问题描述
心爱的 RabbitMQ 管理插件 有一个 HTTP API 通过纯 HTTP 请求管理 RabbitMQ.
The beloved RabbitMQ Management Plugin has a HTTP API to manage the RabbitMQ through plain HTTP requests.
我们需要以编程方式创建用户,而 HTTP API 是我们选择的方式.文档很少,但 API 非常简单直观.
We need to create users programatically, and the HTTP API was the chosen way to go. The documentation is scarce, but the API it's pretty simple and intuitive.
考虑到安全性,我们不想以纯文本形式传递用户密码,API 提供了一个字段来发送密码哈希值.从那里引用:
Concerned about the security, we don't want to pass the user password in plain text, and the API offers a field to send the password hash instead. Quote from there:
[ 获取 |放 |删除]/api/users/名称
[ GET | PUT | DELETE ] /api/users/name
个人用户.要放置用户,您将需要一个外观像这样:
An individual user. To PUT a user, you will need a body looking something like this:
{"password":"secret","tags":"administrator"}
或:
{"password_hash":"2lmoth8l4H0DViLaK9Fxi6l9ds8=", "tags":"administrator"}
标签键是强制性的.password 或 password_hash 必须设置.
The tags key is mandatory. Either password or password_hash must be set.
到目前为止,一切顺利,问题是:如何正确生成password_hash?
So far, so good, the problem is: how to correctly generate the password_hash?
RabbitMQ的配置文件中配置了密码哈希算法,我们的配置为默认SHA256.
The password hashing algorithm is configured in RabbitMQ's configuration file, and our is configured as the default SHA256.
我正在使用 C#,以及以下代码来生成哈希:
I'm using C#, and the following code to generate the hash:
var cr = new SHA256Managed();
var simplestPassword = "1";
var bytes = cr.ComputeHash(Encoding.UTF8.GetBytes(simplestPassword));
var sb = new StringBuilder();
foreach (var b in bytes) sb.Append(b.ToString("x2"));
var hash = sb.ToString();
这不起作用.在一些用于 SHA256 加密的在线工具中进行测试,代码正在生成预期的输出.但是,如果我们进入管理页面并手动将用户密码设置为1",那么它就像一个魅力.
This doesn't work. Testing in some online tools for SHA256 encryption, the code is generating the expected output. However, if we go to the management page and set the user password manually to "1" then it works like a charm.
这个答案引导我导出配置并查看 RabbitMQ 生成的哈希值,我意识到几件事:
This answer led me to export the configurations and take a look at the hashes RabbitMQ are generating, and I realized a few things:
- 1"的哈希示例:y4xPTRVfzXg68sz9ALqeQzAram3CwnGo53xS752cDV5+Utzh"
- 所有用户的哈希都有固定长度
- 哈希值每次都会改变(即使密码相同).我知道 PB2K 也对密码执行此操作,但不知道此加密属性的名称.
- 如果我通过了
password_hash,RabbitMQ 会直接存储它
- hash example of "1": "y4xPTRVfzXg68sz9ALqeQzARam3CwnGo53xS752cDV5+Utzh"
- all the user's hashes have fixed length
- the hashes change every time (even if the password is the same). I know PB2K also do this to passwords, but don't know the name of this cryptographic property.
- if I pass the
password_hashthe RabbitMQ stores it without changes
我也接受其他编程语言的建议,而不仅仅是 C#.
I'm accepting suggestions in another programming languages as well, not just C#.
推荐答案
来自:http://rabbitmq.1065348.n5.nabble.com/Password-Hashing-td276.html
但是,如果您想实现它,该算法非常简单你自己.这是一个有效的例子:
However, the algorithm is quite simple if you want to implement it yourself. Here's a worked example:
生成一个随机的 32 位盐:
Generate a random 32 bit salt:
CA D5 08 9B
CA D5 08 9B
将其与密码的 UTF-8 表示形式连接(在此案例西蒙"):
Concatenate that with the UTF-8 representation of the password (in this case "simon"):
CA D5 08 9B 73 69 6D 6F 6E
CA D5 08 9B 73 69 6D 6F 6E
取MD5哈希:
CB 37 02 72 AC 5D 08 E9 B6 99 4A 17 2B 5F 57 12
CB 37 02 72 AC 5D 08 E9 B6 99 4A 17 2B 5F 57 12
再次连接盐:
CA D5 08 9B CB 37 02 72 AC 5D 08 E9 B6 99 4A 17 2B 5F 57 12
CA D5 08 9B CB 37 02 72 AC 5D 08 E9 B6 99 4A 17 2B 5F 57 12
并转成base64编码:
And convert to base64 encoding:
ytUIm8s3AnKsXQjptplKFytfVxI=
ytUIm8s3AnKsXQjptplKFytfVxI=
你应该能够修改你的代码来遵循这个过程
you should be able to modify your code to follow this process
这篇关于如何为 RabbitMQ 管理 HTTP API 生成密码哈希的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!