
mixlib-authentication's Introduction

Mixlib::Authentication


Umbrella Project: Chef Foundation

Project State: Active

Issues Response Time Maximum: 14 days

Pull Request Response Time Maximum: 14 days

Mixlib::Authentication provides a class-based header signing authentication object, like the one used in Chef.

Documentation

All documentation is written using YARD. You can generate the documentation by running:

rake docs

Contributing

For information on contributing to this project, please see our Contributing Documentation.

License & Copyright

  • Copyright:: Copyright (c) 2009-2019 Chef Software, Inc.
  • License:: Apache License, Version 2.0
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

mixlib-authentication's People

Contributors

adamhjk, algorist, btm, chef-ci, chef-expeditor[bot], coderanger, danielsdeleo, dependabot-preview[bot], felixonmars, glensc, jaym, jeremiahsnapp, jkeiser, lamont-granquist, poorndm, pravi, robbkidd, ryancragun, skeshari12, tas50, tduffield, thommay, whiteley


mixlib-authentication's Issues

Hashed Path HTTP header violates RFC

Hey there,

I've recently discovered that the authentication headers created by Mixlib::Authentication are actually in violation of Internet RFCs. Specifically, HTTP headers cannot contain space characters. Unfortunately, due to this it is causing issues with other software I am using that sees this as an invalid request.

Should we consider revising this to no longer use the space in the header?

In rfc2616 an HTTP header name is defined as such:

       CTL            = <any US-ASCII control character
                        (octets 0 - 31) and DEL (127)>

...

       token          = 1*<any CHAR except CTLs or separators>
       separators     = "(" | ")" | "<" | ">" | "@"
                      | "," | ";" | ":" | "\" | <">
                      | "/" | "[" | "]" | "?" | "="
                      | "{" | "}" | SP | HT

...

       message-header = field-name ":" [ field-value ]
       field-name     = token

Per this RFC, a token cannot contain spaces and an HTTP field header is considered a token.

Cheers!
-Tim
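
The token grammar quoted in the issue above can be turned into a lint for header field-names. This is an added example, not code from the issue or from mixlib-authentication; the `X-Example-*` header names and the sample request are constructed for illustration.

```ruby
# Added example: lint HTTP header field-names against the RFC 2616 token grammar.
# RFC 2616 separators, including SP and HT.
SEPARATORS = "()<>@,;:\\\"/[]?={} \t".freeze

# Return the characters in +name+ that a token may not contain:
# CTLs (octets 0-31 and 127), non-ASCII octets, and separators.
def invalid_token_chars(name)
  name.each_char.select do |ch|
    o = ch.ord
    o < 32 || o >= 127 || SEPARATORS.include?(ch)
  end.uniq
end

# token = 1*<any CHAR except CTLs or separators>, so empty names are invalid too.
def valid_field_name?(name)
  !name.empty? && invalid_token_chars(name).empty?
end

# Return [field-name, offending characters] for every header line whose
# name is not a valid token. Folded continuation lines are skipped.
def lint_headers(raw)
  raw.split(/\r?\n/).each_with_object([]) do |line, bad|
    next if line.empty? || line.start_with?(" ", "\t")
    name, sep, _value = line.partition(":")
    if sep.empty?
      bad << [line, [:missing_colon]]
    elsif !valid_field_name?(name)
      bad << [name, invalid_token_chars(name)]
    end
  end
end

# Constructed sample request headers (not captured from a real client).
SAMPLE = <<~HEADERS
  Host: chef.example.test
  X-Example-Userid: alice
  X-Example-Hashed Path: 3q2+7w==
  X-Example-Timestamp: 2019-01-01T00:00:00Z
HEADERS

if __FILE__ == $PROGRAM_NAME
  lint_headers(SAMPLE).each { |name, chars| puts "#{name.inspect}: #{chars.inspect}" }
end
```

Running the lint over outgoing requests in a client test suite catches a non-token field-name before a strict proxy or server rejects the request.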

Dependabot can't parse your Gemfile

Dependabot couldn't parse the Gemfile found at /Gemfile.

The error Dependabot encountered was:

Dependabot only supports uninterpolated string arguments to eval_gemfile. Got `__FILE__ + ".local"`

Version 1.4.3 breaks the Chef gem < 14, berks, and Chefspec gems

Hi,

Earlier today we had builds starting to fail around our chef cookbooks and roles uploads. Upon inspecting I determined that this is caused by version 1.4.3 of mixlib-authentication, albeit kind of indirectly.

As you can see both have errors using the chef-linked gems:

Roles - using berks
bundler: failed to load command: berks (/var/app/jenkins/bundles/ruby/2.3.0/bin/berks)
NoMethodError: undefined method `trace' for #Logger:0x007f6f5f75f578

App cookbook - chefspec

  • bundle exec rspec

Chef encountered an error attempting to load the node data for "chefspec"

Unexpected Error:
NoMethodError: undefined method `trace' for #Logger:0x007fe5444919a8
Did you mean? trace_var
trap

This gem is used by basically any gem that wants to speak to the Chef server. This includes chefspec, berks (via ridley gem) etc. This is made worse by those gems in question having the following version requirements:

chef (versions 12.x and 13.x): (~> 1.4)
ridley (5.1.1): (>=1.3.0)

It appears this change: 23e5b67
Depends on this in the mixlib-log gem (in version 2.1.0) : chef/mixlib-log@6bf78bb#diff-19783d72fc4cc244ae938eef663eb3a9

However, walking and resolving our gemfile dependencies doesn't give us this version. Our Chef gems (of varying versions) ask for mixlib-log (~> 1.3) picking up 1.7.0. This causes it to go boom with this version of mixlib-authentication.

mixlib-authentication is a dependency of the chef gem and berkshelf (via the Ridley gem). Version 1.4.3 uses functionality from mixlib-log, but this functionality was only added in mixlib-log 2.1.0 and this version isn’t a dependency of mixlib-authentication.

The issue in our case is the versions of the chef gem/berkshelf we use want mixlib-log (~> 1.3). This causes it to blow up because the functionality used by mixlib-authentication isn’t present in the version of mixlib-log we pull in (1.7.0). I expect this isn’t the case in Chef 14 but this essentially breaks the chef (12/13) gems with this change. All the chef versions before 14 and berkshelf/ridley want mixlib-authentication ~> 1.4 hence when 1.4.3 was released it gets pulled in and causes the chef and berkshelf gems to break.

I'm not sure what the best fix is here, but this is basically a breaking change via dependencies, and it being a patch release isn't great as it is being picked up everywhere as shown above.
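
The version constraints in the report above can be checked with RubyGems' own requirement classes. This is an added example, not code from the issue or the project; the candidate list is limited to the mixlib-log versions the page mentions, and the `>= 2.1.0` constraint is an assumption about what 1.4.3 would have had to declare.

```ruby
# Added example: why dependency resolution never selected a mixlib-log
# release that provides Logger#trace.
require "rubygems"

# mixlib-log versions named on this page (not the full release list).
CANDIDATES = %w[1.7.0 1.7.1 2.1.0].map { |v| Gem::Version.new(v) }.freeze

# Constraint the report attributes to the chef 12.x/13.x gems.
CHEF_CONSTRAINT = "~> 1.3".freeze
# Assumption: the constraint mixlib-authentication 1.4.3 would have needed
# to declare, since the report says the feature arrived in mixlib-log 2.1.0.
NEEDED_FOR_TRACE = ">= 2.1.0".freeze

# Return the candidate versions that satisfy every constraint given.
def satisfying(candidates, *constraints)
  req = Gem::Requirement.new(*constraints)
  candidates.select { |v| req.satisfied_by?(v) }
end

# Highest version a resolver may pick under the constraints, or nil when
# the constraints cannot be satisfied together.
def resolved(candidates, *constraints)
  satisfying(candidates, *constraints).max
end

if __FILE__ == $PROGRAM_NAME
  # Undeclared requirement: resolution succeeds, the failure surfaces at runtime.
  puts "chef only:       #{resolved(CANDIDATES, CHEF_CONSTRAINT).inspect}"
  # Declared requirement: the conflict is visible at resolve time instead.
  puts "chef + declared: #{resolved(CANDIDATES, CHEF_CONSTRAINT, NEEDED_FOR_TRACE).inspect}"
end
```

With only the chef constraint the resolver settles on a 1.x mixlib-log, which is why the breakage appeared as a `NoMethodError` at runtime rather than as a resolution error at install time.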

Version 1.4.3 introduces logger bug

➜  test git:(knife_fix) ✗ bundle exec knife role list -VV
INFO: Using configuration from /Users/matt/.chef/knife.rb
DEBUG: Chef::HTTP calling Chef::HTTP::JSONInput#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::JSONOutput#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::CookieManager#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::Decompressor#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::Authenticator#handle_request
DEBUG: Signing the request as matt
/Users/matt/.rvm/gems/ruby-2.3.0/gems/mixlib-log-1.7.1/lib/mixlib/log.rb:152:in `block in method_missing': undefined method `trace' for #<Logger:0x007fccffed13f8> (NoMethodError)
Did you mean?  trace_var
               trap
        from /Users/matt/.rvm/gems/ruby-2.3.0/gems/mixlib-log-1.7.1/lib/mixlib/log.rb:152:in `each'
        from /Users/matt/.rvm/gems/ruby-2.3.0/gems/mixlib-log-1.7.1/lib/mixlib/log.rb:152:in `method_missing'
        from /Users/matt/.rvm/gems/ruby-2.3.0/bundler/gems/mixlib-authentication-a5b9bc93e291/lib/mixlib/authentication/signedheaderauth.rb:250:in `do_sign'
        from /Users/matt/.rvm/gems/ruby-2.3.0/bundler/gems/mixlib-authentication-a5b9bc93e291/lib/mixlib/authentication/signedheaderauth.rb:111:in `sign'
        from /Users/matt/.rvm/gems/ruby-2.3.0/gems/chef-12.21.31/lib/chef/http/auth_credentials.rb:51:in `signature_headers'
        from /Users/matt/.rvm/gems/ruby-2.3.0/gems/chef-12.21.31/lib/chef/http/authenticator.rb:102:in `authentication_headers'
        from /Users/matt/.rvm/gems/ruby-2.3.0/gems/chef-12.21.31/lib/chef/http/authenticator.rb:51:in `handle_request'
        from /Users/matt/.rvm/gems/ruby-2.3.0/gems/chef-12.21.31/lib/chef/http.rb:296:in `block in apply_request_middleware'
        from /Users/matt/.rvm/gems/ruby-2.3.0/gems/chef-12.21.31/lib/chef/http.rb:294:in `each'
        from /Users/matt/.rvm/gems/ruby-2.3.0/gems/chef-12.21.31/lib/chef/http.rb:294:in `inject'
        from /Users/matt/.rvm/gems/ruby-2.3.0/gems/chef-12.21.31/lib/chef/http.rb:294:in `apply_request_middleware'
        from /Users/matt/.rvm/gems/ruby-2.3.0/gems/chef-12.21.31/lib/chef/http.rb:146:in `request'
        from /Users/matt/.rvm/gems/ruby-2.3.0/gems/chef-12.21.31/lib/chef/http.rb:115:in `get'
        from /Users/matt/.rvm/gems/ruby-2.3.0/gems/chef-12.21.31/lib/chef/role.rb:207:in `list'
        from /Users/matt/.rvm/gems/ruby-2.3.0/gems/chef-12.21.31/lib/chef/knife/role_list.rb:38:in `run'
        from /Users/matt/.rvm/gems/ruby-2.3.0/gems/chef-12.21.31/lib/chef/knife.rb:443:in `block in run_with_pretty_exceptions'
        from /Users/matt/.rvm/gems/ruby-2.3.0/gems/chef-12.21.31/lib/chef/local_mode.rb:44:in `with_server_connectivity'
        from /Users/matt/.rvm/gems/ruby-2.3.0/gems/chef-12.21.31/lib/chef/knife.rb:442:in `run_with_pretty_exceptions'
        from /Users/matt/.rvm/gems/ruby-2.3.0/gems/chef-12.21.31/lib/chef/knife.rb:219:in `run'
        from /Users/matt/.rvm/gems/ruby-2.3.0/gems/chef-12.21.31/lib/chef/application/knife.rb:156:in `run'
        from /Users/matt/.rvm/gems/ruby-2.3.0/gems/chef-12.21.31/bin/knife:25:in `<top (required)>'
        from /Users/matt/.rvm/gems/ruby-2.3.0/bin/knife:23:in `load'
        from /Users/matt/.rvm/gems/ruby-2.3.0/bin/knife:23:in `<main>'
        from /Users/matt/.rvm/gems/ruby-2.3.0/bin/ruby_executable_hooks:15:in `eval'
        from /Users/matt/.rvm/gems/ruby-2.3.0/bin/ruby_executable_hooks:15:in `<main>'

Gemfile:

source 'https://rubygems.org'

gem 'chef', '~> 12.21.0'
gem 'mixlib-authentication', '= 1.4.3', :git => 'https://github.com/chef/mixlib-authentication', branch: 'v1.4.3'

Gem::ImpossibleDependenciesError

gem install chef results in the following.

 ERROR:  While executing gem ... (Gem::ImpossibleDependenciesError)
    mixlib-authentication-1.4.0 requires rspec-core (~> 3.2) but it conflicted:
  Activated rspec-core-3.4.2 instead of (= 3.5.0.beta1) via:
    rspec-3.5.0.beta1, serverspec-2.29.2, chef-12.7.2
