rbvmomi2 3.0.0

data/lib/rbvmomi/sms.rb

@@ -0,0 +1,63 @@
+# Copyright (c) 2013-2017 VMware, Inc.  All Rights Reserved.
+# SPDX-License-Identifier: MIT
+
+require_relative '../rbvmomi'
+module RbVmomi
+
+# A connection to one vSphere SMS endpoint.
+# @see #serviceInstance
+class SMS < Connection
+  # Connect to a vSphere SMS endpoint
+  #
+  # @param [VIM] Connection to main vSphere API endpoint
+  # @param [Hash] opts The options hash.
+  # @option opts [String]  :host Host to connect to.
+  # @option opts [Numeric] :port (443) Port to connect to.
+  # @option opts [Boolean] :ssl (true) Whether to use SSL.
+  # @option opts [Boolean] :insecure (false) If true, ignore SSL certificate errors.
+  # @option opts [String]  :path (/sms/sdk) SDK endpoint path.
+  # @option opts [Boolean] :debug (false) If true, print SOAP traffic to stderr.
+  def self.connect vim, opts = {}
+    fail unless opts.is_a? Hash
+    opts[:host] = vim.host
+    opts[:ssl] = true unless opts.member? :ssl or opts[:"no-ssl"]
+    opts[:insecure] ||= true
+    opts[:port] ||= (opts[:ssl] ? 443 : 80)
+    opts[:path] ||= '/sms/sdk'
+    opts[:ns] ||= 'urn:sms'
+    rev_given = opts[:rev] != nil
+    opts[:rev] = '4.0' unless rev_given
+    opts[:debug] = (!ENV['RBVMOMI_DEBUG'].empty? rescue false) unless opts.member? :debug
+
+    new(opts).tap do |sms|
+      sms.vcSessionCookie = vim.cookie.split('"')[1]
+    end
+  end
+
+  def vcSessionCookie= cookie
+    @vcSessionCookie = cookie
+  end
+
+  def rev= x
+    super
+    @serviceContent = nil
+  end
+
+  # Return the ServiceInstance
+  #
+  # The ServiceInstance is the root of the vSphere inventory.
+  def serviceInstance
+    @serviceInstance ||= VIM::SmsServiceInstance self, 'ServiceInstance'
+  end
+
+  # @private
+  def pretty_print pp
+    pp.text "SMS(#{@opts[:host]})"
+  end
+
+  add_extension_dir File.join(File.dirname(__FILE__), "sms")
+  load_vmodl(ENV['VMODL'] || File.join(File.dirname(__FILE__), "../../vmodl.db"))
+end
+
+end
+

data/lib/rbvmomi/sso.rb

@@ -0,0 +1,313 @@
+require 'base64'
+require 'net/https'
+require 'nokogiri'
+require 'openssl'
+require 'securerandom'
+require 'time'
+
+module RbVmomi
+  # Provides access to vCenter Single Sign-On
+  class SSO
+    BST_PROFILE = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'.freeze
+    C14N_CLASS = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+    C14N_METHOD = 'http://www.w3.org/2001/10/xml-exc-c14n#'.freeze
+    DIGEST_METHOD = 'http://www.w3.org/2001/04/xmlenc#sha512'.freeze
+    ENCODING_METHOD = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'.freeze
+    SIGNATURE_METHOD = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'.freeze
+    STS_PATH = '/sts/STSService'.freeze
+    TOKEN_TYPE = 'urn:oasis:names:tc:SAML:2.0:assertion'.freeze
+    TOKEN_PROFILE = 'http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0'.freeze
+    NAMESPACES = {
+      :ds => 'http://www.w3.org/2000/09/xmldsig#',
+      :soap => 'http://schemas.xmlsoap.org/soap/envelope/',
+      :wsse => 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd',
+      :wsse11 => 'http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd',
+      :wst => 'http://docs.oasis-open.org/ws-sx/ws-trust/200512',
+      :wsu => 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
+    }.freeze
+
+    attr_reader :assertion,
+                :assertion_id,
+                :certificate,
+                :host,
+                :user,
+                :password,
+                :path,
+                :port,
+                :private_key
+
+    # Creates an instance of an SSO object
+    #
+    # @param [Hash] opts the options to create the object with
+    # @option opts [String] :host the host to connect to
+    # @option opts [Fixnum] :port (443) the port to connect to
+    # @option opts [String] :path the path to call
+    # @option opts [String] :user the user to authenticate with
+    # @option opts [String] :password the password to authenticate with
+    # @option opts [String] :private_key the private key to use
+    # @option opts [String] :certificate the certificate to use
+    # @option opts [Boolean] :insecure (false) whether to connect insecurely
+    def initialize(opts = {})
+      @host     = opts[:host]
+      @insecure = opts.fetch(:insecure, false)
+      @password = opts[:password]
+      @path     = opts.fetch(:path, STS_PATH)
+      @port     = opts.fetch(:port, 443)
+      @user     = opts[:user]
+
+      load_x509(opts[:private_key], opts[:certificate])
+    end
+
+    def request_token
+      req = sso_call(hok_token_request)
+
+      unless req.is_a?(Net::HTTPSuccess)
+        resp = Nokogiri::XML(req.body)
+        resp.remove_namespaces!
+        raise(resp.at_xpath('//Envelope/Body/Fault/faultstring/text()'))
+      end
+
+      extract_assertion(req.body)
+    end
+
+    def sign_request(request)
+      raise('Need SAML2 assertion') unless @assertion
+      raise('No SAML2 assertion ID') unless @assertion_id
+
+      request_id = generate_id
+      timestamp_id = generate_id
+
+      request = request.is_a?(String) ? Nokogiri::XML(request) : request
+      builder = Nokogiri::XML::Builder.new do |xml|
+        xml[:soap].Header(Hash[NAMESPACES.map { |ns, uri| ["xmlns:#{ns}", uri] }]) do
+          xml[:wsse].Security do
+            wsu_timestamp(xml, timestamp_id)
+            ds_signature(xml, request_id, timestamp_id) do |x|
+              x[:wsse].SecurityTokenReference('wsse11:TokenType' => TOKEN_PROFILE) do
+                x[:wsse].KeyIdentifier(
+                  @assertion_id,
+                  'ValueType' => 'http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID'
+                )
+              end
+            end
+          end
+        end
+      end
+
+      # To avoid Nokogiri mangling the token, we replace it as a string
+      # later on. Figure out a way around this.
+      builder.doc.at_xpath('//soap:Header/wsse:Security/wsu:Timestamp').add_previous_sibling(Nokogiri::XML::Text.new('SAML_ASSERTION_PLACEHOLDER', builder.doc))
+
+      request.at_xpath('//soap:Envelope', NAMESPACES).tap do |e|
+        NAMESPACES.each do |ns, uri|
+          e.add_namespace(ns.to_s, uri)
+        end
+      end
+      request.xpath('//soap:Envelope/soap:Body').each do |body|
+        body.add_previous_sibling(builder.doc.root)
+        body.add_namespace('wsu', NAMESPACES[:wsu])
+        body['wsu:Id'] = request_id
+      end
+
+      signed = sign(request)
+      signed.gsub!('SAML_ASSERTION_PLACEHOLDER', @assertion.to_xml(:indent => 0, :save_with => Nokogiri::XML::Node::SaveOptions::AS_XML).strip)
+
+      signed
+    end
+
+    # We default to Issue, since that's all we currently need.
+    def sso_call(body)
+      sso_url = URI::HTTPS.build(:host => @host, :port => @port, :path => @path)
+      http = Net::HTTP.new(sso_url.host, sso_url.port)
+      http.use_ssl = true
+      http.verify_mode = OpenSSL::SSL::VERIFY_NONE if @insecure
+
+      req = Net::HTTP::Post.new(sso_url.request_uri)
+      req.add_field('Accept', 'text/xml, multipart/related')
+      req.add_field('User-Agent', "VMware/RbVmomi #{RbVmomi::VERSION}")
+      req.add_field('SOAPAction', 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue')
+      req.content_type = 'text/xml; charset="UTF-8"'
+      req.body = body
+
+      http.request(req)
+    end
+
+    private
+
+    def hok_token_request
+      request_id = generate_id
+      security_token_id = generate_id
+      signature_id = generate_id
+      timestamp_id = generate_id
+
+      datum = Time.now.utc
+      created_at = datum.iso8601
+      token_expires_at = (datum + 1800).iso8601
+
+      builder = Nokogiri::XML::Builder.new do |xml|
+        xml[:soap].Envelope(Hash[NAMESPACES.map { |ns, uri| ["xmlns:#{ns}", uri] }]) do
+          xml[:soap].Header do
+            xml[:wsse].Security do
+              wsu_timestamp(xml, timestamp_id, datum)
+              wsse_username_token(xml)
+              wsse_binary_security_token(xml, security_token_id)
+              ds_signature(xml, request_id, timestamp_id, signature_id) do |x|
+                x[:wsse].SecurityTokenReference do
+                  x[:wsse].Reference(
+                    'URI' => "##{security_token_id}",
+                    'ValueType' => BST_PROFILE
+                  )
+                end
+              end
+            end
+          end
+          xml[:soap].Body('wsu:Id' => request_id) do
+            xml[:wst].RequestSecurityToken do
+              xml[:wst].TokenType(TOKEN_TYPE)
+              xml[:wst].RequestType('http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue')
+              xml[:wst].Lifetime do
+                xml[:wsu].Created(created_at)
+                xml[:wsu].Expires(token_expires_at)
+              end
+              xml[:wst].Renewing('Allow' => 'false', 'OK' => 'false')
+              xml[:wst].KeyType('http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey')
+              xml[:wst].SignatureAlgorithm(SIGNATURE_METHOD)
+              xml[:wst].Delegatable('false')
+            end
+            xml[:wst].UseKey('Sig' => signature_id)
+          end
+        end
+      end
+
+      sign(builder.doc)
+    end
+
+    def extract_assertion(sso_response)
+      sso_response = Nokogiri::XML(sso_response) if sso_response.is_a?(String)
+      namespaces = sso_response.collect_namespaces
+
+      # Doesn't matter that usually there's more than one NS with the same
+      # URI - either will work for XPath. We just don't want to hardcode
+      # xmlns:saml2.
+      token_ns = namespaces.find { |_, uri| uri == TOKEN_TYPE }.first.gsub(/^xmlns:/, '')
+
+      @assertion = sso_response.at_xpath("//#{token_ns}:Assertion", namespaces)
+      @assertion_id = @assertion.at_xpath("//#{token_ns}:Assertion/@ID", namespaces).value
+    end
+
+    def sign(doc)
+      signature_digest_references = doc.xpath('/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference/@URI', doc.collect_namespaces).map { |a| a.value.sub(/^#/, '') }
+      signature_digest_references.each do |ref|
+        data = doc.at_xpath("//*[@wsu:Id='#{ref}']", doc.collect_namespaces)
+        digest = Base64.strict_encode64(Digest::SHA2.new(512).digest(data.canonicalize(C14N_CLASS)))
+        digest_tag = doc.at_xpath("/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference[@URI='##{ref}']/ds:DigestValue", doc.collect_namespaces)
+        digest_tag.add_child(Nokogiri::XML::Text.new(digest, doc))
+      end
+
+      signed_info = doc.at_xpath('/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo', doc.collect_namespaces)
+      signature = Base64.strict_encode64(@private_key.sign(OpenSSL::Digest::SHA512.new, signed_info.canonicalize(C14N_CLASS)))
+      signature_value_tag = doc.at_xpath('/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignatureValue', doc.collect_namespaces)
+      signature_value_tag.add_child(Nokogiri::XML::Text.new(signature, doc))
+
+      doc.to_xml(:indent => 0, :save_with => Nokogiri::XML::Node::SaveOptions::AS_XML).strip
+    end
+
+    def load_x509(private_key, certificate)
+      @private_key = private_key ? private_key : OpenSSL::PKey::RSA.new(2048)
+      if @private_key.is_a? String
+        @private_key = OpenSSL::PKey::RSA.new(@private_key)
+      end
+
+      @certificate = certificate
+      if @certificate && !private_key
+        raise(ArgumentError, "Can't generate private key from a certificate")
+      end
+
+      if @certificate.is_a? String
+        @certificate = OpenSSL::X509::Certificate.new(@certificate)
+      end
+      # If only a private key is specified, we will generate a certificate.
+      unless @certificate
+        timestamp = Time.now.utc
+        @certificate = OpenSSL::X509::Certificate.new
+        @certificate.not_before = timestamp
+        @certificate.not_after = timestamp + 3600 # 3600 is 1 hour
+        @certificate.subject = OpenSSL::X509::Name.new([
+                                                         %w[O VMware],
+                                                         %w[OU RbVmomi],
+                                                         %W[CN #{@user}]
+                                                       ])
+        @certificate.issuer = @certificate.subject
+        @certificate.serial = rand(2**160)
+        @certificate.public_key = @private_key.public_key
+        @certificate.sign(@private_key, OpenSSL::Digest::SHA512.new)
+      end
+
+      true
+    end
+
+    def ds_signature(xml, request_id, timestamp_id, id = nil)
+      signature_id = {}
+      signature_id['Id'] = id if id
+      xml[:ds].Signature(signature_id) do
+        ds_signed_info(xml, request_id, timestamp_id)
+        xml[:ds].SignatureValue
+        xml[:ds].KeyInfo do
+          yield xml
+        end
+      end
+    end
+
+    def ds_signed_info(xml, request_id, timestamp_id)
+      xml[:ds].SignedInfo do
+        xml[:ds].CanonicalizationMethod('Algorithm' => C14N_METHOD)
+        xml[:ds].SignatureMethod('Algorithm' => SIGNATURE_METHOD)
+        xml[:ds].Reference('URI' => "##{request_id}") do
+          xml[:ds].Transforms do
+            xml[:ds].Transform('Algorithm' => C14N_METHOD)
+          end
+          xml[:ds].DigestMethod('Algorithm' => DIGEST_METHOD)
+          xml[:ds].DigestValue
+        end
+        xml[:ds].Reference('URI' => "##{timestamp_id}") do
+          xml[:ds].Transforms do
+            xml[:ds].Transform('Algorithm' => C14N_METHOD)
+          end
+          xml[:ds].DigestMethod('Algorithm' => DIGEST_METHOD)
+          xml[:ds].DigestValue
+        end
+      end
+    end
+
+    def wsu_timestamp(xml, id, datum = nil)
+      datum ||= Time.now.utc
+      created_at = datum.iso8601
+      expires_at = (datum + 600).iso8601
+
+      xml[:wsu].Timestamp('wsu:Id' => id) do
+        xml[:wsu].Created(created_at)
+        xml[:wsu].Expires(expires_at)
+      end
+    end
+
+    def wsse_username_token(xml)
+      xml[:wsse].UsernameToken do
+        xml[:wsse].Username(@user)
+        xml[:wsse].Password(@password)
+      end
+    end
+
+    def wsse_binary_security_token(xml, id)
+      xml[:wsse].BinarySecurityToken(
+        Base64.strict_encode64(@certificate.to_der),
+        'EncodingType' => ENCODING_METHOD,
+        'ValueType' => BST_PROFILE,
+        'wsu:Id' => id
+      )
+    end
+
+    def generate_id
+      "_#{SecureRandom.uuid}"
+    end
+  end
+end

data/lib/rbvmomi/trivial_soap.rb

@@ -0,0 +1,122 @@
+# Copyright (c) 2011-2017 VMware, Inc.  All Rights Reserved.
+# SPDX-License-Identifier: MIT
+
+require 'rubygems'
+require 'builder'
+require 'nokogiri'
+require 'net/http'
+require 'pp'
+
+class RbVmomi::TrivialSoap
+  attr_accessor :debug, :cookie, :operation_id
+  attr_reader :http
+
+  def initialize opts
+    fail unless opts.is_a? Hash
+    @opts = opts
+    return unless @opts[:host] # for testcases
+    @debug = @opts[:debug]
+    @cookie = @opts[:cookie]
+    @sso = @opts[:sso]
+    @operation_id = @opts[:operation_id]
+    @lock = Mutex.new
+    @http = nil
+    restart_http
+  end
+
+  def host
+    @opts[:host]
+  end
+
+  def close
+    @http.finish rescue IOError
+  end
+
+  def restart_http
+    begin 
+      @http.finish if @http
+    rescue Exception => ex
+      puts "WARNING: Ignoring exception: #{ex.message}"
+      puts ex.backtrace.join("\n")
+    end
+    @http = Net::HTTP.new(@opts[:host], @opts[:port], @opts[:proxyHost], @opts[:proxyPort])
+    if @opts[:ssl]
+      require 'net/https'
+      @http.use_ssl = true
+      @http.verify_mode = OpenSSL::SSL::VERIFY_NONE if @opts[:insecure]
+      @http.ca_file = @opts[:ca_file] if @opts[:ca_file]
+      @http.cert = OpenSSL::X509::Certificate.new(@opts[:cert]) if @opts[:cert]
+      @http.key = OpenSSL::PKey::RSA.new(@opts[:key]) if @opts[:key]
+    end
+    @http.set_debug_output(STDERR) if $DEBUG
+    @http.read_timeout = @opts[:read_timeout] || 1000000
+    @http.open_timeout = @opts[:open_timeout] || 60
+    def @http.on_connect
+      @socket.io.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
+    end
+    @http.start
+  end
+
+  def soap_envelope
+    xsd = 'http://www.w3.org/2001/XMLSchema'
+    env = 'http://schemas.xmlsoap.org/soap/envelope/'
+    xsi = 'http://www.w3.org/2001/XMLSchema-instance'
+    xml = Builder::XmlMarkup.new :indent => 0
+    xml.tag!('env:Envelope', 'xmlns:xsd' => xsd, 'xmlns:env' => env, 'xmlns:xsi' => xsi) do
+      if @vcSessionCookie || @operation_id
+        xml.tag!('env:Header') do
+          xml.tag!('vcSessionCookie', @vcSessionCookie) if @vcSessionCookie
+          xml.tag!('operationID', @operation_id) if @operation_id
+        end
+      end
+
+      xml.tag!('env:Body') do
+        yield xml if block_given?
+      end
+    end
+    xml
+  end
+
+  def request action, body
+    headers = { 'content-type' => 'text/xml; charset=utf-8', 'SOAPAction' => action }
+    headers['cookie'] = @cookie if @cookie
+
+    if @debug
+      $stderr.puts "Request:"
+      $stderr.puts body
+      $stderr.puts
+    end
+
+    if @cookie.nil? && @sso
+      @sso.request_token unless @sso.assertion_id
+      body = @sso.sign_request(body)
+    end
+
+    start_time = Time.now
+    response = @lock.synchronize do
+      begin
+        @http.request_post(@opts[:path], body, headers)
+      rescue Exception
+        restart_http
+        raise
+      end
+    end
+    end_time = Time.now
+    
+    if response.is_a? Net::HTTPServiceUnavailable
+      raise "Got HTTP 503: Service unavailable"
+    end
+
+    self.cookie = response['set-cookie'] if response.key? 'set-cookie'
+
+    nk = Nokogiri(response.body)
+
+    if @debug
+      $stderr.puts "Response (in #{'%.3f' % (end_time - start_time)} s)"
+      $stderr.puts nk
+      $stderr.puts
+    end
+
+    [nk.xpath('//soapenv:Body/*').select(&:element?).first, response.body.size]
+  end
+end

data/lib/rbvmomi/type_loader.rb

@@ -0,0 +1,138 @@
+# Copyright (c) 2011-2017 VMware, Inc.  All Rights Reserved.
+# SPDX-License-Identifier: MIT
+
+require 'set'
+require 'monitor'
+
+module RbVmomi
+
+class TypeLoader
+  def initialize fn, extension_dirs, namespace
+    @extension_dirs = extension_dirs
+    @namespace = namespace
+    @lock = Monitor.new
+    @db = {}
+    @id2wsdl = {}
+    @loaded = {}
+    add_types Hash[BasicTypes::BUILTIN.map { |k| [k,nil] }]
+    vmodl_database = File.open(fn, 'r') { |io| Marshal.load io }
+    vmodl_database.reject! { |k,v| k =~ /^_/ }
+    add_types vmodl_database
+    preload
+  end
+
+  def preload
+    names = (@namespace.constants + Object.constants).map(&:to_s).uniq.
+                                                      select { |x| has? x }
+    names.each { |x| get(x) }
+  end
+
+  # Reload all extensions for loaded VMODL types
+  def reload_extensions
+    @extension_dirs.each do |path|
+      reload_extensions_dir path
+    end
+  end
+
+  # Reload all extensions for loaded VMODL types from the given directory
+  def reload_extensions_dir path
+    loaded = Set.new(typenames.select { |x| @namespace.const_defined? x })
+    Dir.open(path) do |dir|
+      dir.each do |file|
+        next unless file =~ /\.rb$/
+        next unless loaded.member? $`
+        file_path = File.join(dir, file)
+        load file_path
+      end
+    end
+  end
+
+  def has? name
+    fail unless name.is_a? String
+
+    @db.member?(name) or BasicTypes::BUILTIN.member?(name)
+  end
+
+  def get name
+    fail "name '#{name}' is #{name.class} expecting String" unless name.is_a? String
+
+    first_char = name[0].chr
+    if first_char.downcase == first_char
+      name = "%s%s" % [first_char.upcase, name[1..-1]]
+    end
+
+    return @loaded[name] if @loaded.member? name
+    @lock.synchronize do
+      return @loaded[name] if @loaded.member? name
+      klass = make_type(name)
+      @namespace.const_set name, klass
+      load_extension name
+      @loaded[name] = klass
+    end
+  end
+
+  def add_types types
+    @lock.synchronize do
+      @db.merge! types
+      @db = Hash[@db.map do |name, value|
+        if value
+          value['wsdl_name'] ||= name
+        end
+        first_char = name[0].chr
+        if first_char.downcase == first_char
+          name = "%s%s" % [first_char.upcase, name[1..-1]]
+        end
+        [name, value]
+      end]
+    end
+  end
+
+  def typenames
+    @db.keys
+  end
+
+  private
+
+  def load_extension name
+    @extension_dirs.map { |x| File.join(x, "#{name}.rb") }.
+                    select { |x| File.exist? x }.
+                    each { |x| load x }
+  end
+
+  def make_type name
+    name = name.to_s
+    return BasicTypes.const_get(name) if BasicTypes::BUILTIN.member? name
+    desc = @db[name] or fail "unknown VMODL type #{name}"
+    case desc['kind']
+    when 'data' then make_data_type name, desc
+    when 'managed' then make_managed_type name, desc
+    when 'enum' then make_enum_type name, desc
+    else fail desc.inspect
+    end
+  end
+
+  def make_data_type name, desc
+    superclass = get desc['wsdl_base']
+    Class.new(superclass).tap do |klass|
+      klass.init name, desc['props']
+      klass.wsdl_name = desc['wsdl_name']
+    end
+  end
+
+  def make_managed_type name, desc
+    superclass = get desc['wsdl_base']
+    Class.new(superclass).tap do |klass|
+      klass.init name, desc['props'], desc['methods']
+      klass.wsdl_name = desc['wsdl_name']
+    end
+  end
+
+  def make_enum_type name, desc
+    Class.new(BasicTypes::Enum).tap do |klass|
+      klass.init name, desc['values']
+      klass.wsdl_name = desc['wsdl_name']
+    end
+  end
+end
+
+end