File: mixlib_authentication_spec.rb

package info (click to toggle)
ruby-mixlib-authentication 1.1.4-2
  • links: PTS, VCS
  • area: main
  • in suites: wheezy
  • size: 172 kB
  • sloc: ruby: 636; makefile: 2
file content (366 lines) | stat: -rw-r--r-- 14,181 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
 
#
# Author:: Tim Hinderliter (<tim@opscode.com>)
# Author:: Christopher Walters (<cw@opscode.com>)
# Copyright:: Copyright (c) 2009, 2010 Opscode, Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# 
#     http://www.apache.org/licenses/LICENSE-2.0
# 
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

require File.expand_path(File.join(File.dirname(__FILE__), '..','..','spec_helper'))
require 'rubygems'

require 'ostruct'
require 'openssl'
require 'mixlib/authentication/signatureverification'
require 'time'

# TODO: should make these regular spec-based mock objects.
class MockRequest
  attr_accessor :env, :params, :path, :raw_post

  def initialize(path, params, headers, raw_post)
    @path = path
    @params = params
    @env = headers
    @raw_post = raw_post
  end

  def method
    "POST"
  end
end

class MockFile
  def initialize
    @have_read = nil
  end

  def self.length
    BODY.length
  end

  def read(len, out_str)
    if @have_read.nil?
      @have_read = 1
      out_str[0..-1] = BODY
      BODY
    else
      nil
    end
  end
end

# Uncomment this to get some more info from the methods we're testing.
#Mixlib::Authentication::Log.logger = Logger.new(STDERR)
#Mixlib::Authentication::Log.level :debug

describe "Mixlib::Authentication::SignedHeaderAuth" do
  it "should generate the correct string to sign and signature" do
    # fix the timestamp, private key and body so we get the same answer back
    # every time.
    args = {
      :body => BODY, 
      :user_id => USER_ID,
      :http_method => :post,
      :timestamp => TIMESTAMP_ISO8601,    # fixed timestamp so we get back the same answer each time.
      :file => MockFile.new,
      :path => PATH,
    }

    private_key = OpenSSL::PKey::RSA.new(PRIVATE_KEY)
      
    signing_obj = Mixlib::Authentication::SignedHeaderAuth.signing_object(args)
    
    expected_string_to_sign = <<EOS
Method:POST
Hashed Path:#{HASHED_CANONICAL_PATH}
X-Ops-Content-Hash:#{HASHED_BODY}
X-Ops-Timestamp:#{TIMESTAMP_ISO8601}
X-Ops-UserId:#{USER_ID}
EOS
    signing_obj.canonicalize_request.should == expected_string_to_sign.chomp

    # If you need to regenerate the constants in this test spec, print out
    # the results of res.inspect and copy them as appropriate into the 
    # the constants in this file.
    res = signing_obj.sign(private_key)
    #$stderr.puts "res.inspect = #{res.inspect}"
    res.should == EXPECTED_SIGN_RESULT
  end

  it "should not choke when signing a request for a resource with a long name" do
    args = {
      :body => BODY, 
      :user_id => USER_ID,
      :http_method => :put,
      :timestamp => TIMESTAMP_ISO8601,    # fixed timestamp so we get back the same answer each time.
      :file => MockFile.new,
      :path => PATH + "/nodes/#{"A" * 100}"}

    private_key = OpenSSL::PKey::RSA.new(PRIVATE_KEY)
      
    signing_obj = Mixlib::Authentication::SignedHeaderAuth.signing_object(args)
    
    lambda { signing_obj.sign(private_key) }.should_not raise_error
  end
end

describe "Mixlib::Authentication::SignatureVerification" do
  
  before(:each) do
    @user_private_key = OpenSSL::PKey::RSA.new(PRIVATE_KEY)
  end

  it "should authenticate a File-containing request - Merb" do
    request_params = MERB_REQUEST_PARAMS.clone
    request_params["file"] =
      { "size"=>MockFile.length, "content_type"=>"application/octet-stream", "filename"=>"zsh.tar.gz", "tempfile"=>MockFile.new }

    mock_request = MockRequest.new(PATH, request_params, MERB_HEADERS, "")
    Time.should_receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)

    service = Mixlib::Authentication::SignatureVerification.new
    res = service.authenticate_user_request(mock_request, @user_private_key)
    res.should_not be_nil
  end

  it "should authenticate a normal (post body) request - Merb" do
    mock_request = MockRequest.new(PATH, MERB_REQUEST_PARAMS, MERB_HEADERS, BODY)
    Time.should_receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)

    service = Mixlib::Authentication::SignatureVerification.new
    res = service.authenticate_user_request(mock_request, @user_private_key)
    res.should_not be_nil
  end

  it "should authenticate a File-containing request - Passenger" do
    request_params = PASSENGER_REQUEST_PARAMS.clone
    request_params["tarball"] = MockFile.new

    mock_request = MockRequest.new(PATH, request_params, PASSENGER_HEADERS, "")
    Time.should_receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)

    auth_req = Mixlib::Authentication::SignatureVerification.new
    res = auth_req.authenticate_user_request(mock_request, @user_private_key)
    res.should_not be_nil
  end

  it "shouldn't authenticate if an Authorization header is missing" do
    headers = MERB_HEADERS.clone
    headers.delete("HTTP_X_OPS_SIGN")

    mock_request = MockRequest.new(PATH, MERB_REQUEST_PARAMS, headers, BODY)
    Time.stub!(:now).and_return(TIMESTAMP_OBJ)

    auth_req = Mixlib::Authentication::SignatureVerification.new
    lambda {auth_req.authenticate_user_request(mock_request, @user_private_key)}.should raise_error(Mixlib::Authentication::AuthenticationError)

    auth_req.should_not be_a_valid_request
    auth_req.should_not be_a_valid_timestamp
    auth_req.should_not be_a_valid_signature
    auth_req.should_not be_a_valid_content_hash
  end


  it "shouldn't authenticate if Authorization header is wrong" do
    headers = MERB_HEADERS.clone
    headers["HTTP_X_OPS_CONTENT_HASH"] += "_"

    mock_request = MockRequest.new(PATH, MERB_REQUEST_PARAMS, headers, BODY)
    Time.should_receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)

    auth_req = Mixlib::Authentication::SignatureVerification.new
    res = auth_req.authenticate_user_request(mock_request, @user_private_key)
    res.should be_nil

    auth_req.should_not be_a_valid_request
    auth_req.should be_a_valid_timestamp
    auth_req.should be_a_valid_signature
    auth_req.should_not be_a_valid_content_hash
  end

  it "shouldn't authenticate if the timestamp is not within bounds" do
    mock_request = MockRequest.new(PATH, MERB_REQUEST_PARAMS, MERB_HEADERS, BODY)
    Time.should_receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ - 1000)

    auth_req = Mixlib::Authentication::SignatureVerification.new
    res = auth_req.authenticate_user_request(mock_request, @user_private_key)
    res.should be_nil
    auth_req.should_not be_a_valid_request
    auth_req.should_not be_a_valid_timestamp
    auth_req.should be_a_valid_signature
    auth_req.should be_a_valid_content_hash
  end

  it "shouldn't authenticate if the signature is wrong" do
    headers =  MERB_HEADERS.dup
    headers["HTTP_X_OPS_AUTHORIZATION_1"] = "epicfail"
    mock_request = MockRequest.new(PATH, MERB_REQUEST_PARAMS, headers, BODY)
    Time.should_receive(:now).at_least(:once).and_return(TIMESTAMP_OBJ)

    auth_req = Mixlib::Authentication::SignatureVerification.new
    res = auth_req.authenticate_user_request(mock_request, @user_private_key)
    res.should be_nil
    auth_req.should_not be_a_valid_request
    auth_req.should_not be_a_valid_signature
    auth_req.should be_a_valid_timestamp
    auth_req.should be_a_valid_content_hash
  end

end

USER_ID = "spec-user"
BODY = "Spec Body"
HASHED_BODY = "DFteJZPVv6WKdQmMqZUQUumUyRs=" # Base64.encode64(Digest::SHA1.digest("Spec Body")).chomp
TIMESTAMP_ISO8601 = "2009-01-01T12:00:00Z"
TIMESTAMP_OBJ = Time.parse("Thu Jan 01 12:00:00 -0000 2009")
PATH = "/organizations/clownco"
HASHED_CANONICAL_PATH = "YtBWDn1blGGuFIuKksdwXzHU9oE=" # Base64.encode64(Digest::SHA1.digest("/organizations/clownco")).chomp

REQUESTING_ACTOR_ID = "c0f8a68c52bffa1020222a56b23cccfa"

# Content hash is ???TODO
X_OPS_CONTENT_HASH = "DFteJZPVv6WKdQmMqZUQUumUyRs="
X_OPS_AUTHORIZATION_LINES = [
  "jVHrNniWzpbez/eGWjFnO6lINRIuKOg40ZTIQudcFe47Z9e/HvrszfVXlKG4",
  "NMzYZgyooSvU85qkIUmKuCqgG2AIlvYa2Q/2ctrMhoaHhLOCWWoqYNMaEqPc",
  "3tKHE+CfvP+WuPdWk4jv4wpIkAz6ZLxToxcGhXmZbXpk56YTmqgBW2cbbw4O",
  "IWPZDHSiPcw//AYNgW1CCDptt+UFuaFYbtqZegcBd2n/jzcWODA7zL4KWEUy",
  "9q4rlh/+1tBReg60QdsmDRsw/cdO1GZrKtuCwbuD4+nbRdVBKv72rqHX9cu0",
  "utju9jzczCyB+sSAQWrxSsXB/b8vV2qs0l4VD2ML+w=="
]

# We expect Mixlib::Authentication::SignedHeaderAuth#sign to return this
# if passed the BODY above.
EXPECTED_SIGN_RESULT = {
  "X-Ops-Content-Hash"=>X_OPS_CONTENT_HASH,
  "X-Ops-Userid"=>USER_ID,
  "X-Ops-Sign"=>"version=1.0",
  "X-Ops-Authorization-1"=>X_OPS_AUTHORIZATION_LINES[0],
  "X-Ops-Authorization-2"=>X_OPS_AUTHORIZATION_LINES[1],
  "X-Ops-Authorization-3"=>X_OPS_AUTHORIZATION_LINES[2],
  "X-Ops-Authorization-4"=>X_OPS_AUTHORIZATION_LINES[3],
  "X-Ops-Authorization-5"=>X_OPS_AUTHORIZATION_LINES[4],
  "X-Ops-Authorization-6"=>X_OPS_AUTHORIZATION_LINES[5],
  "X-Ops-Timestamp"=>TIMESTAMP_ISO8601
}

# This is what will be in request.params for the Merb case.
MERB_REQUEST_PARAMS = {
  "name"=>"zsh", "action"=>"create", "controller"=>"chef_server_api/cookbooks", 
  "organization_id"=>"local-test-org", "requesting_actor_id"=>REQUESTING_ACTOR_ID,
}

# Tis is what will be in request.env for the Merb case.
MERB_HEADERS = {
  # These are used by signatureverification. An arbitrary sampling of non-HTTP_*
  # headers are in here to exercise that code path.
  "HTTP_HOST"=>"127.0.0.1", 
  "HTTP_X_OPS_SIGN"=>"version=1.0",
  "HTTP_X_OPS_REQUESTID"=>"127.0.0.1 1258566194.85386", 
  "HTTP_X_OPS_TIMESTAMP"=>TIMESTAMP_ISO8601, 
  "HTTP_X_OPS_CONTENT_HASH"=>X_OPS_CONTENT_HASH, 
  "HTTP_X_OPS_USERID"=>USER_ID, 
  "HTTP_X_OPS_AUTHORIZATION_1"=>X_OPS_AUTHORIZATION_LINES[0], 
  "HTTP_X_OPS_AUTHORIZATION_2"=>X_OPS_AUTHORIZATION_LINES[1], 
  "HTTP_X_OPS_AUTHORIZATION_3"=>X_OPS_AUTHORIZATION_LINES[2], 
  "HTTP_X_OPS_AUTHORIZATION_4"=>X_OPS_AUTHORIZATION_LINES[3], 
  "HTTP_X_OPS_AUTHORIZATION_5"=>X_OPS_AUTHORIZATION_LINES[4], 
  "HTTP_X_OPS_AUTHORIZATION_6"=>X_OPS_AUTHORIZATION_LINES[5], 

  # Random sampling
  "REMOTE_ADDR"=>"127.0.0.1", 
  "PATH_INFO"=>"/organizations/local-test-org/cookbooks", 
  "REQUEST_PATH"=>"/organizations/local-test-org/cookbooks", 
  "CONTENT_TYPE"=>"multipart/form-data; boundary=----RubyMultipartClient6792ZZZZZ",
  "CONTENT_LENGTH"=>"394", 
}

PASSENGER_REQUEST_PARAMS = {
  "action"=>"create",
  #"tarball"=>#<File:/tmp/RackMultipart20091120-25570-mgq2sa-0>,
  "controller"=>"api/v1/cookbooks",
  "cookbook"=>"{\"category\":\"databases\"}",
}

PASSENGER_HEADERS = {
  # These are used by signatureverification. An arbitrary sampling of non-HTTP_*
  # headers are in here to exercise that code path.
  "HTTP_HOST"=>"127.0.0.1", 
  "HTTP_X_OPS_SIGN"=>"version=1.0",
  "HTTP_X_OPS_REQUESTID"=>"127.0.0.1 1258566194.85386", 
  "HTTP_X_OPS_TIMESTAMP"=>TIMESTAMP_ISO8601, 
  "HTTP_X_OPS_CONTENT_HASH"=>X_OPS_CONTENT_HASH, 
  "HTTP_X_OPS_USERID"=>USER_ID, 
  "HTTP_X_OPS_AUTHORIZATION_1"=>X_OPS_AUTHORIZATION_LINES[0], 
  "HTTP_X_OPS_AUTHORIZATION_2"=>X_OPS_AUTHORIZATION_LINES[1], 
  "HTTP_X_OPS_AUTHORIZATION_3"=>X_OPS_AUTHORIZATION_LINES[2], 
  "HTTP_X_OPS_AUTHORIZATION_4"=>X_OPS_AUTHORIZATION_LINES[3], 
  "HTTP_X_OPS_AUTHORIZATION_5"=>X_OPS_AUTHORIZATION_LINES[4], 
  "HTTP_X_OPS_AUTHORIZATION_6"=>X_OPS_AUTHORIZATION_LINES[5], 

  # Random set of other headers to exercirse the non- HTTP_ code path
  "HTTP_ACCEPT"=>"application/json",
  "SERVER_SOFTWARE"=>"Apache",
  "SCRIPT_URI"=>"http://com-stg.opscode.com/api/v1/cookbooks",
  "SCRIPT_NAME"=>"",
  "SERVER_ADDR"=>"10.242.197.174",
  "SERVER_NAME"=>"com-stg.opscode.com",
  "DOCUMENT_ROOT"=>"/srv/opscode-community/current/public",
}

# generated with
#   openssl genrsa -out private.pem 2048
#   openssl rsa -in private.pem -out public.pem -pubout
PUBLIC_KEY = <<EOS
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ueqo76MXuP6XqZBILFz
iH/9AI7C6PaN5W0dSvkr9yInyGHSz/IR1+4tqvP2qlfKVKI4CP6BFH251Ft9qMUB
uAsnlAVQ1z0exDtIFFOyQCdR7iXmjBIWMSS4buBwRQXwDK7id1OxtU23qVJv+xwE
V0IzaaSJmaGLIbvRBD+qatfUuQJBMU/04DdJIwvLtZBYdC2219m5dUBQaa4bimL+
YN9EcsDzD9h9UxQo5ReK7b3cNMzJBKJWLzFBcJuePMzAnLFktr/RufX4wpXe6XJx
oVPaHo72GorLkwnQ0HYMTY8rehT4mDi1FI969LHCFFaFHSAaRnwdXaQkJmSfcxzC
YQIDAQAB
-----END PUBLIC KEY-----
EOS

PRIVATE_KEY = <<EOS
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA0ueqo76MXuP6XqZBILFziH/9AI7C6PaN5W0dSvkr9yInyGHS
z/IR1+4tqvP2qlfKVKI4CP6BFH251Ft9qMUBuAsnlAVQ1z0exDtIFFOyQCdR7iXm
jBIWMSS4buBwRQXwDK7id1OxtU23qVJv+xwEV0IzaaSJmaGLIbvRBD+qatfUuQJB
MU/04DdJIwvLtZBYdC2219m5dUBQaa4bimL+YN9EcsDzD9h9UxQo5ReK7b3cNMzJ
BKJWLzFBcJuePMzAnLFktr/RufX4wpXe6XJxoVPaHo72GorLkwnQ0HYMTY8rehT4
mDi1FI969LHCFFaFHSAaRnwdXaQkJmSfcxzCYQIDAQABAoIBAQCW3I4sKN5B9jOe
xq/pkeWBq4OvhW8Ys1yW0zFT8t6nHbB1XrwscQygd8gE9BPqj3e0iIEqtdphbPmj
VHqTYbC0FI6QDClifV7noTwTBjeIOlgZ0NSUN0/WgVzIOxUz2mZ2vBZUovKILPqG
TOi7J7RXMoySMdcXpP1f+PgvYNcnKsT72UcWaSXEV8/zo+Zm/qdGPVWwJonri5Mp
DVm5EQSENBiRyt028rU6ElXORNmoQpVjDVqZ1gipzXkifdjGyENw2rt4V/iKYD7V
5iqXOsvP6Cemf4gbrjunAgDG08S00kiUgvVWcdXW+dlsR2nCvH4DOEe3AYYh/aH8
DxEE7FbtAoGBAPcNO8fJ56mNw0ow4Qg38C+Zss/afhBOCfX4O/SZKv/roRn5+gRM
KRJYSVXNnsjPI1plzqR4OCyOrjAhtuvL4a0DinDzf1+fiztyNohwYsW1vYmqn3ti
EN0GhSgE7ppZjqvLQ3f3LUTxynhA0U+k9wflb4irIlViTUlCsOPkrNJDAoGBANqL
Q+vvuGSsmRLU/Cenjy+Mjj6+QENg51dz34o8JKuVKIPKU8pNnyeLa5fat0qD2MHm
OB9opeQOcw0dStodxr6DB3wi83bpjeU6BWUGITNiWEaZEBrQ0aiqNJJKrrHm8fAZ
9o4l4oHc4hI0kYVYYDuxtKuVJrzZiEapTwoOcYiLAoGBAI/EWbeIHZIj9zOjgjEA
LHvm25HtulLOtyk2jd1njQhlHNk7CW2azIPqcLLH99EwCYi/miNH+pijZ2aHGCXb
/bZrSxM0ADmrZKDxdB6uGCyp+GS2sBxjEyEsfCyvwhJ8b3Q100tqwiNO+d5FCglp
HICx2dgUjuRVUliBwOK93nx1AoGAUI8RhIEjOYkeDAESyhNMBr0LGjnLOosX+/as
qiotYkpjWuFULbibOFp+WMW41vDvD9qrSXir3fstkeIAW5KqVkO6mJnRoT3Knnra
zjiKOITCAZQeiaP8BO5o3pxE9TMqb9VCO3ffnPstIoTaN4syPg7tiGo8k1SklVeH
2S8lzq0CgYAKG2fljIYWQvGH628rp4ZcXS4hWmYohOxsnl1YrszbJ+hzR+IQOhGl
YlkUQYXhy9JixmUUKtH+NXkKX7Lyc8XYw5ETr7JBT3ifs+G7HruDjVG78EJVojbd
8uLA+DdQm5mg4vd1GTiSK65q/3EeoBlUaVor3HhLFki+i9qpT8CBsg==
-----END RSA PRIVATE KEY-----
EOS