Creating a User Access Token Request Function

A SecureCloud API request that successfully obtains a user access token is able to bypass the User Access Token Filter, the third and final authentication filter.

To successfully receive a user access token, you will need to use the following SecureCloud account credentials:

SecureCloud account name

This is your account name used to log on the Key Management Server web console.
SecureCloud account password

This is your password used to log on the Key Management Server web console.
SecureCloud account ID

This 32-character (plus 4 hyphens) string is shown on the User Management screen of the Key Management Server web console.

The following task shows how to use the public certificate and your SecureCloud account credentials to request a user access token, add the user access token to a variable, and format the user access token into XML.

Note

Each of these programming tasks assumes that you are you are using a new programming code file. The examples shown are using Python programming language. Other programming languages, such as C++ or Java, are capable of performing the same requests.

Procedure

Define this entire part of the API request as a function.
In the example, this function is the Get User Access Token function. The function is defined as get_user_token().
```
def get_user_token():
```
Create variables for each part of SecureCloud account credentials.
These variables are as follows:
- SecureCloud account name
  
  In the example, this variable is securecloud_login_name.
- SecureCloud account password
  
  In the example, this variable is securecloud_login_password.
- SecureCloud account ID
  
  In the example, this variable is securecloud_account_id.
```
securecloud_account_id = "1FB18C52-2D93-4983-9784-7915163759A7"
securecloud_login_name = "test_user"
securecloud_login_password = "12345678"
```
Create the API URL variable using the UserBasicAuthentication() API and the variable for your SecureCloud account name.
```
api_url = "https://ms.securecloud.com/broker/API.SVC/v3.5/userBasicAuth/" + securecloud_login_name + "?tenant="
```
Copy your digest authentication process and paste it into this part of the API request.

The digest authentication process parts can be placed at varying locations in the request code, as long as the programming language does not encounter sequencing problems. Declare the API URL variable before calling API URL requests.

See Creating a Digest Authentication Process.
Call your public certificate request function.

See Creating a Public Certificate Request Function.
```
pub_cert = get_server_certificate()
```

Extract the public key of the public certificate using TomCrypt.

from tomcrypt import rsa
key = rsa.Key(pub_cert)
pub = key.public

Encrypt your SecureCloud account password using the public key of the public certificate.

password = bytes(securecloud_login_password)
encrypted_password = pub.encrypt(password, None, "sha256", "oaep")
encrypted_password = base64.b64encode(encrypted_password)

Create the body of the user access token request in XML format using your SecureCloud account ID and the encrypted version of your SecureCloud account password.
```
req_xml = """<?xml version="1.0" encoding="utf-8"?>
      <authentication data="%s" accountId="%s" />""" %
      (encrypted_password, securecloud_account_id)
```

Add the XML request body to the API request found in your digest authentication process.

Important

This adds one line of text to the existing code of the digest authentication process. Do not create duplicate code.

If necessary, move the API request section of the digest authentication process to after your variable declaration for the XML user access token request body.

See Creating a Digest Authentication Process.

req = urllib2.Request(api_url)
req.add_header('Content-Type', 'application/xml; charset=utf-8')
req.add_header('BrokerName', digest_broker_account)
req.add_data(req_xml)

Create the API request.

try:
      sc_get_req = opener.open(req)
      res = sc_get_req.read()

Note

For the sake of this example, this section is just the beginning of the Python compound statement try. If using Python, continue this try statement until the end of the function.

Format the user access token into XML.
In this example, the variable res contains the unformatted user access token.
```
xmldata = xml.dom.minidom.parseString(res)
```
Extract the user access token.
In this example, the variable session_token is the intended variable to contain the extracted user access token.
```
auth_result = xmldata.getElementsByTagName("authenticationResult")[0]
session_token = auth_result.attributes["token"].value.strip()

return session_token
```

Perform error checking.

except urllib2.HTTPError, e:
      logging.error(e)
except urllib2.URLError, e:
      logging.error(e)
except Exception, e:
      logging.error(e)

Sample Code

# Define this part of the API request as a function.
def get_user_token():

      # Create variables for each part of the broker account information.                       
      digest_broker_account = "test_digest_account"                       
      digest_password = "QTpYVL0QKI"                       
      digest_realm = "securecloud@trend.com"

      # Create variables for each part of SecureCloud account credentials.
      securecloud_account_id = "1FB18C52-2D93-4983-9784-7915163759A7"
      securecloud_login_name = "test_user"
      securecloud_login_password = "12345678"

      # Call your public certificate request function.
      pub_cert = get_server_certificate()

      # Extract the public key of the public certificate using TomCrypt.
      from tomcrypt import rsa
      key = rsa.Key(pub_cert)
      pub = key.public

      # Encrypt your SecureCloud account password using the public key of the public certificate.
      password = bytes(securecloud_login_password)
      encrypted_password = pub.encrypt(password, None, "sha256", "oaep")
      encrypted_password = base64.b64encode(encrypted_password)
      
      # Create the body of the user access token request in XML format.
      req_xml = """<?xml version="1.0" encoding="utf-8"?>
            <authentication data="%s" accountId="%s" />""" %
            (encrypted_password, securecloud_account_id)

      # Create the API URL variable using the UserBasicAuthentication() API.
      api_url = "https://ms.securecloud.com/broker/API.SVC/v3.5/userBasicAuth/" + securecloud_login_name + "?tenant="
      
      # Add broker account information and the API URL to the password manager in the same function.                      
      pwd_mgr = urllib2.HTTPPasswordMgr()                       
      pwd_mgr.add_password(digest_realm, api_url, digest_broker_account, digest_password)
      
      # Add the broker account information and the API URL to the API request handler.                       
      opener = urllib2.build_opener()
      opener.add_handler(urllib2.HTTPDigestAuthHandler(pwd_mgr))

      # Request the API using the API URL.
      req = urllib2.Request(api_url)
      req.add_header('Content-Type', 'application/xml; charset=utf-8') # Set the request data type to XML format
      req.add_header('BrokerName', digest_broker_account) # Include the broker account information in the header
      req.add_data(req_xml) # Add the XML user access token request body
      
      # Create the API request.
      try:                                               
            sc_get_req = opener.open(req)                                              
            res = sc_get_req.read()
      
            # Format the user access token into XML.
            xmldata = xml.dom.minidom.parseString(res)

            # Extract the user access token.
            auth_result = xmldata.getElementsByTagName("authenticationResult")[0]
            session_token = auth_result.attributes["token"].value.strip()

            return session_token

      # Perform error checking.
      except urllib2.HTTPError, e:
            logging.error(e)
      except urllib2.URLError, e:
            logging.error(e)
      except Exception, e:
            logging.error(e)

$('#title').html($('meta[name=description]').attr('content'));