Title: Support FIPS-compatible API signing by andrijapanicsb · Pull Request #213 · apache/cloudstack-cloudmonkey · GitHub
Open Graph Title: Support FIPS-compatible API signing by andrijapanicsb · Pull Request #213 · apache/cloudstack-cloudmonkey
X Title: Support FIPS-compatible API signing by andrijapanicsb · Pull Request #213 · apache/cloudstack-cloudmonkey
Description: Support FIPS-compatible API request signing in CloudMonkey Summary This change adds support for CloudStack API key request signing with HmacSHA512, while preserving compatibility with older CloudStack deployments that still require or allow HmacSHA1. CloudMonkey profiles now support a profile-level signaturealgorithm setting: auto HmacSHA512 HmacSHA1 New and migrated profiles default to auto. In auto mode, CloudMonkey probes the active endpoint with the read-only listApis API, trying HmacSHA512 first and falling back to HmacSHA1 only if the SHA-512 probe fails authentication/signature verification. Once a probe succeeds, the concrete algorithm is persisted to the active profile before the user-requested API command is executed. This avoids retrying user-requested APIs directly and prevents duplicate execution of state-changing commands during signature algorithm detection. Motivation When legacy algorithms are disabled, CloudStack rejects API requests signed with HmacSHA1 and accepts modern HmacSHA512 signatures. CloudMonkey previously signed API key requests with HmacSHA1 only, so API key authentication failed against such deployments. This change allows CloudMonkey to work with FIPS-compatible CloudStack environments while keeping existing legacy deployments usable without manual trial and error. Behavior New or migrated profiles If signaturealgorithm is absent from an existing profile, CloudMonkey writes: signaturealgorithm = auto Auto detection When API key and secret key authentication is used and the active profile is set to auto, CloudMonkey: Sends a read-only listApis listall=true probe signed with HmacSHA512. If that succeeds, persists: signaturealgorithm = HmacSHA512 If SHA-512 fails authentication/signature verification, retries the same read-only probe with HmacSHA1. If SHA-1 succeeds, persists: signaturealgorithm = HmacSHA1 Executes the original user-requested API only after detection has completed. Explicit configuration If a profile explicitly sets HmacSHA512 or HmacSHA1, CloudMonkey uses only that configured algorithm and does not silently fall back. Prompt indicator Profiles using HmacSHA512 show a -fips marker in the interactive prompt. For example: (localcloud-fips) cmk > The marker indicates that CloudMonkey is using the FIPS-compatible CloudStack API signing algorithm. It does not imply full end-to-end FIPS validation of the local environment. Debug logging Auto-detection probe attempts are logged only when debug mode is enabled. Normal interactive output is not noisy when fallback succeeds. Debug output includes which signature algorithm probe is attempted, which probe fails, and which algorithm is selected. Testing Automated tests added: HmacSHA1 signature generation against a fixed request string HmacSHA512 signature generation against a fixed request string default profile uses signaturealgorithm = auto missing signaturealgorithm is migrated to auto explicit HmacSHA512 does not silently try HmacSHA1 auto persists HmacSHA512 when the SHA-512 probe succeeds auto falls back and persists HmacSHA1 when SHA-512 fails but SHA-1 succeeds auto does not retry the user-requested API directly, avoiding duplicate execution risk for state-changing APIs prompt shows -fips when the active profile uses HmacSHA512 Command run: go test ./... Lab verification Verified against a CloudStack lab environment. With legacy algorithms enabled: api.legacy.algorithm.supported=true auto selected and persisted HmacSHA512 read-only sync succeeded and discovered 878 APIs With legacy algorithms disabled: api.legacy.algorithm.supported=false Control checks: forced signaturealgorithm = HmacSHA1 failed with HTTP 401 signature verification error forced signaturealgorithm = HmacSHA512 succeeded signaturealgorithm = auto succeeded and persisted HmacSHA512 Observed result: forced HmacSHA1: HTTP 401: unable to verify user credentials and/or request signature forced HmacSHA512: Discovered 878 APIs auto detection: Discovered 878 APIs signaturealgorithm = HmacSHA512 Performance note I also compared SHA-1 and SHA-512 signing overhead during local validation. Local signer-only measurement showed SHA-512 signing is slower than SHA-1 in isolation, but still on the order of microseconds per request. Lab API request latency was dominated by network and CloudStack server round-trip time, with no meaningful API-level bottleneck observed from using HmacSHA512. Benchmark tooling and result artifacts are not included in this PR. Compatibility Existing profiles without signaturealgorithm migrate to auto. Older CloudStack deployments that only support HmacSHA1 remain supported through auto fallback or explicit HmacSHA1 configuration. CloudStack deployments with legacy algorithms disabled are supported through HmacSHA512. Username/password session authentication is not changed. Notes The detection probe intentionally uses listApis before executing the user-requested API so that state-changing APIs are not retried as part of algorithm detection.
Open Graph Description: Support FIPS-compatible API request signing in CloudMonkey Summary This change adds support for CloudStack API key request signing with HmacSHA512, while preserving compatibility with older CloudSt...
X Description: Support FIPS-compatible API request signing in CloudMonkey Summary This change adds support for CloudStack API key request signing with HmacSHA512, while preserving compatibility with older CloudSt...
Opengraph URL: https://github.com/apache/cloudstack-cloudmonkey/pull/213
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:f2d6159f-6f6a-f2e8-67bd-0f84575a94f0 |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | C5EC:44273:67F987:94DAEF:6A4E37FB |
| html-safe-nonce | 7975713efb46c258aef5034505efa08ba0b24296ae70688cafc3afbf5fb744e3 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJDNUVDOjQ0MjczOjY3Rjk4Nzo5NERBRUY6NkE0RTM3RkIiLCJ2aXNpdG9yX2lkIjoiMjIzMTY5ODc5NzI5MjgyODY2NyIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | 279a0980070d107c69b6835bf7b2014230465e22eb846db1798ce5082bf61495 |
| hovercard-subject-tag | pull_request:3787754378 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/apache/cloudstack-cloudmonkey/pull/213/files |
| twitter:image | https://avatars.githubusercontent.com/u/45762285?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/u/45762285?s=400&v=4 |
| og:image:alt | Support FIPS-compatible API request signing in CloudMonkey Summary This change adds support for CloudStack API key request signing with HmacSHA512, while preserving compatibility with older CloudSt... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | 030096ee0db095447bfe77409d33bfac127ca7128299c58deef27c52eaa1b1f0 |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/apache/cloudstack-cloudmonkey git https://github.com/apache/cloudstack-cloudmonkey.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 13641478 |
| octolytics-dimension-repository_nwo | apache/cloudstack-cloudmonkey |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 13641478 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack-cloudmonkey |
| turbo-body-classes | logged-out env-production page-responsive full-width |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 42a6d378d7587a44c93aca255096cd66b7c8eb2d |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width