[one-users] RPC API and PHP (auth pb)
Carlos Martín Sánchez
cmartin at opennebula.org
Tue Mar 26 08:36:55 PDT 2013
Great, I'm glad you made it work. Thanks for posting the final code.
Regards
--
Carlos Martín, MSc
Project Engineer
OpenNebula - The Open-source Solution for Data Center Virtualization
www.OpenNebula.org | cmartin at opennebula.org |
@OpenNebula<http://twitter.com/opennebula><cmartin at opennebula.org>
On Tue, Mar 26, 2013 at 3:51 PM, Nicolas Bélan <nicolas.belan at gmail.com>wrote:
> Hello,
>
> nope, the code is base64_encoded.
>
> I found it !!
>
> You have an error in your code (well ... a default usage, not an error)
> and I did not notice it quickly.
>
> You do not set any Initialization Vector for the AES-256-CBC.
> mcrypt and openssl implementation does not like that !
> So, I tried to pass through, (and failed) and I find this lib:
> http://phpseclib.sourceforge.net/
> The implementation is good, and the result is fine. I can now call RPC
> through serveradmin ...
>
> I cut&paste for list users sample code:
>
> http://pastebin.com/06Z52nXG
>
> Have a nice day
> Best regards
> nicolas.
>
>
> Le 26/03/2013 11:30, Carlos Martín Sánchez a écrit :
>
> Your second code looks better.
> In ruby the encrypted token is then encoded to Base64, is this step
> missing from your code?
>
> Regards
> --
> Carlos Martín, MSc
> Project Engineer
> OpenNebula - The Open-source Solution for Data Center Virtualization
> www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula<http://twitter.com/opennebula>
>
>
> On Tue, Mar 26, 2013 at 1:31 AM, Nicolas Bélan <nicolas.belan at gmail.com>wrote:
>
>> Hi,
>>
>> Well, the encrypted field is not clear for me.
>>
>> I tried:
>> function test_request_1() {
>> // build userAuth
>> $userAuth = $this->oca_username . ":" . $this->user_email .
>> ":" . sha1($this->oca_password);
>> $request = xmlrpc_encode_request("one.vmpool.info",
>> array($userAuth, -2, -1, -1 , -1));
>> $content = stream_context_create(array(
>> "http" => array("method" => "POST",
>> "header" => "Content-Type: text/xml",
>> "content" => $request
>> )
>> ));
>> $file = file_get_contents($this->oca_base_url, false, $content);
>> $response = xmlrpc_decode($file);
>> }
>>
>> But, I got:
>> Tue Mar 26 01:24:31 2013 [AuM][E]: Auth Error: wrong final block length
>> Tue Mar 26 01:24:31 2013 [ReM][E]: Req:7056 UID:- VirtualMachinePoolInfo
>> result FAILURE [VirtualMachinePoolInfo] User couldn't be authenticated,
>> aborting call.
>>
>> oca_username is "serveradmin", and "oca_password" is the password of
>> serveradmin.
>> user_email is the login id of the client.
>>
>> The think that I can not understand is the following:
>> I captured the third field:
>> PWyaJz96iwdYldYoPHXWZYle/HkPus+rFpkJhLRSf8wRMWGr+/NRXA7Qf8YPiwU3
>> it is 64 chars long.
>>
>> a sha1(str) is 40 bytes long.
>>
>> So, how ruby can make a 40+24 sha1() password ?
>>
>>
>> I tested also using:
>> function test_aes_4() {
>> // let's do it with openssl
>> // like Ruby, we generate a 40 bytes key, but only 32 bytes for
>> aes-256-CBC
>> $key = substr(sha1($this->oca_password), 0,
>> $this->mcrypt_keysize);
>> $this->assertEquals($this->mcrypt_keysize, strlen($key));
>> // let's make data with an iv
>> $iv = mcrypt_create_iv($this->mcrypt_ivsize);
>> $data = $this->oca_username . ":" . $this->user_email . ":" .
>> time()+3600;
>> $encrypted_data64 = openssl_encrypt($data, "aes-256-cbc", $key,
>> false, $iv);
>> $this->assertEquals(64, strlen($encrypted_data64));
>> }
>>
>> It failed with:
>> 2) CloudTest::test_aes_4
>> Failed asserting that 24 matches expected 64.
>>
>> -- sure, the ! "reply all" was an error, sorry
>>
>> Best regards,
>> Nicolas
>>
>> Le 25/03/2013 17:25, Carlos Martín Sánchez a écrit :
>>
>> Hi,
>>
>> On Mon, Mar 25, 2013 at 2:48 PM, Nicolas Bélan <nicolas.belan at gmail.com>wrote:
>>
>>> Hello,
>>>
>>> the problem is that password is in a LDAP tree, and I do not get clear
>>> user password from the user (got it in SHA1) through web connection.
>>>
>>> I only map ldap[uidnumber] to get various other informations (DNS owner,
>>> SMTP accounting, Support requests and so on).
>>> I would like to keep avoiding getting clear text password to access
>>> OpenNebula Interface.
>>> If it is not possible, I may get access directly to SQL Database, but
>>> this not what I would like to do first ...
>>>
>>
>> In that case serveradmin is the right approach.
>>
>> I see in your first email that you already found login_token in
>> server_cipher_auth.rb. Maybe you were not using the same encryption
>> algorithm, aes-256-cbc?
>>
>> Regards
>>
>> PS: Please reply to the list, more people may find it useful...
>> --
>> Carlos Martín, MSc
>> Project Engineer
>> OpenNebula - The Open-source Solution for Data Center Virtualization
>> www.OpenNebula.org <http://www.opennebula.org/> | cmartin at opennebula.org
>> | @OpenNebula <http://twitter.com/opennebula>
>>
>>
>>
>>> Regards,
>>> nicolas.
>>>
>>> Le 25/03/2013 11:29, Carlos Martín Sánchez a écrit :
>>>
>>> Hi,
>>>
>>> The serveradmin users allows more secure communications, and advanced
>>> authentication scenarios, like browser certificates [1]. But if you are
>>> building a simple user interface, you might want to keep things simple and
>>> use the 'username:password' session token for your xmlrpc requests.
>>>
>>> Regards
>>>
>>> [1] http://opennebula.org/documentation:rel3.8:sunstone#x509_auth
>>> --
>>> Carlos Martín, MSc
>>> Project Engineer
>>> OpenNebula - The Open-source Solution for Data Center Virtualization
>>> www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula<http://twitter.com/opennebula>
>>>
>>>
>>> On Fri, Mar 22, 2013 at 5:46 PM, Nicolas Bélan <nicolas.belan at gmail.com>wrote:
>>>
>>>> Hello,
>>>>
>>>> well, i would like to display to user their vm, networks, images and so
>>>> on, according to the role and access of each user.
>>>> so i am trying to use as much as possible openNebula rbac and rpc to
>>>> retrieve only right informations.
>>>> the step after is to deploy vm as user, not as oneadmin or serveradmin,
>>>> but directly as "user"
>>>>
>>>> the service i am building is a very simplified user interface. the step
>>>> after for the user is to have access to self service, but to begin, i would
>>>> like to hide some concepts to make easier cloud access.
>>>>
>>>> best regards,
>>>> nicolas
>>>> Le 22 mars 2013 à 17:25, Tino Vazquez <tinova at opennebula.org> a écrit :
>>>>
>>>> > Hi Nicolas,
>>>> >
>>>> > serveradmin is used by Sunstone and related interface services. Did
>>>> > you try it out with other users (ie, oneadmin)?
>>>> >
>>>> > Depending on what type of service you are building, you may be
>>>> > interested indeed in serveradmin. Could you elaborate a bit more on
>>>> > that?
>>>> >
>>>> > Regards
>>>> > --
>>>> > Constantino Vázquez Blanco, PhD, MSc
>>>> > Project Engineer
>>>> > OpenNebula - The Open-Source Solution for Data Center Virtualization
>>>> > www.OpenNebula.org | @tinova79 | @OpenNebula
>>>> >
>>>> >
>>>> > On Fri, Mar 22, 2013 at 4:16 PM, Nicolas Bélan <
>>>> nicolas.belan at gmail.com> wrote:
>>>> >> Hello the list,
>>>> >>
>>>> >> I am trying (unsuccessfully) to call RPM methods.
>>>> >>
>>>> >> The problem is that I can not make my user authenticated by code
>>>> (while
>>>> >> it is ok with http://localhost:4567/ui)
>>>> >> I am using version 3.8.3.
>>>> >>
>>>> >> I am trying to user serveradmin:<user>:<password> with it does not
>>>> work
>>>> >> as written in the documentation.
>>>> >> Deeply investigating, I found, in
>>>> >> /usr/lib/one/ruby/server_cipher_auth.rb that the third part is a
>>>> token,
>>>> >> but i am not ruby compliant....
>>>> >> It seems, If i understand, that:
>>>> >> a string is built with: "serveradmin:username:time()+expire"
>>>> >> the serveradmin password is used to create a key.
>>>> >> This key is then used to cipher (salted ?) the previous string.
>>>> >> The result is then appended like that:
>>>> >> "serveradmin:username:cipher(key,serveradmin:username:time()+expire)"
>>>> >> and sent as the first parameter of the rpc call.
>>>> >> Am i completely wrong ?
>>>> >> For example:
>>>> >>
>>>> serveradmin:user_example:PWyaJz96iwdYldYoPHXWZYkBMbuvKIEXiTVb0WuAHURYuQ2Dzmhnzjm0JDNCMchB
>>>> >>
>>>> >> Using perl, I failed to authenticate user ....
>>>> >> using tcpdump, it seems that the third part is quite constant during
>>>> a
>>>> >> certain laps of time ...
>>>> >> So, I may be wrong with my time() expire part ....
>>>> >> Can you help me writing this part of code ? Perl or PHP are welcome
>>>> ;)
>>>> >>
>>>> >> Thank you for you help
>>>> >>
>>>> >> Best regards,
>>>> >> Nicolas.
>>>> >>
>>>> >>
>>>> >>
>>>> >>
>>>> >>
>>>> >>
>>>> >> _______________________________________________
>>>> >> Users mailing list
>>>> >> Users at lists.opennebula.org
>>>> >> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>> >>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.opennebula.org
>>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>>
>>>
>>>
>>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20130326/9e1e314d/attachment-0002.htm>
More information about the Users
mailing list