lib/mixlib/authentication/signatureverification.rb in mixlib-authentication-1.1.4 vs lib/mixlib/authentication/signatureverification.rb in mixlib-authentication-1.3.0.beta.0
- old
+ new
@@ -32,11 +32,11 @@
def_delegator :@auth_request, :http_method
def_delegator :@auth_request, :path
- def_delegator :auth_request, :signing_description
+ def_delegator :@auth_request, :signing_description
def_delegator :@auth_request, :user_id
def_delegator :@auth_request, :timestamp
@@ -48,12 +48,10 @@
def_delegator :@auth_request, :request
include Mixlib::Authentication::SignedHeaderAuth
- attr_reader :auth_request
-
def initialize(request=nil)
@auth_request = HTTPAuthenticationRequest.new(request) if request
@valid_signature, @valid_timestamp, @valid_content_hash = false, false, false
@@ -63,16 +61,17 @@
def authenticate_user_request(request, user_lookup, time_skew=(15*60))
@auth_request = HTTPAuthenticationRequest.new(request)
authenticate_request(user_lookup, time_skew)
end
+
# Takes the request, boils down the pieces we are interested in,
# looks up the user, generates a signature, and compares to
# the signature in the request
# ====Headers
#
- # X-Ops-Sign: algorithm=sha256;version=1.0;
+ # X-Ops-Sign: algorithm=sha1;version=1.0;
# X-Ops-UserId: <user_id>
# X-Ops-Timestamp:
# X-Ops-Content-Hash:
# X-Ops-Authorization-#{line_number}
def authenticate_request(user_secret, time_skew=(15*60))
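Review bot: The header example `# X-Ops-Sign: algorithm=sha1;version=1.0;` disagrees with the comment added further down in `authenticate_request`, which says version 1.0 clients do not include an algorithm in the signing description. Document both forms, for example `# X-Ops-Sign: version=1.0; (algorithm is optional; sha1 is assumed when absent)`, so a reader can see that a default is applied to a security-relevant field. The body of `authenticate_request` continues outside this hunk.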
@@ -80,16 +79,17 @@
@user_secret = user_secret
@allowed_time_skew = time_skew # in seconds
begin
- @auth_request
-
- #BUGBUG Not doing anything with the signing description yet [cb]
- parse_signing_description
+ parts = parse_signing_description
- verify_signature
+ # version 1.0 clients don't include their algorithm in the
+ # signing description, so default to sha1
+ parts[:algorithm] ||= 'sha1'
+
+ verify_signature(parts[:algorithm], parts[:version])
verify_timestamp
verify_content_hash
rescue StandardError=>se
raise AuthenticationError,"Failed to authenticate user request. Check your client key and clock: #{se.message}", se.backtrace
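Review bot: `parts[:algorithm]` and `parts[:version]` come from the request's own signing description and reach `verify_signature` without any check in this hunk that they name a supported scheme, so the client selects how its request is canonicalized. Unless `canonicalize_request` (not visible here) rejects unknown values, add an allow-list before the call, e.g. `raise AuthenticationError, "unsupported signing algorithm" unless %w[sha1].include?(parts[:algorithm])`. Apply the same check to `parts[:version]`, which has no default and may be nil when the header omits it. The same pair is forwarded unchanged by `verify_signature(algorithm, version)` in the last hunk, and the `begin`/`rescue` block shown here continues past the end of this hunk.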
@@ -134,11 +134,11 @@
raise MissingAuthenticationHeader, "required authentication header #{header.to_s.upcase} missing"
end
end
end
- def verify_signature
- candidate_block = canonicalize_request
+ def verify_signature(algorithm, version)
+ candidate_block = canonicalize_request(algorithm, version)
request_decrypted_block = @user_secret.public_decrypt(Base64.decode64(request_signature))
@valid_signature = (request_decrypted_block == candidate_block)
# Keep the debug messages lined up so it's easy to scan them
Mixlib::Authentication::Log.debug("Verifying request signature:")