0

I implemented a WSSE client to access my orocrm implementation REST API. It works if I run it on the same server, so I can say that it is correct. It doesn't work if I run it from another server on the same LAN (so I'm sure that only the local httpd server is involved). This is the code and it works locally. Is there some httpd directive to set to manage correctly WSSE header?

    <?php

    $username = 'admin';
    $apiUserKey = '32e4c7a5f3a4c1f59b85be43f2e33dcd5afacbac';
    $userSalt = ''; // Will be removed in version 1.0 of OroCRM
    $url = 'http://my-server-LAN-IP/crm-application/web/app_dev.php/api/rest/latest/users';


    $oroWsse = new OroWsseAuthentification($username, $apiUserKey, $userSalt);

    $ch = curl_init();

    $headers = $oroWsse->getHeaders();

    print_r($headers);

    $array = array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER => $headers,
        CURLOPT_HEADER => 0,
        CURLOPT_FAILONERROR => true,
        CURLOPT_URL => $url
    );

    curl_setopt_array($ch, $array);

    $result = curl_exec($ch);

    if ( $result === false) {
        echo curl_error($ch);
    } else {
        echo ($result) . "\n";
    }

    curl_close($ch);


    class OroWsseAuthentification
    {
        protected $_username;
        protected $_apiKey;
        protected $_userSalt;

        /**
         * @param $username
         * @param $apiUserKey
         * @param string $userSalt
         */
        public function __construct ($username, $apiUserKey, $userSalt = '')
        {
            $this->_username = $username;
            $this->_apiKey = $apiUserKey;
            $this->_userSalt = $userSalt; // deprecated in OroCRM v1.0
        }

        /**
         * @param $raw
         * @param $salt
         * @return string
         */
        private function _encodePassword($raw, $salt)
        {
            $salted = $this->_mergePasswordAndSalt($raw, $salt);
            $digest = hash('sha1', $salted, true);

            return base64_encode($digest);
        }

        /**
         * @param $password
         * @param $salt
         * @return string
         * @throws InvalidArgumentException
         */
        private function _mergePasswordAndSalt($password, $salt)
        {
            if (empty($salt)) {
                return $password;
            }

            if (false !== strrpos($salt, '{') || false !== strrpos($salt, '}')) {
                throw new \InvalidArgumentException('Cannot use { or } in salt.');
            }

            return $password.'{'.$salt.'}';
        }

        /**
         * @return array
         */
        public function getHeaders ()
        {
            // this is my server hostname
            $prefix = 'my-server-hostname';
            $created = date('c');
            $nonce  = base64_encode(substr(md5(uniqid($prefix . '_', true)), 0, 16));

            $passwordDigest = $this->_encodePassword(base64_decode($nonce) . $created . $this->_apiKey, $this->_userSalt);

            $wsseProfile = sprintf(
                'X-WSSE: UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"',
                $this->_username,
                $passwordDigest,
                $nonce,
                $created
            );

            return array(
                'Authorization: WSSE profile="UsernameToken"',
                $wsseProfile
            );
        }
    }
Alessandra
  • 467
  • 2
  • 6
  • 24

1 Answers1

0

Are you sure that datetime on both servers is the same? Do you use new WSSE header for each request (as it's required by WSSE spec)?

ishakuta
  • 136
  • 4