Drupal AMFPHP Views.get Example With key Authentication and Parameters

Thur, 27 Oct 2011 21:57:56 EST

I first started exploring Drupal as a content management system for Flash-based kiosks over a year ago. Over the last year I have gotten a lot more used to Drupal, and especially to manipulating views. AMFPHP is only supported in Drupal 6, so that is what this example is based on. Examples of Drupal services key authentication with AMFPHP are few and far between, and even fewer show how to pass parameters to the views.get service call. This is a pure ActionScript 3 example using the NetConnection class. It assumes you have your desired views set up to accept URL-based parameters.

Key authentication in AMFPHP with Drupal requires what is known in cryptography as an HMAC. An HMAC is a keyed hash: a message authentication code computed over the message data together with a secret key, which here is the API key. The default choice of many for an HMAC would be as3corelib. The crypto in there requires Flex, so I use the awesome as3Crypto library instead. The parameters for views.get are not required to be included in the HMAC. The original example without the parameters was modified from the example at: Electricpineapple.

Getting initial key authentication going:

First, here is an ActionScript 3 class that I use with as3Crypto for performing the cryptographic steps:



package {

    import com.hurlant.crypto.hash.HMAC;
    import com.hurlant.crypto.hash.SHA256;
    import com.hurlant.crypto.Crypto;
    import com.hurlant.crypto.hash.IHash;
    import com.hurlant.util.Hex;
    import flash.utils.ByteArray;

    public class AmfPHPCryptoTools {

        // Returns [hash, domain, timestamp, nonce], the order the service call expects.
        public static function hashKey(serviceMethod:String, apiDomain:String, apiKey:String):Array {
            // Unix timestamp in seconds and a random nonce make each hash unique per call
            var captureTime:String = (Math.round((new Date().getTime()) / 1000)).toString();
            var captureRandom:String = randomString(10);

            // Message to authenticate: timestamp;domain;nonce;method
            var hashString:String = captureTime + ";";
            hashString += apiDomain + ";";
            hashString += captureRandom + ";";
            hashString += serviceMethod;

            // ----------- AS3Crypto SHA256 HMAC
            var hmac:HMAC = Crypto.getHMAC("sha256");
            // Convert the key and message strings to ByteArrays (string -> hex -> bytes)
            var kdata:ByteArray = Hex.toArray(Hex.fromString(apiKey));
            var data:ByteArray = Hex.toArray(Hex.fromString(hashString));

            // compute() returns raw bytes; encode them as a hex string for the service call
            var HmackedTextResult:String = Hex.fromArray(hmac.compute(kdata, data));

            return new Array(HmackedTextResult, apiDomain, captureTime, captureRandom);
        }

        // Builds the nonce. Math.random() is not a cryptographically secure generator.
        private static function randomString(Stringlength:Number):String {
            var allowedChar:String = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
            var allowedArray:Array = allowedChar.split("");
            var randomChars:String = "";
            for (var i:int = 0; i < Stringlength; i++) {
                randomChars += allowedArray[Math.floor(Math.random() * allowedArray.length)];
            }
            return randomChars;
        }

    }
}


OK, so with that class in place, I can show you how to use it, including the views.get parameters. You will first need an active session ID, which Drupal returns when you perform a system.connect call. Let's say I have a view named "awesome_view" that accepts one or more node IDs as parameters, my domain is localhost, and my key is d7ad6d8356a2e822c11d9301623e0549. I'm going to pass in 28 and 33 as "28+33" for the parameters of the view:


var AuthArr:Array = AmfPHPCryptoTools.hashKey("views.get", "localhost", "d7ad6d8356a2e822c11d9301623e0549");

// A responder to handle the callback from the NetConnection and Drupal
var myResponder:Responder = new Responder(handleDrupalResult, handleDrupalError);

// sessionId (placeholder variable name) holds the session ID returned from the Drupal system.connect method.
// netConn is an active NetConnection connected to the Drupal AMFPHP URL.
netConn.call("views.get", myResponder, AuthArr[0], AuthArr[1], AuthArr[2], AuthArr[3], sessionId, "awesome_view", "default", new Array("28+33"));

private function handleDrupalResult(_ResultObj:Object):void {
    // YAY Result object
}

// The Responder status handler is passed a fault Object, not an Error instance
private function handleDrupalError(fault:Object):void {
    // Super, now what?
}


The parameters are passed as an array containing a single string, with the values delimited by the + character. The "default" is the name of the view you want associated with the call.
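The receiving side of the scheme above, as an added example that is not code from the original post or from Drupal's Services module: it recomputes the HMAC over the same `timestamp;domain;nonce;method` string that hashKey() builds, compares it in constant time, and rejects stale timestamps and reused nonces. The class and function names, the 300-second window and the in-memory nonce cache are assumptions; the view name and arguments are not inputs because the post leaves them out of the HMAC.

```python
import hashlib
import hmac
import time

MAX_SKEW = 300  # assumed freshness window in seconds; not taken from the post

def sign(api_key, timestamp, domain, nonce, method):
    """HMAC-SHA256 over "timestamp;domain;nonce;method", hex encoded, as hashKey() does."""
    message = ";".join([timestamp, domain, nonce, method])
    return hmac.new(api_key.encode(), message.encode(), hashlib.sha256).hexdigest()

class KeyAuthVerifier:
    """Hypothetical receiving side: recompute the HMAC, check freshness, reject replays."""
    def __init__(self, api_key, domain):
        self.api_key = api_key
        self.domain = domain
        self.seen = {}  # nonce -> timestamp; in-memory replay cache (assumption)

    def verify(self, method, sig, domain, timestamp, nonce, now=None):
        # View name and arguments are not part of the signed string, so they are not checked.
        now = time.time() if now is None else now
        if domain != self.domain or not (timestamp.isascii() and timestamp.isdigit()):
            return "bad-request"
        expected = sign(self.api_key, timestamp, domain, nonce, method)
        # Constant-time comparison avoids leaking how many hex digits matched.
        if not hmac.compare_digest(expected, sig):
            return "bad-signature"
        if abs(now - int(timestamp)) > MAX_SKEW:
            return "stale"
        if nonce in self.seen:
            return "replay"
        # Nonces older than the window can be dropped; they fail the stale check anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        self.seen[nonce] = int(timestamp)
        return "ok"

def demo():
    key = "d7ad6d8356a2e822c11d9301623e0549"  # the example key from the post
    ts, nonce = "1319767076", "aB3dE5gH1j"    # constructed sample values
    sig = sign(key, ts, "localhost", nonce, "views.get")
    v = KeyAuthVerifier(key, "localhost")
    now = int(ts) + 5
    return [
        v.verify("views.get", sig, "localhost", ts, nonce, now),         # first use
        v.verify("views.get", sig, "localhost", ts, nonce, now),         # same nonce again
        v.verify("node.save", sig, "localhost", ts, nonce, now),         # method is signed
        v.verify("views.get", sig, "localhost", ts, nonce, now + 3600),  # outside the window
    ]
```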

Charles Palen has been involved in the technology sector for several years. His formal education focused on Enterprise Database Administration. He currently works as the principal software architect and manager at Transcending Digital where he can be hired for your next contract project. Charles is a full stack developer who has been on the front lines of small business and enterprise for over 10 years. Charles's current expertise covers the areas of .NET, Java, PHP, Node.js, JavaScript, HTML, and CSS. Charles created Technogumbo in 2008 as a way to share lessons learned while making original products.

Comments

Charles
January 30, 2012 3:34 pm

I haven't confirmed this at all, but after realizing how this works and comparing it to the recent news about the WPS security flaw in many wireless routers, isn't Drupal 6 key authentication susceptible to the same issues WPS has?

I know the keys are a lot longer and can be revoked, but won't they be relatively static for the life of a deployed solution?

I know a lot of the basis for WPS has to do with brute forcing 4 digits, which means 9x9x9x9 possibilities to brute force. Brute forcing the keys used with Drupal would take a lot lot longer.

Anyway, Security Now #337 WPS A Troubled Protocol goes into the vuln in detail.
