mixlib-authentication 1.1.2 → 1.1.4.rc.1

data/Rakefile

@@ -5,7 +5,7 @@ require 'date'
 require 'spec/rake/spectask'
 
 GEM = "mixlib-authentication"
-GEM_VERSION = "1.1.2"
+GEM_VERSION = "1.1.4.rc.1"
 AUTHOR = "Opscode, Inc."
 EMAIL = "info@opscode.com"
 HOMEPAGE = "http://www.opscode.com"

data/lib/mixlib/authentication.rb

@@ -20,6 +20,12 @@ require 'mixlib/log'
 
 module Mixlib
   module Authentication
+    class AuthenticationError < StandardError
+    end
+
+    class MissingAuthenticationHeader < AuthenticationError
+    end
+
     class Log
       extend  Mixlib::Log      
     end

data/lib/mixlib/authentication/http_authentication_request.rb

@@ -0,0 +1,87 @@
+#
+# Author:: Daniel DeLeo (<dan@opscode.com>)
+# Copyright:: Copyright (c) 2010 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'mixlib/authentication'
+
+module Mixlib
+  module Authentication
+    class HTTPAuthenticationRequest
+
+      MANDATORY_HEADERS = [:x_ops_sign, :x_ops_userid, :x_ops_timestamp, :host, :x_ops_content_hash]
+
+      attr_reader :request
+
+      def initialize(request)
+        @request = request
+        @request_signature = nil
+        validate_headers!
+      end
+
+      def headers
+        @headers ||= @request.env.inject({ }) { |memo, kv| memo[$2.gsub(/\-/,"_").downcase.to_sym] = kv[1] if kv[0] =~ /^(HTTP_)(.*)/; memo }
+      end
+
+      def http_method
+        @request.method.to_s
+      end
+
+      def path
+        @request.path.to_s
+      end
+
+      def signing_description
+        headers[:x_ops_sign].chomp
+      end
+
+      def user_id
+        headers[:x_ops_userid].chomp
+      end
+
+      def timestamp
+        headers[:x_ops_timestamp].chomp
+      end
+
+      def host
+        headers[:host].chomp
+      end
+
+      def content_hash
+        headers[:x_ops_content_hash].chomp
+      end
+
+      def request_signature
+        unless @request_signature
+          @request_signature = headers.find_all { |h| h[0].to_s =~ /^x_ops_authorization_/ }.sort { |x,y| x.to_s <=> y.to_s}.map { |i| i[1] }.join("\n")
+          Mixlib::Authentication::Log.debug "Reconstituted (user-supplied) request signature: #{@request_signature}"
+        end
+        @request_signature
+      end
+
+
+      def validate_headers!
+        missing_headers = MANDATORY_HEADERS - headers.keys
+        unless missing_headers.empty?
+          missing_headers.map! { |h| h.to_s.upcase }
+          raise MissingAuthenticationHeader, "missing required authentication header(s) '#{missing_headers.join("', '")}'"
+        end
+      end
+
+
+    end
+  end
+end

data/lib/mixlib/authentication/signatureverification.rb

@@ -17,19 +17,54 @@
 # limitations under the License.
 #
 
-require 'ostruct'
 require 'net/http'
+require 'forwardable'
 require 'mixlib/authentication'
+require 'mixlib/authentication/http_authentication_request'
 require 'mixlib/authentication/signedheaderauth'
 
 module Mixlib
   module Authentication
+    SignatureResponse = Struct.new(:name)
+
     class SignatureVerification
+      extend Forwardable
+
+      def_delegator :@auth_request, :http_method
+
+      def_delegator :@auth_request, :path
+
+      def_delegator :auth_request, :signing_description
+
+      def_delegator :@auth_request, :user_id
+
+      def_delegator :@auth_request, :timestamp
+
+      def_delegator :@auth_request, :host
+
+      def_delegator :@auth_request, :request_signature
+
+      def_delegator :@auth_request, :content_hash
+
+      def_delegator :@auth_request, :request
 
       include Mixlib::Authentication::SignedHeaderAuth
-      
-      attr_reader :hashed_body, :timestamp, :http_method, :path, :user_id
 
+      attr_reader :auth_request
+
+      def initialize(request=nil)
+        @auth_request = HTTPAuthenticationRequest.new(request) if request
+
+        @valid_signature, @valid_timestamp, @valid_content_hash = false, false, false
+
+        @hashed_body = nil
+      end
+
+
+      def authenticate_user_request(request, user_lookup, time_skew=(15*60))
+        @auth_request = HTTPAuthenticationRequest.new(request)
+        authenticate_request(user_lookup, time_skew)
+      end
       # Takes the request, boils down the pieces we are interested in,
       # looks up the user, generates a signature, and compares to
       # the signature in the request
@@ -40,35 +75,105 @@ module Mixlib
       # X-Ops-Timestamp:
       # X-Ops-Content-Hash: 
       # X-Ops-Authorization-#{line_number}
-      def authenticate_user_request(request, user_lookup, time_skew=(15*60))
+      def authenticate_request(user_secret, time_skew=(15*60))
         Mixlib::Authentication::Log.debug "Initializing header auth : #{request.inspect}"
-        
-        headers ||= request.env.inject({ }) { |memo, kv| memo[$2.gsub(/\-/,"_").downcase.to_sym] = kv[1] if kv[0] =~ /^(HTTP_)(.*)/; memo }
-        digester = Mixlib::Authentication::Digester
+
+        @user_secret       = user_secret
+        @allowed_time_skew = time_skew # in seconds
 
         begin
-          @allowed_time_skew   = time_skew # in seconds
-          @http_method         = request.method.to_s
-          @path                = request.path.to_s
-          @signing_description = headers[:x_ops_sign].chomp
-          @user_id             = headers[:x_ops_userid].chomp
-          @timestamp           = headers[:x_ops_timestamp].chomp
-          @host                = headers[:host].chomp
-          @content_hash        = headers[:x_ops_content_hash].chomp
-          @user_secret         = user_lookup
-
-          # The authorization header is a Base64-encoded version of an RSA signature.
-          # The client sent it on multiple header lines, starting at index 1 - 
-          # X-Ops-Authorization-1, X-Ops-Authorization-2, etc. Pull them out and
-          # concatenate.
-
-          # if there are 11 headers, the sort breaks - it becomes lexicographic sort rather than numeric [cb]
-          @request_signature = headers.find_all { |h| h[0].to_s =~ /^x_ops_authorization_/ }.sort { |x,y| x.to_s <=> y.to_s}.map { |i| i[1] }.join("\n")
-          Mixlib::Authentication::Log.debug "Reconstituted request signature: #{@request_signature}"
+          @auth_request
           
-          # The request signature is based on any file attached, if any. Otherwise
-          # it's based on the body of the request.
-          # TODO: tim: 2009-12-28: It'd be nice to remove this special case, and
+          #BUGBUG Not doing anything with the signing description yet [cb]          
+          parse_signing_description
+
+          verify_signature
+          verify_timestamp
+          verify_content_hash
+
+        rescue StandardError=>se
+          raise AuthenticationError,"Failed to authenticate user request. Check your client key and clock: #{se.message}", se.backtrace
+        end
+
+        if valid_request?
+          SignatureResponse.new(user_id)
+        else
+          nil
+        end
+      end
+
+      def valid_signature?
+        @valid_signature
+      end
+
+      def valid_timestamp?
+        @valid_timestamp
+      end
+
+      def valid_content_hash?
+        @valid_content_hash
+      end
+
+      def valid_request?
+        valid_signature? && valid_timestamp? && valid_content_hash?
+      end
+
+      # The authorization header is a Base64-encoded version of an RSA signature.
+      # The client sent it on multiple header lines, starting at index 1 - 
+      # X-Ops-Authorization-1, X-Ops-Authorization-2, etc. Pull them out and
+      # concatenate.
+      def headers
+        @headers ||= request.env.inject({ }) { |memo, kv| memo[$2.gsub(/\-/,"_").downcase.to_sym] = kv[1] if kv[0] =~ /^(HTTP_)(.*)/; memo }
+      end
+
+      private
+
+      def assert_required_headers_present
+        MANDATORY_HEADERS.each do |header|
+          unless headers.key?(header)
+            raise MissingAuthenticationHeader, "required authentication header #{header.to_s.upcase} missing"
+          end
+        end
+      end
+
+      def verify_signature
+        candidate_block = canonicalize_request
+        request_decrypted_block = @user_secret.public_decrypt(Base64.decode64(request_signature))
+        @valid_signature = (request_decrypted_block == candidate_block)
+
+        # Keep the debug messages lined up so it's easy to scan them
+        Mixlib::Authentication::Log.debug("Verifying request signature:")
+        Mixlib::Authentication::Log.debug(" Expected Block is: '#{candidate_block}'")
+        Mixlib::Authentication::Log.debug("Decrypted block is: '#{request_decrypted_block}'")
+        Mixlib::Authentication::Log.debug("Signatures match? : '#{@valid_signature}'")
+
+        @valid_signature
+      rescue => e
+        Mixlib::Authentication::Log.debug("Failed to verify request signature: #{e.class.name}: #{e.message}")
+        @valid_signature = false
+      end
+
+      def verify_timestamp
+        @valid_timestamp = timestamp_within_bounds?(Time.parse(timestamp), Time.now)
+      end
+
+      def verify_content_hash
+        @valid_content_hash = (content_hash == hashed_body)
+
+        # Keep the debug messages lined up so it's easy to scan them
+        Mixlib::Authentication::Log.debug("Expected content hash is: '#{hashed_body}'")
+        Mixlib::Authentication::Log.debug(" Request Content Hash is: '#{content_hash}'")
+        Mixlib::Authentication::Log.debug("           Hashes match?: #{@valid_content_hash}")
+
+        @valid_content_hash
+      end
+
+
+      # The request signature is based on any file attached, if any. Otherwise
+      # it's based on the body of the request.
+      def hashed_body
+        unless @hashed_body
+          # TODO: tim: 2009-112-28: It'd be nice to remove this special case, and
           # always hash the entire request body. In the file case it would just be
           # expanded multipart text - the entire body of the POST.
           #
@@ -106,31 +211,10 @@ module Mixlib
             Mixlib::Authentication::Log.debug "Digesting body: '#{body}'"
             @hashed_body = digester.hash_string(body)
           end
-          
-          Mixlib::Authentication::Log.debug "Authenticating user : #{user_id}, User secret is : #{@user_secret}, Request signature is :\n#{@request_signature}, Hashed Body is : #{@hashed_body}"
-          
-          #BUGBUG Not doing anything with the signing description yet [cb]          
-          parse_signing_description
-          candidate_block = canonicalize_request
-          request_decrypted_block = @user_secret.public_decrypt(Base64.decode64(@request_signature))
-          signatures_match = (request_decrypted_block == candidate_block)
-          timeskew_is_acceptable = timestamp_within_bounds?(Time.parse(timestamp), Time.now)
-          hashes_match = @content_hash == hashed_body
-        rescue StandardError=>se
-          raise StandardError,"Failed to authenticate user request.  Most likely missing a necessary header: #{se.message}", se.backtrace
-        end
-        
-        Mixlib::Authentication::Log.debug "Candidate Block is: '#{candidate_block}'\nRequest decrypted block is: '#{request_decrypted_block}'\nCandidate content hash is: #{hashed_body}\nRequest Content Hash is: '#{@content_hash}'\nSignatures match: #{signatures_match}, Allowed Time Skew: #{timeskew_is_acceptable}, Hashes match?: #{hashes_match}\n"
-        
-        if signatures_match and timeskew_is_acceptable and hashes_match
-          OpenStruct.new(:name=>user_id)
-        else
-          nil
         end
+        @hashed_body
       end
-      
-      private
-      
+
       # Compare the request timestamp with boundary time
       # 
       # 

data/lib/mixlib/authentication/signedheaderauth.rb

@@ -19,13 +19,13 @@
 
 require 'time'
 require 'base64'
-require 'ostruct'
 require 'digest/sha1'
 require 'mixlib/authentication'
 require 'mixlib/authentication/digester'
 
 module Mixlib
   module Authentication
+
     module SignedHeaderAuth
       
       SIGNING_DESCRIPTION = 'version=1.0'
@@ -34,7 +34,7 @@ module Mixlib
       # with the simple OpenStruct extended with the auth functions
       class << self
         def signing_object(args={ })
-          OpenStruct.new(args).extend SignedHeaderAuth
+          SigningObject.new(args[:http_method], args[:path], args[:body], args[:host], args[:timestamp], args[:user_id], args[:file])
         end
       end
 
@@ -107,7 +107,7 @@ module Mixlib
       # ====Parameters
       #
       def parse_signing_description
-        parts = @signing_description.strip.split(";").inject({ }) do |memo, part|
+        parts = signing_description.strip.split(";").inject({ }) do |memo, part|
           field_name, field_value = part.split("=")
           memo[field_name.to_sym] = field_value.strip
           memo
@@ -122,5 +122,10 @@ module Mixlib
       private :canonical_time, :canonical_path, :parse_signing_description, :digester
       
     end
+
+    class SigningObject < Struct.new(:http_method, :path, :body, :host, :timestamp, :user_id, :file)
+      include SignedHeaderAuth
+    end
+
   end
 end

data/spec/mixlib/authentication/http_authentication_request_spec.rb

@@ -0,0 +1,129 @@
+# Author:: Daniel DeLeo (<dan@opscode.com>)
+# Copyright:: Copyright (c) 2010 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require File.expand_path(File.join(File.dirname(__FILE__), '..','..','spec_helper'))
+
+require 'mixlib/authentication'
+require 'mixlib/authentication/http_authentication_request'
+require 'ostruct'
+require 'pp'
+
+describe Mixlib::Authentication::HTTPAuthenticationRequest do
+  before do
+    request = Struct.new(:env, :method, :path)
+
+    @timestamp_iso8601 = "2009-01-01T12:00:00Z"
+    @x_ops_content_hash = "DFteJZPVv6WKdQmMqZUQUumUyRs="
+    @user_id = "spec-user"
+    @http_x_ops_lines = [
+      "jVHrNniWzpbez/eGWjFnO6lINRIuKOg40ZTIQudcFe47Z9e/HvrszfVXlKG4",
+      "NMzYZgyooSvU85qkIUmKuCqgG2AIlvYa2Q/2ctrMhoaHhLOCWWoqYNMaEqPc",
+      "3tKHE+CfvP+WuPdWk4jv4wpIkAz6ZLxToxcGhXmZbXpk56YTmqgBW2cbbw4O",
+      "IWPZDHSiPcw//AYNgW1CCDptt+UFuaFYbtqZegcBd2n/jzcWODA7zL4KWEUy",
+      "9q4rlh/+1tBReg60QdsmDRsw/cdO1GZrKtuCwbuD4+nbRdVBKv72rqHX9cu0",
+      "utju9jzczCyB+sSAQWrxSsXB/b8vV2qs0l4VD2ML+w=="]
+    @merb_headers = {
+      # These are used by signatureverification. An arbitrary sampling of non-HTTP_*
+      # headers are in here to exercise that code path.
+      "HTTP_HOST"=>"127.0.0.1", 
+      "HTTP_X_OPS_SIGN"=>"version=1.0",
+      "HTTP_X_OPS_REQUESTID"=>"127.0.0.1 1258566194.85386", 
+      "HTTP_X_OPS_TIMESTAMP"=>@timestamp_iso8601, 
+      "HTTP_X_OPS_CONTENT_HASH"=>@x_ops_content_hash, 
+      "HTTP_X_OPS_USERID"=>@user_id, 
+      "HTTP_X_OPS_AUTHORIZATION_1"=>@http_x_ops_lines[0], 
+      "HTTP_X_OPS_AUTHORIZATION_2"=>@http_x_ops_lines[1], 
+      "HTTP_X_OPS_AUTHORIZATION_3"=>@http_x_ops_lines[2], 
+      "HTTP_X_OPS_AUTHORIZATION_4"=>@http_x_ops_lines[3], 
+      "HTTP_X_OPS_AUTHORIZATION_5"=>@http_x_ops_lines[4], 
+      "HTTP_X_OPS_AUTHORIZATION_6"=>@http_x_ops_lines[5], 
+
+      # Random sampling
+      "REMOTE_ADDR"=>"127.0.0.1", 
+      "PATH_INFO"=>"/organizations/local-test-org/cookbooks", 
+      "REQUEST_PATH"=>"/organizations/local-test-org/cookbooks", 
+      "CONTENT_TYPE"=>"multipart/form-data; boundary=----RubyMultipartClient6792ZZZZZ",
+      "CONTENT_LENGTH"=>"394", 
+    }
+    @request = request.new(@merb_headers, "POST", '/nodes')
+    @http_authentication_request = Mixlib::Authentication::HTTPAuthenticationRequest.new(@request)
+  end
+
+  it "normalizes the headers to lowercase symbols" do
+    expected = {:host=>"127.0.0.1",
+                :x_ops_sign=>"version=1.0",
+                :x_ops_requestid=>"127.0.0.1 1258566194.85386",
+                :x_ops_timestamp=>"2009-01-01T12:00:00Z",
+                :x_ops_content_hash=>"DFteJZPVv6WKdQmMqZUQUumUyRs=",
+                :x_ops_userid=>"spec-user",
+                :x_ops_authorization_1=>"jVHrNniWzpbez/eGWjFnO6lINRIuKOg40ZTIQudcFe47Z9e/HvrszfVXlKG4",
+                :x_ops_authorization_2=>"NMzYZgyooSvU85qkIUmKuCqgG2AIlvYa2Q/2ctrMhoaHhLOCWWoqYNMaEqPc",
+                :x_ops_authorization_3=>"3tKHE+CfvP+WuPdWk4jv4wpIkAz6ZLxToxcGhXmZbXpk56YTmqgBW2cbbw4O",
+                :x_ops_authorization_4=>"IWPZDHSiPcw//AYNgW1CCDptt+UFuaFYbtqZegcBd2n/jzcWODA7zL4KWEUy",
+                :x_ops_authorization_5=>"9q4rlh/+1tBReg60QdsmDRsw/cdO1GZrKtuCwbuD4+nbRdVBKv72rqHX9cu0",
+                :x_ops_authorization_6=>"utju9jzczCyB+sSAQWrxSsXB/b8vV2qs0l4VD2ML+w=="}
+    @http_authentication_request.headers.should == expected
+  end
+
+  it "raises an error when not all required headers are given" do
+    @merb_headers.delete("HTTP_X_OPS_SIGN")
+    exception = Mixlib::Authentication::MissingAuthenticationHeader
+    auth_req = Mixlib::Authentication::HTTPAuthenticationRequest.new(@request)
+    lambda {auth_req.validate_headers!}.should raise_error(exception)
+  end
+
+  it "extracts the path from the request" do
+    @http_authentication_request.path.should == '/nodes'
+  end
+
+  it "extracts the request method from the request" do
+    @http_authentication_request.http_method.should == 'POST'
+  end
+
+  it "extracts the signing description from the request headers" do
+    @http_authentication_request.signing_description.should == 'version=1.0'
+  end
+
+  it "extracts the user_id from the request headers" do
+    @http_authentication_request.user_id.should == 'spec-user'
+  end
+
+  it "extracts the timestamp from the request headers" do
+    @http_authentication_request.timestamp.should == "2009-01-01T12:00:00Z"
+  end
+
+  it "extracts the host from the request headers" do
+    @http_authentication_request.host.should == "127.0.0.1"
+  end
+
+  it "extracts the content hash from the request headers" do
+    @http_authentication_request.content_hash.should == "DFteJZPVv6WKdQmMqZUQUumUyRs="
+  end
+
+  it "rebuilds the request signature from the headers" do
+    expected=<<-SIG
+jVHrNniWzpbez/eGWjFnO6lINRIuKOg40ZTIQudcFe47Z9e/HvrszfVXlKG4
+NMzYZgyooSvU85qkIUmKuCqgG2AIlvYa2Q/2ctrMhoaHhLOCWWoqYNMaEqPc
+3tKHE+CfvP+WuPdWk4jv4wpIkAz6ZLxToxcGhXmZbXpk56YTmqgBW2cbbw4O
+IWPZDHSiPcw//AYNgW1CCDptt+UFuaFYbtqZegcBd2n/jzcWODA7zL4KWEUy
+9q4rlh/+1tBReg60QdsmDRsw/cdO1GZrKtuCwbuD4+nbRdVBKv72rqHX9cu0
+utju9jzczCyB+sSAQWrxSsXB/b8vV2qs0l4VD2ML+w==
+SIG
+    @http_authentication_request.request_signature.should == expected.chomp
+  end
+
+end

data/spec/mixlib/authentication/mixlib_authentication_spec.rb

@@ -17,9 +17,7 @@
 # limitations under the License.
 #
 
-$:.unshift File.expand_path(File.join(File.dirname(__FILE__), "..", "..", "..", "lib")) # lib in mixlib-authentication
-$:.unshift File.expand_path(File.join(File.dirname(__FILE__), "..", "..", "..", "..", "mixlib-log", "lib")) # mixlib-log/log
-
+require File.expand_path(File.join(File.dirname(__FILE__), '..','..','spec_helper'))
 require 'rubygems'
 
 require 'ostruct'
@@ -64,6 +62,7 @@ class MockFile
 end
 
 # Uncomment this to get some more info from the methods we're testing.
+#Mixlib::Authentication::Log.logger = Logger.new(STDERR)
 #Mixlib::Authentication::Log.level :debug
 
 describe "Mixlib::Authentication::SignedHeaderAuth" do
@@ -152,11 +151,28 @@ describe "Mixlib::Authentication::SignatureVerification" do
     mock_request = MockRequest.new(PATH, request_params, PASSENGER_HEADERS, "")
     Time.should_receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
 
-    service = Mixlib::Authentication::SignatureVerification.new
-    res = service.authenticate_user_request(mock_request, @user_private_key)
+    auth_req = Mixlib::Authentication::SignatureVerification.new
+    res = auth_req.authenticate_user_request(mock_request, @user_private_key)
     res.should_not be_nil
   end
 
+  it "shouldn't authenticate if an Authorization header is missing" do
+    headers = MERB_HEADERS.clone
+    headers.delete("HTTP_X_OPS_SIGN")
+
+    mock_request = MockRequest.new(PATH, MERB_REQUEST_PARAMS, headers, BODY)
+    Time.stub!(:now).and_return(TIMESTAMP_OBJ)
+
+    auth_req = Mixlib::Authentication::SignatureVerification.new
+    lambda {auth_req.authenticate_user_request(mock_request, @user_private_key)}.should raise_error(Mixlib::Authentication::AuthenticationError)
+
+    auth_req.should_not be_a_valid_request
+    auth_req.should_not be_a_valid_timestamp
+    auth_req.should_not be_a_valid_signature
+    auth_req.should_not be_a_valid_content_hash
+  end
+
+
   it "shouldn't authenticate if Authorization header is wrong" do
     headers = MERB_HEADERS.clone
     headers["HTTP_X_OPS_CONTENT_HASH"] += "_"
@@ -164,9 +180,42 @@ describe "Mixlib::Authentication::SignatureVerification" do
     mock_request = MockRequest.new(PATH, MERB_REQUEST_PARAMS, headers, BODY)
     Time.should_receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
 
-    service = Mixlib::Authentication::SignatureVerification.new
-    res = service.authenticate_user_request(mock_request, @user_private_key)
+    auth_req = Mixlib::Authentication::SignatureVerification.new
+    res = auth_req.authenticate_user_request(mock_request, @user_private_key)
+    res.should be_nil
+
+    auth_req.should_not be_a_valid_request
+    auth_req.should be_a_valid_timestamp
+    auth_req.should be_a_valid_signature
+    auth_req.should_not be_a_valid_content_hash
+  end
+
+  it "shouldn't authenticate if the timestamp is not within bounds" do
+    mock_request = MockRequest.new(PATH, MERB_REQUEST_PARAMS, MERB_HEADERS, BODY)
+    Time.should_receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ - 1000)
+
+    auth_req = Mixlib::Authentication::SignatureVerification.new
+    res = auth_req.authenticate_user_request(mock_request, @user_private_key)
+    res.should be_nil
+    auth_req.should_not be_a_valid_request
+    auth_req.should_not be_a_valid_timestamp
+    auth_req.should be_a_valid_signature
+    auth_req.should be_a_valid_content_hash
+  end
+
+  it "shouldn't authenticate if the signature is wrong" do
+    headers =  MERB_HEADERS.dup
+    headers["HTTP_X_OPS_AUTHORIZATION_1"] = "epicfail"
+    mock_request = MockRequest.new(PATH, MERB_REQUEST_PARAMS, headers, BODY)
+    Time.should_receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)
+
+    auth_req = Mixlib::Authentication::SignatureVerification.new
+    res = auth_req.authenticate_user_request(mock_request, @user_private_key)
     res.should be_nil
+    auth_req.should_not be_a_valid_request
+    auth_req.should_not be_a_valid_signature
+    auth_req.should be_a_valid_timestamp
+    auth_req.should be_a_valid_content_hash
   end
 
 end

data/spec/spec_helper.rb

@@ -0,0 +1,23 @@
+#
+# Author:: Tim Hinderliter (<tim@opscode.com>)
+# Author:: Christopher Walters (<cw@opscode.com>)
+# Copyright:: Copyright (c) 2009, 2010 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+$:.unshift File.expand_path(File.join(File.dirname(__FILE__), "..", "lib")) # lib in mixlib-authentication
+$:.unshift File.expand_path(File.join(File.dirname(__FILE__), "..", "..", "mixlib-log", "lib")) # mixlib-log/log
+
+require 'rubygems'

metadata

@@ -1,12 +1,14 @@
 --- !ruby/object:Gem::Specification 
 name: mixlib-authentication
 version: !ruby/object:Gem::Version 
-  prerelease: false
+  prerelease: true
   segments: 
   - 1
   - 1
-  - 2
-  version: 1.1.2
+  - 4
+  - rc
+  - 1
+  version: 1.1.4.rc.1
 platform: ruby
 authors: 
 - Opscode, Inc.
@@ -14,13 +16,14 @@ autorequire: mixlib-authentication
 bindir: bin
 cert_chain: []
 
-date: 2010-03-17 00:00:00 -07:00
+date: 2010-07-23 00:00:00 -07:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: mixlib-log
   prerelease: false
   requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
@@ -45,11 +48,14 @@ files:
 - Rakefile
 - NOTICE
 - lib/mixlib/authentication/digester.rb
+- lib/mixlib/authentication/http_authentication_request.rb
 - lib/mixlib/authentication/signatureverification.rb
 - lib/mixlib/authentication/signedheaderauth.rb
 - lib/mixlib/authentication.rb
+- spec/mixlib/authentication/http_authentication_request_spec.rb
 - spec/mixlib/authentication/mixlib_authentication_spec.rb
 - spec/spec.opts
+- spec/spec_helper.rb
 has_rdoc: true
 homepage: http://www.opscode.com
 licenses: []
@@ -60,6 +66,7 @@ rdoc_options: []
 require_paths: 
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
@@ -67,16 +74,19 @@ required_ruby_version: !ruby/object:Gem::Requirement
       - 0
       version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version 
       segments: 
-      - 0
-      version: "0"
+      - 1
+      - 3
+      - 1
+      version: 1.3.1
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.3.6
+rubygems_version: 1.3.7
 signing_key: 
 specification_version: 3
 summary: Mixes in simple per-request authentication