René's URL Explorer Experiment


Title: Support FIPS-compatible API signing by andrijapanicsb · Pull Request #213 · apache/cloudstack-cloudmonkey · GitHub

Open Graph Title: Support FIPS-compatible API signing by andrijapanicsb · Pull Request #213 · apache/cloudstack-cloudmonkey

X Title: Support FIPS-compatible API signing by andrijapanicsb · Pull Request #213 · apache/cloudstack-cloudmonkey

Description: Support FIPS-compatible API request signing in CloudMonkey Summary This change adds support for CloudStack API key request signing with HmacSHA512, while preserving compatibility with older CloudStack deployments that still require or allow HmacSHA1. CloudMonkey profiles now support a profile-level signaturealgorithm setting: auto HmacSHA512 HmacSHA1 New and migrated profiles default to auto. In auto mode, CloudMonkey probes the active endpoint with the read-only listApis API, trying HmacSHA512 first and falling back to HmacSHA1 only if the SHA-512 probe fails authentication/signature verification. Once a probe succeeds, the concrete algorithm is persisted to the active profile before the user-requested API command is executed. This avoids retrying user-requested APIs directly and prevents duplicate execution of state-changing commands during signature algorithm detection. Motivation When legacy algorithms are disabled, CloudStack rejects API requests signed with HmacSHA1 and accepts modern HmacSHA512 signatures. CloudMonkey previously signed API key requests with HmacSHA1 only, so API key authentication failed against such deployments. This change allows CloudMonkey to work with FIPS-compatible CloudStack environments while keeping existing legacy deployments usable without manual trial and error. Behavior New or migrated profiles If signaturealgorithm is absent from an existing profile, CloudMonkey writes: signaturealgorithm = auto Auto detection When API key and secret key authentication is used and the active profile is set to auto, CloudMonkey: Sends a read-only listApis listall=true probe signed with HmacSHA512. If that succeeds, persists: signaturealgorithm = HmacSHA512 If SHA-512 fails authentication/signature verification, retries the same read-only probe with HmacSHA1. If SHA-1 succeeds, persists: signaturealgorithm = HmacSHA1 Executes the original user-requested API only after detection has completed. Explicit configuration If a profile explicitly sets HmacSHA512 or HmacSHA1, CloudMonkey uses only that configured algorithm and does not silently fall back. Prompt indicator Profiles using HmacSHA512 show a -fips marker in the interactive prompt. For example: (localcloud-fips) cmk > The marker indicates that CloudMonkey is using the FIPS-compatible CloudStack API signing algorithm. It does not imply full end-to-end FIPS validation of the local environment. Debug logging Auto-detection probe attempts are logged only when debug mode is enabled. Normal interactive output is not noisy when fallback succeeds. Debug output includes which signature algorithm probe is attempted, which probe fails, and which algorithm is selected. Testing Automated tests added: HmacSHA1 signature generation against a fixed request string HmacSHA512 signature generation against a fixed request string default profile uses signaturealgorithm = auto missing signaturealgorithm is migrated to auto explicit HmacSHA512 does not silently try HmacSHA1 auto persists HmacSHA512 when the SHA-512 probe succeeds auto falls back and persists HmacSHA1 when SHA-512 fails but SHA-1 succeeds auto does not retry the user-requested API directly, avoiding duplicate execution risk for state-changing APIs prompt shows -fips when the active profile uses HmacSHA512 Command run: go test ./... Lab verification Verified against a CloudStack lab environment. With legacy algorithms enabled: api.legacy.algorithm.supported=true auto selected and persisted HmacSHA512 read-only sync succeeded and discovered 878 APIs With legacy algorithms disabled: api.legacy.algorithm.supported=false Control checks: forced signaturealgorithm = HmacSHA1 failed with HTTP 401 signature verification error forced signaturealgorithm = HmacSHA512 succeeded signaturealgorithm = auto succeeded and persisted HmacSHA512 Observed result: forced HmacSHA1: HTTP 401: unable to verify user credentials and/or request signature forced HmacSHA512: Discovered 878 APIs auto detection: Discovered 878 APIs signaturealgorithm = HmacSHA512 Performance note I also compared SHA-1 and SHA-512 signing overhead during local validation. Local signer-only measurement showed SHA-512 signing is slower than SHA-1 in isolation, but still on the order of microseconds per request. Lab API request latency was dominated by network and CloudStack server round-trip time, with no meaningful API-level bottleneck observed from using HmacSHA512. Benchmark tooling and result artifacts are not included in this PR. Compatibility Existing profiles without signaturealgorithm migrate to auto. Older CloudStack deployments that only support HmacSHA1 remain supported through auto fallback or explicit HmacSHA1 configuration. CloudStack deployments with legacy algorithms disabled are supported through HmacSHA512. Username/password session authentication is not changed. Notes The detection probe intentionally uses listApis before executing the user-requested API so that state-changing APIs are not retried as part of algorithm detection.

Open Graph Description: Support FIPS-compatible API request signing in CloudMonkey Summary This change adds support for CloudStack API key request signing with HmacSHA512, while preserving compatibility with older CloudSt...

X Description: Support FIPS-compatible API request signing in CloudMonkey Summary This change adds support for CloudStack API key request signing with HmacSHA512, while preserving compatibility with older CloudSt...

Opengraph URL: https://github.com/apache/cloudstack-cloudmonkey/pull/213

X: @github

direct link

Domain: github.com

route-pattern/:user_id/:repository/pull/:id/files(.:format)
route-controllerpull_requests
route-actionfiles
fetch-noncev2:f2d6159f-6f6a-f2e8-67bd-0f84575a94f0
current-catalog-service-hashae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b
request-idC5EC:44273:67F987:94DAEF:6A4E37FB
html-safe-nonce7975713efb46c258aef5034505efa08ba0b24296ae70688cafc3afbf5fb744e3
visitor-payloadeyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJDNUVDOjQ0MjczOjY3Rjk4Nzo5NERBRUY6NkE0RTM3RkIiLCJ2aXNpdG9yX2lkIjoiMjIzMTY5ODc5NzI5MjgyODY2NyIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9
visitor-hmac279a0980070d107c69b6835bf7b2014230465e22eb846db1798ce5082bf61495
hovercard-subject-tagpull_request:3787754378
github-keyboard-shortcutsrepository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot
google-site-verificationApib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
octolytics-urlhttps://collector.github.com/github/collect
analytics-location///pull_requests/show/files
fb:app_id1401488693436528
apple-itunes-appapp-id=1477376905, app-argument=https://github.com/apache/cloudstack-cloudmonkey/pull/213/files
twitter:imagehttps://avatars.githubusercontent.com/u/45762285?s=400&v=4
twitter:cardsummary_large_image
og:imagehttps://avatars.githubusercontent.com/u/45762285?s=400&v=4
og:image:altSupport FIPS-compatible API request signing in CloudMonkey Summary This change adds support for CloudStack API key request signing with HmacSHA512, while preserving compatibility with older CloudSt...
og:site_nameGitHub
og:typeobject
hostnamegithub.com
expected-hostnamegithub.com
None030096ee0db095447bfe77409d33bfac127ca7128299c58deef27c52eaa1b1f0
turbo-cache-controlno-preview
diff-viewunified
go-importgithub.com/apache/cloudstack-cloudmonkey git https://github.com/apache/cloudstack-cloudmonkey.git
octolytics-dimension-user_id47359
octolytics-dimension-user_loginapache
octolytics-dimension-repository_id13641478
octolytics-dimension-repository_nwoapache/cloudstack-cloudmonkey
octolytics-dimension-repository_publictrue
octolytics-dimension-repository_is_forkfalse
octolytics-dimension-repository_network_root_id13641478
octolytics-dimension-repository_network_root_nwoapache/cloudstack-cloudmonkey
turbo-body-classeslogged-out env-production page-responsive full-width
disable-turbotrue
browser-stats-urlhttps://api.github.com/_private/browser/stats
browser-errors-urlhttps://api.github.com/_private/browser/errors
release42a6d378d7587a44c93aca255096cd66b7c8eb2d
ui-targetfull
theme-color#1e2327
color-schemelight dark

Links:

Skip to contenthttps://github.com/apache/cloudstack-cloudmonkey/pull/213/files#start-of-content
https://github.com/
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fapache%2Fcloudstack-cloudmonkey%2Fpull%2F213%2Ffiles
GitHub CopilotWrite better code with AIhttps://github.com/features/copilot
GitHub Copilot appDirect agents from issue to mergehttps://github.com/features/ai/github-app
MCP RegistryNewIntegrate external toolshttps://github.com/mcp
ActionsAutomate any workflowhttps://github.com/features/actions
CodespacesInstant dev environmentshttps://github.com/features/codespaces
IssuesPlan and track workhttps://github.com/features/issues
Code ReviewManage code changeshttps://github.com/features/code-review
GitHub Advanced SecurityFind and fix vulnerabilitieshttps://github.com/security/advanced-security
Code securitySecure your code as you buildhttps://github.com/security/advanced-security/code-security
Secret protectionStop leaks before they starthttps://github.com/security/advanced-security/secret-protection
Why GitHubhttps://github.com/why-github
Documentationhttps://docs.github.com
Bloghttps://github.blog
Changeloghttps://github.blog/changelog
Marketplacehttps://github.com/marketplace
View all featureshttps://github.com/features
Enterpriseshttps://github.com/enterprise
Small and medium teamshttps://github.com/team
Startupshttps://github.com/enterprise/startups
Nonprofitshttps://github.com/solutions/industry/nonprofits
App Modernizationhttps://github.com/solutions/use-case/app-modernization
DevSecOpshttps://github.com/solutions/use-case/devsecops
DevOpshttps://github.com/solutions/use-case/devops
CI/CDhttps://github.com/solutions/use-case/ci-cd
View all use caseshttps://github.com/solutions/use-case
Healthcarehttps://github.com/solutions/industry/healthcare
Financial serviceshttps://github.com/solutions/industry/financial-services
Manufacturinghttps://github.com/solutions/industry/manufacturing
Governmenthttps://github.com/solutions/industry/government
View all industrieshttps://github.com/solutions/industry
View all solutionshttps://github.com/solutions
AIhttps://github.com/resources/articles?topic=ai
Software Developmenthttps://github.com/resources/articles?topic=software-development
DevOpshttps://github.com/resources/articles?topic=devops
Securityhttps://github.com/resources/articles?topic=security
View all topicshttps://github.com/resources/articles
Customer storieshttps://github.com/customer-stories
Events & webinarshttps://github.com/resources/events
Ebooks & reportshttps://github.com/resources/whitepapers
Business insightshttps://github.com/solutions/executive-insights
GitHub Skillshttps://skills.github.com
Documentationhttps://docs.github.com
Customer supporthttps://support.github.com
Community forumhttps://github.com/orgs/community/discussions
Trust centerhttps://github.com/trust-center
Partnershttps://github.com/partners
View all resourceshttps://github.com/resources
GitHub SponsorsFund open source developershttps://github.com/sponsors
Security Labhttps://securitylab.github.com
Maintainer Communityhttps://maintainers.github.com
Acceleratorhttps://github.com/accelerator
GitHub Starshttps://stars.github.com
Archive Programhttps://archiveprogram.github.com
Topicshttps://github.com/topics
Trendinghttps://github.com/trending
Collectionshttps://github.com/collections
Enterprise platformAI-powered developer platformhttps://github.com/enterprise
GitHub Advanced SecurityEnterprise-grade security featureshttps://github.com/security/advanced-security
Copilot for BusinessEnterprise-grade AI featureshttps://github.com/features/copilot/copilot-business
Premium SupportEnterprise-grade 24/7 supporthttps://github.com/premium-support
Pricinghttps://github.com/pricing
Search syntax tipshttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
documentationhttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fapache%2Fcloudstack-cloudmonkey%2Fpull%2F213%2Ffiles
Sign up https://github.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fpull_requests%2Fshow%2Ffiles&source=header-repo&source_repo=apache%2Fcloudstack-cloudmonkey
Reloadhttps://github.com/apache/cloudstack-cloudmonkey/pull/213/files
Reloadhttps://github.com/apache/cloudstack-cloudmonkey/pull/213/files
Reloadhttps://github.com/apache/cloudstack-cloudmonkey/pull/213/files
Please reload this pagehttps://github.com/apache/cloudstack-cloudmonkey/pull/213/files
apache https://github.com/apache
cloudstack-cloudmonkeyhttps://github.com/apache/cloudstack-cloudmonkey
Notifications https://github.com/login?return_to=%2Fapache%2Fcloudstack-cloudmonkey
Fork 79 https://github.com/login?return_to=%2Fapache%2Fcloudstack-cloudmonkey
Star 115 https://github.com/login?return_to=%2Fapache%2Fcloudstack-cloudmonkey
Code https://github.com/apache/cloudstack-cloudmonkey
Issues 8 https://github.com/apache/cloudstack-cloudmonkey/issues
Pull requests 13 https://github.com/apache/cloudstack-cloudmonkey/pulls
Actions https://github.com/apache/cloudstack-cloudmonkey/actions
Projects https://github.com/apache/cloudstack-cloudmonkey/projects
Wiki https://github.com/apache/cloudstack-cloudmonkey/wiki
Security and quality 0 https://github.com/apache/cloudstack-cloudmonkey/security
Insights https://github.com/apache/cloudstack-cloudmonkey/pulse
Code https://github.com/apache/cloudstack-cloudmonkey
Issues https://github.com/apache/cloudstack-cloudmonkey/issues
Pull requests https://github.com/apache/cloudstack-cloudmonkey/pulls
Actions https://github.com/apache/cloudstack-cloudmonkey/actions
Projects https://github.com/apache/cloudstack-cloudmonkey/projects
Wiki https://github.com/apache/cloudstack-cloudmonkey/wiki
Security and quality https://github.com/apache/cloudstack-cloudmonkey/security
Insights https://github.com/apache/cloudstack-cloudmonkey/pulse
Sign up for GitHub https://github.com/signup?return_to=%2Fapache%2Fcloudstack-cloudmonkey%2Fissues%2Fnew%2Fchoose
terms of servicehttps://docs.github.com/terms
privacy statementhttps://docs.github.com/privacy
Sign inhttps://github.com/login?return_to=%2Fapache%2Fcloudstack-cloudmonkey%2Fissues%2Fnew%2Fchoose
andrijapanicsbhttps://github.com/andrijapanicsb
mainhttps://github.com/apache/cloudstack-cloudmonkey/tree/main
cmk-fips-api-signinghttps://github.com/apache/cloudstack-cloudmonkey/tree/cmk-fips-api-signing
Conversation 6 https://github.com/apache/cloudstack-cloudmonkey/pull/213
Commits 1 https://github.com/apache/cloudstack-cloudmonkey/pull/213/commits
Checks 7 https://github.com/apache/cloudstack-cloudmonkey/pull/213/checks
Files changed 6 https://github.com/apache/cloudstack-cloudmonkey/pull/213/files
Support FIPS-compatible API signing https://github.com/apache/cloudstack-cloudmonkey/pull/213/files#top
Show all changes 1 commit https://github.com/apache/cloudstack-cloudmonkey/pull/213/files
f9231bf Support FIPS-compatible API signing andrijapanicsb Jun 2, 2026 https://github.com/apache/cloudstack-cloudmonkey/pull/213/commits/f9231bf69b2c48ff229f29f75b025388bf45e76e
Clear filters https://github.com/apache/cloudstack-cloudmonkey/pull/213/files
Please reload this pagehttps://github.com/apache/cloudstack-cloudmonkey/pull/213/files
Please reload this pagehttps://github.com/apache/cloudstack-cloudmonkey/pull/213/files
network.go https://github.com/apache/cloudstack-cloudmonkey/pull/213/files#diff-e9daf86a1d986c4dd2d04a1d6fde640154bfd9dd95ff08d6e6f4e70aa13f58a9
network_test.go https://github.com/apache/cloudstack-cloudmonkey/pull/213/files#diff-a09b9ec2f8a71b924157b542860984329c824894e5b26258c2c07ba8c565cc62
set.go https://github.com/apache/cloudstack-cloudmonkey/pull/213/files#diff-10c20198a021697447b46a62d6814a08ec74b7d5035fbfe350f95c3cc96c370f
config.go https://github.com/apache/cloudstack-cloudmonkey/pull/213/files#diff-fe44f09c4d5977b5f5eaea29170b6a0748819c9d02271746a20d81a5f3efca17
config_test.go https://github.com/apache/cloudstack-cloudmonkey/pull/213/files#diff-373f5578b8f362a364b50b0d01919a57da64c128547ca10d49df8ae422237c82
prompt.go https://github.com/apache/cloudstack-cloudmonkey/pull/213/files#diff-b724ec332b3149136545b4cb391dde5ee161cf1c5ed7c1697fdeb1b8095a576d
cmd/network.gohttps://github.com/apache/cloudstack-cloudmonkey/pull/213/files#diff-e9daf86a1d986c4dd2d04a1d6fde640154bfd9dd95ff08d6e6f4e70aa13f58a9
View file https://github.com/apache/cloudstack-cloudmonkey/blob/f9231bf69b2c48ff229f29f75b025388bf45e76e/cmd/network.go
Open in desktop https://desktop.github.com
https://github.co/hiddenchars
https://github.com/apache/cloudstack-cloudmonkey/pull/213/{{ revealButtonHref }}
https://github.com/apache/cloudstack-cloudmonkey/pull/213/files#diff-e9daf86a1d986c4dd2d04a1d6fde640154bfd9dd95ff08d6e6f4e70aa13f58a9
https://github.com/apache/cloudstack-cloudmonkey/pull/213/files#diff-e9daf86a1d986c4dd2d04a1d6fde640154bfd9dd95ff08d6e6f4e70aa13f58a9
https://github.com/apache/cloudstack-cloudmonkey/pull/213/files#diff-e9daf86a1d986c4dd2d04a1d6fde640154bfd9dd95ff08d6e6f4e70aa13f58a9
andrijapanicsbhttps://github.com/andrijapanicsb
Jun 2, 2026https://github.com/apache/cloudstack-cloudmonkey/pull/213/files#r3344773177
Learn morehttps://docs.github.com/articles/managing-disruptive-comments/#hiding-a-comment
Please reload this pagehttps://github.com/apache/cloudstack-cloudmonkey/pull/213/files
https://github.com/apache/cloudstack-cloudmonkey/actions/runs/26796112436/job/78992711503?pr=213
https://github.com/apache/cloudstack-cloudmonkey/actions/runs/26817200017/job/79061900361?pr=213
https://github.com/apache/cloudstack-cloudmonkey/pull/213/files#diff-e9daf86a1d986c4dd2d04a1d6fde640154bfd9dd95ff08d6e6f4e70aa13f58a9
https://github.com/apache/cloudstack-cloudmonkey/pull/213/files#diff-e9daf86a1d986c4dd2d04a1d6fde640154bfd9dd95ff08d6e6f4e70aa13f58a9
https://github.com/apache/cloudstack-cloudmonkey/pull/213/files#diff-e9daf86a1d986c4dd2d04a1d6fde640154bfd9dd95ff08d6e6f4e70aa13f58a9
https://github.com/apache/cloudstack-cloudmonkey/pull/213/files#diff-e9daf86a1d986c4dd2d04a1d6fde640154bfd9dd95ff08d6e6f4e70aa13f58a9
https://github.com/apache/cloudstack-cloudmonkey/pull/213/files#diff-e9daf86a1d986c4dd2d04a1d6fde640154bfd9dd95ff08d6e6f4e70aa13f58a9
Please reload this pagehttps://github.com/apache/cloudstack-cloudmonkey/pull/213/files
Please reload this pagehttps://github.com/apache/cloudstack-cloudmonkey/pull/213/files
https://github.com
Termshttps://docs.github.com/site-policy/github-terms/github-terms-of-service
Privacyhttps://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Securityhttps://github.com/security
Statushttps://www.githubstatus.com/
Communityhttps://github.community/
Docshttps://docs.github.com/
Contacthttps://support.github.com?tags=dotcom-footer

Viewport: width=device-width


URLs of crawlers that visited me.