rbvmomi 1.8.2 → 2.4.1

checksums.yaml

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    MjIzODk3MDBhOTNjMDg5ODAyZjgyNWZjNDMwYzk2OTQ2NTQzYmEyYw==
-  data.tar.gz: !binary |-
-    Y2U1MmQ2YTM2NzNiOTI1NzYyMzhkYmZmODdkMGVhNWE5OTBlMzY5Nw==
+SHA256:
+  metadata.gz: fa94b53805d6066da9dab0c887099c1fbda5f3bbf053b828d24fa3532761276f
+  data.tar.gz: a1061d9d03c38eda8a17061e6fb6ffc8ce7053f4d14c237201e5690cd8e77ee6
 SHA512:
-  metadata.gz: !binary |-
-    NjA5YmM1ZTExODA5ODM4NjllNTU0OGEyOGIxNTQ2OTIzNzRjODEyOWE1MDkz
-    MjM5MmZjNTMwZTg1MDUwZjE0MWI2ODVhYTdmN2IyOWUyNTYzODY0MDMzMzg5
-    ODU3YzY0Y2MzMjg5MzM1MTdiZWI0MGJlMjM1ODIzNWMxYjFiZTI=
-  data.tar.gz: !binary |-
-    OTZiMDI4MzA5ODcwOTAwN2I1MDNiOTBlNWNjYWI2OTdhNWQzYWI0M2M1YzI5
-    ZWZiMDVjNTRhNTg5MTU0ZmE5Yzg5YTY5NDcwNWZmMDIxMTY1ZGUwZGZkNzUw
-    NTBhOGJjN2ZmYzI0MjVlZDBkM2UxZjkyNDU3YzY2NGZjNTkzOWU=
+  metadata.gz: '082a81fbb750449c92511db26dd03e4df2de5602f9091c1b035c70a7e4389ce40d4b8a2df9600f49f6feb9f96239811165f2b0b0df5c6b9ef49f0a3b98a95d26'
+  data.tar.gz: 0a1cceb5a1c08fb369ef0629ca9aa824c42192f9625d1f0ebc2baf0b912cf76b7d47f4088450dd1b4520f0f58a8ec815070912733fff6d4fbb8b4739580cd44c

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2010 VMware, Inc.  All Rights Reserved.
+Copyright (c) 2010-2017 VMware, Inc.  All Rights Reserved.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/README.md

@@ -0,0 +1,114 @@
+# RbVmomi
+
+[<img src="https://badge.fury.io/rb/rbvmomi.svg" alt="gem-version">](https://rubygems.org/gems/rbvmomi) 
+[<img src="https://travis-ci.org/vmware/rbvmomi.svg?branch=master" alt="travis-ci">](http://travis-ci.org/vmware/rbvmomi) 
+[<img src="https://badges.gitter.im/vmware/rbvmomi.svg">](https://gitter.im/vmware/rbvmomi)
+
+This is a community-supported, open source project at VMware. It is built and
+maintained by programmers like you!
+
+## Introduction
+
+RbVmomi is a Ruby interface to the vSphere API. Like the Perl and Java SDKs,
+you can use it to manage ESX and vCenter servers. The current release
+supports the vSphere 6.5 API. RbVmomi specific documentation is
+[online](http://rdoc.info/github/vmware/rbvmomi/master/frames) and is meant to
+be used alongside the official [documentation](http://pubs.vmware.com/vsphere-65/index.jsp#com.vmware.wssdk.apiref.doc/right-pane.html).
+
+## Installation
+
+    gem install rbvmomi
+
+### Support for older Ruby versions
+
+RbVmomi supports Ruby 1.8.7 and higher, but certain dependencies may need
+pinning to older versions to get a compatible set of gems.
+
+On Ruby 1.8.7:
+
+* use `nokogiri` 1.5.x (Gemfile: `gem 'nokogiri', '< 1.6'`)
+
+
+On both Ruby 1.9 and 1.8.7:
+
+* use `json` 1.x (Gemfile: `gem 'json', '< 2'`)
+
+
+## Usage
+
+A simple example of turning on a VM:
+
+```ruby
+require 'rbvmomi'
+
+vim = RbVmomi::VIM.connect(host: 'foo', user: 'bar', password: 'baz')
+dc = vim.serviceInstance.find_datacenter('my_datacenter') || fail('datacenter not found')
+vm = dc.find_vm('my_vm') || fail('VM not found')
+vm.PowerOnVM_Task.wait_for_completion
+```
+
+This code uses several RbVmomi extensions to the vSphere API for concision.
+The expanded snippet below uses only standard API calls and should be familiar
+to users of the Java SDK:
+
+```ruby
+require 'rbvmomi'
+
+vim = RbVmomi::VIM.connect(host: 'foo', user: 'bar', password: 'baz')
+root_folder = vim.serviceInstance.content.rootFolder
+dc = root_folder.childEntity.grep(RbVmomi::VIM::Datacenter).find { |x| x.name == 'mydatacenter' } || fail('datacenter not found')
+vm = dc.vmFolder.childEntity.grep(RbVmomi::VIM::VirtualMachine).find { |x| x.name == 'my_vm' } || fail('VM not found')
+task = vm.PowerOnVM_Task
+filter = vim.propertyCollector.CreateFilter(
+  spec: {
+    propSet: [{ type: 'Task', all: false, pathSet: ['info.state']}],
+    objectSet: [{ obj: task }]
+  },
+  partialUpdates: false
+)
+ver = ''
+loop do
+  result = vim.propertyCollector.WaitForUpdates(version: ver)
+  ver = result.version
+  break if ['success', 'error'].member?(task.info.state)
+end
+filter.DestroyPropertyFilter
+raise(task.info.error) if task.info.state == 'error'
+```
+
+As you can see, the extensions RbVmomi adds can dramatically decrease the code
+needed to perform simple tasks while still letting you use the full power of
+the API when necessary. RbVmomi extensions are often more efficient than a
+naive implementation; for example, the find_vm method on VIM::Datacenter used
+in the first example uses the SearchIndex for fast lookups.
+
+A few important points:
+
+*   All class, method, parameter, and property names match the official [documentation](http://pubs.vmware.com/vsphere-65/index.jsp#com.vmware.wssdk.apiref.doc/right-pane.html).
+*   Properties are exposed as accessor methods.
+*   Data object types can usually be inferred from context, so you may use a hash instead.
+*   Enumeration values are simply strings.
+*   Example code is included in the examples/ directory.
+*   A set of helper methods for Optimist is included to speed up development of
+    command line apps. See the included examples for usage.
+*   If you don't have trusted SSL certificates installed on the host you're
+    connecting to, you'll get an `OpenSSL::SSL::SSLError` "certificate verify
+    failed". You can work around this by using the `:insecure` option to
+    `RbVmomi::VIM.connect`.
+*   This is a side project of a VMware employee and is entirely unsupported by
+    VMware.
+
+
+Built-in extensions are under `lib/rbvmomi/vim/`. You are encouraged to reopen
+VIM classes in your applications and add extensions of your own. If you write
+something generally useful please open a [pull request](https://github.com/vmware/rbvmomi/pulls) so it can be merged back in
+
+## Development
+
+Open an issue on the [issues page](https://github.com/vmware/rbvmomi/issues)
+or  fork the project on [GitHub](https://github.com/vmware/rbvmomi) and send a
+[pull request](https://github.com/vmware/rbvmomi/pulls).
+
+## Support
+
+You can chat on [Gitter](https://gitter.im/vmware/rbvmomi) or join the [VMware {code} Slack team](https://vmwarecode.slack.com/) and join the [#rbvmomi channel](https://vmwarecode.slack.com/messages/rbvmomi).

data/{bin → exe}/rbvmomish

@@ -2,14 +2,14 @@
 # TODO keepalive
 # TODO rc file
 # TODO proxy support?
-require 'trollop'
+require 'optimist'
 require 'readline'
 require 'rbvmomi'
-require 'rbvmomi/trollop'
+require 'rbvmomi/optimist'
 
 VIM = RbVmomi::VIM
 
-opts = Trollop.options do
+opts = Optimist.options do
   banner <<-EOS
 vSphere API console.
 
@@ -35,7 +35,7 @@ VIM connection options:
 Other options:
   EOS
 
-  $trollop = self
+  $optimist = self
 end
 
 begin
@@ -102,7 +102,7 @@ def si
 end
 
 def help
-  $trollop.educate
+  $optimist.educate
   :no_result
 end
 

data/lib/rbvmomi.rb

@@ -1,12 +1,16 @@
-# Copyright (c) 2010 VMware, Inc.  All Rights Reserved.
-module RbVmomi
+# Copyright (c) 2010-2019 VMware, Inc.  All Rights Reserved.
+# SPDX-License-Identifier: MIT
 
-# @private
-# @deprecated Use +RbVmomi::VIM.connect+.
-def self.connect opts
-  VIM.connect opts
+# RbVmomi is a Ruby interface to the vSphere management interface
+module RbVmomi
+  # @private
+  # @deprecated Use +RbVmomi::VIM.connect+.
+  def self.connect(opts)
+    VIM.connect opts
+  end
 end
 
-end
 require 'rbvmomi/connection'
+require 'rbvmomi/sso'
+require 'rbvmomi/version'
 require 'rbvmomi/vim'

data/lib/rbvmomi/basic_types.rb

@@ -1,4 +1,6 @@
-# Copyright (c) 2010 VMware, Inc.  All Rights Reserved.
+# Copyright (c) 2011-2017 VMware, Inc.  All Rights Reserved.
+# SPDX-License-Identifier: MIT
+
 require 'pp'
 require 'set'
 
@@ -158,6 +160,12 @@ class DataObject < ObjectWithProperties
     q.text ')'
   end
 
+  def to_json(*args)
+    h = self.props
+    m = h.merge({ JSON.create_id => self.class.name })
+    m.to_json(*args)
+  end
+
   init
 end
 

data/lib/rbvmomi/connection.rb

@@ -1,4 +1,6 @@
-# Copyright (c) 2010 VMware, Inc.  All Rights Reserved.
+# Copyright (c) 2011-2017 VMware, Inc.  All Rights Reserved.
+# SPDX-License-Identifier: MIT
+
 require 'time'
 require 'date'
 require 'rbvmomi/trivial_soap'
@@ -21,7 +23,7 @@ class Connection < TrivialSoap
   attr_reader :profile_summary
   attr_accessor :profiling
   attr_reader :deserializer
-  
+
   def initialize opts
     @ns = opts[:ns] or fail "no namespace specified"
     @rev = opts[:rev] or fail "no revision specified"
@@ -30,7 +32,7 @@ class Connection < TrivialSoap
     @profiling = false
     super opts
   end
-  
+
   def reset_profiling
     @profile = {}
     @profile_summary = {:network_latency => 0, :request_emit => 0, :response_parse => 0, :num_calls => 0}
@@ -88,7 +90,7 @@ class Connection < TrivialSoap
 
     t3 = Time.now
     out = parse_response resp, desc['result']
-    
+
     if @profiling
       t4 = Time.now
       @profile[method] ||= []
@@ -96,8 +98,8 @@ class Connection < TrivialSoap
         :network_latency => (t3 - t2),
         :request_emit => t2 - t1,
         :response_parse => t4 - t3,
-        :params => params, 
-        :obj => this, 
+        :params => params,
+        :obj => this,
         :backtrace => caller,
         :request_size => body.length,
         :response_size => resp_size,
@@ -108,7 +110,7 @@ class Connection < TrivialSoap
       @profile_summary[:request_emit] += profile_info[:request_emit]
       @profile_summary[:num_calls] += 1
     end
-    
+
     out
   end
 
@@ -137,7 +139,7 @@ class Connection < TrivialSoap
     when BasicTypes::DataObject
       if expected and not expected >= o.class and not expected == BasicTypes::AnyType
         fail "expected #{expected.wsdl_name} for '#{name}', got #{o.class.wsdl_name} for field #{name.inspect}"
-      end 
+      end
       xml.tag! name, attrs.merge("xsi:type" => o.class.wsdl_name) do
         o.class.full_props_desc.each do |desc|
           if o.props.member? desc['name'].to_sym
@@ -221,7 +223,7 @@ class Connection < TrivialSoap
   def type name
     self.class.type name
   end
-  
+
   def instanceUuid
     nil
   end

data/lib/rbvmomi/deserialization.rb

@@ -1,4 +1,6 @@
-# Copyright (c) 2011 VMware, Inc.  All Rights Reserved.
+# Copyright (c) 2011-2017 VMware, Inc.  All Rights Reserved.
+# SPDX-License-Identifier: MIT
+
 require 'time'
 
 module RbVmomi
@@ -99,7 +101,6 @@ class NewDeserializer
     obj = klass.new nil
     props = obj.props
     children = node.children.select(&:element?)
-    n = children.size
     i = 0
 
     klass.full_props_desc.each do |desc|
@@ -150,7 +151,7 @@ class NewDeserializer
       h[child.name] = child.content
     end
     [h['key'], h['value']]
-  end 
+  end
 end
 
 class OldDeserializer

data/lib/rbvmomi/fault.rb

@@ -1,4 +1,6 @@
-# Copyright (c) 2010 VMware, Inc.  All Rights Reserved.
+# Copyright (c) 2011-2017 VMware, Inc.  All Rights Reserved.
+# SPDX-License-Identifier: MIT
+
 module RbVmomi
 
 class Fault < StandardError

data/lib/rbvmomi/{trollop.rb → optimist.rb}

@@ -1,17 +1,19 @@
-# Copyright (c) 2011 VMware, Inc.  All Rights Reserved.
-require 'trollop'
+# Copyright (c) 2010-2017 VMware, Inc.  All Rights Reserved.
+# SPDX-License-Identifier: MIT
 
-# Convenience methods for Trollop, Ruby's premier option parser.
-# @see http://trollop.rubyforge.org/
-# @see Trollop::Parser
-module Trollop
+require 'optimist'
 
-# Convenience methods for Trollop, Ruby's premier option parser.
+# Convenience methods for Optimist, Ruby's premier option parser.
+# @see http://optimist.rubyforge.org/
+# @see Optimist::Parser
+module Optimist
+
+# Convenience methods for Optimist, Ruby's premier option parser.
 #
 # See the examples directory for sample code.
 # Descriptions are of the form:
 #  <key>: <options> <environment variable> (<default>)
-# @see http://trollop.rubyforge.org/
+# @see http://optimist.rubyforge.org/
 class Parser
   # Options used by VIM.connect
   #

data/lib/rbvmomi/pbm.rb

@@ -1,4 +1,6 @@
-# Copyright (c) 2012 VMware, Inc.  All Rights Reserved.
+# Copyright (c) 2012-2017 VMware, Inc.  All Rights Reserved.
+# SPDX-License-Identifier: MIT
+
 require 'rbvmomi'
 
 module RbVmomi

data/lib/rbvmomi/sms.rb

@@ -1,4 +1,6 @@
-# Copyright (c) 2013 VMware, Inc.  All Rights Reserved.
+# Copyright (c) 2013-2017 VMware, Inc.  All Rights Reserved.
+# SPDX-License-Identifier: MIT
+
 require 'rbvmomi'
 module RbVmomi
 

data/lib/rbvmomi/sms/SmsStorageManager.rb

@@ -1,3 +1,6 @@
+# Copyright (c) 2013-2017 VMware, Inc.  All Rights Reserved.
+# SPDX-License-Identifier: MIT
+
 class RbVmomi::SMS::SmsStorageManager
 
   def RegisterProvider_Task2 providerSpec

data/lib/rbvmomi/sso.rb

@@ -0,0 +1,313 @@
+require 'base64'
+require 'net/https'
+require 'nokogiri'
+require 'openssl'
+require 'securerandom'
+require 'time'
+
+module RbVmomi
+  # Provides access to vCenter Single Sign-On
+  class SSO
+    BST_PROFILE = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'.freeze
+    C14N_CLASS = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+    C14N_METHOD = 'http://www.w3.org/2001/10/xml-exc-c14n#'.freeze
+    DIGEST_METHOD = 'http://www.w3.org/2001/04/xmlenc#sha512'.freeze
+    ENCODING_METHOD = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'.freeze
+    SIGNATURE_METHOD = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'.freeze
+    STS_PATH = '/sts/STSService'.freeze
+    TOKEN_TYPE = 'urn:oasis:names:tc:SAML:2.0:assertion'.freeze
+    TOKEN_PROFILE = 'http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0'.freeze
+    NAMESPACES = {
+      :ds => 'http://www.w3.org/2000/09/xmldsig#',
+      :soap => 'http://schemas.xmlsoap.org/soap/envelope/',
+      :wsse => 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd',
+      :wsse11 => 'http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd',
+      :wst => 'http://docs.oasis-open.org/ws-sx/ws-trust/200512',
+      :wsu => 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
+    }.freeze
+
+    attr_reader :assertion,
+                :assertion_id,
+                :certificate,
+                :host,
+                :user,
+                :password,
+                :path,
+                :port,
+                :private_key
+
+    # Creates an instance of an SSO object
+    #
+    # @param [Hash] opts the options to create the object with
+    # @option opts [String] :host the host to connect to
+    # @option opts [Fixnum] :port (443) the port to connect to
+    # @option opts [String] :path the path to call
+    # @option opts [String] :user the user to authenticate with
+    # @option opts [String] :password the password to authenticate with
+    # @option opts [String] :private_key the private key to use
+    # @option opts [String] :certificate the certificate to use
+    # @option opts [Boolean] :insecure (false) whether to connect insecurely
+    def initialize(opts = {})
+      @host     = opts[:host]
+      @insecure = opts.fetch(:insecure, false)
+      @password = opts[:password]
+      @path     = opts.fetch(:path, STS_PATH)
+      @port     = opts.fetch(:port, 443)
+      @user     = opts[:user]
+
+      load_x509(opts[:private_key], opts[:certificate])
+    end
+
+    def request_token
+      req = sso_call(hok_token_request)
+
+      unless req.is_a?(Net::HTTPSuccess)
+        resp = Nokogiri::XML(req.body)
+        resp.remove_namespaces!
+        raise(resp.at_xpath('//Envelope/Body/Fault/faultstring/text()'))
+      end
+
+      extract_assertion(req.body)
+    end
+
+    def sign_request(request)
+      raise('Need SAML2 assertion') unless @assertion
+      raise('No SAML2 assertion ID') unless @assertion_id
+
+      request_id = generate_id
+      timestamp_id = generate_id
+
+      request = request.is_a?(String) ? Nokogiri::XML(request) : request
+      builder = Nokogiri::XML::Builder.new do |xml|
+        xml[:soap].Header(Hash[NAMESPACES.map { |ns, uri| ["xmlns:#{ns}", uri] }]) do
+          xml[:wsse].Security do
+            wsu_timestamp(xml, timestamp_id)
+            ds_signature(xml, request_id, timestamp_id) do |x|
+              x[:wsse].SecurityTokenReference('wsse11:TokenType' => TOKEN_PROFILE) do
+                x[:wsse].KeyIdentifier(
+                  @assertion_id,
+                  'ValueType' => 'http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID'
+                )
+              end
+            end
+          end
+        end
+      end
+
+      # To avoid Nokogiri mangling the token, we replace it as a string
+      # later on. Figure out a way around this.
+      builder.doc.at_xpath('//soap:Header/wsse:Security/wsu:Timestamp').add_previous_sibling(Nokogiri::XML::Text.new('SAML_ASSERTION_PLACEHOLDER', builder.doc))
+
+      request.at_xpath('//soap:Envelope', NAMESPACES).tap do |e|
+        NAMESPACES.each do |ns, uri|
+          e.add_namespace(ns.to_s, uri)
+        end
+      end
+      request.xpath('//soap:Envelope/soap:Body').each do |body|
+        body.add_previous_sibling(builder.doc.root)
+        body.add_namespace('wsu', NAMESPACES[:wsu])
+        body['wsu:Id'] = request_id
+      end
+
+      signed = sign(request)
+      signed.gsub!('SAML_ASSERTION_PLACEHOLDER', @assertion.to_xml(:indent => 0, :save_with => Nokogiri::XML::Node::SaveOptions::AS_XML).strip)
+
+      signed
+    end
+
+    # We default to Issue, since that's all we currently need.
+    def sso_call(body)
+      sso_url = URI::HTTPS.build(:host => @host, :port => @port, :path => @path)
+      http = Net::HTTP.new(sso_url.host, sso_url.port)
+      http.use_ssl = true
+      http.verify_mode = OpenSSL::SSL::VERIFY_NONE if @insecure
+
+      req = Net::HTTP::Post.new(sso_url.request_uri)
+      req.add_field('Accept', 'text/xml, multipart/related')
+      req.add_field('User-Agent', "VMware/RbVmomi #{RbVmomi::VERSION}")
+      req.add_field('SOAPAction', 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue')
+      req.content_type = 'text/xml; charset="UTF-8"'
+      req.body = body
+
+      http.request(req)
+    end
+
+    private
+
+    def hok_token_request
+      request_id = generate_id
+      security_token_id = generate_id
+      signature_id = generate_id
+      timestamp_id = generate_id
+
+      datum = Time.now.utc
+      created_at = datum.iso8601
+      token_expires_at = (datum + 1800).iso8601
+
+      builder = Nokogiri::XML::Builder.new do |xml|
+        xml[:soap].Envelope(Hash[NAMESPACES.map { |ns, uri| ["xmlns:#{ns}", uri] }]) do
+          xml[:soap].Header do
+            xml[:wsse].Security do
+              wsu_timestamp(xml, timestamp_id, datum)
+              wsse_username_token(xml)
+              wsse_binary_security_token(xml, security_token_id)
+              ds_signature(xml, request_id, timestamp_id, signature_id) do |x|
+                x[:wsse].SecurityTokenReference do
+                  x[:wsse].Reference(
+                    'URI' => "##{security_token_id}",
+                    'ValueType' => BST_PROFILE
+                  )
+                end
+              end
+            end
+          end
+          xml[:soap].Body('wsu:Id' => request_id) do
+            xml[:wst].RequestSecurityToken do
+              xml[:wst].TokenType(TOKEN_TYPE)
+              xml[:wst].RequestType('http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue')
+              xml[:wst].Lifetime do
+                xml[:wsu].Created(created_at)
+                xml[:wsu].Expires(token_expires_at)
+              end
+              xml[:wst].Renewing('Allow' => 'false', 'OK' => 'false')
+              xml[:wst].KeyType('http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey')
+              xml[:wst].SignatureAlgorithm(SIGNATURE_METHOD)
+              xml[:wst].Delegatable('false')
+            end
+            xml[:wst].UseKey('Sig' => signature_id)
+          end
+        end
+      end
+
+      sign(builder.doc)
+    end
+
+    def extract_assertion(sso_response)
+      sso_response = Nokogiri::XML(sso_response) if sso_response.is_a?(String)
+      namespaces = sso_response.collect_namespaces
+
+      # Doesn't matter that usually there's more than one NS with the same
+      # URI - either will work for XPath. We just don't want to hardcode
+      # xmlns:saml2.
+      token_ns = namespaces.find { |_, uri| uri == TOKEN_TYPE }.first.gsub(/^xmlns:/, '')
+
+      @assertion = sso_response.at_xpath("//#{token_ns}:Assertion", namespaces)
+      @assertion_id = @assertion.at_xpath("//#{token_ns}:Assertion/@ID", namespaces).value
+    end
+
+    def sign(doc)
+      signature_digest_references = doc.xpath('/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference/@URI', doc.collect_namespaces).map { |a| a.value.sub(/^#/, '') }
+      signature_digest_references.each do |ref|
+        data = doc.at_xpath("//*[@wsu:Id='#{ref}']", doc.collect_namespaces)
+        digest = Base64.strict_encode64(Digest::SHA2.new(512).digest(data.canonicalize(C14N_CLASS)))
+        digest_tag = doc.at_xpath("/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference[@URI='##{ref}']/ds:DigestValue", doc.collect_namespaces)
+        digest_tag.add_child(Nokogiri::XML::Text.new(digest, doc))
+      end
+
+      signed_info = doc.at_xpath('/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo', doc.collect_namespaces)
+      signature = Base64.strict_encode64(@private_key.sign(OpenSSL::Digest::SHA512.new, signed_info.canonicalize(C14N_CLASS)))
+      signature_value_tag = doc.at_xpath('/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignatureValue', doc.collect_namespaces)
+      signature_value_tag.add_child(Nokogiri::XML::Text.new(signature, doc))
+
+      doc.to_xml(:indent => 0, :save_with => Nokogiri::XML::Node::SaveOptions::AS_XML).strip
+    end
+
+    def load_x509(private_key, certificate)
+      @private_key = private_key ? private_key : OpenSSL::PKey::RSA.new(2048)
+      if @private_key.is_a? String
+        @private_key = OpenSSL::PKey::RSA.new(@private_key)
+      end
+
+      @certificate = certificate
+      if @certificate && !private_key
+        raise(ArgumentError, "Can't generate private key from a certificate")
+      end
+
+      if @certificate.is_a? String
+        @certificate = OpenSSL::X509::Certificate.new(@certificate)
+      end
+      # If only a private key is specified, we will generate a certificate.
+      unless @certificate
+        timestamp = Time.now.utc
+        @certificate = OpenSSL::X509::Certificate.new
+        @certificate.not_before = timestamp
+        @certificate.not_after = timestamp + 3600 # 3600 is 1 hour
+        @certificate.subject = OpenSSL::X509::Name.new([
+                                                         %w[O VMware],
+                                                         %w[OU RbVmomi],
+                                                         %W[CN #{@user}]
+                                                       ])
+        @certificate.issuer = @certificate.subject
+        @certificate.serial = rand(2**160)
+        @certificate.public_key = @private_key.public_key
+        @certificate.sign(@private_key, OpenSSL::Digest::SHA512.new)
+      end
+
+      true
+    end
+
+    def ds_signature(xml, request_id, timestamp_id, id = nil)
+      signature_id = {}
+      signature_id['Id'] = id if id
+      xml[:ds].Signature(signature_id) do
+        ds_signed_info(xml, request_id, timestamp_id)
+        xml[:ds].SignatureValue
+        xml[:ds].KeyInfo do
+          yield xml
+        end
+      end
+    end
+
+    def ds_signed_info(xml, request_id, timestamp_id)
+      xml[:ds].SignedInfo do
+        xml[:ds].CanonicalizationMethod('Algorithm' => C14N_METHOD)
+        xml[:ds].SignatureMethod('Algorithm' => SIGNATURE_METHOD)
+        xml[:ds].Reference('URI' => "##{request_id}") do
+          xml[:ds].Transforms do
+            xml[:ds].Transform('Algorithm' => C14N_METHOD)
+          end
+          xml[:ds].DigestMethod('Algorithm' => DIGEST_METHOD)
+          xml[:ds].DigestValue
+        end
+        xml[:ds].Reference('URI' => "##{timestamp_id}") do
+          xml[:ds].Transforms do
+            xml[:ds].Transform('Algorithm' => C14N_METHOD)
+          end
+          xml[:ds].DigestMethod('Algorithm' => DIGEST_METHOD)
+          xml[:ds].DigestValue
+        end
+      end
+    end
+
+    def wsu_timestamp(xml, id, datum = nil)
+      datum ||= Time.now.utc
+      created_at = datum.iso8601
+      expires_at = (datum + 600).iso8601
+
+      xml[:wsu].Timestamp('wsu:Id' => id) do
+        xml[:wsu].Created(created_at)
+        xml[:wsu].Expires(expires_at)
+      end
+    end
+
+    def wsse_username_token(xml)
+      xml[:wsse].UsernameToken do
+        xml[:wsse].Username(@user)
+        xml[:wsse].Password(@password)
+      end
+    end
+
+    def wsse_binary_security_token(xml, id)
+      xml[:wsse].BinarySecurityToken(
+        Base64.strict_encode64(@certificate.to_der),
+        'EncodingType' => ENCODING_METHOD,
+        'ValueType' => BST_PROFILE,
+        'wsu:Id' => id
+      )
+    end
+
+    def generate_id
+      "_#{SecureRandom.uuid}"
+    end
+  end
+end