Hi Swen,
Unfortunately it still seems to be the same.
Now these are the steps I take to make the call:
I call the create url function with the following:
$command['command'] = "listUsers";
$command['showicon'] = 'true';
$result = $this->call_api($this->createlink(http_build_query($command)));
Creating url, happens within createlink function:
$link = $this->baseurl . $this->apikey . "&" . $command . "&" .$this->response
. "&" . $this->signature($command);
Creating signature (function signature)
$hash = hash_hmac("sha1",strtolower($this->apikey . "&" . $command . "&" .
$this->response),$this->secretkey, true);
$base64encoded = base64_encode($hash);
return "signature=" . urlencode($base64encoded);
The call_api is just a curl command so nothing interesting there.
When I dump the output before it creates the signature, to see what the input
is for the signature:
apikey=<SNIP,obviously>&command=listusers&showicon=true&response=json
The URL looks the same, except that it is not lowercased. They are all in
alphabetical order (thanks associative arrays :) )
So it all looks fine, but still the response is:
unable to verify user credentials and/or request signature
If I only use "command", there is no issue. And just to make sure, it seems to
happen with more additional parameters:
username=localuser
showicon=true
accounttype=admin (any type btw)
However, listall=true works? Tried to combine it with the above 3, but then it
doesn't work again.
I would expect them to be implemented and I am making a mistake somewhere in
the code.. but then again why does listall work but the other 3 not 🙂
So I am wondering what I am doing wrong..
Regards,
JeanPaul
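
Added example, not part of the original message and not CloudStack's own code: the signing steps in the developer guide linked in this thread sort the field=value pairs by field name before lowercasing and computing the HMAC-SHA1, so a string built as apikey, command parameters, then response matches the sorted form only when every extra field sorts between apikey and response. The function names (cs_canonical_query, cs_sign, cs_signed_query) and the key values are assumptions made for illustration.

```php
<?php
// Added example: sorted-parameter request signing for the CloudStack API.
// All keys below are constructed placeholders, not real credentials.

function cs_canonical_query(array $params): string
{
    // Sort by field name so the client string matches what the server rebuilds.
    ksort($params, SORT_STRING | SORT_FLAG_CASE);
    $pairs = [];
    foreach ($params as $name => $value) {
        // rawurlencode() emits %20 for spaces, never "+".
        $pairs[] = $name . '=' . rawurlencode((string) $value);
    }
    return implode('&', $pairs);
}

function cs_sign(array $params, string $secretKey): string
{
    // Sign the lowercased canonical string; the request itself keeps its case.
    $toSign = strtolower(cs_canonical_query($params));
    return base64_encode(hash_hmac('sha1', $toSign, $secretKey, true));
}

function cs_signed_query(array $params, string $apiKey, string $secretKey): string
{
    // apikey and response take part in the sort like every other field.
    $params += ['apikey' => $apiKey, 'response' => 'json'];
    return cs_canonical_query($params)
        . '&signature=' . rawurlencode(cs_sign($params, $secretKey));
}

// Constructed sample values.
$apiKey = 'EXAMPLE-API-KEY';
$secret = 'EXAMPLE-SECRET-KEY';
$params = ['command' => 'listUsers', 'showicon' => 'true'];

// Field order from the dump above: apikey, command, showicon, response.
$asPosted  = strtolower("apikey=$apiKey&command=listUsers&showicon=true&response=json");
$postedSig = base64_encode(hash_hmac('sha1', $asPosted, $secret, true));

$all = $params + ['apikey' => $apiKey, 'response' => 'json'];
echo strtolower(cs_canonical_query($all)), PHP_EOL;   // sorted string that gets signed
echo cs_signed_query($params, $apiKey, $secret), PHP_EOL;
var_dump(hash_equals(cs_sign($all, $secret), $postedSig)); // sorted vs. as-posted order

// With listall, appending response last already yields sorted order.
$listAll = ['command' => 'listUsers', 'listall' => 'true'];
echo strtolower(cs_canonical_query($listAll + ['apikey' => $apiKey, 'response' => 'json'])), PHP_EOL;
```

Comparing the printed sorted string with the dump in the message shows which fields change position: showicon and username sort after response, accounttype sorts before apikey, and listall falls between command and response.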
________________________________
From: JeanPaul van der Mijle <[email protected]>
Sent: Friday, March 31, 2023 8:47 AM
To: [email protected] <[email protected]>
Subject: Re: API question.
Hi Swen!
Going to put my responses in line
Hi JeanPaul,
I am sure you know this link, but I will post it in case you did not use
it: http://docs.cloudstack.apache.org/en/latest/developersguide/dev.html
Yes I am aware of this documentation 🙂.
I am not really sure what you mean by "passwords needs to be hashed in md5",
as far as I know you need to use HMAC SHA-1 to create the signature. Can you
please provide more information regarding the plain text password situation?
Sure, the HMAC SHA-1 is only for signature, but you can also verify and get API
keys using username and password.
This is the call: https://cloudstack.apache.org/api/apidocs-4.17/apis/login.html
What I actually do with the portal is check if username and password is valid,
then get API keys using an admin user, and use the API keys for the rest of the
calls, if incorrect of course, it will either say invalid user/pass or no API
rights if there is no API key.
Works perfect, except as in the documentation it states:
https://cloudstack.apache.org/api/apidocs-4.17/apis/login.html
password Hashed password (Default is MD5). If you wish to use any other
hashing algorithm, you would need to write a custom authentication adapter See
Docs section.
However after trying for an hour figuring out why this didn't work, I noticed
that it only worked with plaintext
Regarding your issue with icons: I am only able to test on version 4.18.0.0
at the moment, so I am unsure how it was in 4.17.2.0, but I am able to get
icon via api. You need to set showicon=true and if the user has an icon you
get it as base64image. Please be aware that if the user does not have an
icon, then there is no icon tag in the response.
Here is the api call I used before encrypting it:
command=listUsers&showicon=true&response=json
I am going to upgrade today, as the user I tested with had an icon, nothing
worked, not true, not 1 and not yes. I expected it to work with true being the
logical one but didn't work.
Thanks so far, going to upgrade it today and see if it works better.
With regards,
JeanPaul
________________________________
From: [email protected] <[email protected]>
Sent: Monday, March 27, 2023 11:06 AM
To: [email protected] <[email protected]>
Subject: AW: API question.
Hi JeanPaul,
I am sure you know this link, but I will post it in case you did not use
it: http://docs.cloudstack.apache.org/en/latest/developersguide/dev.html
I am not really sure what you mean by "passwords needs to be hashed in md5",
as far as I know you need to use HMAC SHA-1 to create the signature. Can you
please provide more information regarding the plain text password situation?
Regarding your issue with icons: I am only able to test on version 4.18.0.0
at the moment, so I am unsure how it was in 4.17.2.0, but I am able to get
icon via api. You need to set showicon=true and if the user has an icon you
get it as base64image. Please be aware that if the user does not have an
icon, then there is no icon tag in the response.
Here is the api call I used before encrypting it:
command=listUsers&showicon=true&response=json
Hope that helps!
regards,
Swen
-----Original Message-----
From: JeanPaul van der Mijle <[email protected]>
Sent: Friday, 24 March 2023 16:10
To: [email protected]
Subject: API question.
Hi All,
Been playing with the API for a bit for an easy access/streamlined front
end. I have found out several things that seem not right in the documents.
Following the documents at https://cloudstack.apache.org/api/apidocs-4.17/,
since we have 4.17.2.0 installed at the moment, I found that the documents
aren't always right. For instance:
Authentication, Login.
It mentions passwords needs to be hashed in md5. I was debugging over an
hour why it didn't work, to find out this was not true and it just accepts
plain text passwords. Even if MD5 is weak, it is not the biggest issue right
now. Documents refer for other options of hashing should be made myself.
Which is on the task list anyway as MD5 is only good for testing. But it is
not even there.
Now for the thing that bugs me the most right now, which doesn't stop the
rest of the development but is quite annoying:
Users, listUsers. *
Users, getUser.
Accounts, listAccounts. *
All have the same issue, in the response I should get icon response too. At
least 1 out of the 3. It's not there.
For the other 2 (marked with *) they both have in their request a non
required flag: showicon.
I tried:
showicon
showicon=true
showicon=1
showicon=yes
So far, all errors out and I get the message that either credentials are at
fault or that the signature is incorrect.
However, removing this flag, the command works. So I doubt it is faulty
creds.
I did the flag as well within the signature, as outside the signature, so
far no juice.
I am aware about the pickiness of the API, so within PHP I just build up an
array and run http_build_query to keep the alphabetic order on the request.
Hope someone can give me insight!
Thanks, have a nice weekend.
With regards,
JeanPaul