[chef] How to modify path used in signature


  • From: Ameir Abdeldayem < >
  • To:
  • Subject: [chef] How to modify path used in signature
  • Date: Sat, 19 Jul 2014 19:32:35 -0400

Hello,

I work at a big company with several different ops teams.  For the most part, each ops team maintains its own open-source Chef server.

I'm looking into the feasibility of mimicking the Hosted Chef style of paths, e.g. /organizations/opsteam1.  So, for a node list from knife, the request would look like 'GET /organizations/opsteam1/nodes'.

If I put this behind a proxy and rewrite the path to just '/nodes', I get a 401.  After looking at the auth page at http://docs.opscode.com/auth.html, that makes sense, since the hashed path is part of the signed request.

In order for this to work, the client needs to sign the request with '/nodes' as the path, even if the target path differs.

I know I'll likely need to override https://github.com/opscode/mixlib-authentication/blob/a32e96a6a8cd53e2ff2a775ef0f757550289f89b/lib/mixlib/authentication/signedheaderauth.rb#L119 in both knife and chef-client to achieve what I'm looking for.  I don't mind requiring that folks install a knife plugin or a gem for this to work. 

Could you give me direction on how to best achieve this?

I know I could probably just set up some nginx rewrites on the Chef server, but I'd like for the server to be as vanilla as can be.

Thanks!
-Ameir

P.S.  This is just a high-level example of what I'm trying to achieve.  I'm mainly looking to find out how to proxy a request that updates values used in the signature, without the proxy having to be the signer.  Sending the correctly-signed payload from the client is ideal.
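
Why the proxy rewrite described above yields a 401, as an added example that is not part of the original post and not mixlib-authentication's own code. It assumes the protocol v1.0 canonical request layout (Base64 SHA-1 of the path and body, RSA private-key signature); the helper names, the key and the request values are constructed for illustration.

```ruby
require "openssl"
require "base64"
require "digest/sha1"

# Helper names are hypothetical; layout assumed from signing protocol v1.0.
# Collapse repeated slashes and drop a trailing slash before hashing.
def canonical_path(path)
  clean = path.gsub(%r{/+}, "/")
  clean.length > 1 ? clean.chomp("/") : clean
end

def b64_sha1(data)
  Base64.strict_encode64(Digest::SHA1.digest(data))
end

# The string that is actually signed: the path is bound in via its hash.
def canonical_request(method:, path:, body:, timestamp:, user_id:)
  [
    "Method:#{method.upcase}",
    "Hashed Path:#{b64_sha1(canonical_path(path))}",
    "X-Ops-Content-Hash:#{b64_sha1(body)}",
    "X-Ops-Timestamp:#{timestamp}",
    "X-Ops-UserId:#{user_id}",
  ].join("\n")
end

# Client side: sign the canonical string with the client's private key.
def sign(key, **req)
  Base64.strict_encode64(key.private_encrypt(canonical_request(**req)))
end

# Server side: rebuild the canonical string from the request as received
# and compare it with what the client signed.
def verify(public_key, signature, **req)
  signed = public_key.public_decrypt(Base64.strict_decode64(signature))
  signed == canonical_request(**req)
rescue OpenSSL::PKey::PKeyError
  false
end

key = OpenSSL::PKey::RSA.new(2048) # constructed throwaway key
req = { method: "GET", path: "/organizations/opsteam1/nodes", body: "",
        timestamp: "2014-07-19T23:32:35Z", user_id: "opsuser" } # constructed values
sig = sign(key, **req)
puts verify(key.public_key, sig, **req)                       # path unchanged in transit
puts verify(key.public_key, sig, **req.merge(path: "/nodes")) # path rewritten by a proxy
```

The second check fails because the server hashes the path it received, which no longer matches the hash inside the signature; verification only succeeds when the signer and the verifier canonicalize the same path.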


