You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cloudstack.apache.org by Blake Ferkingstad <bf...@acentek.net> on 2015/03/30 17:17:23 UTC
API Signing Issue
Hello everyone,
I have a question on my API Signing code. The code below I have tested on commands like createDomain, listTemplates, and listServices. Those all run like expected, but I am running into trouble with createAccount.
function cloudstack_sign_sort($cmd)
{
$commands = explode('&', $cmd);
sort($commands);
$sort = implode('&', $commands);
return $sort;
}
function cloudstack_formatCmd($api, $cmd) {
$str = 'apiKey=' . $api . '&' . $cmd;
$str = strtolower(cloudstack_sign_sort($str));
return $str;
}
function cloudstack_encrypt($cmd, $secret) {
$hash = hash_hmac('sha1', $cmd, $secret, true);
$hash = base64_encode($hash);
return urlencode($hash);
}
function cloudstack_formattedUrl($baseUrl, $api, $cmd, $signature) {
$url = $baseUrl . '?' . $cmd . '&apiKey=' . $api . '&signature=' . $signature;
return $url;
}
function cloudstack_sign($command, $api, $secret, $baseUrl) {
$clean_command = substr($command, strpos($command, '?'));
$newCmd = cloudstack_formatCmd($api, $clean_command);
$signature = cloudstack_encrypt($newCmd, $secret);
$url = cloudstack_formattedUrl($baseUrl, $api, $clean_command, $signature);
return $url;
}
When I run the command it returns for createAccount I get 'Error: 401unable to verify user credentials and/or request signature'.
Is there something wrong with my code?
Thanks,
Blake Ferkingstad
Re: API Signing Issue
Posted by Erik Weber <te...@gmail.com>.
Try converting the '@' to %40
Erik
Den mandag 30. mars 2015 skrev Blake Ferkingstad <bf...@acentek.net>
følgende:
> Hi Erik,
>
> I tried adding html_entity_decode(), just in case and I am still getting
> the same error.
>
> When I sort my values this is what I get.
> accounttype=0
>
> &apikey=douqimqhlbwe9-lmlahndfpo8h7nsmrs1iot9b1fo9hctilunfzsoj0iuz-giqa55puhopate2xsmnugk0ebrg
> &command=createaccount
> &domainid=6f0189f4-2753-426a-afe6-aa7ce0bab82e
> &email=devtest@test.com <javascript:;>
> &firstname=devtest
> &lastname=devtest
> &password=testpassword
> &username=devtest
>
> http://localhost:8080/client/api?command=createAccount
> &username=DEVtest
> &email=DEVtest@test.com <javascript:;>
> &firstname=DEVtest
> &lastname=DEVtest
> &password=testpassword
> &domainid=6f0189f4-2753-426a-afe6-aa7ce0bab82e
> &accounttype=0
>
> &apiKey=DOuQimQHLbwe9-LmLahndFPO8H7NsMrs1iOt9B1fo9hctILUnFZsoJ0IuZ-GiQA55PUHOpatE2XsMNuGK0eBRg
> &signature=3UAD6iGfRS7ZSBExrov9LnfaNKA%3D
>
> The thing that seems strange to me is that it works with other commands.
> What I have noticed is that it seems to work with commands that don't have
> an attribute that is alphabetically greater than apiKey, like accounttype.
>
>
> -----Original Message-----
> From: Erik Weber [mailto:terbolous@gmail.com <javascript:;>]
> Sent: Monday, March 30, 2015 11:09 AM
> To: users@cloudstack.apache.org <javascript:;>
> Subject: Re: API Signing Issue
>
> No html entities or similar in $cmd that could be exploded and mistaken as
> a parameter?
>
> Erik
>
> Den mandag 30. mars 2015 skrev Blake Ferkingstad <bferkingstad@acentek.net
> <javascript:;>>
> følgende:
>
> > Hello everyone,
> >
> >
> >
> > I have a question on my API Signing code. The code below I have tested
> > on commands like createDomain, listTemplates, and listServices. Those
> > all run like expected, but I am running into trouble with createAccount.
> >
> >
> >
> > function cloudstack_sign_sort($cmd)
> >
> > {
> >
> > $commands = explode('&', $cmd);
> >
> > sort($commands);
> >
> > $sort = implode('&', $commands);
> >
> >
> >
> > return $sort;
> >
> > }
> >
> >
> >
> > function cloudstack_formatCmd($api, $cmd) {
> >
> > $str = 'apiKey=' . $api . '&' . $cmd;
> >
> > $str = strtolower(cloudstack_sign_sort($str));
> >
> >
> >
> > return $str;
> >
> > }
> >
> >
> >
> > function cloudstack_encrypt($cmd, $secret) {
> >
> > $hash = hash_hmac('sha1', $cmd, $secret, true);
> >
> > $hash = base64_encode($hash);
> >
> >
> >
> > return urlencode($hash);
> >
> > }
> >
> >
> >
> > function cloudstack_formattedUrl($baseUrl, $api, $cmd, $signature) {
> >
> > $url = $baseUrl . '?' . $cmd . '&apiKey=' . $api . '&signature=' .
> > $signature;
> >
> >
> >
> > return $url;
> >
> > }
> >
> >
> >
> > function cloudstack_sign($command, $api, $secret, $baseUrl) {
> >
> > $clean_command = substr($command, strpos($command, '?'));
> >
> >
> >
> > $newCmd = cloudstack_formatCmd($api, $clean_command);
> >
> > $signature = cloudstack_encrypt($newCmd, $secret);
> >
> > $url = cloudstack_formattedUrl($baseUrl, $api, $clean_command,
> > $signature);
> >
> >
> >
> > return $url;
> >
> > }
> >
> >
> >
> > When I run the command it returns for createAccount I get 'Error:
> > 401unable to verify user credentials and/or request signature'.
> >
> >
> >
> > Is there something wrong with my code?
> >
> >
> >
> > Thanks,
> >
> > Blake Ferkingstad
> >
> >
>
RE: API Signing Issue
Posted by Blake Ferkingstad <bf...@acentek.net>.
Hi Erik,
I tried adding html_entity_decode(), just in case and I am still getting the same error.
When I sort my values this is what I get.
accounttype=0
&apikey=douqimqhlbwe9-lmlahndfpo8h7nsmrs1iot9b1fo9hctilunfzsoj0iuz-giqa55puhopate2xsmnugk0ebrg
&command=createaccount
&domainid=6f0189f4-2753-426a-afe6-aa7ce0bab82e
&email=devtest@test.com
&firstname=devtest
&lastname=devtest
&password=testpassword
&username=devtest
http://localhost:8080/client/api?command=createAccount
&username=DEVtest
&email=DEVtest@test.com
&firstname=DEVtest
&lastname=DEVtest
&password=testpassword
&domainid=6f0189f4-2753-426a-afe6-aa7ce0bab82e
&accounttype=0
&apiKey=DOuQimQHLbwe9-LmLahndFPO8H7NsMrs1iOt9B1fo9hctILUnFZsoJ0IuZ-GiQA55PUHOpatE2XsMNuGK0eBRg
&signature=3UAD6iGfRS7ZSBExrov9LnfaNKA%3D
The thing that seems strange to me is that it works with other commands. What I have noticed is that it seems to work with commands that don't have an attribute that is alphabetically greater than apiKey, like accounttype.
-----Original Message-----
From: Erik Weber [mailto:terbolous@gmail.com]
Sent: Monday, March 30, 2015 11:09 AM
To: users@cloudstack.apache.org
Subject: Re: API Signing Issue
No html entities or similar in $cmd that could be exploded and mistaken as a parameter?
Erik
Den mandag 30. mars 2015 skrev Blake Ferkingstad <bf...@acentek.net>
følgende:
> Hello everyone,
>
>
>
> I have a question on my API Signing code. The code below I have tested
> on commands like createDomain, listTemplates, and listServices. Those
> all run like expected, but I am running into trouble with createAccount.
>
>
>
> function cloudstack_sign_sort($cmd)
>
> {
>
> $commands = explode('&', $cmd);
>
> sort($commands);
>
> $sort = implode('&', $commands);
>
>
>
> return $sort;
>
> }
>
>
>
> function cloudstack_formatCmd($api, $cmd) {
>
> $str = 'apiKey=' . $api . '&' . $cmd;
>
> $str = strtolower(cloudstack_sign_sort($str));
>
>
>
> return $str;
>
> }
>
>
>
> function cloudstack_encrypt($cmd, $secret) {
>
> $hash = hash_hmac('sha1', $cmd, $secret, true);
>
> $hash = base64_encode($hash);
>
>
>
> return urlencode($hash);
>
> }
>
>
>
> function cloudstack_formattedUrl($baseUrl, $api, $cmd, $signature) {
>
> $url = $baseUrl . '?' . $cmd . '&apiKey=' . $api . '&signature=' .
> $signature;
>
>
>
> return $url;
>
> }
>
>
>
> function cloudstack_sign($command, $api, $secret, $baseUrl) {
>
> $clean_command = substr($command, strpos($command, '?'));
>
>
>
> $newCmd = cloudstack_formatCmd($api, $clean_command);
>
> $signature = cloudstack_encrypt($newCmd, $secret);
>
> $url = cloudstack_formattedUrl($baseUrl, $api, $clean_command,
> $signature);
>
>
>
> return $url;
>
> }
>
>
>
> When I run the command it returns for createAccount I get 'Error:
> 401unable to verify user credentials and/or request signature'.
>
>
>
> Is there something wrong with my code?
>
>
>
> Thanks,
>
> Blake Ferkingstad
>
>
Re: API Signing Issue
Posted by Erik Weber <te...@gmail.com>.
No html entities or similar in $cmd that could be exploded and mistaken as
a parameter?
Erik
Den mandag 30. mars 2015 skrev Blake Ferkingstad <bf...@acentek.net>
følgende:
> Hello everyone,
>
>
>
> I have a question on my API Signing code. The code below I have tested on
> commands like createDomain, listTemplates, and listServices. Those all run
> like expected, but I am running into trouble with createAccount.
>
>
>
> function cloudstack_sign_sort($cmd)
>
> {
>
> $commands = explode('&', $cmd);
>
> sort($commands);
>
> $sort = implode('&', $commands);
>
>
>
> return $sort;
>
> }
>
>
>
> function cloudstack_formatCmd($api, $cmd) {
>
> $str = 'apiKey=' . $api . '&' . $cmd;
>
> $str = strtolower(cloudstack_sign_sort($str));
>
>
>
> return $str;
>
> }
>
>
>
> function cloudstack_encrypt($cmd, $secret) {
>
> $hash = hash_hmac('sha1', $cmd, $secret, true);
>
> $hash = base64_encode($hash);
>
>
>
> return urlencode($hash);
>
> }
>
>
>
> function cloudstack_formattedUrl($baseUrl, $api, $cmd, $signature) {
>
> $url = $baseUrl . '?' . $cmd . '&apiKey=' . $api . '&signature=' .
> $signature;
>
>
>
> return $url;
>
> }
>
>
>
> function cloudstack_sign($command, $api, $secret, $baseUrl) {
>
> $clean_command = substr($command, strpos($command, '?'));
>
>
>
> $newCmd = cloudstack_formatCmd($api, $clean_command);
>
> $signature = cloudstack_encrypt($newCmd, $secret);
>
> $url = cloudstack_formattedUrl($baseUrl, $api, $clean_command,
> $signature);
>
>
>
> return $url;
>
> }
>
>
>
> When I run the command it returns for createAccount I get 'Error:
> 401unable to verify user credentials and/or request signature'.
>
>
>
> Is there something wrong with my code?
>
>
>
> Thanks,
>
> Blake Ferkingstad
>
>
Re: API Signing Issue
Posted by Jeff Hair <je...@greenqloud.com>.
Do the logs show what the expected value vs the one you're sending is?
Or maybe it is failing for some other reason. If the signature in the
logs is different, then you are generating the request wrong.
On Mon, Mar 30, 2015 at 4:51 PM, Blake Ferkingstad
<bf...@acentek.net> wrote:
> Hi Nux!,
>
> Thanks for the link, we will look into that.
>
> It's just an interesting issue, part of the fun of it though. I will keep working on it and post any findings.
>
> Thanks,
> Blake
>
> -----Original Message-----
> From: Nux! [mailto:nux@li.nux.ro]
> Sent: Monday, March 30, 2015 11:35 AM
> To: users@cloudstack.apache.org
> Subject: Re: API Signing Issue
>
> You might be able to "bypass" the problem by using the integration port (make sure to firewall it as it allows non-auth requests), though I'd also be curious for a solution.
>
> https://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.0.0-incubating/html-single/API_Developers_Guide/#enabling-port-8096
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> ----- Original Message -----
>> From: "Blake Ferkingstad" <bf...@acentek.net>
>> To: users@cloudstack.apache.org
>> Sent: Monday, 30 March, 2015 16:17:23
>> Subject: API Signing Issue
>
>> Hello everyone,
>>
>>
>>
>> I have a question on my API Signing code. The code below I have tested
>> on commands like createDomain, listTemplates, and listServices. Those
>> all run like expected, but I am running into trouble with createAccount.
>>
>>
>>
>> function cloudstack_sign_sort($cmd)
>>
>> {
>>
>> $commands = explode('&', $cmd);
>>
>> sort($commands);
>>
>> $sort = implode('&', $commands);
>>
>>
>>
>> return $sort;
>>
>> }
>>
>>
>>
>> function cloudstack_formatCmd($api, $cmd) {
>>
>> $str = 'apiKey=' . $api . '&' . $cmd;
>>
>> $str = strtolower(cloudstack_sign_sort($str));
>>
>>
>>
>> return $str;
>>
>> }
>>
>>
>>
>> function cloudstack_encrypt($cmd, $secret) {
>>
>> $hash = hash_hmac('sha1', $cmd, $secret, true);
>>
>> $hash = base64_encode($hash);
>>
>>
>>
>> return urlencode($hash);
>>
>> }
>>
>>
>>
>> function cloudstack_formattedUrl($baseUrl, $api, $cmd, $signature) {
>>
>> $url = $baseUrl . '?' . $cmd . '&apiKey=' . $api . '&signature=' .
>> $signature;
>>
>>
>>
>> return $url;
>>
>> }
>>
>>
>>
>> function cloudstack_sign($command, $api, $secret, $baseUrl) {
>>
>> $clean_command = substr($command, strpos($command, '?'));
>>
>>
>>
>> $newCmd = cloudstack_formatCmd($api, $clean_command);
>>
>> $signature = cloudstack_encrypt($newCmd, $secret);
>>
>> $url = cloudstack_formattedUrl($baseUrl, $api, $clean_command,
>> $signature);
>>
>>
>>
>> return $url;
>>
>> }
>>
>>
>>
>> When I run the command it returns for createAccount I get 'Error:
>> 401unable to verify user credentials and/or request signature'.
>>
>>
>>
>> Is there something wrong with my code?
>>
>>
>>
>> Thanks,
>>
>> Blake Ferkingstad
--
Jeff Hair
Core Systems Developer
Tel: (+354) 415 0200
jeff@greenqloud.com
www.greenqloud.com
RE: API Signing Issue
Posted by Blake Ferkingstad <bf...@acentek.net>.
Hi everyone,
Quick update, after trying a new route after looking at some code on github I found my issue. The code I reviewed was Jason Hancock's code (https://github.com/jasonhancock/cloudstack-php-client/blob/master/src/BaseCloudStackClient.php)
My issue was I was rebuilding my query after I had signed it. I needed to keep my sorted query and dump it into my final url. The below function would work provided I had the apikey sorted in my $cmd variable.
function cloudstack_formattedUrl($baseUrl, $api, $cmd, $signature) {
$url = $baseUrl . '?' . $cmd . '&signature=' . $signature;
return $url;
}
Thanks,
Blake Ferkingstad
-----Original Message-----
From: Blake Ferkingstad [mailto:bferkingstad@acentek.net]
Sent: Monday, March 30, 2015 11:51 AM
To: users@cloudstack.apache.org
Subject: RE: API Signing Issue
Hi Nux!,
Thanks for the link, we will look into that.
It's just an interesting issue, part of the fun of it though. I will keep working on it and post any findings.
Thanks,
Blake
-----Original Message-----
From: Nux! [mailto:nux@li.nux.ro]
Sent: Monday, March 30, 2015 11:35 AM
To: users@cloudstack.apache.org
Subject: Re: API Signing Issue
You might be able to "bypass" the problem by using the integration port (make sure to firewall it as it allows non-auth requests), though I'd also be curious for a solution.
https://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.0.0-incubating/html-single/API_Developers_Guide/#enabling-port-8096
--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro
----- Original Message -----
> From: "Blake Ferkingstad" <bf...@acentek.net>
> To: users@cloudstack.apache.org
> Sent: Monday, 30 March, 2015 16:17:23
> Subject: API Signing Issue
> Hello everyone,
>
>
>
> I have a question on my API Signing code. The code below I have tested
> on commands like createDomain, listTemplates, and listServices. Those
> all run like expected, but I am running into trouble with createAccount.
>
>
>
> function cloudstack_sign_sort($cmd)
>
> {
>
> $commands = explode('&', $cmd);
>
> sort($commands);
>
> $sort = implode('&', $commands);
>
>
>
> return $sort;
>
> }
>
>
>
> function cloudstack_formatCmd($api, $cmd) {
>
> $str = 'apiKey=' . $api . '&' . $cmd;
>
> $str = strtolower(cloudstack_sign_sort($str));
>
>
>
> return $str;
>
> }
>
>
>
> function cloudstack_encrypt($cmd, $secret) {
>
> $hash = hash_hmac('sha1', $cmd, $secret, true);
>
> $hash = base64_encode($hash);
>
>
>
> return urlencode($hash);
>
> }
>
>
>
> function cloudstack_formattedUrl($baseUrl, $api, $cmd, $signature) {
>
> $url = $baseUrl . '?' . $cmd . '&apiKey=' . $api . '&signature=' .
> $signature;
>
>
>
> return $url;
>
> }
>
>
>
> function cloudstack_sign($command, $api, $secret, $baseUrl) {
>
> $clean_command = substr($command, strpos($command, '?'));
>
>
>
> $newCmd = cloudstack_formatCmd($api, $clean_command);
>
> $signature = cloudstack_encrypt($newCmd, $secret);
>
> $url = cloudstack_formattedUrl($baseUrl, $api, $clean_command,
> $signature);
>
>
>
> return $url;
>
> }
>
>
>
> When I run the command it returns for createAccount I get 'Error:
> 401unable to verify user credentials and/or request signature'.
>
>
>
> Is there something wrong with my code?
>
>
>
> Thanks,
>
> Blake Ferkingstad
RE: API Signing Issue
Posted by Blake Ferkingstad <bf...@acentek.net>.
Hi Nux!,
Thanks for the link, we will look into that.
It's just an interesting issue, part of the fun of it though. I will keep working on it and post any findings.
Thanks,
Blake
-----Original Message-----
From: Nux! [mailto:nux@li.nux.ro]
Sent: Monday, March 30, 2015 11:35 AM
To: users@cloudstack.apache.org
Subject: Re: API Signing Issue
You might be able to "bypass" the problem by using the integration port (make sure to firewall it as it allows non-auth requests), though I'd also be curious for a solution.
https://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.0.0-incubating/html-single/API_Developers_Guide/#enabling-port-8096
--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro
----- Original Message -----
> From: "Blake Ferkingstad" <bf...@acentek.net>
> To: users@cloudstack.apache.org
> Sent: Monday, 30 March, 2015 16:17:23
> Subject: API Signing Issue
> Hello everyone,
>
>
>
> I have a question on my API Signing code. The code below I have tested
> on commands like createDomain, listTemplates, and listServices. Those
> all run like expected, but I am running into trouble with createAccount.
>
>
>
> function cloudstack_sign_sort($cmd)
>
> {
>
> $commands = explode('&', $cmd);
>
> sort($commands);
>
> $sort = implode('&', $commands);
>
>
>
> return $sort;
>
> }
>
>
>
> function cloudstack_formatCmd($api, $cmd) {
>
> $str = 'apiKey=' . $api . '&' . $cmd;
>
> $str = strtolower(cloudstack_sign_sort($str));
>
>
>
> return $str;
>
> }
>
>
>
> function cloudstack_encrypt($cmd, $secret) {
>
> $hash = hash_hmac('sha1', $cmd, $secret, true);
>
> $hash = base64_encode($hash);
>
>
>
> return urlencode($hash);
>
> }
>
>
>
> function cloudstack_formattedUrl($baseUrl, $api, $cmd, $signature) {
>
> $url = $baseUrl . '?' . $cmd . '&apiKey=' . $api . '&signature=' .
> $signature;
>
>
>
> return $url;
>
> }
>
>
>
> function cloudstack_sign($command, $api, $secret, $baseUrl) {
>
> $clean_command = substr($command, strpos($command, '?'));
>
>
>
> $newCmd = cloudstack_formatCmd($api, $clean_command);
>
> $signature = cloudstack_encrypt($newCmd, $secret);
>
> $url = cloudstack_formattedUrl($baseUrl, $api, $clean_command,
> $signature);
>
>
>
> return $url;
>
> }
>
>
>
> When I run the command it returns for createAccount I get 'Error:
> 401unable to verify user credentials and/or request signature'.
>
>
>
> Is there something wrong with my code?
>
>
>
> Thanks,
>
> Blake Ferkingstad
Re: API Signing Issue
Posted by Nux! <nu...@li.nux.ro>.
You might be able to "bypass" the problem by using the integration port (make sure to firewall it as it allows non-auth requests), though I'd also be curious for a solution.
https://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.0.0-incubating/html-single/API_Developers_Guide/#enabling-port-8096
--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro
----- Original Message -----
> From: "Blake Ferkingstad" <bf...@acentek.net>
> To: users@cloudstack.apache.org
> Sent: Monday, 30 March, 2015 16:17:23
> Subject: API Signing Issue
> Hello everyone,
>
>
>
> I have a question on my API Signing code. The code below I have tested on
> commands like createDomain, listTemplates, and listServices. Those all run like
> expected, but I am running into trouble with createAccount.
>
>
>
> function cloudstack_sign_sort($cmd)
>
> {
>
> $commands = explode('&', $cmd);
>
> sort($commands);
>
> $sort = implode('&', $commands);
>
>
>
> return $sort;
>
> }
>
>
>
> function cloudstack_formatCmd($api, $cmd) {
>
> $str = 'apiKey=' . $api . '&' . $cmd;
>
> $str = strtolower(cloudstack_sign_sort($str));
>
>
>
> return $str;
>
> }
>
>
>
> function cloudstack_encrypt($cmd, $secret) {
>
> $hash = hash_hmac('sha1', $cmd, $secret, true);
>
> $hash = base64_encode($hash);
>
>
>
> return urlencode($hash);
>
> }
>
>
>
> function cloudstack_formattedUrl($baseUrl, $api, $cmd, $signature) {
>
> $url = $baseUrl . '?' . $cmd . '&apiKey=' . $api . '&signature=' . $signature;
>
>
>
> return $url;
>
> }
>
>
>
> function cloudstack_sign($command, $api, $secret, $baseUrl) {
>
> $clean_command = substr($command, strpos($command, '?'));
>
>
>
> $newCmd = cloudstack_formatCmd($api, $clean_command);
>
> $signature = cloudstack_encrypt($newCmd, $secret);
>
> $url = cloudstack_formattedUrl($baseUrl, $api, $clean_command, $signature);
>
>
>
> return $url;
>
> }
>
>
>
> When I run the command it returns for createAccount I get 'Error: 401unable to
> verify user credentials and/or request signature'.
>
>
>
> Is there something wrong with my code?
>
>
>
> Thanks,
>
> Blake Ferkingstad