mixlib-authentication 1.1.0

data/LICENSE

@@ -0,0 +1,201 @@
+                              Apache License
+                        Version 2.0, January 2004
+                     http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+   "License" shall mean the terms and conditions for use, reproduction,
+   and distribution as defined by Sections 1 through 9 of this document.
+
+   "Licensor" shall mean the copyright owner or entity authorized by
+   the copyright owner that is granting the License.
+
+   "Legal Entity" shall mean the union of the acting entity and all
+   other entities that control, are controlled by, or are under common
+   control with that entity. For the purposes of this definition,
+   "control" means (i) the power, direct or indirect, to cause the
+   direction or management of such entity, whether by contract or
+   otherwise, or (ii) ownership of fifty percent (50%) or more of the
+   outstanding shares, or (iii) beneficial ownership of such entity.
+
+   "You" (or "Your") shall mean an individual or Legal Entity
+   exercising permissions granted by this License.
+
+   "Source" form shall mean the preferred form for making modifications,
+   including but not limited to software source code, documentation
+   source, and configuration files.
+
+   "Object" form shall mean any form resulting from mechanical
+   transformation or translation of a Source form, including but
+   not limited to compiled object code, generated documentation,
+   and conversions to other media types.
+
+   "Work" shall mean the work of authorship, whether in Source or
+   Object form, made available under the License, as indicated by a
+   copyright notice that is included in or attached to the work
+   (an example is provided in the Appendix below).
+
+   "Derivative Works" shall mean any work, whether in Source or Object
+   form, that is based on (or derived from) the Work and for which the
+   editorial revisions, annotations, elaborations, or other modifications
+   represent, as a whole, an original work of authorship. For the purposes
+   of this License, Derivative Works shall not include works that remain
+   separable from, or merely link (or bind by name) to the interfaces of,
+   the Work and Derivative Works thereof.
+
+   "Contribution" shall mean any work of authorship, including
+   the original version of the Work and any modifications or additions
+   to that Work or Derivative Works thereof, that is intentionally
+   submitted to Licensor for inclusion in the Work by the copyright owner
+   or by an individual or Legal Entity authorized to submit on behalf of
+   the copyright owner. For the purposes of this definition, "submitted"
+   means any form of electronic, verbal, or written communication sent
+   to the Licensor or its representatives, including but not limited to
+   communication on electronic mailing lists, source code control systems,
+   and issue tracking systems that are managed by, or on behalf of, the
+   Licensor for the purpose of discussing and improving the Work, but
+   excluding communication that is conspicuously marked or otherwise
+   designated in writing by the copyright owner as "Not a Contribution."
+
+   "Contributor" shall mean Licensor and any individual or Legal Entity
+   on behalf of whom a Contribution has been received by Licensor and
+   subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   copyright license to reproduce, prepare Derivative Works of,
+   publicly display, publicly perform, sublicense, and distribute the
+   Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   (except as stated in this section) patent license to make, have made,
+   use, offer to sell, sell, import, and otherwise transfer the Work,
+   where such license applies only to those patent claims licensable
+   by such Contributor that are necessarily infringed by their
+   Contribution(s) alone or by combination of their Contribution(s)
+   with the Work to which such Contribution(s) was submitted. If You
+   institute patent litigation against any entity (including a
+   cross-claim or counterclaim in a lawsuit) alleging that the Work
+   or a Contribution incorporated within the Work constitutes direct
+   or contributory patent infringement, then any patent licenses
+   granted to You under this License for that Work shall terminate
+   as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+   Work or Derivative Works thereof in any medium, with or without
+   modifications, and in Source or Object form, provided that You
+   meet the following conditions:
+
+   (a) You must give any other recipients of the Work or
+       Derivative Works a copy of this License; and
+
+   (b) You must cause any modified files to carry prominent notices
+       stating that You changed the files; and
+
+   (c) You must retain, in the Source form of any Derivative Works
+       that You distribute, all copyright, patent, trademark, and
+       attribution notices from the Source form of the Work,
+       excluding those notices that do not pertain to any part of
+       the Derivative Works; and
+
+   (d) If the Work includes a "NOTICE" text file as part of its
+       distribution, then any Derivative Works that You distribute must
+       include a readable copy of the attribution notices contained
+       within such NOTICE file, excluding those notices that do not
+       pertain to any part of the Derivative Works, in at least one
+       of the following places: within a NOTICE text file distributed
+       as part of the Derivative Works; within the Source form or
+       documentation, if provided along with the Derivative Works; or,
+       within a display generated by the Derivative Works, if and
+       wherever such third-party notices normally appear. The contents
+       of the NOTICE file are for informational purposes only and
+       do not modify the License. You may add Your own attribution
+       notices within Derivative Works that You distribute, alongside
+       or as an addendum to the NOTICE text from the Work, provided
+       that such additional attribution notices cannot be construed
+       as modifying the License.
+
+   You may add Your own copyright statement to Your modifications and
+   may provide additional or different license terms and conditions
+   for use, reproduction, or distribution of Your modifications, or
+   for any such Derivative Works as a whole, provided Your use,
+   reproduction, and distribution of the Work otherwise complies with
+   the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+   any Contribution intentionally submitted for inclusion in the Work
+   by You to the Licensor shall be under the terms and conditions of
+   this License, without any additional terms or conditions.
+   Notwithstanding the above, nothing herein shall supersede or modify
+   the terms of any separate license agreement you may have executed
+   with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+   names, trademarks, service marks, or product names of the Licensor,
+   except as required for reasonable and customary use in describing the
+   origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+   agreed to in writing, Licensor provides the Work (and each
+   Contributor provides its Contributions) on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied, including, without limitation, any warranties or conditions
+   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+   PARTICULAR PURPOSE. You are solely responsible for determining the
+   appropriateness of using or redistributing the Work and assume any
+   risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+   whether in tort (including negligence), contract, or otherwise,
+   unless required by applicable law (such as deliberate and grossly
+   negligent acts) or agreed to in writing, shall any Contributor be
+   liable to You for damages, including any direct, indirect, special,
+   incidental, or consequential damages of any character arising as a
+   result of this License or out of the use or inability to use the
+   Work (including but not limited to damages for loss of goodwill,
+   work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses), even if such Contributor
+   has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+   the Work or Derivative Works thereof, You may choose to offer,
+   and charge a fee for, acceptance of support, warranty, indemnity,
+   or other liability obligations and/or rights consistent with this
+   License. However, in accepting such obligations, You may act only
+   on Your own behalf and on Your sole responsibility, not on behalf
+   of any other Contributor, and only if You agree to indemnify,
+   defend, and hold each Contributor harmless for any liability
+   incurred by, or claims asserted against, such Contributor by reason
+   of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+   To apply the Apache License to your work, attach the following
+   boilerplate notice, with the fields enclosed by brackets "[]"
+   replaced with your own identifying information. (Don't include
+   the brackets!)  The text should be enclosed in the appropriate
+   comment syntax for the file format. We also recommend that a
+   file or class name and description of purpose be included on the
+   same "printed page" as the copyright notice for easier
+   identification within third-party archives.
+
+Copyright [yyyy] [name of copyright owner]
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/NOTICE

@@ -0,0 +1,7 @@
+Mixlib::Authentication NOTICE
+=================
+
+Developed at Opscode (http://www.opscode.com).
+
+ * Copyright 2009, Opscode, Inc. <legal@opscode.com>
+

data/README.rdoc

@@ -0,0 +1,23 @@
+== Mixlib::Authentication
+
+Mixlib::Authentication provides a class-based header signing authentication object, like the one used in Chef. 
+
+== License
+
+Author:: Christopher Brown (<cb@opscode.com>)
+Copyright:: Copyright (c) 2009 Opscode, Inc.
+License:: Apache License, Version 2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+

data/Rakefile

@@ -0,0 +1,64 @@
+require 'rubygems'
+require 'rake/gempackagetask'
+require 'rubygems/specification'
+require 'date'
+require 'spec/rake/spectask'
+
+GEM = "mixlib-authentication"
+GEM_VERSION = "1.1.0"
+AUTHOR = "Opscode, Inc."
+EMAIL = "info@opscode.com"
+HOMEPAGE = "http://www.opscode.com"
+SUMMARY = "Mixes in simple per-request authentication"
+
+spec = Gem::Specification.new do |s|
+  s.name = GEM
+  s.version = GEM_VERSION
+  s.platform = Gem::Platform::RUBY
+  s.has_rdoc = true
+  s.extra_rdoc_files = ["README.rdoc", "LICENSE", 'NOTICE']
+  s.summary = SUMMARY
+  s.description = s.summary
+  s.author = AUTHOR
+  s.email = EMAIL
+  s.homepage = HOMEPAGE
+  
+  # Uncomment this to add a dependency
+  s.add_dependency "mixlib-log"
+  
+  s.require_path = 'lib'
+  s.autorequire = GEM
+  s.files = %w(LICENSE README.rdoc Rakefile NOTICE) + Dir.glob("{lib,spec,features}/**/*")
+end
+
+task :default => :spec
+
+desc "Run specs"
+Spec::Rake::SpecTask.new do |t|
+  t.spec_files = FileList['spec/**/*_spec.rb']
+  t.spec_opts = %w(-fs --color)
+end
+
+Rake::GemPackageTask.new(spec) do |pkg|
+  pkg.gem_spec = spec
+end
+
+desc "install the gem locally"
+task :install => [:package] do
+  sh %{gem install pkg/#{GEM}-#{GEM_VERSION}}
+end
+
+desc "create a gemspec file"
+task :make_spec do
+  File.open("#{GEM}.gemspec", "w") do |file|
+    file.puts spec.to_ruby
+  end
+end
+
+desc "remove build files"
+task :clean do
+  sh %Q{ rm -f pkg/*.gem }
+end
+
+desc "Run the spec and features"
+task :test => [ :features, :spec ]

data/lib/mixlib/authentication.rb

@@ -0,0 +1,32 @@
+#
+# Author:: Christopher Brown (<cb@opscode.com>)
+# Copyright:: Copyright (c) 2009 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'mixlib/log'
+
+module Mixlib
+  module Authentication
+    class Log
+      extend  Mixlib::Log      
+    end
+    
+    Log.level = :error
+    
+  end
+end
+
+

data/lib/mixlib/authentication/digester.rb

@@ -0,0 +1,48 @@
+#
+# Author:: Christopher Brown (<cb@opscode.com>)
+# Copyright:: Copyright (c) 2009 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'mixlib/authentication'
+
+module Mixlib
+  module Authentication
+    class Digester
+      
+      class << self
+        
+        def hash_file(f)
+          digester = Digest::SHA1.new
+          buf = ""
+          while f.read(16384, buf)
+            digester.update buf
+          end
+          ::Base64.encode64(digester.digest).chomp
+        end
+
+        # Digests a string, base64's and chomps the end
+        # 
+        # ====Parameters
+        # 
+        def hash_string(str)
+          ::Base64.encode64(Digest::SHA1.digest(str)).chomp
+        end
+        
+      end
+      
+    end
+  end
+end

data/lib/mixlib/authentication/signatureverification.rb

@@ -0,0 +1,144 @@
+#
+# Author:: Christopher Brown (<cb@opscode.com>)
+# Author:: Christopher Walters (<cw@opscode.com>)
+# Copyright:: Copyright (c) 2009, 2010 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'ostruct'
+require 'net/http'
+require 'mixlib/authentication'
+require 'mixlib/authentication/signedheaderauth'
+
+module Mixlib
+  module Authentication
+    class SignatureVerification
+
+      include Mixlib::Authentication::SignedHeaderAuth
+      
+      attr_reader :hashed_body, :timestamp, :http_method, :path, :user_id
+
+      # Takes the request, boils down the pieces we are interested in,
+      # looks up the user, generates a signature, and compares to
+      # the signature in the request
+      # ====Headers
+      #
+      # X-Ops-Sign: algorithm=sha256;version=1.0;
+      # X-Ops-UserId: <user_id>
+      # X-Ops-Timestamp:
+      # X-Ops-Content-Hash: 
+      # X-Ops-Authorization-#{line_number}
+      def authenticate_user_request(request, user_lookup, time_skew=(15*60))
+        Mixlib::Authentication::Log.debug "Initializing header auth : #{request.inspect}"
+        
+        headers ||= request.env.inject({ }) { |memo, kv| memo[$2.gsub(/\-/,"_").downcase.to_sym] = kv[1] if kv[0] =~ /^(HTTP_)(.*)/; memo }
+        digester = Mixlib::Authentication::Digester
+
+        begin
+          @allowed_time_skew   = time_skew # in seconds
+          @http_method         = request.method.to_s
+          @path                = request.path.to_s
+          @signing_description = headers[:x_ops_sign].chomp
+          @user_id             = headers[:x_ops_userid].chomp
+          @timestamp           = headers[:x_ops_timestamp].chomp
+          @host                = headers[:host].chomp
+          @content_hash        = headers[:x_ops_content_hash].chomp
+          @user_secret         = user_lookup
+
+          # The authorization header is a Base64-encoded version of an RSA signature.
+          # The client sent it on multiple header lines, starting at index 1 - 
+          # X-Ops-Authorization-1, X-Ops-Authorization-2, etc. Pull them out and
+          # concatenate.
+
+          # if there are 11 headers, the sort breaks - it becomes lexicographic sort rather than numeric [cb]
+          @request_signature = headers.find_all { |h| h[0].to_s =~ /^x_ops_authorization_/ }.sort { |x,y| x.to_s <=> y.to_s}.map { |i| i[1] }.join("\n")
+          Mixlib::Authentication::Log.debug "Reconstituted request signature: #{@request_signature}"
+          
+          # Pull out any file that was attached to this request, using multipart
+          # form uploads.
+          # Depending on the server we're running in, multipart form uploads are
+          # handed to us differently. 
+          # - In Passenger (Cookbooks Community Site), the File is handed to us 
+          #   directly in the params hash. The name is whatever the client used, 
+          #   its value is therefore a File or Tempfile.
+          # - In Merb (Chef server), the File is wrapped. The original parameter 
+          #   name used for the file is passed in with a Hash value. Within the hash
+          #   is a name/value pair named 'file' which actually contains the Tempfile
+          #   instance.
+          file_param = request.params.values.find { |value| value.respond_to?(:read) }
+
+          # No file_param; we're running in Merb, or it's just not there..
+          if file_param.nil?
+            hash_param = request.params.values.find { |value| value.respond_to?(:has_key?) }  # Hash responds to :has_key? .
+            if !hash_param.nil?
+              file_param = hash_param.values.find { |value| value.respond_to?(:read) } # File/Tempfile responds to :read.
+            end
+          end
+
+          # Any file that's included in the request is hashed if it's there. Otherwise,
+          # we hash the body.
+          if file_param
+            Mixlib::Authentication::Log.debug "Digesting file_param: '#{file_param.inspect}'"
+            @hashed_body = digester.hash_file(file_param)
+          else
+            body = request.raw_post
+            Mixlib::Authentication::Log.debug "Digesting body: '#{body}'"
+            @hashed_body = digester.hash_string(body)
+          end
+          
+          Mixlib::Authentication::Log.debug "Authenticating user : #{user_id}, User secret is : #{@user_secret}, Request signature is :\n#{@request_signature}, Hashed Body is : #{@hashed_body}"
+          
+          #BUGBUG Not doing anything with the signing description yet [cb]          
+          parse_signing_description
+          candidate_block = canonicalize_request
+          request_decrypted_block = @user_secret.public_decrypt(Base64.decode64(@request_signature))
+          signatures_match = (request_decrypted_block == candidate_block)
+          timeskew_is_acceptable = timestamp_within_bounds?(Time.parse(timestamp), Time.now)
+          hashes_match = @content_hash == hashed_body
+        rescue StandardError=>se
+          raise StandardError,"Failed to authenticate user request.  Most likely missing a necessary header: #{se.message}", se.backtrace
+        end
+        
+        Mixlib::Authentication::Log.debug "Candidate Block is: '#{candidate_block}'\nRequest decrypted block is: '#{request_decrypted_block}'\nCandidate content hash is: #{hashed_body}\nRequest Content Hash is: '#{@content_hash}'\nSignatures match: #{signatures_match}, Allowed Time Skew: #{timeskew_is_acceptable}, Hashes match?: #{hashes_match}\n"
+        
+        if signatures_match and timeskew_is_acceptable and hashes_match
+          OpenStruct.new(:name=>user_id)
+        else
+          nil
+        end
+      end
+      
+      private
+      
+      # Compare the request timestamp with boundary time
+      # 
+      # 
+      # ====Parameters
+      # time1<Time>:: minuend
+      # time2<Time>:: subtrahend
+      #
+      def timestamp_within_bounds?(time1, time2)
+        time_diff = (time2-time1).abs
+        is_allowed = (time_diff < @allowed_time_skew)
+        Mixlib::Authentication::Log.debug "Request time difference: #{time_diff}, within #{@allowed_time_skew} seconds? : #{!!is_allowed}"
+        is_allowed      
+      end
+    end
+
+
+  end
+end
+
+

data/lib/mixlib/authentication/signedheaderauth.rb

@@ -0,0 +1,121 @@
+#
+# Author:: Christopher Brown (<cb@opscode.com>)
+# Author:: Christopher Walters (<cw@opscode.com>)
+# Copyright:: Copyright (c) 2009, 2010 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'time'
+require 'base64'
+require 'ostruct'
+require 'digest/sha1'
+require 'mixlib/authentication'
+require 'mixlib/authentication/digester'
+
+module Mixlib
+  module Authentication
+    module SignedHeaderAuth
+      
+      SIGNING_DESCRIPTION = 'version=1.0'
+
+      # This is a module meant to be mixed in but can be used standalone
+      # with the simple OpenStruct extended with the auth functions
+      class << self
+        def signing_object(args={ })
+          OpenStruct.new(args).extend SignedHeaderAuth
+        end
+      end
+
+      # Build the canonicalized request based on the method, other headers, etc.
+      # compute the signature from the request, using the looked-up user secret
+      # ====Parameters
+      # private_key<OpenSSL::PKey::RSA>:: user's RSA private key.
+      def sign(private_key)
+        # Our multiline hash for authorization will be encoded in multiple header
+        # lines - X-Ops-Authorization-1, ... (starts at 1, not 0!)
+        header_hash = {
+          "X-Ops-Sign" => SIGNING_DESCRIPTION,
+          "X-Ops-Userid" => user_id,
+          "X-Ops-Timestamp" => canonical_time,
+          "X-Ops-Content-Hash" => hashed_body,
+        }
+
+        string_to_sign = canonicalize_request
+        signature = Base64.encode64(private_key.private_encrypt(string_to_sign)).chomp
+        signature_lines = signature.split(/\n/)
+        signature_lines.each_index do |idx|
+          key = "X-Ops-Authorization-#{idx + 1}"
+          header_hash[key] = signature_lines[idx]
+        end
+        
+        Mixlib::Authentication::Log.debug "String to sign: '#{string_to_sign}'\nHeader hash: #{header_hash.inspect}"
+        
+        header_hash
+      end
+      
+      # Build the canonicalized time based on utc & iso8601
+      # 
+      # ====Parameters
+      # 
+      def canonical_time
+        Time.parse(timestamp).utc.iso8601
+      end
+      
+      # Build the canonicalized path, which collapses multiple slashes (/) and
+      # removes a trailing slash unless the path is only "/"
+      # 
+      # ====Parameters
+      # 
+      def canonical_path
+        p = path.gsub(/\/+/,'/')
+        p.length > 1 ? p.chomp('/') : p
+      end
+      
+      def hashed_body
+        @hashed_body ||= self.file ? digester.hash_file(self.file) : digester.hash_string(self.body)
+      end
+      
+      # Takes HTTP request method & headers and creates a canonical form
+      # to create the signature
+      # 
+      # ====Parameters
+      # 
+      # 
+      def canonicalize_request
+        "Method:#{http_method.to_s.upcase}\nHashed Path:#{digester.hash_string(canonical_path)}\nX-Ops-Content-Hash:#{hashed_body}\nX-Ops-Timestamp:#{canonical_time}\nX-Ops-UserId:#{user_id}"
+      end
+      
+      # Parses signature version information, algorithm used, etc.
+      #
+      # ====Parameters
+      #
+      def parse_signing_description
+        parts = @signing_description.strip.split(";").inject({ }) do |memo, part|
+          field_name, field_value = part.split("=")
+          memo[field_name.to_sym] = field_value.strip
+          memo
+        end
+        Mixlib::Authentication::Log.debug "Parsed signing description: #{parts.inspect}"
+      end
+      
+      def digester
+        Mixlib::Authentication::Digester
+      end
+      
+      private :canonical_time, :canonical_path, :parse_signing_description, :digester
+      
+    end
+  end
+end

data/spec/mixlib/authentication/mixlib_authentication_spec.rb

@@ -0,0 +1,317 @@
+#
+# Author:: Tim Hinderliter (<tim@opscode.com>)
+# Author:: Christopher Walters (<cw@opscode.com>)
+# Copyright:: Copyright (c) 2009, 2010 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+$:.unshift File.expand_path(File.join(File.dirname(__FILE__), "..", "..", "..", "lib")) # lib in mixlib-authentication
+$:.unshift File.expand_path(File.join(File.dirname(__FILE__), "..", "..", "..", "..", "mixlib-log", "lib")) # mixlib-log/log
+
+require 'rubygems'
+
+require 'ostruct'
+require 'openssl'
+require 'mixlib/authentication/signatureverification'
+require 'time'
+
+# TODO: should make these regular spec-based mock objects.
+class MockRequest
+  attr_accessor :env, :params, :path, :raw_post
+
+  def initialize(path, params, headers, raw_post)
+    @path = path
+    @params = params
+    @env = headers
+    @raw_post = raw_post
+  end
+
+  def method
+    "POST"
+  end
+end
+
+class MockFile
+  def initialize
+    @have_read = nil
+  end
+
+  def self.length
+    BODY.length
+  end
+
+  def read(len, out_str)
+    if @have_read.nil?
+      @have_read = 1
+      out_str[0..-1] = BODY
+      BODY
+    else
+      nil
+    end
+  end
+end
+
+# Uncomment this to get some more info from the methods we're testing.
+#Mixlib::Authentication::Log.level :debug
+
+describe "Mixlib::Authentication::SignedHeaderAuth" do
+  it "should generate the correct string to sign and signature" do
+    # fix the timestamp, private key and body so we get the same answer back
+    # every time.
+    args = {
+      :body => BODY, 
+      :user_id => USER_ID,
+      :http_method => :post,
+      :timestamp => TIMESTAMP_ISO8601,    # fixed timestamp so we get back the same answer each time.
+      :file => MockFile.new,
+      :path => PATH,
+    }
+
+    private_key = OpenSSL::PKey::RSA.new(PRIVATE_KEY)
+      
+    signing_obj = Mixlib::Authentication::SignedHeaderAuth.signing_object(args)
+    
+    expected_string_to_sign = <<EOS
+Method:POST
+Hashed Path:#{HASHED_CANONICAL_PATH}
+X-Ops-Content-Hash:#{HASHED_BODY}
+X-Ops-Timestamp:#{TIMESTAMP_ISO8601}
+X-Ops-UserId:#{USER_ID}
+EOS
+    signing_obj.canonicalize_request.should == expected_string_to_sign.chomp
+
+    # If you need to regenerate the constants in this test spec, print out
+    # the results of res.inspect and copy them as appropriate into the 
+    # the constants in this file.
+    res = signing_obj.sign(private_key)
+    #$stderr.puts "res.inspect = #{res.inspect}"
+    res.should == EXPECTED_SIGN_RESULT
+  end
+
+  it "should not choke when signing a request for a resource with a long name" do
+    args = {
+      :body => BODY, 
+      :user_id => USER_ID,
+      :http_method => :put,
+      :timestamp => TIMESTAMP_ISO8601,    # fixed timestamp so we get back the same answer each time.
+      :file => MockFile.new,
+      :path => PATH + "/nodes/#{"A" * 100}"}
+
+    private_key = OpenSSL::PKey::RSA.new(PRIVATE_KEY)
+      
+    signing_obj = Mixlib::Authentication::SignedHeaderAuth.signing_object(args)
+    
+    lambda { signing_obj.sign(private_key) }.should_not raise_error
+  end
+end
+
+describe "Mixlib::Authentication::SignatureVerification" do
+  
+  before(:each) do
+    @user_private_key = OpenSSL::PKey::RSA.new(PRIVATE_KEY)
+  end
+
+  it "should authenticate a File-containing request - Merb" do
+    request_params = MERB_REQUEST_PARAMS.clone
+    request_params["file"] =
+      { "size"=>MockFile.length, "content_type"=>"application/octet-stream", "filename"=>"zsh.tar.gz", "tempfile"=>MockFile.new }
+
+    mock_request = MockRequest.new(PATH, request_params, MERB_HEADERS, "")
+    Time.should_receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
+
+    service = Mixlib::Authentication::SignatureVerification.new
+    res = service.authenticate_user_request(mock_request, @user_private_key)
+    res.should_not be_nil
+  end
+
+  it "should authenticate a normal (post body) request - Merb" do
+    mock_request = MockRequest.new(PATH, MERB_REQUEST_PARAMS, MERB_HEADERS, BODY)
+    Time.should_receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
+
+    service = Mixlib::Authentication::SignatureVerification.new
+    res = service.authenticate_user_request(mock_request, @user_private_key)
+    res.should_not be_nil
+  end
+
+  it "should authenticate a File-containing request - Passenger" do
+    request_params = PASSENGER_REQUEST_PARAMS.clone
+    request_params["tarball"] = MockFile.new
+
+    mock_request = MockRequest.new(PATH, request_params, PASSENGER_HEADERS, "")
+    Time.should_receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
+
+    service = Mixlib::Authentication::SignatureVerification.new
+    res = service.authenticate_user_request(mock_request, @user_private_key)
+    res.should_not be_nil
+  end
+
+  it "shouldn't authenticate if Authorization header is wrong" do
+    headers = MERB_HEADERS.clone
+    headers["HTTP_X_OPS_CONTENT_HASH"] += "_"
+
+    mock_request = MockRequest.new(PATH, MERB_REQUEST_PARAMS, headers, BODY)
+    Time.should_receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
+
+    service = Mixlib::Authentication::SignatureVerification.new
+    res = service.authenticate_user_request(mock_request, @user_private_key)
+    res.should be_nil
+  end
+
+end
+
+USER_ID = "spec-user"
+BODY = "Spec Body"
+HASHED_BODY = "DFteJZPVv6WKdQmMqZUQUumUyRs=" # Base64.encode64(Digest::SHA1.digest("Spec Body")).chomp
+TIMESTAMP_ISO8601 = "2009-01-01T12:00:00Z"
+TIMESTAMP_OBJ = Time.parse("Thu Jan 01 12:00:00 -0000 2009")
+PATH = "/organizations/clownco"
+HASHED_CANONICAL_PATH = "YtBWDn1blGGuFIuKksdwXzHU9oE=" # Base64.encode64(Digest::SHA1.digest("/organizations/clownco")).chomp
+
+REQUESTING_ACTOR_ID = "c0f8a68c52bffa1020222a56b23cccfa"
+
+# Content hash is ???TODO
+X_OPS_CONTENT_HASH = "DFteJZPVv6WKdQmMqZUQUumUyRs="
+X_OPS_AUTHORIZATION_LINES = [
+  "jVHrNniWzpbez/eGWjFnO6lINRIuKOg40ZTIQudcFe47Z9e/HvrszfVXlKG4",
+  "NMzYZgyooSvU85qkIUmKuCqgG2AIlvYa2Q/2ctrMhoaHhLOCWWoqYNMaEqPc",
+  "3tKHE+CfvP+WuPdWk4jv4wpIkAz6ZLxToxcGhXmZbXpk56YTmqgBW2cbbw4O",
+  "IWPZDHSiPcw//AYNgW1CCDptt+UFuaFYbtqZegcBd2n/jzcWODA7zL4KWEUy",
+  "9q4rlh/+1tBReg60QdsmDRsw/cdO1GZrKtuCwbuD4+nbRdVBKv72rqHX9cu0",
+  "utju9jzczCyB+sSAQWrxSsXB/b8vV2qs0l4VD2ML+w=="
+]
+
+# We expect Mixlib::Authentication::SignedHeaderAuth#sign to return this
+# if passed the BODY above.
+EXPECTED_SIGN_RESULT = {
+  "X-Ops-Content-Hash"=>X_OPS_CONTENT_HASH,
+  "X-Ops-Userid"=>USER_ID,
+  "X-Ops-Sign"=>"version=1.0",
+  "X-Ops-Authorization-1"=>X_OPS_AUTHORIZATION_LINES[0],
+  "X-Ops-Authorization-2"=>X_OPS_AUTHORIZATION_LINES[1],
+  "X-Ops-Authorization-3"=>X_OPS_AUTHORIZATION_LINES[2],
+  "X-Ops-Authorization-4"=>X_OPS_AUTHORIZATION_LINES[3],
+  "X-Ops-Authorization-5"=>X_OPS_AUTHORIZATION_LINES[4],
+  "X-Ops-Authorization-6"=>X_OPS_AUTHORIZATION_LINES[5],
+  "X-Ops-Timestamp"=>TIMESTAMP_ISO8601
+}
+
+# This is what will be in request.params for the Merb case.
+MERB_REQUEST_PARAMS = {
+  "name"=>"zsh", "action"=>"create", "controller"=>"chef_server_api/cookbooks", 
+  "organization_id"=>"local-test-org", "requesting_actor_id"=>REQUESTING_ACTOR_ID,
+}
+
+# Tis is what will be in request.env for the Merb case.
+MERB_HEADERS = {
+  # These are used by signatureverification. An arbitrary sampling of non-HTTP_*
+  # headers are in here to exercise that code path.
+  "HTTP_HOST"=>"127.0.0.1", 
+  "HTTP_X_OPS_SIGN"=>"version=1.0",
+  "HTTP_X_OPS_REQUESTID"=>"127.0.0.1 1258566194.85386", 
+  "HTTP_X_OPS_TIMESTAMP"=>TIMESTAMP_ISO8601, 
+  "HTTP_X_OPS_CONTENT_HASH"=>X_OPS_CONTENT_HASH, 
+  "HTTP_X_OPS_USERID"=>USER_ID, 
+  "HTTP_X_OPS_AUTHORIZATION_1"=>X_OPS_AUTHORIZATION_LINES[0], 
+  "HTTP_X_OPS_AUTHORIZATION_2"=>X_OPS_AUTHORIZATION_LINES[1], 
+  "HTTP_X_OPS_AUTHORIZATION_3"=>X_OPS_AUTHORIZATION_LINES[2], 
+  "HTTP_X_OPS_AUTHORIZATION_4"=>X_OPS_AUTHORIZATION_LINES[3], 
+  "HTTP_X_OPS_AUTHORIZATION_5"=>X_OPS_AUTHORIZATION_LINES[4], 
+  "HTTP_X_OPS_AUTHORIZATION_6"=>X_OPS_AUTHORIZATION_LINES[5], 
+
+  # Random sampling
+  "REMOTE_ADDR"=>"127.0.0.1", 
+  "PATH_INFO"=>"/organizations/local-test-org/cookbooks", 
+  "REQUEST_PATH"=>"/organizations/local-test-org/cookbooks", 
+  "CONTENT_TYPE"=>"multipart/form-data; boundary=----RubyMultipartClient6792ZZZZZ",
+  "CONTENT_LENGTH"=>"394", 
+}
+
+PASSENGER_REQUEST_PARAMS = {
+  "action"=>"create",
+  #"tarball"=>#<File:/tmp/RackMultipart20091120-25570-mgq2sa-0>,
+  "controller"=>"api/v1/cookbooks",
+  "cookbook"=>"{\"category\":\"databases\"}",
+}
+
+PASSENGER_HEADERS = {
+  # These are used by signatureverification. An arbitrary sampling of non-HTTP_*
+  # headers are in here to exercise that code path.
+  "HTTP_HOST"=>"127.0.0.1", 
+  "HTTP_X_OPS_SIGN"=>"version=1.0",
+  "HTTP_X_OPS_REQUESTID"=>"127.0.0.1 1258566194.85386", 
+  "HTTP_X_OPS_TIMESTAMP"=>TIMESTAMP_ISO8601, 
+  "HTTP_X_OPS_CONTENT_HASH"=>X_OPS_CONTENT_HASH, 
+  "HTTP_X_OPS_USERID"=>USER_ID, 
+  "HTTP_X_OPS_AUTHORIZATION_1"=>X_OPS_AUTHORIZATION_LINES[0], 
+  "HTTP_X_OPS_AUTHORIZATION_2"=>X_OPS_AUTHORIZATION_LINES[1], 
+  "HTTP_X_OPS_AUTHORIZATION_3"=>X_OPS_AUTHORIZATION_LINES[2], 
+  "HTTP_X_OPS_AUTHORIZATION_4"=>X_OPS_AUTHORIZATION_LINES[3], 
+  "HTTP_X_OPS_AUTHORIZATION_5"=>X_OPS_AUTHORIZATION_LINES[4], 
+  "HTTP_X_OPS_AUTHORIZATION_6"=>X_OPS_AUTHORIZATION_LINES[5], 
+
+  # Random set of other headers to exercirse the non- HTTP_ code path
+  "HTTP_ACCEPT"=>"application/json",
+  "SERVER_SOFTWARE"=>"Apache",
+  "SCRIPT_URI"=>"http://com-stg.opscode.com/api/v1/cookbooks",
+  "SCRIPT_NAME"=>"",
+  "SERVER_ADDR"=>"10.242.197.174",
+  "SERVER_NAME"=>"com-stg.opscode.com",
+  "DOCUMENT_ROOT"=>"/srv/opscode-community/current/public",
+}
+
+# generated with
+#   openssl genrsa -out private.pem 2048
+#   openssl rsa -in private.pem -out public.pem -pubout
+PUBLIC_KEY = <<EOS
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ueqo76MXuP6XqZBILFz
+iH/9AI7C6PaN5W0dSvkr9yInyGHSz/IR1+4tqvP2qlfKVKI4CP6BFH251Ft9qMUB
+uAsnlAVQ1z0exDtIFFOyQCdR7iXmjBIWMSS4buBwRQXwDK7id1OxtU23qVJv+xwE
+V0IzaaSJmaGLIbvRBD+qatfUuQJBMU/04DdJIwvLtZBYdC2219m5dUBQaa4bimL+
+YN9EcsDzD9h9UxQo5ReK7b3cNMzJBKJWLzFBcJuePMzAnLFktr/RufX4wpXe6XJx
+oVPaHo72GorLkwnQ0HYMTY8rehT4mDi1FI969LHCFFaFHSAaRnwdXaQkJmSfcxzC
+YQIDAQAB
+-----END PUBLIC KEY-----
+EOS
+
+PRIVATE_KEY = <<EOS
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA0ueqo76MXuP6XqZBILFziH/9AI7C6PaN5W0dSvkr9yInyGHS
+z/IR1+4tqvP2qlfKVKI4CP6BFH251Ft9qMUBuAsnlAVQ1z0exDtIFFOyQCdR7iXm
+jBIWMSS4buBwRQXwDK7id1OxtU23qVJv+xwEV0IzaaSJmaGLIbvRBD+qatfUuQJB
+MU/04DdJIwvLtZBYdC2219m5dUBQaa4bimL+YN9EcsDzD9h9UxQo5ReK7b3cNMzJ
+BKJWLzFBcJuePMzAnLFktr/RufX4wpXe6XJxoVPaHo72GorLkwnQ0HYMTY8rehT4
+mDi1FI969LHCFFaFHSAaRnwdXaQkJmSfcxzCYQIDAQABAoIBAQCW3I4sKN5B9jOe
+xq/pkeWBq4OvhW8Ys1yW0zFT8t6nHbB1XrwscQygd8gE9BPqj3e0iIEqtdphbPmj
+VHqTYbC0FI6QDClifV7noTwTBjeIOlgZ0NSUN0/WgVzIOxUz2mZ2vBZUovKILPqG
+TOi7J7RXMoySMdcXpP1f+PgvYNcnKsT72UcWaSXEV8/zo+Zm/qdGPVWwJonri5Mp
+DVm5EQSENBiRyt028rU6ElXORNmoQpVjDVqZ1gipzXkifdjGyENw2rt4V/iKYD7V
+5iqXOsvP6Cemf4gbrjunAgDG08S00kiUgvVWcdXW+dlsR2nCvH4DOEe3AYYh/aH8
+DxEE7FbtAoGBAPcNO8fJ56mNw0ow4Qg38C+Zss/afhBOCfX4O/SZKv/roRn5+gRM
+KRJYSVXNnsjPI1plzqR4OCyOrjAhtuvL4a0DinDzf1+fiztyNohwYsW1vYmqn3ti
+EN0GhSgE7ppZjqvLQ3f3LUTxynhA0U+k9wflb4irIlViTUlCsOPkrNJDAoGBANqL
+Q+vvuGSsmRLU/Cenjy+Mjj6+QENg51dz34o8JKuVKIPKU8pNnyeLa5fat0qD2MHm
+OB9opeQOcw0dStodxr6DB3wi83bpjeU6BWUGITNiWEaZEBrQ0aiqNJJKrrHm8fAZ
+9o4l4oHc4hI0kYVYYDuxtKuVJrzZiEapTwoOcYiLAoGBAI/EWbeIHZIj9zOjgjEA
+LHvm25HtulLOtyk2jd1njQhlHNk7CW2azIPqcLLH99EwCYi/miNH+pijZ2aHGCXb
+/bZrSxM0ADmrZKDxdB6uGCyp+GS2sBxjEyEsfCyvwhJ8b3Q100tqwiNO+d5FCglp
+HICx2dgUjuRVUliBwOK93nx1AoGAUI8RhIEjOYkeDAESyhNMBr0LGjnLOosX+/as
+qiotYkpjWuFULbibOFp+WMW41vDvD9qrSXir3fstkeIAW5KqVkO6mJnRoT3Knnra
+zjiKOITCAZQeiaP8BO5o3pxE9TMqb9VCO3ffnPstIoTaN4syPg7tiGo8k1SklVeH
+2S8lzq0CgYAKG2fljIYWQvGH628rp4ZcXS4hWmYohOxsnl1YrszbJ+hzR+IQOhGl
+YlkUQYXhy9JixmUUKtH+NXkKX7Lyc8XYw5ETr7JBT3ifs+G7HruDjVG78EJVojbd
+8uLA+DdQm5mg4vd1GTiSK65q/3EeoBlUaVor3HhLFki+i9qpT8CBsg==
+-----END RSA PRIVATE KEY-----
+EOS

data/spec/spec.opts

@@ -0,0 +1,4 @@
+--colour
+--format specdoc
+--loadby mtime
+--reverse

metadata

@@ -0,0 +1,84 @@
+--- !ruby/object:Gem::Specification 
+name: mixlib-authentication
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 1
+  - 1
+  - 0
+  version: 1.1.0
+platform: ruby
+authors: 
+- Opscode, Inc.
+autorequire: mixlib-authentication
+bindir: bin
+cert_chain: []
+
+date: 2010-02-28 00:00:00 -08:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: mixlib-log
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id001
+description: Mixes in simple per-request authentication
+email: info@opscode.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- README.rdoc
+- LICENSE
+- NOTICE
+files: 
+- LICENSE
+- README.rdoc
+- Rakefile
+- NOTICE
+- lib/mixlib/authentication/digester.rb
+- lib/mixlib/authentication/signatureverification.rb
+- lib/mixlib/authentication/signedheaderauth.rb
+- lib/mixlib/authentication.rb
+- spec/mixlib/authentication/mixlib_authentication_spec.rb
+- spec/spec.opts
+has_rdoc: true
+homepage: http://www.opscode.com
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.6
+signing_key: 
+specification_version: 3
+summary: Mixes in simple per-request authentication
+test_files: []
+