1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
#
# Author:: Christopher Brown (<cb@opscode.com>)
# Author:: Christopher Walters (<cw@opscode.com>)
# Copyright:: Copyright (c) 2009 Opscode, Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require 'time'
require 'base64'
require 'ostruct'
require 'digest/sha1'
require 'mixlib/authentication'
require 'mixlib/authentication/digester'
module Mixlib
module Authentication
module SignedHeaderAuth
SIGNING_DESCRIPTION = 'version=1.0'
# This is a module meant to be mixed in but can be used standalone
# with the simple OpenStruct extended with the auth functions
class << self
def signing_object(args={ })
OpenStruct.new(args).extend SignedHeaderAuth
end
end
# Build the canonicalized request based on the method, other headers, etc.
# compute the signature from the request, using the looked-up user secret
# ====Parameters
# private_key<OpenSSL::PKey::RSA>:: user's RSA private key.
def sign(private_key)
digester = Mixlib::Authentication::Digester.new
@hashed_body = if self.file
digester.hash_file(self.file)
else
digester.hash_body(self.body)
end
header_hash = {
"X-Ops-Sign" => SIGNING_DESCRIPTION,
"X-Ops-Userid" => user_id,
"X-Ops-Timestamp" => canonical_time,
"X-Ops-Content-Hash" =>@hashed_body,
}
# Our multiline hash for authorization will be encoded in multiple header
# lines - X-Ops-Authorization-1, ... (starts at 1, not 0!)
string_to_sign = canonicalize_request
signature = Base64.encode64(private_key.private_encrypt(string_to_sign)).chomp
signature_lines = signature.split(/\n/)
signature_lines.each_index do |idx|
key = "X-Ops-Authorization-#{idx + 1}"
header_hash[key] = signature_lines[idx]
end
Mixlib::Authentication::Log.debug "String to sign: '#{string_to_sign}'\nHeader hash: #{header_hash.inspect}"
header_hash
end
# Build the canonicalized time based on utc & iso8601
#
# ====Parameters
#
def canonical_time
Time.parse(timestamp).utc.iso8601
end
# Build the canonicalized path, which collapses multiple slashes (/) and
# removes a trailing slash unless the path is only "/"
#
# ====Parameters
#
def canonical_path
p = path.gsub(/\/+/,'/')
p.length > 1 ? p.chomp('/') : p
end
# Takes HTTP request method & headers and creates a canonical form
# to create the signature
#
# ====Parameters
#
#
def canonicalize_request
"Method:#{http_method.to_s.upcase}\nPath:#{canonical_path}\nX-Ops-Content-Hash:#{@hashed_body}\nX-Ops-Timestamp:#{canonical_time}\nX-Ops-UserId:#{user_id}"
end
# Parses signature version information, algorithm used, etc.
#
# ====Parameters
#
def parse_signing_description
parts = @signing_description.strip.split(";").inject({ }) do |memo, part|
field_name, field_value = part.split("=")
memo[field_name.to_sym] = field_value.strip
memo
end
Mixlib::Authentication::Log.debug "Parsed signing description: #{parts.inspect}"
end
private :canonical_time, :canonical_path, :canonicalize_request, :parse_signing_description
end
end
end
|
