marpaia / chef-golang

Go library to interact with the Chef server API

Looks like post auth isn't working #11

Closed spheromak closed 10 years ago

spheromak commented 10 years ago

I moved some code to using a real chef-server today, and noticed my post methods were not authing right.

I will debug more, and attach a PR when I figure out what's up.

Requesting solve for runlist &{{ "run_list": [ "base"] } 0 -1}
([]uint8) {
 00000000  7b 22 65 72 72 6f 72 22  3a 5b 22 49 6e 76 61 6c  |{"error":["Inval|
 00000010  69 64 20 73 69 67 6e 61  74 75 72 65 20 66 6f 72  |id signature for|
 00000020  20 75 73 65 72 20 6f 72  20 63 6c 69 65 6e 74 20  | user or client |
 00000030  27 79 6f 64 61 27 22 5d  7d                       |'test'"]}|
}

spheromak commented 10 years ago

I suppose the real issue here was that this didn't error out somewhere in the API. I had to catch this in the body of the response.

marpaia commented 10 years ago

yes, nice find, the chef api authentication scheme is by far the biggest clusterfuck i've ever seen. with GET requests, it works like this: https://github.com/marpaia/chef-golang/blob/master/api.go#L413-425

Perhaps it needs to sign different material (perhaps body contents as well?) with POST requests?

marpaia commented 10 years ago

you're totally right about not finding it in the API though, when a request's authentication fails, is the HTTP response code different or is it just the body?

spheromak commented 10 years ago

I think it was just the body.

spheromak commented 10 years ago

@marpaia you on freenode atm?

marpaia commented 10 years ago

@spheromak i'm not but hit me up via messenger on facebook: https://www.facebook.com/mike.arpaia

ctdk commented 10 years ago

Yes, the body needs to be hashed, and yes, it's an absolute nightmare. This may be useful for figuring out how to hash the body: https://github.com/ctdk/goiardi/blob/auth/authentication/authentication.go#L219. It took a while, but all that authentication stuff's passing the chef-pedant tests now, so it should be working the same as chef's authentication for PUT and POST.

There may be some corner cases where it isn't, but so far chef-pedant hasn't revealed any problems. The only areas it gets dreadfully unhappy is a few chef-pedant tests where it calculates the hash with a body for requests to GET and DELETE. Chef-server apparently will read the body and authenticate the request (then giving a 405 because the method isn't allowed), while go (and by extension goiardi) does not have any body in GET or DELETE requests, so authorization fails.

spheromak commented 10 years ago

@ctdk thanks for the help. I got goiardi up and running with auth for testing. It does behave the same as chef-server. I will look into adding the body inspection in the client api.

spheromak commented 10 years ago

just wanted to update for anyone looking here. haven't been able to get at this for last few weeks, but hoping to get something kicked out relatively soon.

spheromak commented 10 years ago

Fixed in #12
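
The point raised in the comments above, that the signature on a POST has to cover a hash of the body, shown as an added Go example; it is not part of the original thread and is not code from chef-golang or goiardi. It follows the Chef v1.0 signing format (SHA-1/base64 digests, `X-Ops-*` canonical lines, raw RSA PKCS#1 v1.5). The path, timestamp, user and throwaway key are constructed, and the "body left out" case (a client signing the empty-body hash) is an assumption about the failure, not something the thread shows.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strings"
)

// hashB64 returns base64(SHA-1(data)), the digest encoding used by the v1.0 protocol.
func hashB64(data []byte) string {
	sum := sha1.Sum(data)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// canonicalRequest builds the text that gets signed; the body enters only via X-Ops-Content-Hash.
func canonicalRequest(method, path string, body []byte, timestamp, userID string) []byte {
	return []byte(strings.Join([]string{
		"Method:" + strings.ToUpper(method),
		"Hashed Path:" + hashB64([]byte(path)),
		"X-Ops-Content-Hash:" + hashB64(body),
		"X-Ops-Timestamp:" + timestamp,
		"X-Ops-UserId:" + userID,
	}, "\n"))
}

// demo signs one POST twice (body left out of the hash, then included) and verifies each as a server would.
func demo() (withoutBody, withBody bool) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // throwaway key, generated per run
	if err != nil {
		panic(err)
	}
	// Constructed sample request; the body is the run list from the debug output above.
	path, ts, user := "/environments/_default/cookbook_versions", "2014-01-01T00:00:00Z", "test"
	body := []byte(`{ "run_list": [ "base"] }`)
	check := func(signedBody []byte) bool {
		// Raw PKCS#1 v1.5 over the text itself (crypto.Hash(0): no digest prefix).
		sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.Hash(0), canonicalRequest("POST", path, signedBody, ts, user))
		if err != nil {
			panic(err)
		}
		// The server rebuilds the canonical text from the body it actually received.
		return rsa.VerifyPKCS1v15(&key.PublicKey, crypto.Hash(0), canonicalRequest("POST", path, body, ts, user), sig) == nil
	}
	return check(nil), check(body)
}
func main() { fmt.Println(demo()) }
```

Both canonical texts differ only in the `X-Ops-Content-Hash` line, which is enough for verification to fail when the client signs the hash of an empty body.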