to
@@ -43,11 +44,12 @@ module Mixlib
         Mixlib::Authentication::Log.debug "Initializing header auth : #{request.inspect}"
         
         headers ||= request.env.inject({ }) { |memo, kv| memo[$2.gsub(/\-/,"_").downcase.to_sym] = kv[1] if kv[0] =~ /^(HTTP_)(.*)/; memo }
-        digester = Mixlib::Authentication::Digester.new        
+        digester = Mixlib::Authentication::Digester.new
 
         begin
           @allowed_time_skew   = time_skew # in seconds
           @http_method         = request.method.to_s
+          @path                = request.path.to_s
           @signing_description = headers[:x_ops_sign].chomp
           @user_id             = headers[:x_ops_userid].chomp
           @timestamp           = headers[:x_ops_timestamp].chomp
diff --git a/lib/mixlib/authentication/signedheaderauth.rb b/lib/mixlib/authentication/signedheaderauth.rb
index 4d72a4a..a92bccc 100644
--- a/lib/mixlib/authentication/signedheaderauth.rb
+++ b/lib/mixlib/authentication/signedheaderauth.rb
@@ -1,5 +1,6 @@
 #
 # Author:: Christopher Brown (<cb@opscode.com>)
+# Author:: Christopher Walters (<cw@opscode.com>)
 # Copyright:: Copyright (c) 2009 Opscode, Inc.
 # License:: Apache License, Version 2.0
 #
@@ -60,14 +61,15 @@ module Mixlib
 
         # Our multiline hash for authorization will be encoded in multiple header
         # lines - X-Ops-Authorization-1, ... (starts at 1, not 0!)
-        signature = Base64.encode64(private_key.private_encrypt(canonicalize_request)).chomp
+        string_to_sign = canonicalize_request
+        signature = Base64.encode64(private_key.private_encrypt(string_to_sign)).chomp
         signature_lines = signature.split(/\n/)
         signature_lines.each_index do |idx|
           key = "X-Ops-Authorization-#{idx + 1}"
           header_hash[key] = signature_lines[idx]
         end
-          
-        Mixlib::Authentication::Log.debug "Header hash: #{header_hash.inspect}"
+        
+        Mixlib::Authentication::Log.debug "String to sign: '#{string_to_sign}'\nHeader hash: #{header_hash.inspect}"
         
         header_hash
       end
@@ -79,7 +81,17 @@ module Mixlib
       def canonical_time
         Time.parse(timestamp).utc.iso8601      
       end
-
+      
+      # Build the canonicalized path, which collapses multiple slashes (/) and
+      # removes a trailing slash unless the path is only "/"
+      # 
+      # ====Parameters
+      # 
+      def canonical_path
+        p = path.gsub(/\/+/,'/')
+        p.length > 1 ? p.chomp('/') : p
+      end
+      
       # Takes HTTP request method & headers and creates a canonical form
       # to create the signature
       # 
@@ -87,7 +99,7 @@ module Mixlib
       # 
       # 
       def canonicalize_request
-        "Method:#{http_method.to_s.upcase}\nX-Ops-Content-Hash:#{@hashed_body}\nX-Ops-Timestamp:#{canonical_time}\nX-Ops-UserId:#{user_id}"
+        "Method:#{http_method.to_s.upcase}\nPath:#{canonical_path}\nX-Ops-Content-Hash:#{@hashed_body}\nX-Ops-Timestamp:#{canonical_time}\nX-Ops-UserId:#{user_id}"
       end
       
       # Parses signature version information, algorithm used, etc.
@@ -103,7 +115,7 @@ module Mixlib
         Mixlib::Authentication::Log.debug "Parsed signing description: #{parts.inspect}"
       end
       
-      private :canonical_time, :canonicalize_request, :parse_signing_description
+      private :canonical_time, :canonical_path, :canonicalize_request, :parse_signing_description
       
     end
   end
-- 
cgit v1.2.1