mixlib-authentication 2.0.0 → 3.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 30042f8e3ac0f6ca2d793fa73556e19d41146554c6673788e2c0d7225e9f3584
-  data.tar.gz: bed096ad15f32dca36dddfe79deb4f7b9f54a8656849b68393ce900944f3cc5b
+  metadata.gz: ffd7c02d4d9d20fdf32da899c6409fc59caffea1183d4c0806b0c02a20054538
+  data.tar.gz: 5f30cd2c44cc6b8375d9a950f596e2b89031654d315a822088baca00c1300b49
 SHA512:
-  metadata.gz: f2bc4eff96e238290c9d3ec9cfc490b62372b9f4b0668dae56055f88844c8b8b971183000e4189d5ecfd8a4cc8b902aee753f103fecb839ad1bf9b33716d1840
-  data.tar.gz: 0a03fd4b0a2016b93b681ba5a174dcc49089bd2aab2c2601bad114970a0680fe091bd562a6de4a0918f24e52b3eb512159287a239fb0cf1654ca91c452e34a4f
+  metadata.gz: 288e2b5de5735c93ebfe885ec24ae267dc056bbdff205b8ff0a4ad94f7691598965db5051ffd853811574ada1aeb10775685b4a4a864a870aa08377def77a801
+  data.tar.gz: 1c49b5589da86a7fe73d0d0c9914a148f0c95a0ff4762a711224bfc7d1a47fb20f98c7a9c6ad2a3a0d45bb6c42a90e295f7d6b98a5a8af80a99c96aafe9ecdf5

data/lib/mixlib/authentication.rb

@@ -1,6 +1,6 @@
 #
-# Author:: Christopher Brown (<cb@opscode.com>)
-# Copyright:: Copyright (c) 2009 Opscode, Inc.
+# Author:: Christopher Brown (<cb@chef.io>)
+# Copyright:: Copyright (c) 2009-2018 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -18,7 +18,7 @@
 
 module Mixlib
   module Authentication
-    DEFAULT_SERVER_API_VERSION = "0"
+    DEFAULT_SERVER_API_VERSION = "0".freeze
 
     attr_accessor :logger
     module_function :logger, :logger=
@@ -36,7 +36,7 @@ module Mixlib
       require "mixlib/log"
       Mixlib::Authentication::Log.extend(Mixlib::Log)
     rescue LoadError
-      require "mixlib/authentication/null_logger"
+      require_relative "authentication/null_logger"
       Mixlib::Authentication::Log.extend(Mixlib::Authentication::NullLogger)
     end
 

data/lib/mixlib/authentication/digester.rb

@@ -1,6 +1,6 @@
 #
-# Author:: Christopher Brown (<cb@opscode.com>)
-# Copyright:: Copyright (c) 2009 Opscode, Inc.
+# Author:: Christopher Brown (<cb@chef.io>)
+# Copyright:: Copyright (c) 2009-2018 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,7 +16,7 @@
 # limitations under the License.
 #
 
-require "mixlib/authentication"
+require_relative "../authentication"
 require "openssl"
 
 module Mixlib

data/lib/mixlib/authentication/http_authentication_request.rb

@@ -1,6 +1,6 @@
 #
-# Author:: Daniel DeLeo (<dan@opscode.com>)
-# Copyright:: Copyright (c) 2010 Opscode, Inc.
+# Author:: Daniel DeLeo (<dan@chef.io>)
+# Copyright:: Copyright (c) 2010-2018 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,13 +16,13 @@
 # limitations under the License.
 #
 
-require "mixlib/authentication"
+require_relative "../authentication"
 
 module Mixlib
   module Authentication
     class HTTPAuthenticationRequest
 
-      MANDATORY_HEADERS = [:x_ops_sign, :x_ops_userid, :x_ops_timestamp, :host, :x_ops_content_hash]
+      MANDATORY_HEADERS = %i{x_ops_sign x_ops_userid x_ops_timestamp host x_ops_content_hash}.freeze
 
       attr_reader :request
 

data/lib/mixlib/authentication/signatureverification.rb

@@ -1,7 +1,7 @@
 #
-# Author:: Christopher Brown (<cb@opscode.com>)
-# Author:: Christopher Walters (<cw@opscode.com>)
-# Copyright:: Copyright (c) 2009, 2010 Opscode, Inc.
+# Author:: Christopher Brown (<cb@chef.io>)
+# Author:: Christopher Walters (<cw@chef.io>)
+# Copyright:: Copyright (c) 2009-2018 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -19,9 +19,9 @@
 
 require "net/http"
 require "forwardable"
-require "mixlib/authentication"
-require "mixlib/authentication/http_authentication_request"
-require "mixlib/authentication/signedheaderauth"
+require_relative "../authentication"
+require_relative "http_authentication_request"
+require_relative "signedheaderauth"
 
 module Mixlib
   module Authentication
@@ -203,7 +203,7 @@ module Mixlib
           # No file_param; we're running in Merb, or it's just not there..
           if file_param.nil?
             hash_param = request.params.values.find { |value| value.respond_to?(:has_key?) } # Hash responds to :has_key? .
-            if !hash_param.nil?
+            unless hash_param.nil?
               file_param = hash_param.values.find { |value| value.respond_to?(:read) } # File/Tempfile responds to :read.
             end
           end

data/lib/mixlib/authentication/signedheaderauth.rb

@@ -1,7 +1,7 @@
 #
-# Author:: Christopher Brown (<cb@opscode.com>)
-# Author:: Christopher Walters (<cw@opscode.com>)
-# Copyright:: Copyright (c) 2009, 2010 Opscode, Inc.
+# Author:: Christopher Brown (<cb@chef.io>)
+# Author:: Christopher Walters (<cw@chef.io>)
+# Copyright:: Copyright (c) 2009-2018 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -20,8 +20,8 @@
 require "time"
 require "base64"
 require "openssl/digest"
-require "mixlib/authentication"
-require "mixlib/authentication/digester"
+require_relative "../authentication"
+require_relative "digester"
 
 module Mixlib
   module Authentication
@@ -34,7 +34,7 @@ module Mixlib
         "1.0" => "sha1",
         "1.1" => "sha1",
         "1.3" => "sha256",
-      }.freeze()
+      }.freeze
 
       # Use of SUPPORTED_ALGORITHMS and SUPPORTED_VERSIONS is deprecated. Use
       # ALGORITHM_FOR_VERSION instead
@@ -74,15 +74,14 @@ module Mixlib
       # * `:host`: The host part of the URI
       def self.signing_object(args = {})
         SigningObject.new(args[:http_method],
-                          args[:path],
-                          args[:body],
-                          args[:host],
-                          args[:timestamp],
-                          args[:user_id],
-                          args[:file],
-                          args[:proto_version],
-                          args[:headers]
-                         )
+          args[:path],
+          args[:body],
+          args[:host],
+          args[:timestamp],
+          args[:user_id],
+          args[:file],
+          args[:proto_version],
+          args[:headers])
       end
 
       def algorithm
@@ -95,9 +94,28 @@ module Mixlib
 
       # Build the canonicalized request based on the method, other headers, etc.
       # compute the signature from the request, using the looked-up user secret
-      # ====Parameters
-      # private_key<OpenSSL::PKey::RSA>:: user's RSA private key.
-      def sign(private_key, sign_algorithm = algorithm, sign_version = proto_version)
+      #
+      # @param rsa_key [OpenSSL::PKey::RSA] User's RSA key. If `use_ssh_agent` is
+      #   true, this must have the public key portion populated. If `use_ssh_agent`
+      #   is false, this must have the private key portion populated.
+      # @param use_ssh_agent [Boolean] If true, use ssh-agent for request signing.
+      def sign(rsa_key, sign_algorithm = algorithm, sign_version = proto_version, **opts)
+        # Backwards compat stuff.
+        if sign_algorithm.is_a?(Hash)
+          # Was called like sign(key, sign_algorithm: 'foo', other: 'bar')
+          opts.update(sign_algorithm)
+          opts[:sign_algorithm] ||= algorithm
+          opts[:sign_version] ||= sign_version
+        else
+          # Was called like sign(key, 'foo', '1.3', other: 'bar')
+          Mixlib::Authentication.logger.warn("Using deprecated positional arguments for sign(), please update to keyword arguments (from #{caller[1][/^(.*:\d+):in /, 1]})") unless sign_algorithm == algorithm
+          opts[:sign_algorithm] ||= sign_algorithm
+          opts[:sign_version] ||= sign_version
+        end
+        sign_algorithm = opts[:sign_algorithm]
+        sign_version = opts[:sign_version]
+        use_ssh_agent = opts[:use_ssh_agent]
+
         digest = validate_sign_version_digest!(sign_algorithm, sign_version)
         # Our multiline hash for authorization will be encoded in multiple header
         # lines - X-Ops-Authorization-1, ... (starts at 1, not 0!)
@@ -108,7 +126,7 @@ module Mixlib
           "X-Ops-Content-Hash" => hashed_body(digest),
         }
 
-        signature = Base64.encode64(do_sign(private_key, digest, sign_algorithm, sign_version)).chomp
+        signature = Base64.encode64(do_sign(rsa_key, digest, sign_algorithm, sign_version, use_ssh_agent)).chomp
         signature_lines = signature.split(/\n/)
         signature_lines.each_index do |idx|
           key = "X-Ops-Authorization-#{idx + 1}"
@@ -156,7 +174,7 @@ module Mixlib
       # ====Parameters
       #
       def canonical_path
-        p = path.gsub(/\/+/, "/")
+        p = path.gsub(%r{/+}, "/")
         p.length > 1 ? p.chomp("/") : p
       end
 
@@ -172,6 +190,7 @@ module Mixlib
         else
           @hashed_body_digest = digest
         end
+
         # Hash the file object if it was passed in, otherwise hash based on
         # the body.
         # TODO: tim 2009-12-28: It'd be nice to just remove this special case,
@@ -244,18 +263,75 @@ module Mixlib
         Mixlib::Authentication::Digester
       end
 
-      # private
-      def do_sign(private_key, digest, sign_algorithm, sign_version)
+      # Low-level RSA signature implementation used in {#sign}.
+      #
+      # @api private
+      # @param rsa_key [OpenSSL::PKey::RSA] User's RSA key. If `use_ssh_agent` is
+      #   true, this must have the public key portion populated. If `use_ssh_agent`
+      #   is false, this must have the private key portion populated.
+      # @param digest [Class] Sublcass of OpenSSL::Digest to use while signing.
+      # @param sign_algorithm [String] Hash algorithm to use while signing.
+      # @param sign_version [String] Version number of the signing protocol to use.
+      # @param use_ssh_agent [Boolean] If true, use ssh-agent for request signing.
+      # @return [String]
+      def do_sign(rsa_key, digest, sign_algorithm, sign_version, use_ssh_agent)
         string_to_sign = canonicalize_request(sign_algorithm, sign_version)
         Mixlib::Authentication.logger.trace "String to sign: '#{string_to_sign}'"
         case sign_version
         when "1.3"
-          private_key.sign(digest.new, string_to_sign)
+          if use_ssh_agent
+            do_sign_ssh_agent(rsa_key, string_to_sign)
+          else
+            raise AuthenticationError, "RSA private key is required to sign requests, but a public key was provided" unless rsa_key.private?
+
+            rsa_key.sign(digest.new, string_to_sign)
+          end
         else
-          private_key.private_encrypt(string_to_sign)
+          raise AuthenticationError, "Agent signing mode requires signing protocol version 1.3 or newer" if use_ssh_agent
+          raise AuthenticationError, "RSA private key is required to sign requests, but a public key was provided" unless rsa_key.private?
+
+          rsa_key.private_encrypt(string_to_sign)
         end
       end
 
+      # Low-level signing logic for using ssh-agent. This requires the user has
+      # already set up ssh-agent and used ssh-add to load in a (possibly encrypted)
+      # RSA private key. ssh-agent supports keys other than RSA, however they
+      # are not supported as Chef's protocol explicitly requires RSA keys/sigs.
+      #
+      # @api private
+      # @param rsa_key [OpenSSL::PKey::RSA] User's RSA public key.
+      # @param string_to_sign [String] String data to sign with the requested key.
+      # @return [String]
+      def do_sign_ssh_agent(rsa_key, string_to_sign)
+        # First try loading net-ssh as it is an optional dependency.
+        begin
+          require "net/ssh"
+        rescue LoadError => e
+          # ???: Since agent mode is explicitly enabled, should we even catch
+          # this in the first place? Might be cleaner to let the LoadError bubble.
+          raise AuthenticationError, "net-ssh gem is not available, unable to use ssh-agent signing: #{e.message}"
+        end
+
+        # Try to connect to ssh-agent.
+        begin
+          agent = Net::SSH::Authentication::Agent.connect
+        rescue Net::SSH::Authentication::AgentNotAvailable => e
+          raise AuthenticationError, "Could not connect to ssh-agent. Make sure the SSH_AUTH_SOCK environment variable is set and ssh-agent is running: #{e.message}"
+        end
+
+        begin
+          ssh2_signature = agent.sign(rsa_key.public_key, string_to_sign, Net::SSH::Authentication::Agent::SSH_AGENT_RSA_SHA2_256)
+        rescue Net::SSH::Authentication::AgentError => e
+          raise AuthenticationError, "Unable to sign request with ssh-agent. Make sure your key is loaded with ssh-add: #{e.class.name} #{e.message})"
+        end
+
+        # extract signature from SSH Agent response => skip first 20 bytes for RSA keys
+        # "\x00\x00\x00\frsa-sha2-256\x00\x00\x01\x00"
+        # (see http://api.libssh.org/rfc/PROTOCOL.agent for details)
+        ssh2_signature[20..-1]
+      end
+
       private :canonical_time, :canonical_path, :parse_signing_description, :digester, :canonicalize_user_id
 
     end
@@ -265,25 +341,25 @@ module Mixlib
     # generate a request signature. `SignedHeaderAuth.signing_object()`
     # provides a more convenient interface to the constructor.
     SigningObject = Struct.new(:http_method, :path, :body, :host,
-                                     :timestamp, :user_id, :file, :proto_version,
-                                     :headers) do
+      :timestamp, :user_id, :file, :proto_version,
+      :headers) do
 
-      include SignedHeaderAuth
+        include SignedHeaderAuth
 
-      def proto_version
-        (self[:proto_version] || SignedHeaderAuth::DEFAULT_PROTO_VERSION).to_s
-      end
+        def proto_version
+          (self[:proto_version] || SignedHeaderAuth::DEFAULT_PROTO_VERSION).to_s
+        end
 
-      def server_api_version
-        key = (self[:headers] || {}).keys.select do |k|
-          k.casecmp("x-ops-server-api-version") == 0
-        end.first
-        if key
-          self[:headers][key]
-        else
-          DEFAULT_SERVER_API_VERSION
+        def server_api_version
+          key = (self[:headers] || {}).keys.select do |k|
+            k.casecmp("x-ops-server-api-version") == 0
+          end.first
+          if key
+            self[:headers][key]
+          else
+            DEFAULT_SERVER_API_VERSION
+          end
         end
       end
-    end
   end
 end

data/lib/mixlib/authentication/version.rb

@@ -1,4 +1,5 @@
-# Copyright:: Copyright (c) 2010-2015 Chef Software, Inc.
+#
+# Copyright:: Copyright (c) 2010-2019, Chef Software Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,6 +16,6 @@
 
 module Mixlib
   module Authentication
-    VERSION = "2.0.0"
+    VERSION = "3.0.6".freeze
   end
 end

metadata

@@ -1,96 +1,22 @@
 --- !ruby/object:Gem::Specification
 name: mixlib-authentication
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 3.0.6
 platform: ruby
 authors:
 - Chef Software, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-04-12 00:00:00.000000000 Z
-dependencies:
-- !ruby/object:Gem::Dependency
-  name: rspec-core
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.2'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.2'
-- !ruby/object:Gem::Dependency
-  name: rspec-expectations
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.2'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.2'
-- !ruby/object:Gem::Dependency
-  name: rspec-mocks
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.2'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.2'
-- !ruby/object:Gem::Dependency
-  name: chefstyle
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '11'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '11'
+date: 2019-12-30 00:00:00.000000000 Z
+dependencies: []
 description: Mixes in simple per-request authentication
 email: info@chef.io
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- Gemfile
 - LICENSE
-- NOTICE
-- README.md
-- Rakefile
 - lib/mixlib/authentication.rb
 - lib/mixlib/authentication/digester.rb
 - lib/mixlib/authentication/http_authentication_request.rb
@@ -98,13 +24,7 @@ files:
 - lib/mixlib/authentication/signatureverification.rb
 - lib/mixlib/authentication/signedheaderauth.rb
 - lib/mixlib/authentication/version.rb
-- mixlib-authentication.gemspec
-- spec/mixlib/authentication/digester_spec.rb
-- spec/mixlib/authentication/http_authentication_request_spec.rb
-- spec/mixlib/authentication/mixlib_authentication_spec.rb
-- spec/mixlib/authentication/mixlib_log_missing_spec.rb
-- spec/spec_helper.rb
-homepage: https://www.chef.io
+homepage: https://github.com/chef/mixlib-authentication
 licenses:
 - Apache-2.0
 metadata: {}
@@ -116,15 +36,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Mixes in simple per-request authentication