Class: Mixlib::Authentication::SignatureVerification

Inherits:
Object
Extended by:
Forwardable
Includes:
SignedHeaderAuth
Defined in:
lib/mixlib/authentication/signatureverification.rb

Constant Summary

Constants included from SignedHeaderAuth

Mixlib::Authentication::SignedHeaderAuth::ALGORITHM_FOR_VERSION, Mixlib::Authentication::SignedHeaderAuth::DEFAULT_PROTO_VERSION, Mixlib::Authentication::SignedHeaderAuth::DEFAULT_SIGN_ALGORITHM, Mixlib::Authentication::SignedHeaderAuth::NULL_ARG, Mixlib::Authentication::SignedHeaderAuth::SUPPORTED_ALGORITHMS, Mixlib::Authentication::SignedHeaderAuth::SUPPORTED_VERSIONS

Instance Method Summary

Methods included from SignedHeaderAuth

#algorithm, #canonicalize_request, #do_sign, #do_sign_ssh_agent, #proto_version, #sign, signing_object, #validate_sign_version_digest!

Constructor Details

#initialize(request = nil) ⇒ SignatureVerification

Returns a new instance of SignatureVerification.



# File 'lib/mixlib/authentication/signatureverification.rb', line 55

# Builds a verifier, optionally wrapping +request+ in an
# HTTPAuthenticationRequest right away. Every "valid_*" flag starts out
# false and the cached body hash empty, so a verifier on which
# authenticate_request has not yet run reports an invalid request.
#
# @param request [Object, nil] the inbound request to verify, or nil to
#   supply one later through authenticate_user_request
def initialize(request = nil)
  @auth_request = HTTPAuthenticationRequest.new(request) if request

  # Nothing is trusted until the verification steps have run.
  @valid_signature = false
  @valid_timestamp = false
  @valid_content_hash = false

  @hashed_body = nil
end

Instance Method Details

#authenticate_request(user_secret, time_skew = (15 * 60)) ⇒ Object

Takes the request, boils down the pieces we are interested in, looks up the user, generates a signature, and compares to the signature in the request

Headers

X-Ops-Sign: algorithm=sha1;version=1.0;
X-Ops-UserId: <user_id>
X-Ops-Timestamp:
X-Ops-Content-Hash:
X-Ops-Authorization-#line_number



# File 'lib/mixlib/authentication/signatureverification.rb', line 78

# Verifies the signed request held in @auth_request against +user_secret+.
#
# Records the secret and the permitted clock skew, then runs the three
# checks -- signature, timestamp, content hash -- in that order. Any
# StandardError raised while parsing the signing description or verifying
# is re-raised as an AuthenticationError (original backtrace preserved), so
# callers see a single failure type for malformed or unauthenticated input.
#
# @param user_secret [Object] key material the signature is verified against
#   (stored in @user_secret for verify_signature)
# @param time_skew [Integer] maximum allowed difference, in seconds, between
#   the request timestamp and the local clock (default 15 minutes)
# @return [SignatureResponse, nil] a response carrying user_id when every
#   check passed, nil when the request is rejected
# @raise [AuthenticationError] when any verification step raises
def authenticate_request(user_secret, time_skew = (15 * 60))
  Mixlib::Authentication.logger.trace "Initializing header auth : #{request.inspect}"

  @user_secret = user_secret
  @allowed_time_skew = time_skew # seconds

  begin
    description = parse_signing_description

    # Protocol 1.0 clients omit the algorithm from the signing
    # description; treat a missing value as sha1.
    description[:algorithm] ||= "sha1"

    verify_signature(description[:algorithm], description[:version])
    verify_timestamp
    verify_content_hash
  rescue StandardError => e
    raise AuthenticationError, "Failed to authenticate user request. Check your client key and clock: #{e.message}", e.backtrace
  end

  # All three flags must be set; otherwise the request is rejected with nil.
  return nil unless valid_request?

  SignatureResponse.new(user_id)
end

#authenticate_user_request(request, user_lookup, time_skew = (15 * 60)) ⇒ Object



# File 'lib/mixlib/authentication/signatureverification.rb', line 63

# Convenience entry point: wraps +request+ in an HTTPAuthenticationRequest,
# installs it as the request under verification, and delegates to
# authenticate_request.
#
# @param request [Object] the inbound request to verify
# @param user_lookup [Object] passed through to authenticate_request as the
#   user secret
# @param time_skew [Integer] allowed clock skew in seconds (default 15 minutes)
# @return [SignatureResponse, nil] see authenticate_request
# @raise [AuthenticationError] see authenticate_request
def authenticate_user_request(request, user_lookup, time_skew = (15 * 60))
  wrapped = HTTPAuthenticationRequest.new(request)
  @auth_request = wrapped
  authenticate_request(user_lookup, time_skew)
end

#headers ⇒ Object

The authorization header is a Base64-encoded version of an RSA signature. The client sent it on multiple header lines, starting at index 1 - X-Ops-Authorization-1, X-Ops-Authorization-2, etc. Pull them out and concatenate.



# File 'lib/mixlib/authentication/signatureverification.rb', line 126

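# Collects the request's HTTP_* env entries into a symbol-keyed hash: the
# HTTP_ prefix is dropped, dashes become underscores and the name is
# lower-cased, e.g. "HTTP_X_OPS_AUTHORIZATION_1" => :x_ops_authorization_1.
# The result is memoized in @headers.
#
# Header names originate from the client. Ruby 2.2+ garbage-collects
# dynamically created symbols, so to_sym here does not grow the symbol
# table without bound.
#
# @return [Hash{Symbol => Object}] header values keyed by normalized name
def headers
  @headers ||= request.env.each_with_object({}) do |(key, value), memo|
    # \A anchors at the start of the string; the original ^ anchors at the
    # start of any line, so a key merely containing "HTTP_" after a newline
    # would have been treated as a header. Regexp#match avoids the $2 global.
    match = /\AHTTP_(.*)/.match(key)
    next unless match

    memo[match[1].tr("-", "_").downcase.to_sym] = value
  end
end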

#valid_content_hash? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/mixlib/authentication/signatureverification.rb', line 114

# Whether the request body's hash matched the X-Ops-Content-Hash header.
# Initialized to false by initialize; expected to be updated by the
# verify_content_hash step run from authenticate_request.
#
# @return [Boolean] the current content-hash verification flag
def valid_content_hash?
  @valid_content_hash
end

#valid_request? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/mixlib/authentication/signatureverification.rb', line 118

# True only when every verification step succeeded: signature, timestamp
# and content hash. A single failed check rejects the whole request, which
# is what authenticate_request relies on before building a SignatureResponse.
#
# @return [Boolean] conjunction of the three verification flags
def valid_request?
  # Evaluated left to right; a false flag short-circuits the rest.
  valid_signature? && valid_timestamp? && valid_content_hash?
end

#valid_signature? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/mixlib/authentication/signatureverification.rb', line 106

# Whether the request's signature verified against the user's key material.
# Initialized to false by initialize; expected to be updated by the
# verify_signature step run from authenticate_request.
#
# @return [Boolean] the current signature verification flag
def valid_signature?
  @valid_signature
end

#valid_timestamp? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/mixlib/authentication/signatureverification.rb', line 110

# Whether the request timestamp fell within the allowed clock skew
# (@allowed_time_skew, recorded by authenticate_request). Initialized to
# false by initialize; expected to be updated by the verify_timestamp step.
#
# @return [Boolean] the current timestamp verification flag
def valid_timestamp?
  @valid_timestamp
end