chef - [chef] Re: Re: Re: Examples of mixlib-authentication use?

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] Re: Re: Re: Examples of mixlib-authentication use?

From: Jeremy Bingham < >
To:
Subject: [chef] Re: Re: Re: Examples of mixlib-authentication use?
Date: Sun, 1 Jun 2014 23:34:04 -0700

Signed headers are verified server-side by assembling the expected unencrypted header from the other headers the client sent, decrypting the signed header sent by the client, and comparing the expected header with the decrypted header sent by the client. If the results match, it's verified. Remember that the headers are encrypted with the client's *private* key, and decrypted with the *public* key.

What are you trying to do exactly, though? From my understanding clients don't ever need to verify the signed headers, only properly assemble and encrypt them.

-j

On Sun, Jun 1, 2014 at 9:53 PM, DV < " target="_blank"> > wrote:

Thanks for this - I've actually also found one more example of how to sign headers (which is also something I need to do), together it'll be useful to figuring it out. But haven't found any examples of verifying signed headers (HTTPAuthenticationRequest) yet..

https://github.com/opscode/chef/blob/master/lib/chef/http/auth_credentials.rb#L39

On Sun, Jun 1, 2014 at 3:07 PM, Seth Vargo < " target="_blank"> > wrote:

https://github.com/sethvargo/chef-api/blob/ee9fac591ba76342c10ceeb2d93e80722fa66e5c/lib/chef-api/connection.rb#L469-L494

Thanks,
Seth

On May 30, 2014, at 7:25 PM, DV < " target="_blank"> > wrote:

Hey all,

I'm having a hard time writing a seemingly simple block of code to verify a Chef API request using mixlib-authentication gem (https://github.com/opscode/mixlib-authentication).

I looked at the sample in spec/mixlib/authentication/http_authentication_request_spec.rb, and came up with the following, but somehow I get an exception.

Can anyone point me to a sample code or give any pointers? Much appreciated.

46 @p = Http::Parser.new
47 @p. do |h|
48 p [:on_headers_complete, h]
49 request = Struct.new(:env, :method, :path)

50 @request = request.new(h, "GET", '/roles')
51 p [:request, @request]
52 @m = ::Mixlib::Authentication::HTTPAuthenticationRequest.new(request)

53 if @m.user_id() == "TheOne"
54 conn.relay_to_servers @buffer
55 @buffer.clear
56 else
57 conn.send_data "HTTP/1.1 403 Forbidden\r\n\r\n"

58 end
59 end

And the output:

[[:connection,
"GET /roles HTTP/1.1\r\nX-Ops-Timestamp: 2014-05-30T23:10:50Z\r\nX-Remote-Request-Id: 8fbe67a4-35bc-4ee9-985e-5f1bf243175e\r\nX-Ops-Authorization-6: dZUoWOdG7LVAxZUKoNLFRHFAWCansQKhCPnuwLOy4g==\r\nX-Ops-Authorization-5: RBAEk3dzqBA5DiGFKoIg6Md5tKhtOtlLUn1wpDgjsqTmNRaOtICw+I1ywvHd\r\nX-Ops-Authorization-4: 1DGUtojK/UpD3ynTaQ3jMvDzV3dRDEXqLfiYbX6rgvoItjkjr+eW8Ihgmvmm\r\nX-Ops-Authorization-3: rmPxz4JQxYCur4sZSHDfqK4JHBD7PgCgimPdwiXdGnoeAafc+c3VorBW49/s\r\nX-Ops-Authorization-2: KipV+P2K5DFku5tnspDAZEo0Tr/rF9W5mA8gfF8P0sD3blIoH8w5+XQAZ+cQ\r\nX-Ops-Authorization-1: RW3GO1FBBhlc1Wpr99XMy+TUIjIOF9WRM46dmpOFxgM3anJuq0RlDxxtT6T5\r\nX-Chef-Version: 11.12.2\r\nX-Ops-Content-Hash: 2jmj7l5rSw0yVb/vlWAYkK/YBwk=\r\nConnection: close\r\nX-Ops-Sign: algorithm=sha1;version=1.0;\r\nAccept: application/json\r\nX-Ops-Userid: XXX\r\nAccept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3\r\nUser-Agent: Chef Knife/11.12.2 (ruby-1.8.7-p352; ohai-7.0.2; x86_64-linux; +http://opscode.com)\r\nHost: chef11-proxy-1:8080\r\n\r\n"]]

[:on_headers_complete, {"X-Ops-Timestamp"=>"2014-05-30T23:10:50Z", "X-Remote-Request-Id"=>"8fbe67a4-35bc-4ee9-985e-5f1bf243175e", "X-Ops-Authorization-6"=>"dZUoWOdG7LVAxZUKoNLFRHFAWCansQKhCPnuwLOy4g==", "X-Ops-Authorization-5"=>"RBAEk3dzqBA5DiGFKoIg6Md5tKhtOtlLUn1wpDgjsqTmNRaOtICw+I1ywvHd", "X-Ops-Authorization-4"=>"1DGUtojK/UpD3ynTaQ3jMvDzV3dRDEXqLfiYbX6rgvoItjkjr+eW8Ihgmvmm", "X-Ops-Authorization-3"=>"rmPxz4JQxYCur4sZSHDfqK4JHBD7PgCgimPdwiXdGnoeAafc+c3VorBW49/s", "X-Ops-Authorization-2"=>"KipV+P2K5DFku5tnspDAZEo0Tr/rF9W5mA8gfF8P0sD3blIoH8w5+XQAZ+cQ", "X-Ops-Authorization-1"=>"RW3GO1FBBhlc1Wpr99XMy+TUIjIOF9WRM46dmpOFxgM3anJuq0RlDxxtT6T5", "X-Chef-Version"=>"11.12.2", "X-Ops-Content-Hash"=>"2jmj7l5rSw0yVb/vlWAYkK/YBwk=", "Connection"=>"close", "X-Ops-Sign"=>"algorithm=sha1;version=1.0;", "Accept"=>"application/json", "X-Ops-Userid"=>"XXX", "Accept-Encoding"=>"gzip;q=1.0,deflate;q=0.6,identity;q=0.3", "User-Agent"=>"Chef Knife/11.12.2 (ruby-1.8.7-p352; ohai-7.0.2; x86_64-linux; +http://opscode.com)", "Host"=>"chef11-proxy-1:8080"}]

[:request, #<struct env={"X-Ops-Timestamp"=>"2014-05-30T23:10:50Z", "X-Remote-Request-Id"=>"8fbe67a4-35bc-4ee9-985e-5f1bf243175e", "X-Ops-Authorization-6"=>"dZUoWOdG7LVAxZUKoNLFRHFAWCansQKhCPnuwLOy4g==", "X-Ops-Authorization-5"=>"RBAEk3dzqBA5DiGFKoIg6Md5tKhtOtlLUn1wpDgjsqTmNRaOtICw+I1ywvHd", "X-Ops-Authorization-4"=>"1DGUtojK/UpD3ynTaQ3jMvDzV3dRDEXqLfiYbX6rgvoItjkjr+eW8Ihgmvmm", "X-Ops-Authorization-3"=>"rmPxz4JQxYCur4sZSHDfqK4JHBD7PgCgimPdwiXdGnoeAafc+c3VorBW49/s", "X-Ops-Authorization-2"=>"KipV+P2K5DFku5tnspDAZEo0Tr/rF9W5mA8gfF8P0sD3blIoH8w5+XQAZ+cQ", "X-Ops-Authorization-1"=>"RW3GO1FBBhlc1Wpr99XMy+TUIjIOF9WRM46dmpOFxgM3anJuq0RlDxxtT6T5", "X-Chef-Version"=>"11.12.2", "X-Ops-Content-Hash"=>"2jmj7l5rSw0yVb/vlWAYkK/YBwk=", "Connection"=>"close", "X-Ops-Sign"=>"algorithm=sha1;version=1.0;", "Accept"=>"application/json", "X-Ops-Userid"=>"XXX", "Accept-Encoding"=>"gzip;q=1.0,deflate;q=0.6,identity;q=0.3", "User-Agent"=>"Chef Knife/11.12.2 (ruby-1.8.7-p352; ohai-7.0.2; x86_64-linux; +http://opscode.com)", "Host"=>"chef11-proxy-1:8080"}, method="GET", path="/roles">]

/usr/lib64/ruby/gems/1.9.1/gems/mixlib-authentication-1.3.0/lib/mixlib/authentication/http_authentication_request.rb:36:in `headers': undefined method `env' for #<Class:0x00000001ef4178> (NoMethodError)

from /usr/lib64/ruby/gems/1.9.1/gems/mixlib-authentication-1.3.0/lib/mixlib/authentication/http_authentication_request.rb:77:in `validate_headers!'
from /usr/lib64/ruby/gems/1.9.1/gems/mixlib-authentication-1.3.0/lib/mixlib/authentication/http_authentication_request.rb:32:in `initialize'

from /usr/lib64/ruby/gems/1.9.1/gems/chef-proxy-0.0.1/lib/chef/proxy.rb:52:in `new'
--
Best regards, Dmitriy V.

--
Best regards, Dmitriy V.

[chef] Re: Examples of mixlib-authentication use?, Seth Vargo, 06/01/2014
- [chef] Re: Re: Examples of mixlib-authentication use?, DV, 06/01/2014
  - [chef] Re: Re: Re: Examples of mixlib-authentication use?, Jeremy Bingham, 06/01/2014
    - [chef] Re: Examples of mixlib-authentication use?, Stephen Delano, 06/01/2014
    - [chef] Re: Re: Re: Re: Examples of mixlib-authentication use?, DV, 06/02/2014
      - [chef] Re: Re: Re: Re: Re: Examples of mixlib-authentication use?, Jeremy Bingham, 06/02/2014
        
        [chef] Re: Re: Re: Re: Re: Re: Examples of mixlib-authentication use?, Stephen Delano, 06/02/2014
        
        [chef] Re: Re: Re: Re: Re: Re: Re: Examples of mixlib-authentication use?, DV, 06/02/2014
        
        [chef] Re: Re: Re: Re: Re: Re: Examples of mixlib-authentication use?, DV, 06/02/2014