mixlib-authentication 1.3.0 → 1.4.0.rc.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 4af0553c29d4d0ee53f281ab38ef8ed7097ba8f9
+  data.tar.gz: 198e0ae73d73b4d5c3f39e61dd30bab6822c1031
+SHA512:
+  metadata.gz: 5613f35e48e2142c25614b39c114b9ed7412a5039eea64141bed4087408c51f4242a11b954a9d0393a85b1ecdd850dc505d2267c21eb8c3737af6a795873d4c8
+  data.tar.gz: 071de33850bcf8120424ef0ee26e4d6013fd96fabff92c10dd69caf2da521b890d8433809080b8e86a0022f111c83edb6e47c334ed44517bb3811db856c6e8a0

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+gemspec
+
+group(:development) do
+  gem 'pry'
+end

data/Rakefile

@@ -1,5 +1,5 @@
 require 'rubygems'
-require 'rake/gempackagetask'
+require 'rubygems/package_task'
 require 'rubygems/specification'
 require 'date'
 require 'rspec/core/rake_task'
@@ -16,12 +16,12 @@ task :default => :spec
 desc "Run specs"
 RSpec::Core::RakeTask.new do |t|
   t.pattern = 'spec/**/*_spec.rb'
-  t.rspec_opts = %w(-fs --color)
+  t.rspec_opts = %w(--format documentation --color)
 end
 
 gem_spec = eval(File.read("mixlib-authentication.gemspec"))
 
-Rake::GemPackageTask.new(gem_spec) do |pkg|
+Gem::PackageTask.new(gem_spec) do |pkg|
   pkg.gem_spec = gem_spec
 end
 

data/lib/mixlib/authentication.rb

@@ -20,6 +20,8 @@ require 'mixlib/log'
 
 module Mixlib
   module Authentication
+    DEFAULT_SERVER_API_VERSION = '0'
+
     class AuthenticationError < StandardError
     end
 

data/lib/mixlib/authentication/digester.rb

@@ -21,11 +21,10 @@ require 'mixlib/authentication'
 module Mixlib
   module Authentication
     class Digester
-      
       class << self
-        
-        def hash_file(f)
-          digester = Digest::SHA1.new
+
+        def hash_file(digest, f)
+          digester = digest.new
           buf = ""
           while f.read(16384, buf)
             digester.update buf
@@ -34,15 +33,15 @@ module Mixlib
         end
 
         # Digests a string, base64's and chomps the end
-        # 
+        #
         # ====Parameters
-        # 
-        def hash_string(str)
-          ::Base64.encode64(Digest::SHA1.digest(str)).chomp
+        #
+        def hash_string(digest, str)
+          ::Base64.encode64(digest.digest(str)).chomp
         end
-        
+
       end
-      
+
     end
   end
 end

data/lib/mixlib/authentication/http_authentication_request.rb

@@ -64,6 +64,10 @@ module Mixlib
         headers[:x_ops_content_hash].chomp
       end
 
+      def server_api_version
+        (headers[:x_ops_server_api_version] || DEFAULT_SERVER_API_VERSION).chomp
+      end
+
       def request_signature
         unless @request_signature
           @request_signature = headers.find_all { |h| h[0].to_s =~ /^x_ops_authorization_/ }.sort { |x,y| x.to_s <=> y.to_s}.map { |i| i[1] }.join("\n")
@@ -80,8 +84,6 @@ module Mixlib
           raise MissingAuthenticationHeader, "missing required authentication header(s) '#{missing_headers.join("', '")}'"
         end
       end
-
-
     end
   end
 end

data/lib/mixlib/authentication/signatureverification.rb

@@ -48,6 +48,8 @@ module Mixlib
 
       def_delegator :@auth_request, :request
 
+      def_delegator :@auth_request, :server_api_version
+
       include Mixlib::Authentication::SignedHeaderAuth
 
       def initialize(request=nil)
@@ -138,8 +140,15 @@ module Mixlib
 
       def verify_signature(algorithm, version)
         candidate_block = canonicalize_request(algorithm, version)
-        request_decrypted_block = @user_secret.public_decrypt(Base64.decode64(request_signature))
-        @valid_signature = (request_decrypted_block == candidate_block)
+        signature = Base64.decode64(request_signature)
+        @valid_signature = case version
+                           when '1.3'
+                             digest = validate_sign_version_digest!(algorithm, version)
+                             @user_secret.verify(digest.new, signature, candidate_block)
+                           else
+                             request_decrypted_block = @user_secret.public_decrypt(signature)
+                             (request_decrypted_block == candidate_block)
+                           end
 
         # Keep the debug messages lined up so it's easy to scan them
         Mixlib::Authentication::Log.debug("Verifying request signature:")
@@ -171,7 +180,7 @@ module Mixlib
 
       # The request signature is based on any file attached, if any. Otherwise
       # it's based on the body of the request.
-      def hashed_body
+      def hashed_body(digest=Digest::SHA1)
         unless @hashed_body
           # TODO: tim: 2009-112-28: It'd be nice to remove this special case, and
           # always hash the entire request body. In the file case it would just be
@@ -205,11 +214,11 @@ module Mixlib
           # we hash the body.
           if file_param
             Mixlib::Authentication::Log.debug "Digesting file_param: '#{file_param.inspect}'"
-            @hashed_body = digester.hash_file(file_param)
+            @hashed_body = digester.hash_file(digest, file_param)
           else
             body = request.raw_post
             Mixlib::Authentication::Log.debug "Digesting body: '#{body}'"
-            @hashed_body = digester.hash_string(body)
+            @hashed_body = digester.hash_string(digest, body)
           end
         end
         @hashed_body

data/lib/mixlib/authentication/signedheaderauth.rb

@@ -19,7 +19,7 @@
 
 require 'time'
 require 'base64'
-require 'digest/sha1'
+require 'openssl/digest'
 require 'mixlib/authentication'
 require 'mixlib/authentication/digester'
 
@@ -29,13 +29,21 @@ module Mixlib
     module SignedHeaderAuth
 
       NULL_ARG = Object.new
+
+      ALGORITHM_FOR_VERSION = {
+        '1.0' => 'sha1',
+        '1.1' => 'sha1',
+        '1.3' => 'sha256',
+      }.freeze()
+
+      # Use of SUPPORTED_ALGORITHMS and SUPPORTED_VERSIONS is deprecated. Use
+      # ALGORITHM_FOR_VERSION instead
       SUPPORTED_ALGORITHMS = ['sha1'].freeze
       SUPPORTED_VERSIONS = ['1.0', '1.1'].freeze
 
       DEFAULT_SIGN_ALGORITHM = 'sha1'.freeze
       DEFAULT_PROTO_VERSION = '1.0'.freeze
 
-
       # === signing_object
       # This is the intended interface for signing requests with the
       # Opscode/Chef signed header protocol. This wraps the constructor for a
@@ -65,11 +73,20 @@ module Mixlib
       # These parameters are accepted but not used in the computation of the signature.
       # * `:host`: The host part of the URI
       def self.signing_object(args={ })
-        SigningObject.new(args[:http_method], args[:path], args[:body], args[:host], args[:timestamp], args[:user_id], args[:file], args[:proto_version])
+        SigningObject.new(args[:http_method],
+                          args[:path],
+                          args[:body],
+                          args[:host],
+                          args[:timestamp],
+                          args[:user_id],
+                          args[:file],
+                          args[:proto_version],
+                          args[:headers]
+                         )
       end
 
       def algorithm
-        DEFAULT_SIGN_ALGORITHM
+        ALGORITHM_FOR_VERSION[proto_version] || DEFAULT_SIGN_ALGORITHM
       end
 
       def proto_version
@@ -81,28 +98,50 @@ module Mixlib
       # ====Parameters
       # private_key<OpenSSL::PKey::RSA>:: user's RSA private key.
       def sign(private_key, sign_algorithm=algorithm, sign_version=proto_version)
+        digest = validate_sign_version_digest!(sign_algorithm, sign_version)
         # Our multiline hash for authorization will be encoded in multiple header
         # lines - X-Ops-Authorization-1, ... (starts at 1, not 0!)
         header_hash = {
           "X-Ops-Sign" => "algorithm=#{sign_algorithm};version=#{sign_version};",
           "X-Ops-Userid" => user_id,
           "X-Ops-Timestamp" => canonical_time,
-          "X-Ops-Content-Hash" => hashed_body,
+          "X-Ops-Content-Hash" => hashed_body(digest),
         }
 
-        string_to_sign = canonicalize_request(sign_algorithm, sign_version)
-        signature = Base64.encode64(private_key.private_encrypt(string_to_sign)).chomp
+        signature = Base64.encode64(do_sign(private_key, digest, sign_algorithm, sign_version)).chomp
         signature_lines = signature.split(/\n/)
         signature_lines.each_index do |idx|
           key = "X-Ops-Authorization-#{idx + 1}"
           header_hash[key] = signature_lines[idx]
         end
 
-        Mixlib::Authentication::Log.debug "String to sign: '#{string_to_sign}'\nHeader hash: #{header_hash.inspect}"
+        Mixlib::Authentication::Log.debug "Header hash: #{header_hash.inspect}"
 
         header_hash
       end
 
+      def validate_sign_version_digest!(sign_algorithm, sign_version)
+        if ALGORITHM_FOR_VERSION[sign_version].nil?
+          raise AuthenticationError,
+            "Unsupported version '#{sign_version}'"
+        end
+
+        if ALGORITHM_FOR_VERSION[sign_version] != sign_algorithm
+          raise AuthenticationError,
+            "Unsupported algorithm #{sign_algorithm} for version '#{sign_version}'"
+        end
+
+        case sign_algorithm
+        when 'sha1'
+          OpenSSL::Digest::SHA1
+        when 'sha256'
+          OpenSSL::Digest::SHA256
+        else
+          # This case should never happen
+          raise "Unknown algorithm #{sign_algorithm}"
+        end
+      end
+
       # Build the canonicalized time based on utc & iso8601
       #
       # ====Parameters
@@ -121,13 +160,27 @@ module Mixlib
         p.length > 1 ? p.chomp('/') : p
       end
 
-      def hashed_body
+      def hashed_body(digest=OpenSSL::Digest::SHA1)
+        # This is weird. sign() is called with the digest type and signing
+        # version. These are also expected to be properties of the object.
+        # Hence, we're going to assume the one that is passed to sign is
+        # the correct one and needs to passed through all the functions
+        # that do any sort of digest.
+        if @hashed_body_digest != nil && @hashed_body_digest != digest
+          raise "hashed_body must always be called with the same digest"
+        else
+          @hashed_body_digest = digest
+        end
         # Hash the file object if it was passed in, otherwise hash based on
         # the body.
         # TODO: tim 2009-12-28: It'd be nice to just remove this special case,
         # always sign the entire request body, using the expanded multipart
         # body in the case of a file being include.
-        @hashed_body ||= (self.file && self.file.respond_to?(:read)) ? digester.hash_file(self.file) : digester.hash_string(self.body)
+        @hashed_body ||= if self.file && self.file.respond_to?(:read)
+                           digester.hash_file(digest, self.file)
+                         else
+                           digester.hash_string(digest, self.body)
+                         end
       end
 
       # Takes HTTP request method & headers and creates a canonical form
@@ -137,21 +190,37 @@ module Mixlib
       #
       #
       def canonicalize_request(sign_algorithm=algorithm, sign_version=proto_version)
-        unless SUPPORTED_ALGORITHMS.include?(sign_algorithm) && SUPPORTED_VERSIONS.include?(sign_version)
-          raise AuthenticationError, "Bad algorithm '#{sign_algorithm}' (allowed: #{SUPPORTED_ALGORITHMS.inspect}) or version '#{sign_version}' (allowed: #{SUPPORTED_VERSIONS.inspect})"
+        digest = validate_sign_version_digest!(sign_algorithm, sign_version)
+        canonical_x_ops_user_id = canonicalize_user_id(user_id, sign_version, digest)
+        case sign_version
+        when "1.3"
+          [
+            "Method:#{http_method.to_s.upcase}",
+            "Path:#{canonical_path}",
+            "X-Ops-Content-Hash:#{hashed_body(digest)}",
+            "X-Ops-Sign:version=#{sign_version}",
+            "X-Ops-Timestamp:#{canonical_time}",
+            "X-Ops-UserId:#{canonical_x_ops_user_id}",
+            "X-Ops-Server-API-Version:#{server_api_version}",
+          ].join("\n")
+        else
+          [
+            "Method:#{http_method.to_s.upcase}",
+            "Hashed Path:#{digester.hash_string(digest, canonical_path)}",
+            "X-Ops-Content-Hash:#{hashed_body(digest)}",
+            "X-Ops-Timestamp:#{canonical_time}",
+            "X-Ops-UserId:#{canonical_x_ops_user_id}"
+          ].join("\n")
         end
-
-        canonical_x_ops_user_id = canonicalize_user_id(user_id, sign_version)
-        "Method:#{http_method.to_s.upcase}\nHashed Path:#{digester.hash_string(canonical_path)}\nX-Ops-Content-Hash:#{hashed_body}\nX-Ops-Timestamp:#{canonical_time}\nX-Ops-UserId:#{canonical_x_ops_user_id}"
       end
 
-      def canonicalize_user_id(user_id, proto_version)
+      def canonicalize_user_id(user_id, proto_version, digest=OpenSSL::Digest::SHA1)
         case proto_version
         when "1.1"
-          digester.hash_string(user_id)
-        when "1.0"
-          user_id
+          # and 1.2 if that ever gets implemented
+          digester.hash_string(digest, user_id)
         else
+          # versions 1.0 and 1.3
           user_id
         end
       end
@@ -174,6 +243,18 @@ module Mixlib
         Mixlib::Authentication::Digester
       end
 
+      # private
+      def do_sign(private_key, digest, sign_algorithm, sign_version)
+        string_to_sign = canonicalize_request(sign_algorithm, sign_version)
+        Mixlib::Authentication::Log.debug "String to sign: '#{string_to_sign}'"
+        case sign_version
+        when '1.3'
+          private_key.sign(digest.new, string_to_sign)
+        else
+          private_key.private_encrypt(string_to_sign)
+        end
+      end
+
       private :canonical_time, :canonical_path, :parse_signing_description, :digester, :canonicalize_user_id
 
     end
@@ -182,13 +263,25 @@ module Mixlib
     # A Struct-based value object that contains the necessary information to
     # generate a request signature. `SignedHeaderAuth.signing_object()`
     # provides a more convenient interface to the constructor.
-    class SigningObject < Struct.new(:http_method, :path, :body, :host, :timestamp, :user_id, :file, :proto_version)
+    class SigningObject < Struct.new(:http_method, :path, :body, :host,
+                                     :timestamp, :user_id, :file, :proto_version,
+                                     :headers)
       include SignedHeaderAuth
 
       def proto_version
         (self[:proto_version] or DEFAULT_PROTO_VERSION).to_s
       end
-    end
 
+      def server_api_version
+        key = (self[:headers] || {}).keys.select do |k|
+          k.downcase == 'x-ops-server-api-version'
+        end.first
+        if key
+          self[:headers][key]
+        else
+          DEFAULT_SERVER_API_VERSION
+        end
+      end
+    end
   end
 end

data/lib/mixlib/authentication/version.rb

@@ -0,0 +1,21 @@
+# Copyright:: Copyright (c) 2010-2015 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+module Mixlib
+  module Authentication
+    VERSION = '1.4.0.rc.0'
+  end
+end

data/mixlib-authentication.gemspec

@@ -0,0 +1,25 @@
+$:.unshift(File.dirname(__FILE__) + '/lib')
+require 'mixlib/authentication/version'
+
+Gem::Specification.new do |s|
+  s.name = "mixlib-authentication"
+  s.version = Mixlib::Authentication::VERSION
+  s.platform = Gem::Platform::RUBY
+  s.has_rdoc = true
+  s.extra_rdoc_files = ["README.rdoc", "LICENSE", 'NOTICE']
+  s.summary = "Mixes in simple per-request authentication"
+  s.description = s.summary
+  s.author = "Opscode, Inc."
+  s.email = "info@opscode.com"
+  s.homepage = "http://www.opscode.com"
+
+  # Uncomment this to add a dependency
+  s.add_dependency "mixlib-log"
+
+  s.require_path = 'lib'
+  s.files = %w(LICENSE README.rdoc Gemfile Rakefile NOTICE) + Dir.glob("*.gemspec") +
+      Dir.glob("{lib,spec}/**/*", File::FNM_DOTMATCH).reject {|f| File.directory?(f) }
+
+  %w(rspec-core rspec-expectations rspec-mocks).each { |gem| s.add_dependency gem, "~> 3.2" }
+  s.add_development_dependency "rake", "~> 10.4"
+end

data/spec/mixlib/authentication/http_authentication_request_spec.rb

@@ -76,41 +76,41 @@ describe Mixlib::Authentication::HTTPAuthenticationRequest do
                 :x_ops_authorization_4=>"IWPZDHSiPcw//AYNgW1CCDptt+UFuaFYbtqZegcBd2n/jzcWODA7zL4KWEUy",
                 :x_ops_authorization_5=>"9q4rlh/+1tBReg60QdsmDRsw/cdO1GZrKtuCwbuD4+nbRdVBKv72rqHX9cu0",
                 :x_ops_authorization_6=>"utju9jzczCyB+sSAQWrxSsXB/b8vV2qs0l4VD2ML+w=="}
-    @http_authentication_request.headers.should == expected
+    expect(@http_authentication_request.headers).to eq(expected)
   end
 
   it "raises an error when not all required headers are given" do
     @merb_headers.delete("HTTP_X_OPS_SIGN")
     exception = Mixlib::Authentication::MissingAuthenticationHeader
-    lambda{ Mixlib::Authentication::HTTPAuthenticationRequest.new(@request) }.should raise_error(exception)
+    expect{ Mixlib::Authentication::HTTPAuthenticationRequest.new(@request) }.to raise_error(exception)
   end
 
   it "extracts the path from the request" do
-    @http_authentication_request.path.should == '/nodes'
+    expect(@http_authentication_request.path).to eq('/nodes')
   end
 
   it "extracts the request method from the request" do
-    @http_authentication_request.http_method.should == 'POST'
+    expect(@http_authentication_request.http_method).to eq('POST')
   end
 
   it "extracts the signing description from the request headers" do
-    @http_authentication_request.signing_description.should == 'version=1.0'
+    expect(@http_authentication_request.signing_description).to eq('version=1.0')
   end
 
   it "extracts the user_id from the request headers" do
-    @http_authentication_request.user_id.should == 'spec-user'
+    expect(@http_authentication_request.user_id).to eq('spec-user')
   end
 
   it "extracts the timestamp from the request headers" do
-    @http_authentication_request.timestamp.should == "2009-01-01T12:00:00Z"
+    expect(@http_authentication_request.timestamp).to eq("2009-01-01T12:00:00Z")
   end
 
   it "extracts the host from the request headers" do
-    @http_authentication_request.host.should == "127.0.0.1"
+    expect(@http_authentication_request.host).to eq("127.0.0.1")
   end
 
   it "extracts the content hash from the request headers" do
-    @http_authentication_request.content_hash.should == "DFteJZPVv6WKdQmMqZUQUumUyRs="
+    expect(@http_authentication_request.content_hash).to eq("DFteJZPVv6WKdQmMqZUQUumUyRs=")
   end
 
   it "rebuilds the request signature from the headers" do
@@ -122,7 +122,11 @@ IWPZDHSiPcw//AYNgW1CCDptt+UFuaFYbtqZegcBd2n/jzcWODA7zL4KWEUy
 9q4rlh/+1tBReg60QdsmDRsw/cdO1GZrKtuCwbuD4+nbRdVBKv72rqHX9cu0
 utju9jzczCyB+sSAQWrxSsXB/b8vV2qs0l4VD2ML+w==
 SIG
-    @http_authentication_request.request_signature.should == expected.chomp
+    expect(@http_authentication_request.request_signature).to eq(expected.chomp)
+  end
+
+  it "defaults to server api version 0" do
+    expect(@http_authentication_request.server_api_version).to eq('0')
   end
 
 end

data/spec/mixlib/authentication/mixlib_authentication_spec.rb

@@ -72,52 +72,65 @@ describe "Mixlib::Authentication::SignedHeaderAuth" do
 
   it "should generate the correct string to sign and signature, version 1.0 (default)" do
 
-    V1_0_SIGNING_OBJECT.canonicalize_request.should == V1_0_CANONICAL_REQUEST
+    expect(V1_0_SIGNING_OBJECT.canonicalize_request).to eq(V1_0_CANONICAL_REQUEST)
 
     # If you need to regenerate the constants in this test spec, print out
     # the results of res.inspect and copy them as appropriate into the
     # the constants in this file.
-    V1_0_SIGNING_OBJECT.sign(PRIVATE_KEY).should == EXPECTED_SIGN_RESULT_V1_0
+    expect(V1_0_SIGNING_OBJECT.sign(PRIVATE_KEY)).to eq(EXPECTED_SIGN_RESULT_V1_0)
   end
 
   it "should generate the correct string to sign and signature, version 1.1" do
-    V1_1_SIGNING_OBJECT.proto_version.should == "1.1"
-    V1_1_SIGNING_OBJECT.canonicalize_request.should == V1_1_CANONICAL_REQUEST
+    expect(V1_1_SIGNING_OBJECT.proto_version).to eq("1.1")
+    expect(V1_1_SIGNING_OBJECT.canonicalize_request).to eq(V1_1_CANONICAL_REQUEST)
 
     # If you need to regenerate the constants in this test spec, print out
     # the results of res.inspect and copy them as appropriate into the
     # the constants in this file.
-    V1_1_SIGNING_OBJECT.sign(PRIVATE_KEY).should == EXPECTED_SIGN_RESULT_V1_1
+    expect(V1_1_SIGNING_OBJECT.sign(PRIVATE_KEY)).to eq(EXPECTED_SIGN_RESULT_V1_1)
   end
 
+  it "should generate the correct string to sign and signature for version 1.3 with SHA256" do
+    expect(V1_3_SHA256_SIGNING_OBJECT.proto_version).to eq("1.3")
+    expect(V1_3_SHA256_SIGNING_OBJECT.algorithm).to eq("sha256")
+    expect(V1_3_SHA256_SIGNING_OBJECT.server_api_version).to eq("1")
+    expect(V1_3_SHA256_SIGNING_OBJECT.canonicalize_request).to eq(V1_3_SHA256_CANONICAL_REQUEST)
+
+    # If you need to regenerate the constants in this test spec, print out
+    # the results of res.inspect and copy them as appropriate into the
+    # the constants in this file.
+    expect(V1_3_SHA256_SIGNING_OBJECT.sign(PRIVATE_KEY)).to eq(EXPECTED_SIGN_RESULT_V1_3_SHA256)
+  end
+
+
   it "should generate the correct string to sign and signature for non-default proto version when used as a mixin" do
     algorithm = 'sha1'
     version = '1.1'
 
     V1_1_SIGNING_OBJECT.proto_version = "1.0"
-    V1_1_SIGNING_OBJECT.proto_version.should == "1.0"
-    V1_1_SIGNING_OBJECT.canonicalize_request(algorithm, version).should == V1_1_CANONICAL_REQUEST
+    expect(V1_1_SIGNING_OBJECT.proto_version).to eq("1.0")
+    expect(V1_1_SIGNING_OBJECT.canonicalize_request(algorithm, version)).to eq(V1_1_CANONICAL_REQUEST)
 
     # If you need to regenerate the constants in this test spec, print out
     # the results of res.inspect and copy them as appropriate into the
     # the constants in this file.
-    V1_1_SIGNING_OBJECT.sign(PRIVATE_KEY, algorithm, version).should == EXPECTED_SIGN_RESULT_V1_1
+    expect(V1_1_SIGNING_OBJECT.sign(PRIVATE_KEY, algorithm, version)).to eq(EXPECTED_SIGN_RESULT_V1_1)
   end
 
   it "should not choke when signing a request for a long user id with version 1.1" do
-    lambda { LONG_SIGNING_OBJECT.sign(PRIVATE_KEY, 'sha1', '1.1') }.should_not raise_error
+    expect { LONG_SIGNING_OBJECT.sign(PRIVATE_KEY, 'sha1', '1.1') }.not_to raise_error
   end
 
   it "should choke when signing a request for a long user id with version 1.0" do
-    lambda { LONG_SIGNING_OBJECT.sign(PRIVATE_KEY, 'sha1', '1.0') }.should raise_error
+    expect { LONG_SIGNING_OBJECT.sign(PRIVATE_KEY, 'sha1', '1.0') }.to raise_error(OpenSSL::PKey::RSAError)
   end
 
   it "should choke when signing a request with a bad version" do
-    lambda { V1_1_SIGNING_OBJECT.sign(PRIVATE_KEY, 'sha1', 'poo') }.should raise_error
+    expect { V1_1_SIGNING_OBJECT.sign(PRIVATE_KEY, 'sha1', 'poo') }.to raise_error(Mixlib::Authentication::AuthenticationError)
   end
 
   it "should choke when signing a request with a bad algorithm" do
-    lambda { V1_1_SIGNING_OBJECT.sign(PRIVATE_KEY, 'sha_poo', '1.1') }.should raise_error
+    expect { V1_1_SIGNING_OBJECT.sign(PRIVATE_KEY, 'sha_poo', '1.1') }.to raise_error(Mixlib::Authentication::AuthenticationError)
   end
 
 end
@@ -128,17 +141,30 @@ describe "Mixlib::Authentication::SignatureVerification" do
     @user_private_key = PRIVATE_KEY
   end
 
-  it "should authenticate a File-containing request - Merb" do
+  it "should authenticate a File-containing request V1.1 - Merb" do
     request_params = MERB_REQUEST_PARAMS.clone
     request_params["file"] =
       { "size"=>MockFile.length, "content_type"=>"application/octet-stream", "filename"=>"zsh.tar.gz", "tempfile"=>MockFile.new }
 
     mock_request = MockRequest.new(PATH, request_params, MERB_HEADERS_V1_1, "")
-    Time.should_receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
+    expect(Time).to receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
 
     service = Mixlib::Authentication::SignatureVerification.new
     res = service.authenticate_user_request(mock_request, @user_private_key)
-    res.should_not be_nil
+    expect(res).not_to be_nil
+  end
+
+  it "should authenticate a File-containing request V1.3 SHA256 - Merb" do
+    request_params = MERB_REQUEST_PARAMS.clone
+    request_params["file"] =
+      { "size"=>MockFile.length, "content_type"=>"application/octet-stream", "filename"=>"zsh.tar.gz", "tempfile"=>MockFile.new }
+
+    mock_request = MockRequest.new(PATH, request_params, MERB_HEADERS_V1_3_SHA256, "")
+    expect(Time).to receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
+
+    service = Mixlib::Authentication::SignatureVerification.new
+    res = service.authenticate_user_request(mock_request, @user_private_key)
+    expect(res).not_to be_nil
   end
 
   it "should authenticate a File-containing request from a v1.0 client - Passenger" do
@@ -146,29 +172,38 @@ describe "Mixlib::Authentication::SignatureVerification" do
     request_params["tarball"] = MockFile.new
 
     mock_request = MockRequest.new(PATH, request_params, PASSENGER_HEADERS_V1_0, "")
-    Time.should_receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
+    expect(Time).to receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
 
     auth_req = Mixlib::Authentication::SignatureVerification.new
     res = auth_req.authenticate_user_request(mock_request, @user_private_key)
-    res.should_not be_nil
+    expect(res).not_to be_nil
+  end
+
+  it "should authenticate a normal (post body) request v1.3 SHA256 - Merb" do
+    mock_request = MockRequest.new(PATH, MERB_REQUEST_PARAMS, MERB_HEADERS_V1_3_SHA256, BODY)
+    expect(Time).to receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
+
+    service = Mixlib::Authentication::SignatureVerification.new
+    res = service.authenticate_user_request(mock_request, @user_private_key)
+    expect(res).not_to be_nil
   end
 
-  it "should authenticate a normal (post body) request - Merb" do
+  it "should authenticate a normal (post body) request v1.1 - Merb" do
     mock_request = MockRequest.new(PATH, MERB_REQUEST_PARAMS, MERB_HEADERS_V1_1, BODY)
-    Time.should_receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
+    expect(Time).to receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
 
     service = Mixlib::Authentication::SignatureVerification.new
     res = service.authenticate_user_request(mock_request, @user_private_key)
-    res.should_not be_nil
+    expect(res).not_to be_nil
   end
 
   it "should authenticate a normal (post body) request from a v1.0 client - Merb" do
     mock_request = MockRequest.new(PATH, MERB_REQUEST_PARAMS, MERB_HEADERS_V1_0, BODY)
-    Time.should_receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
+    expect(Time).to receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
 
     service = Mixlib::Authentication::SignatureVerification.new
     res = service.authenticate_user_request(mock_request, @user_private_key)
-    res.should_not be_nil
+    expect(res).not_to be_nil
   end
 
   it "shouldn't authenticate if an Authorization header is missing" do
@@ -176,15 +211,16 @@ describe "Mixlib::Authentication::SignatureVerification" do
     headers.delete("HTTP_X_OPS_SIGN")
 
     mock_request = MockRequest.new(PATH, MERB_REQUEST_PARAMS, headers, BODY)
-    Time.stub!(:now).and_return(TIMESTAMP_OBJ)
+    allow(Time).to receive(:now).and_return(TIMESTAMP_OBJ)
+    #Time.stub!(:now).and_return(TIMESTAMP_OBJ)
 
     auth_req = Mixlib::Authentication::SignatureVerification.new
-    lambda {auth_req.authenticate_user_request(mock_request, @user_private_key)}.should raise_error(Mixlib::Authentication::AuthenticationError)
+    expect {auth_req.authenticate_user_request(mock_request, @user_private_key)}.to raise_error(Mixlib::Authentication::AuthenticationError)
 
-    auth_req.should_not be_a_valid_request
-    auth_req.should_not be_a_valid_timestamp
-    auth_req.should_not be_a_valid_signature
-    auth_req.should_not be_a_valid_content_hash
+    expect(auth_req).not_to be_a_valid_request
+    expect(auth_req).not_to be_a_valid_timestamp
+    expect(auth_req).not_to be_a_valid_signature
+    expect(auth_req).not_to be_a_valid_content_hash
   end
 
 
@@ -193,52 +229,67 @@ describe "Mixlib::Authentication::SignatureVerification" do
     headers["HTTP_X_OPS_CONTENT_HASH"] += "_"
 
     mock_request = MockRequest.new(PATH, MERB_REQUEST_PARAMS, headers, BODY)
-    Time.should_receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
+    expect(Time).to receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
 
     auth_req = Mixlib::Authentication::SignatureVerification.new
     res = auth_req.authenticate_user_request(mock_request, @user_private_key)
-    res.should be_nil
+    expect(res).to be_nil
 
-    auth_req.should_not be_a_valid_request
-    auth_req.should be_a_valid_timestamp
-    auth_req.should be_a_valid_signature
-    auth_req.should_not be_a_valid_content_hash
+    expect(auth_req).not_to be_a_valid_request
+    expect(auth_req).to be_a_valid_timestamp
+    expect(auth_req).to be_a_valid_signature
+    expect(auth_req).not_to be_a_valid_content_hash
   end
 
   it "shouldn't authenticate if the timestamp is not within bounds" do
     mock_request = MockRequest.new(PATH, MERB_REQUEST_PARAMS, MERB_HEADERS_V1_1, BODY)
-    Time.should_receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ - 1000)
+    expect(Time).to receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ - 1000)
 
     auth_req = Mixlib::Authentication::SignatureVerification.new
     res = auth_req.authenticate_user_request(mock_request, @user_private_key)
-    res.should be_nil
-    auth_req.should_not be_a_valid_request
-    auth_req.should_not be_a_valid_timestamp
-    auth_req.should be_a_valid_signature
-    auth_req.should be_a_valid_content_hash
+    expect(res).to be_nil
+    expect(auth_req).not_to be_a_valid_request
+    expect(auth_req).not_to be_a_valid_timestamp
+    expect(auth_req).to be_a_valid_signature
+    expect(auth_req).to be_a_valid_content_hash
   end
 
   it "shouldn't authenticate if the signature is wrong" do
     headers =  MERB_HEADERS_V1_1.dup
     headers["HTTP_X_OPS_AUTHORIZATION_1"] = "epicfail"
     mock_request = MockRequest.new(PATH, MERB_REQUEST_PARAMS, headers, BODY)
-    Time.should_receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
+    expect(Time).to receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
 
     auth_req = Mixlib::Authentication::SignatureVerification.new
     res = auth_req.authenticate_user_request(mock_request, @user_private_key)
-    res.should be_nil
-    auth_req.should_not be_a_valid_request
-    auth_req.should_not be_a_valid_signature
-    auth_req.should be_a_valid_timestamp
-    auth_req.should be_a_valid_content_hash
+    expect(res).to be_nil
+    expect(auth_req).not_to be_a_valid_request
+    expect(auth_req).not_to be_a_valid_signature
+    expect(auth_req).to be_a_valid_timestamp
+    expect(auth_req).to be_a_valid_content_hash
   end
 
+  it "shouldn't authenticate if the signature is wrong for v1.3 SHA256" do
+    headers =  MERB_HEADERS_V1_3_SHA256.dup
+    headers["HTTP_X_OPS_AUTHORIZATION_1"] = "epicfail"
+    mock_request = MockRequest.new(PATH, MERB_REQUEST_PARAMS, headers, BODY)
+    expect(Time).to receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
+
+    auth_req = Mixlib::Authentication::SignatureVerification.new
+    res = auth_req.authenticate_user_request(mock_request, @user_private_key)
+    expect(res).to be_nil
+    expect(auth_req).not_to be_a_valid_request
+    expect(auth_req).not_to be_a_valid_signature
+    expect(auth_req).to be_a_valid_timestamp
+    expect(auth_req).to be_a_valid_content_hash
+  end
 end
 
 USER_ID = "spec-user"
 DIGESTED_USER_ID = Base64.encode64(Digest::SHA1.new.digest(USER_ID)).chomp
 BODY = "Spec Body"
 HASHED_BODY = "DFteJZPVv6WKdQmMqZUQUumUyRs=" # Base64.encode64(Digest::SHA1.digest("Spec Body")).chomp
+HASHED_BODY_SHA256 = "hDlKNZhIhgso3Fs0S0pZwJ0xyBWtR1RBaeHs1DrzOho="
 TIMESTAMP_ISO8601 = "2009-01-01T12:00:00Z"
 TIMESTAMP_OBJ = Time.parse("Thu Jan 01 12:00:00 -0000 2009")
 PATH = "/organizations/clownco"
@@ -263,6 +314,20 @@ V1_1_ARGS = {
   :proto_version => 1.1
 }
 
+V1_3_ARGS_SHA256 = {
+  :body => BODY,
+  :user_id => USER_ID,
+  :http_method => :post,
+  :timestamp => TIMESTAMP_ISO8601,    # fixed timestamp so we get back the same answer each time.
+  :file => MockFile.new,
+  :path => PATH,
+  :proto_version => '1.3',
+  :headers => {
+    'X-OpS-SeRvEr-ApI-VerSiOn' => '1'
+  }
+  # This defaults to sha256
+}
+
 LONG_PATH_LONG_USER_ARGS = {
   :body => BODY,
   :user_id => "A" * 200,
@@ -276,6 +341,8 @@ REQUESTING_ACTOR_ID = "c0f8a68c52bffa1020222a56b23cccfa"
 
 # Content hash is ???TODO
 X_OPS_CONTENT_HASH = "DFteJZPVv6WKdQmMqZUQUumUyRs="
+X_OPS_CONTENT_HASH_SHA256 = "hDlKNZhIhgso3Fs0S0pZwJ0xyBWtR1RBaeHs1DrzOho="
+
 X_OPS_AUTHORIZATION_LINES_V1_0 = [
 "jVHrNniWzpbez/eGWjFnO6lINRIuKOg40ZTIQudcFe47Z9e/HvrszfVXlKG4",
 "NMzYZgyooSvU85qkIUmKuCqgG2AIlvYa2Q/2ctrMhoaHhLOCWWoqYNMaEqPc",
@@ -294,6 +361,14 @@ X_OPS_AUTHORIZATION_LINES = [
 "FDlbAG7H8Dmvo+wBxmtNkszhzbBnEYtuwQqT8nM/8A=="
 ]
 
+X_OPS_AUTHORIZATION_LINES_V1_3_SHA256 = [
+  "FZOmXAyOBAZQV/uw188iBljBJXOm+m8xQ/8KTGLkgGwZNcRFxk1m953XjE3W",
+  "VGy1dFT76KeaNWmPCNtDmprfH2na5UZFtfLIKrPv7xm80V+lzEzTd9WBwsfP",
+  "42dZ9N+V9I5SVfcL/lWrrlpdybfceJC5jOcP5tzfJXWUITwb6Z3Erg3DU3Uh",
+  "H9h9E0qWlYGqmiNCVrBnpe6Si1gU/Jl+rXlRSNbLJ4GlArAPuL976iTYJTzE",
+  "MmbLUIm3JRYi00Yb01IUCCKdI90vUq1HHNtlTEu93YZfQaJwRxXlGkCNwIJe",
+  "fy49QzaCIEu1XiOx5Jn+4GmkrZch/RrK9VzQWXgs+w=="
+]
 # We expect Mixlib::Authentication::SignedHeaderAuth#sign to return this
 # if passed the BODY above, based on version
 
@@ -323,6 +398,19 @@ EXPECTED_SIGN_RESULT_V1_1 = {
   "X-Ops-Timestamp"=>TIMESTAMP_ISO8601
 }
 
+EXPECTED_SIGN_RESULT_V1_3_SHA256 = {
+  "X-Ops-Content-Hash"=>X_OPS_CONTENT_HASH_SHA256,
+  "X-Ops-Userid"=>USER_ID,
+  "X-Ops-Sign"=>"algorithm=sha256;version=1.3;",
+  "X-Ops-Authorization-1"=>X_OPS_AUTHORIZATION_LINES_V1_3_SHA256[0],
+  "X-Ops-Authorization-2"=>X_OPS_AUTHORIZATION_LINES_V1_3_SHA256[1],
+  "X-Ops-Authorization-3"=>X_OPS_AUTHORIZATION_LINES_V1_3_SHA256[2],
+  "X-Ops-Authorization-4"=>X_OPS_AUTHORIZATION_LINES_V1_3_SHA256[3],
+  "X-Ops-Authorization-5"=>X_OPS_AUTHORIZATION_LINES_V1_3_SHA256[4],
+  "X-Ops-Authorization-6"=>X_OPS_AUTHORIZATION_LINES_V1_3_SHA256[5],
+  "X-Ops-Timestamp"=>TIMESTAMP_ISO8601
+}
+
 OTHER_HEADERS = {
   # An arbitrary sampling of non-HTTP_* headers are in here to
   # exercise that code path.
@@ -339,6 +427,23 @@ MERB_REQUEST_PARAMS = {
   "organization_id"=>"local-test-org", "requesting_actor_id"=>REQUESTING_ACTOR_ID,
 }
 
+MERB_HEADERS_V1_3_SHA256 = {
+  # These are used by signatureverification.
+  "HTTP_HOST"=>"127.0.0.1",
+  "HTTP_X_OPS_SIGN"=>"algorithm=sha256;version=1.3;",
+  "HTTP_X_OPS_REQUESTID"=>"127.0.0.1 1258566194.85386",
+  "HTTP_X_OPS_TIMESTAMP"=>TIMESTAMP_ISO8601,
+  "HTTP_X_OPS_CONTENT_HASH"=>X_OPS_CONTENT_HASH_SHA256,
+  "HTTP_X_OPS_USERID"=>USER_ID,
+  "HTTP_X_OPS_SERVER_API_VERSION"=>"1",
+  "HTTP_X_OPS_AUTHORIZATION_1"=>X_OPS_AUTHORIZATION_LINES_V1_3_SHA256[0],
+  "HTTP_X_OPS_AUTHORIZATION_2"=>X_OPS_AUTHORIZATION_LINES_V1_3_SHA256[1],
+  "HTTP_X_OPS_AUTHORIZATION_3"=>X_OPS_AUTHORIZATION_LINES_V1_3_SHA256[2],
+  "HTTP_X_OPS_AUTHORIZATION_4"=>X_OPS_AUTHORIZATION_LINES_V1_3_SHA256[3],
+  "HTTP_X_OPS_AUTHORIZATION_5"=>X_OPS_AUTHORIZATION_LINES_V1_3_SHA256[4],
+  "HTTP_X_OPS_AUTHORIZATION_6"=>X_OPS_AUTHORIZATION_LINES_V1_3_SHA256[5],
+}.merge(OTHER_HEADERS)
+
 # Tis is what will be in request.env for the Merb case.
 MERB_HEADERS_V1_1 = {
   # These are used by signatureverification.
@@ -477,6 +582,18 @@ X-Ops-UserId:#{DIGESTED_USER_ID}
 EOS
 V1_1_CANONICAL_REQUEST = V1_1_CANONICAL_REQUEST_DATA.chomp
 
+V1_3_SHA256_CANONICAL_REQUEST_DATA = <<EOS
+Method:POST
+Path:#{PATH}
+X-Ops-Content-Hash:#{HASHED_BODY_SHA256}
+X-Ops-Sign:version=1.3
+X-Ops-Timestamp:#{TIMESTAMP_ISO8601}
+X-Ops-UserId:#{USER_ID}
+X-Ops-Server-API-Version:1
+EOS
+V1_3_SHA256_CANONICAL_REQUEST = V1_3_SHA256_CANONICAL_REQUEST_DATA.chomp
+
+V1_3_SHA256_SIGNING_OBJECT = Mixlib::Authentication::SignedHeaderAuth.signing_object(V1_3_ARGS_SHA256)
 V1_1_SIGNING_OBJECT = Mixlib::Authentication::SignedHeaderAuth.signing_object(V1_1_ARGS)
 V1_0_SIGNING_OBJECT = Mixlib::Authentication::SignedHeaderAuth.signing_object(V1_0_ARGS)
 LONG_SIGNING_OBJECT = Mixlib::Authentication::SignedHeaderAuth.signing_object(LONG_PATH_LONG_USER_ARGS)

metadata

@@ -1,91 +1,131 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: mixlib-authentication
-version: !ruby/object:Gem::Version 
-  hash: 27
-  prerelease: 
-  segments: 
-  - 1
-  - 3
-  - 0
-  version: 1.3.0
+version: !ruby/object:Gem::Version
+  version: 1.4.0.rc.0
 platform: ruby
-authors: 
+authors:
 - Opscode, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2012-08-06 00:00:00 Z
-dependencies: 
-- !ruby/object:Gem::Dependency 
+date: 2015-12-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: mixlib-log
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
   prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+- !ruby/object:Gem::Dependency
+  name: rspec-expectations
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+- !ruby/object:Gem::Dependency
+  name: rspec-mocks
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
   type: :runtime
-  version_requirements: *id001
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.4'
 description: Mixes in simple per-request authentication
 email: info@opscode.com
 executables: []
-
 extensions: []
-
-extra_rdoc_files: 
+extra_rdoc_files:
 - README.rdoc
 - LICENSE
 - NOTICE
-files: 
+files:
+- Gemfile
 - LICENSE
+- NOTICE
 - README.rdoc
 - Rakefile
-- NOTICE
-- lib/mixlib/authentication/signedheaderauth.rb
+- lib/mixlib/authentication.rb
 - lib/mixlib/authentication/digester.rb
 - lib/mixlib/authentication/http_authentication_request.rb
 - lib/mixlib/authentication/signatureverification.rb
-- lib/mixlib/authentication.rb
-- spec/spec_helper.rb
-- spec/mixlib/authentication/mixlib_authentication_spec.rb
+- lib/mixlib/authentication/signedheaderauth.rb
+- lib/mixlib/authentication/version.rb
+- mixlib-authentication.gemspec
 - spec/mixlib/authentication/http_authentication_request_spec.rb
+- spec/mixlib/authentication/mixlib_authentication_spec.rb
+- spec/spec_helper.rb
 homepage: http://www.opscode.com
 licenses: []
-
+metadata: {}
 post_install_message: 
 rdoc_options: []
-
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">"
+    - !ruby/object:Gem::Version
+      version: 1.3.1
 requirements: []
-
 rubyforge_project: 
-rubygems_version: 1.8.15
+rubygems_version: 2.5.0
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: Mixes in simple per-request authentication
 test_files: []
-
+has_rdoc: true