Your second code looks better. In Ruby the encrypted token is then encoded to Base64; is this step missing from your code?
Regards
--
Carlos Martín, MSc
Project Engineer
OpenNebula - The Open-source Solution for Data Center Virtualization
www.OpenNebula.org | [email protected] | @OpenNebula <http://twitter.com/opennebula>

On Tue, Mar 26, 2013 at 1:31 AM, Nicolas Bélan <[email protected]> wrote:

> Hi,
>
> Well, the encrypted field is not clear for me.
>
> I tried:
> function test_request_1() {
>     // build userAuth
>     $userAuth = $this->oca_username . ":" . $this->user_email . ":"
>         . sha1($this->oca_password);
>     $request = xmlrpc_encode_request("one.vmpool.info",
>         array($userAuth, -2, -1, -1 , -1));
>     $content = stream_context_create(array(
>         "http" => array("method" => "POST",
>             "header" => "Content-Type: text/xml",
>             "content" => $request
>         )
>     ));
>     $file = file_get_contents($this->oca_base_url, false, $content);
>     $response = xmlrpc_decode($file);
> }
>
> But, I got:
> Tue Mar 26 01:24:31 2013 [AuM][E]: Auth Error: wrong final block length
> Tue Mar 26 01:24:31 2013 [ReM][E]: Req:7056 UID:- VirtualMachinePoolInfo result FAILURE [VirtualMachinePoolInfo] User couldn't be authenticated, aborting call.
>
> oca_username is "serveradmin", and "oca_password" is the password of
> serveradmin.
> user_email is the login id of the client.
>
> The thing that I can not understand is the following:
> I captured the third field:
> PWyaJz96iwdYldYoPHXWZYle/HkPus+rFpkJhLRSf8wRMWGr+/NRXA7Qf8YPiwU3
> it is 64 chars long.
>
> a sha1(str) is 40 bytes long.
>
> So, how can Ruby make a 40+24 sha1() password?
>
> I tested also using:
> function test_aes_4() {
>     // let's do it with openssl
>     // like Ruby, we generate a 40 bytes key, but only 32 bytes for aes-256-CBC
>     $key = substr(sha1($this->oca_password), 0, $this->mcrypt_keysize);
>     $this->assertEquals($this->mcrypt_keysize, strlen($key));
>     // let's make data with an iv
>     $iv = mcrypt_create_iv($this->mcrypt_ivsize);
>     $data = $this->oca_username . ":" . $this->user_email . ":" .
>         time()+3600;
>     $encrypted_data64 = openssl_encrypt($data, "aes-256-cbc", $key,
>         false, $iv);
>     $this->assertEquals(64, strlen($encrypted_data64));
> }
>
> It failed with:
> 2) CloudTest::test_aes_4
> Failed asserting that 24 matches expected 64.
>
> -- sure, the ! "reply all" was an error, sorry
>
> Best regards,
> Nicolas
>
> On 25/03/2013 17:25, Carlos Martín Sánchez wrote:
>
> Hi,
>
> On Mon, Mar 25, 2013 at 2:48 PM, Nicolas Bélan <[email protected]> wrote:
>
>> Hello,
>>
>> the problem is that password is in a LDAP tree, and I do not get clear
>> user password from the user (got it in SHA1) through web connection.
>>
>> I only map ldap[uidnumber] to get various other information (DNS owner,
>> SMTP accounting, Support requests and so on).
>> I would like to keep avoiding getting clear text password to access
>> OpenNebula Interface.
>> If it is not possible, I may get access directly to SQL Database, but
>> this is not what I would like to do first ...
>>
>
> In that case serveradmin is the right approach.
>
> I see in your first email that you already found login_token in
> server_cipher_auth.rb. Maybe you were not using the same encryption
> algorithm, aes-256-cbc?
>
> Regards
>
> PS: Please reply to the list, more people may find it useful...
> --
> Carlos Martín, MSc
> Project Engineer
> OpenNebula - The Open-source Solution for Data Center Virtualization
> www.OpenNebula.org <http://www.opennebula.org/> | [email protected]
> | @OpenNebula <http://twitter.com/opennebula>
>
>> Regards,
>> nicolas.
>>
>> On 25/03/2013 11:29, Carlos Martín Sánchez wrote:
>>
>> Hi,
>>
>> The serveradmin user allows more secure communications, and advanced
>> authentication scenarios, like browser certificates [1]. But if you are
>> building a simple user interface, you might want to keep things simple and
>> use the 'username:password' session token for your xmlrpc requests.
>>
>> Regards
>>
>> [1] http://opennebula.org/documentation:rel3.8:sunstone#x509_auth
>> --
>> Carlos Martín, MSc
>> Project Engineer
>> OpenNebula - The Open-source Solution for Data Center Virtualization
>> www.OpenNebula.org | [email protected] |
>> @OpenNebula <http://twitter.com/opennebula>
>>
>> On Fri, Mar 22, 2013 at 5:46 PM, Nicolas Bélan <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> well, I would like to display to users their vm, networks, images and so
>>> on, according to the role and access of each user.
>>> so I am trying to use as much as possible openNebula rbac and rpc to
>>> retrieve only the right information.
>>> the step after is to deploy vm as user, not as oneadmin or serveradmin,
>>> but directly as "user"
>>>
>>> the service I am building is a very simplified user interface. the step
>>> after for the user is to have access to self service, but to begin, I would
>>> like to hide some concepts to make cloud access easier.
>>>
>>> best regards,
>>> nicolas
>>>
>>> On 22 March 2013 at 17:25, Tino Vazquez <[email protected]> wrote:
>>>
>>> > Hi Nicolas,
>>> >
>>> > serveradmin is used by Sunstone and related interface services. Did
>>> > you try it out with other users (ie, oneadmin)?
>>> >
>>> > Depending on what type of service you are building, you may be
>>> > interested indeed in serveradmin. Could you elaborate a bit more on
>>> > that?
>>> >
>>> > Regards
>>> > --
>>> > Constantino Vázquez Blanco, PhD, MSc
>>> > Project Engineer
>>> > OpenNebula - The Open-Source Solution for Data Center Virtualization
>>> > www.OpenNebula.org | @tinova79 | @OpenNebula
>>> >
>>> > On Fri, Mar 22, 2013 at 4:16 PM, Nicolas Bélan <[email protected]> wrote:
>>> >> Hello the list,
>>> >>
>>> >> I am trying (unsuccessfully) to call RPM methods.
>>> >>
>>> >> The problem is that I can not make my user authenticated by code (while
>>> >> it is ok with http://localhost:4567/ui)
>>> >> I am using version 3.8.3.
>>> >>
>>> >> I am trying to use serveradmin:<user>:<password> with it does not work
>>> >> as written in the documentation.
>>> >> Deeply investigating, I found, in
>>> >> /usr/lib/one/ruby/server_cipher_auth.rb that the third part is a token,
>>> >> but I am not ruby compliant....
>>> >> It seems, if I understand, that:
>>> >> a string is built with: "serveradmin:username:time()+expire"
>>> >> the serveradmin password is used to create a key.
>>> >> This key is then used to cipher (salted ?) the previous string.
>>> >> The result is then appended like that:
>>> >> "serveradmin:username:cipher(key,serveradmin:username:time()+expire)"
>>> >> and sent as the first parameter of the rpc call.
>>> >> Am I completely wrong?
>>> >> For example:
>>> >> serveradmin:user_example:PWyaJz96iwdYldYoPHXWZYkBMbuvKIEXiTVb0WuAHURYuQ2Dzmhnzjm0JDNCMchB
>>> >>
>>> >> Using perl, I failed to authenticate user ....
>>> >> using tcpdump, it seems that the third part is quite constant during a
>>> >> certain lapse of time ...
>>> >> So, I may be wrong with my time() expire part ....
>>> >> Can you help me writing this part of code? Perl or PHP are welcome ;)
>>> >>
>>> >> Thank you for your help
>>> >>
>>> >> Best regards,
>>> >> Nicolas.
>>> >>
>>> >> _______________________________________________
>>> >> Users mailing list
>>> >> [email protected]
>>> >> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
_______________________________________________
Users mailing list
[email protected]
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
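
Added example (not part of the original thread and not OpenNebula's own code): Ruby showing the token layout discussed above, why the Base64 step gives a 64-character third field, and why a bare SHA1 string in that field ends in "wrong final block length". The key derivation (first 32 characters of the SHA1 hex digest), the all-zero IV and the names `build_token`, `valid_token?` and `base64_field_length` are assumptions made for illustration.

```ruby
require "openssl"
require "base64"
require "digest/sha1"

CIPHER  = "aes-256-cbc"
ZERO_IV = "\0" * 16 # assumption: fixed IV, chosen only to keep the output deterministic

# Assumption: the key is the first 32 characters of the SHA1 hex digest of the
# server password (the truncation tried in the quoted PHP test).
def token_key(server_password)
  Digest::SHA1.hexdigest(server_password)[0, 32]
end

def new_cipher(mode, key)
  cipher = OpenSSL::Cipher.new(CIPHER)
  mode == :encrypt ? cipher.encrypt : cipher.decrypt
  cipher.key = key
  cipher.iv  = ZERO_IV
  cipher
end

# Layout from the thread: "server:target:Base64(cipher(key, server:target:expire))".
def build_token(server_user, server_password, target_user, expire)
  cipher = new_cipher(:encrypt, token_key(server_password))
  raw = cipher.update("#{server_user}:#{target_user}:#{expire}") + cipher.final
  "#{server_user}:#{target_user}:#{Base64.strict_encode64(raw)}"
end

# Receiving side: Base64-decode, decrypt, then compare identities and expiry.
def valid_token?(token, server_password, now)
  server_user, target_user, b64 = token.split(":", 3)
  return false if b64.nil?
  cipher = new_cipher(:decrypt, token_key(server_password))
  plain  = cipher.update(Base64.strict_decode64(b64)) + cipher.final
  s, t, expire = plain.split(":", 3)
  s == server_user && t == target_user && expire.to_i > now
rescue ArgumentError, OpenSSL::Cipher::CipherError
  # A 40-character SHA1 hex string decodes to 30 bytes, not a multiple of the
  # 16-byte block: OpenSSL reports that as "wrong final block length".
  false
end

# Base64 length of a CBC ciphertext; PKCS#7 padding always adds 1..16 bytes.
def base64_field_length(plaintext_bytes)
  ciphertext_bytes = (plaintext_bytes / 16 + 1) * 16
  (ciphertext_bytes + 2) / 3 * 4
end
```

A constructed 35-byte plaintext such as `serveradmin:user_example:1364257471` fills three blocks and encodes to 64 Base64 characters, while any plaintext shorter than 16 bytes fills one block and encodes to 24.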
