mirror of https://github.com/apache/jclouds.git
Added password decryption functionality for Windows hosts
This commit is contained in:
parent
6704bed6dd
commit
88465a3eba
|
@ -0,0 +1,103 @@
|
||||||
|
/**
|
||||||
|
* Licensed to jclouds, Inc. (jclouds) under one or more
|
||||||
|
* contributor license agreements. See the NOTICE file
|
||||||
|
* distributed with this work for additional information
|
||||||
|
* regarding copyright ownership. jclouds licenses this file
|
||||||
|
* to you under the Apache License, Version 2.0 (the
|
||||||
|
* "License"); you may not use this file except in compliance
|
||||||
|
* with the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
package org.jclouds.cloudstack.domain;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author Andrei Savu
|
||||||
|
*/
|
||||||
|
public class EncryptedPasswordAndPrivateKey {
|
||||||
|
|
||||||
|
public static Builder builder() {
|
||||||
|
return new Builder();
|
||||||
|
}
|
||||||
|
|
||||||
|
public static class Builder {
|
||||||
|
private String encryptedPassword;
|
||||||
|
private String privateKey;
|
||||||
|
|
||||||
|
public Builder encryptedPassword(String encryptedPassword) {
|
||||||
|
this.encryptedPassword = encryptedPassword;
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
|
public Builder encryptedPassword(EncryptedPassword password) {
|
||||||
|
return encryptedPassword(password.getEncryptedPassword());
|
||||||
|
}
|
||||||
|
|
||||||
|
public Builder privateKey(String privateKey) {
|
||||||
|
this.privateKey = privateKey;
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
|
public EncryptedPasswordAndPrivateKey build() {
|
||||||
|
return new EncryptedPasswordAndPrivateKey(encryptedPassword, privateKey);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private final String encryptedPassword;
|
||||||
|
private final String privateKey;
|
||||||
|
|
||||||
|
public EncryptedPasswordAndPrivateKey(String encryptedPassword, String privateKey) {
|
||||||
|
this.encryptedPassword = encryptedPassword;
|
||||||
|
this.privateKey = privateKey;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return the encrypted password String representation
|
||||||
|
*/
|
||||||
|
public String getEncryptedPassword() {
|
||||||
|
return encryptedPassword;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return get the string representation of the private key
|
||||||
|
*/
|
||||||
|
public String getPrivateKey() {
|
||||||
|
return privateKey;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean equals(Object o) {
|
||||||
|
if (this == o) return true;
|
||||||
|
if (o == null || getClass() != o.getClass()) return false;
|
||||||
|
|
||||||
|
EncryptedPasswordAndPrivateKey that = (EncryptedPasswordAndPrivateKey) o;
|
||||||
|
|
||||||
|
if (encryptedPassword != null ? !encryptedPassword.equals(that.encryptedPassword) : that.encryptedPassword != null)
|
||||||
|
return false;
|
||||||
|
if (privateKey != null ? !privateKey.equals(that.privateKey) : that.privateKey != null) return false;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public int hashCode() {
|
||||||
|
int result = encryptedPassword != null ? encryptedPassword.hashCode() : 0;
|
||||||
|
result = 31 * result + (privateKey != null ? privateKey.hashCode() : 0);
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String toString() {
|
||||||
|
return "EncryptedPasswordAndPrivateKey{" +
|
||||||
|
"encryptedPassword='" + encryptedPassword + '\'' +
|
||||||
|
", privateKey='" + privateKey + '\'' +
|
||||||
|
'}';
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,61 @@
|
||||||
|
package org.jclouds.cloudstack.functions;
|
||||||
|
|
||||||
|
import com.google.common.base.Function;
|
||||||
|
import com.google.common.base.Throwables;
|
||||||
|
import com.google.inject.Inject;
|
||||||
|
import com.google.inject.Singleton;
|
||||||
|
import org.jclouds.cloudstack.domain.EncryptedPasswordAndPrivateKey;
|
||||||
|
import org.jclouds.crypto.Crypto;
|
||||||
|
import org.jclouds.crypto.Pems;
|
||||||
|
import org.jclouds.domain.LoginCredentials;
|
||||||
|
import org.jclouds.encryption.internal.Base64;
|
||||||
|
import org.jclouds.javax.annotation.Nullable;
|
||||||
|
|
||||||
|
import javax.crypto.Cipher;
|
||||||
|
import java.nio.charset.Charset;
|
||||||
|
import java.security.KeyFactory;
|
||||||
|
import java.security.PrivateKey;
|
||||||
|
import java.security.spec.KeySpec;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Given an encrypted Windows Administrator password and the decryption key, return a LoginCredentials instance.
|
||||||
|
*
|
||||||
|
* @author Richard Downer, Andrei Savu
|
||||||
|
*/
|
||||||
|
@Singleton
|
||||||
|
public class WindowsLoginCredentialsFromEncryptedData implements Function<EncryptedPasswordAndPrivateKey, LoginCredentials> {
|
||||||
|
|
||||||
|
private final Crypto crypto;
|
||||||
|
|
||||||
|
@Inject
|
||||||
|
public WindowsLoginCredentialsFromEncryptedData(Crypto crypto) {
|
||||||
|
this.crypto = crypto;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public LoginCredentials apply(@Nullable EncryptedPasswordAndPrivateKey dataAndKey) {
|
||||||
|
if (dataAndKey == null)
|
||||||
|
return null;
|
||||||
|
|
||||||
|
try {
|
||||||
|
KeySpec keySpec = Pems.privateKeySpec(dataAndKey.getPrivateKey());
|
||||||
|
KeyFactory kf = crypto.rsaKeyFactory();
|
||||||
|
PrivateKey privKey = kf.generatePrivate(keySpec);
|
||||||
|
|
||||||
|
Cipher cipher = crypto.cipher("RSA/NONE/PKCS1Padding");
|
||||||
|
cipher.init(Cipher.DECRYPT_MODE, privKey);
|
||||||
|
byte[] cipherText = Base64.decode(dataAndKey.getEncryptedPassword());
|
||||||
|
byte[] plainText = cipher.doFinal(cipherText);
|
||||||
|
String password = new String(plainText, Charset.forName("ASCII"));
|
||||||
|
|
||||||
|
return LoginCredentials.builder()
|
||||||
|
.user("Administrator")
|
||||||
|
.password(password)
|
||||||
|
.noPrivateKey()
|
||||||
|
.build();
|
||||||
|
|
||||||
|
} catch (Exception e) {
|
||||||
|
throw Throwables.propagate(e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -20,19 +20,24 @@ package org.jclouds.cloudstack.compute;
|
||||||
|
|
||||||
import org.jclouds.cloudstack.compute.options.CloudStackTemplateOptions;
|
import org.jclouds.cloudstack.compute.options.CloudStackTemplateOptions;
|
||||||
import org.jclouds.cloudstack.domain.EncryptedPassword;
|
import org.jclouds.cloudstack.domain.EncryptedPassword;
|
||||||
|
import org.jclouds.cloudstack.domain.EncryptedPasswordAndPrivateKey;
|
||||||
import org.jclouds.cloudstack.domain.Network;
|
import org.jclouds.cloudstack.domain.Network;
|
||||||
import org.jclouds.cloudstack.domain.SshKeyPair;
|
import org.jclouds.cloudstack.domain.SshKeyPair;
|
||||||
import org.jclouds.cloudstack.domain.TrafficType;
|
import org.jclouds.cloudstack.domain.TrafficType;
|
||||||
import org.jclouds.cloudstack.features.BaseCloudStackClientLiveTest;
|
import org.jclouds.cloudstack.features.BaseCloudStackClientLiveTest;
|
||||||
|
import org.jclouds.cloudstack.functions.WindowsLoginCredentialsFromEncryptedData;
|
||||||
import org.jclouds.cloudstack.options.ListNetworksOptions;
|
import org.jclouds.cloudstack.options.ListNetworksOptions;
|
||||||
import org.jclouds.compute.RunNodesException;
|
import org.jclouds.compute.RunNodesException;
|
||||||
import org.jclouds.compute.domain.NodeMetadata;
|
import org.jclouds.compute.domain.NodeMetadata;
|
||||||
import org.jclouds.compute.domain.Template;
|
import org.jclouds.compute.domain.Template;
|
||||||
import org.jclouds.compute.predicates.NodePredicates;
|
import org.jclouds.compute.predicates.NodePredicates;
|
||||||
import org.testng.Assert;
|
import org.jclouds.crypto.Crypto;
|
||||||
|
import org.jclouds.encryption.bouncycastle.BouncyCastleCrypto;
|
||||||
import org.testng.annotations.Test;
|
import org.testng.annotations.Test;
|
||||||
|
|
||||||
import java.net.URI;
|
import java.net.URI;
|
||||||
|
import java.security.NoSuchAlgorithmException;
|
||||||
|
import java.security.cert.CertificateException;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
import java.util.logging.Level;
|
import java.util.logging.Level;
|
||||||
import java.util.logging.Logger;
|
import java.util.logging.Logger;
|
||||||
|
@ -43,9 +48,9 @@ import static com.google.common.collect.Iterables.getOnlyElement;
|
||||||
import static com.google.common.collect.Sets.newTreeSet;
|
import static com.google.common.collect.Sets.newTreeSet;
|
||||||
import static org.jclouds.cloudstack.options.CreateNetworkOptions.Builder.vlan;
|
import static org.jclouds.cloudstack.options.CreateNetworkOptions.Builder.vlan;
|
||||||
import static org.jclouds.cloudstack.options.ListNetworkOfferingsOptions.Builder.specifyVLAN;
|
import static org.jclouds.cloudstack.options.ListNetworkOfferingsOptions.Builder.specifyVLAN;
|
||||||
|
import static org.testng.Assert.assertEquals;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
*
|
|
||||||
* @author Adrian Cole
|
* @author Adrian Cole
|
||||||
*/
|
*/
|
||||||
@Test(groups = "live", testName = "CloudStackExperimentLiveTest")
|
@Test(groups = "live", testName = "CloudStackExperimentLiveTest")
|
||||||
|
@ -66,7 +71,7 @@ public class CloudStackExperimentLiveTest extends BaseCloudStackClientLiveTest {
|
||||||
|
|
||||||
// Warning: the vlan id is not set in the response - using an workaround
|
// Warning: the vlan id is not set in the response - using an workaround
|
||||||
URI broadcastUri = URI.create("vlan://" + vlanId);
|
URI broadcastUri = URI.create("vlan://" + vlanId);
|
||||||
for(Network net : networks) {
|
for (Network net : networks) {
|
||||||
if (broadcastUri.equals(net.getBroadcastURI())) {
|
if (broadcastUri.equals(net.getBroadcastURI())) {
|
||||||
long jobId = domainAdminContext.getApi().getNetworkClient().deleteNetwork(net.getId());
|
long jobId = domainAdminContext.getApi().getNetworkClient().deleteNetwork(net.getId());
|
||||||
adminJobComplete.apply(jobId);
|
adminJobComplete.apply(jobId);
|
||||||
|
@ -98,14 +103,14 @@ public class CloudStackExperimentLiveTest extends BaseCloudStackClientLiveTest {
|
||||||
|
|
||||||
// find a network offering that supports vlans in our zone
|
// find a network offering that supports vlans in our zone
|
||||||
long offeringId = get(
|
long offeringId = get(
|
||||||
context.getApi().getOfferingClient().listNetworkOfferings(specifyVLAN(true).zoneId(zoneId)), 0).getId();
|
context.getApi().getOfferingClient().listNetworkOfferings(specifyVLAN(true).zoneId(zoneId)), 0).getId();
|
||||||
|
|
||||||
// create an arbitrary network
|
// create an arbitrary network
|
||||||
network = domainAdminContext.getApi()
|
network = domainAdminContext.getApi()
|
||||||
.getNetworkClient()
|
.getNetworkClient()
|
||||||
// startIP/endIP/netmask/gateway must be specified together
|
// startIP/endIP/netmask/gateway must be specified together
|
||||||
.createNetworkInZone(zoneId, offeringId, group, group,
|
.createNetworkInZone(zoneId, offeringId, group, group,
|
||||||
vlan(vlanId).startIP("192.168.1.2").netmask("255.255.255.0").gateway("192.168.1.1"));
|
vlan(vlanId).startIP("192.168.1.2").netmask("255.255.255.0").gateway("192.168.1.1"));
|
||||||
|
|
||||||
// set options to specify this network id
|
// set options to specify this network id
|
||||||
template.getOptions().as(CloudStackTemplateOptions.class).networkId(network.getId());
|
template.getOptions().as(CloudStackTemplateOptions.class).networkId(network.getId());
|
||||||
|
@ -127,7 +132,8 @@ public class CloudStackExperimentLiveTest extends BaseCloudStackClientLiveTest {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testCreateWindowsMachineWithKeyPairAndCheckIfTheGeneratedPasswordIsEncrypted() throws RunNodesException {
|
public void testCreateWindowsMachineWithKeyPairAndCheckIfTheGeneratedPasswordIsEncrypted()
|
||||||
|
throws RunNodesException, NoSuchAlgorithmException, CertificateException {
|
||||||
// final Map<String, String> sshKey = SshKeys.generate();
|
// final Map<String, String> sshKey = SshKeys.generate();
|
||||||
// final String publicKey = sshKey.get("public");
|
// final String publicKey = sshKey.get("public");
|
||||||
|
|
||||||
|
@ -151,8 +157,12 @@ public class CloudStackExperimentLiveTest extends BaseCloudStackClientLiveTest {
|
||||||
EncryptedPassword password = client.getVirtualMachineClient()
|
EncryptedPassword password = client.getVirtualMachineClient()
|
||||||
.getEncryptedPasswordForVirtualMachine(Long.parseLong(node.getId()));
|
.getEncryptedPasswordForVirtualMachine(Long.parseLong(node.getId()));
|
||||||
|
|
||||||
Assert.fail("Private key:" + keyPair.getPrivateKey() + "\nPassword: " + password.getEncryptedPassword());
|
Crypto crypto = new BouncyCastleCrypto();
|
||||||
// TODO: decrypt the password
|
WindowsLoginCredentialsFromEncryptedData passwordDecrypt = new WindowsLoginCredentialsFromEncryptedData(crypto);
|
||||||
|
|
||||||
|
assertEquals(passwordDecrypt.apply(EncryptedPasswordAndPrivateKey.builder()
|
||||||
|
.encryptedPassword(password).privateKey(keyPair.getPrivateKey()).build())
|
||||||
|
.getPassword(), "bX7vvptvw");
|
||||||
|
|
||||||
} finally {
|
} finally {
|
||||||
if (node != null) {
|
if (node != null) {
|
||||||
|
|
|
@ -21,11 +21,17 @@ package org.jclouds.cloudstack.features;
|
||||||
import com.google.common.collect.ImmutableMultimap;
|
import com.google.common.collect.ImmutableMultimap;
|
||||||
import org.jclouds.cloudstack.CloudStackContext;
|
import org.jclouds.cloudstack.CloudStackContext;
|
||||||
import org.jclouds.cloudstack.domain.EncryptedPassword;
|
import org.jclouds.cloudstack.domain.EncryptedPassword;
|
||||||
|
import org.jclouds.cloudstack.domain.EncryptedPasswordAndPrivateKey;
|
||||||
|
import org.jclouds.cloudstack.functions.WindowsLoginCredentialsFromEncryptedData;
|
||||||
|
import org.jclouds.crypto.Crypto;
|
||||||
|
import org.jclouds.encryption.bouncycastle.BouncyCastleCrypto;
|
||||||
import org.jclouds.http.HttpRequest;
|
import org.jclouds.http.HttpRequest;
|
||||||
import org.jclouds.http.HttpResponse;
|
import org.jclouds.http.HttpResponse;
|
||||||
import org.testng.annotations.Test;
|
import org.testng.annotations.Test;
|
||||||
|
|
||||||
import java.net.URI;
|
import java.net.URI;
|
||||||
|
import java.security.NoSuchAlgorithmException;
|
||||||
|
import java.security.cert.CertificateException;
|
||||||
|
|
||||||
import static org.testng.Assert.assertEquals;
|
import static org.testng.Assert.assertEquals;
|
||||||
|
|
||||||
|
@ -37,7 +43,7 @@ import static org.testng.Assert.assertEquals;
|
||||||
@Test(groups = "unit", testName = "VirtualMachineClientExpectTest")
|
@Test(groups = "unit", testName = "VirtualMachineClientExpectTest")
|
||||||
public class VirtualMachineClientExpectTest extends BaseCloudStackRestClientExpectTest<VirtualMachineClient> {
|
public class VirtualMachineClientExpectTest extends BaseCloudStackRestClientExpectTest<VirtualMachineClient> {
|
||||||
|
|
||||||
public void testGetPasswordForVirtualMachineWhenResponseIs2xx() {
|
public void testGetPasswordForVirtualMachineWhenResponseIs2xx() throws NoSuchAlgorithmException, CertificateException {
|
||||||
String privateKey = "-----BEGIN RSA PRIVATE KEY-----\n" +
|
String privateKey = "-----BEGIN RSA PRIVATE KEY-----\n" +
|
||||||
"MIICXgIBAAKBgQDnaPKhTNgw7qPJVp3qsT+7XhhAbip25a0AnUgq8Fb9LPcZk00p\n" +
|
"MIICXgIBAAKBgQDnaPKhTNgw7qPJVp3qsT+7XhhAbip25a0AnUgq8Fb9LPcZk00p\n" +
|
||||||
"jm+m4JrKmDWKZWrHMNBhCNHMzvV9KrAXUMzL4s7mdEicbxTKratTYoyJM7a87bcZ\n" +
|
"jm+m4JrKmDWKZWrHMNBhCNHMzvV9KrAXUMzL4s7mdEicbxTKratTYoyJM7a87bcZ\n" +
|
||||||
|
@ -77,7 +83,11 @@ public class VirtualMachineClientExpectTest extends BaseCloudStackRestClientExpe
|
||||||
|
|
||||||
assertEquals(actual, expected);
|
assertEquals(actual, expected);
|
||||||
|
|
||||||
// TODO: decrypt the returned password using the private key
|
Crypto crypto = new BouncyCastleCrypto();
|
||||||
|
WindowsLoginCredentialsFromEncryptedData passwordDecrypt = new WindowsLoginCredentialsFromEncryptedData(crypto);
|
||||||
|
|
||||||
|
assertEquals(passwordDecrypt.apply(EncryptedPasswordAndPrivateKey.builder()
|
||||||
|
.encryptedPassword(actual).privateKey(privateKey).build()).getPassword(), "bX7vvptvw");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
|
Loading…
Reference in New Issue