
Reversing a poorly written document to build an API.


BanMe_2
April 9th, 2015, 16:00
I work in product data management, and keeping up with new product images, MSDS sheets and PDFs is hard. So 1worldsync developed DAM (Digital Asset Management) as a tool to be used to store images along with product data on their Data Synchronization network, which is used to communicate the product data from Supplier to Distributor/Retailer. They have an IM implementation which I have automated with A.D.A.M., using the naming convention on Windows to my advantage (numbers before letters). That is just a simple bot that uploads assets. The 2nd way to access this is through machine-to-machine communication using XML over an AS2 connection. I have also added my own automation layer in HTML and JavaScript to drag and drop assets, select the other parameters and generate the files in zipped format directly in the browser, to be uploaded to my AS2 folder for sending to 1worldsync. The 3rd one is the one I am having some difficulty with. Now I have this document https://s3.amazonaws.com/enterprise-multitenant.3scale.net.3scale.net/1sync/2015/03/17/1WorldSync_DAM_API_Guide_v3-65afa258fe6058ee.pdf?AWSAccessKeyId=AKIAIRYLTWBQ37ZNGBZA&Expires=1428615127&Signature=MZrXvKsHC%2FnJDblY4uCzsTkuz%2Fc%3D and I am trying to distill the document down to a RESTful API client. Included in that document are samples of the multipart/form-data upload to the server and the sample response received back. If anyone could review that document and go over the technical details that are pertinent to the API and help me reverse the wording into code, I would greatly appreciate it. I have been looking at this and researching it the best I know how and have implemented it in its other forms.

Kind regards

blabberer
April 10th, 2015, 04:03
did you check the url? it has an expiry date and it has expired. hacking the input results in a signature mismatch, that is again given as input in the url

you should point people to wget -c --no-check-certificate https://developer.1worldsync.com/DAMAPIGUIDE

then people can at least download the pdf

100%[++====================================>] 827,413 14.6K/s in 42s

2015-04-10 14:32:49 (18.2 KB/s) - `1WorldSync_DAM_API_Guide_v3-65afa258fe6058ee.
pdf@AWSAccessKeyId=AKIAIRYLTWBQ37ZNGBZA&Expires=1428659590&Signature=2IzbU5kYzKP
br0u0qGoHiBrZNGQ=' saved [827413/827413]


C:\Documents and Settings\Admin\Desktop>ren "1WorldSync_DAM_API_Guide_v3-65afa25
8fe6058ee.pdf@AWSAccessKeyId=AKIAIRYLTWBQ37ZNGBZA&Expires=1428659590&Signature=2
IzbU5kYzKPbr0u0qGoHiBrZNGQ=" someamzoinggshit.pdf


ok so it has 6 apis
add asset , update asset , delete asset , add metadata, update metadata , and delete metadata
it is recommended to follow an add asset with an add metadata and so on so update asset should be followed with update metadata

each add sends a request to the server with some @$$II$ appended, calculated with hmac (whatever that is), and in return the server sends back a success or failure $(^*(^$(&^. each success also returns an assetid (which is mandatorily required for update and delete)

and that is it it seems ?

BanMe_2
April 10th, 2015, 10:21
First off, thank you for the response. Ya, that's it, pretty simple. After too long trying to get my JavaScript implementation to work, come to find out it was due to lack of correct documentation. But w.e., I moved over to C# and got it put together relatively quickly. :}

Cheers to you good sir/lady.

*Updated*

Key defining attributes
Accept-Encoding: gzip,deflate
Content-type: multipart/form-data;boundary = "----=_Part_1_11825213.1413218030245"
End-boundary = "------=_Part_9_11825213.1413218030245--"
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: form-data;
HMACsha256

BanMe_2
April 14th, 2015, 23:58
truly invaluable info if you're having issues with networking in .net

http://blogs.msdn.com/b/webapps/archive/2012/11/05/use-system-net-trace-and-ssl-alert-protocol-to-tshoot-ssl-connection-issue.aspx

BanMe_2
April 22nd, 2015, 19:26
story behind fix removed.

Here is addAsset, my first ever for going from a document to client API, not really special, but it's an accomplishment.
Code:

using System;
using System.IO;
using System.Security.Cryptography;
using System.ServiceModel;
using System.Text;
using System.Windows.Forms;

// RootObject (the response model) and DAM_API_DATASET are the project's own types and are not shown in the post.
static Boolean addAsset(String InformationProvider, String SenderGLN)
{
    String AppId = ""; // application id, left empty in the post
    String ApiUrl = "https://digasset-api.preprod.1worldsync.com";

    WSHttpBinding HttpBinding = new WSHttpBinding(SecurityMode.Transport);
    HttpBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

    // Allows TLS 1.0, 1.1 and 1.2 for the HTTPS connection.
    System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

    var Client = new RestSharp.RestClient(ApiUrl);
    var request = new RestSharp.RestRequest("V2/assets" + "?app_id={app_id}" + "&TIMESTAMP={TIMESTAMP}" + "&hash_code={hash_code}", RestSharp.Method.POST);
    request.AddHeader("Accept-Encoding", "gzip,deflate");
    request.AlwaysMultipartFormData = true;
    request.AddHeader("Content-Type", "multipart/form-data;charset=us-ascii");
    request.AddUrlSegment("app_id", AppId);

    // UTC timestamp in round-trip format with the fractional seconds cut off, e.g. 2015-04-22T19:26:00Z.
    String Date = DateTime.UtcNow.ToString("o");
    Date = Date.Substring(0, Date.IndexOf(".")) + "Z";
    request.AddUrlSegment("TIMESTAMP", Date);

    request.AddParameter("ipGLN", InformationProvider);
    request.AddParameter("senderGLN", SenderGLN);

    OpenFileDialog dlg = new OpenFileDialog();
    if (dlg.ShowDialog() == DialogResult.OK)
    {
        request.AddParameter("fileName", dlg.SafeFileName);
        request.AddFile("file", dlg.FileName);

        //foreach (RestSharp.Parameter param in request.Parameters)
        //{
        //    Console.WriteLine(param.Name + " = " + param.Value);
        //}

        // The hash covers the path plus app_id and TIMESTAMP; hash_code itself is not part of the signed string.
        String QueryString = "/V2/assets" + "?app_id=" + AppId + "&TIMESTAMP=" + Date;
        String B64Hash = getHMAC(QueryString);
        request.AddUrlSegment("hash_code", B64Hash);
        RestSharp.IRestResponse<RootObject> response = Client.Execute<RootObject>(request);

        // response.Data is null when the body could not be deserialized.
        if (response.Data != null && response.Data.status.Equals((int)200))
        {
            String LogPath = System.IO.Directory.GetCurrentDirectory() + "\\Web-API.log";
            String LogLine = response.Data.data.assetId + "," + response.Data.data.ipGLN + "," + response.Data.data.ipName + ", recipientGLN,GTIN," + dlg.SafeFileName + Environment.NewLine;
            if (!File.Exists(LogPath))
            {
                DAM_API_DATASET.AssetId = response.Data.data.assetId;
                // First run: write the CSV header, then append below so the header is not overwritten.
                File.WriteAllText(LogPath, "AssetId,ipGLN,ipName,recipientGLN,GTIN,FileName" + Environment.NewLine, Encoding.UTF8);
            }
            File.AppendAllText(LogPath, LogLine);
            return true; // success whether or not the log file already existed
        }
        return false;
    }
    return false;
}

// HMAC-SHA256 over the query string, keyed with the shared secret, returned as Base64.
static String getHMAC(String QueryString)
{
    String Secret = ""; // shared secret, left empty in the post
    using (HMACSHA256 hmac = new HMACSHA256(Encoding.ASCII.GetBytes(Secret)))
    {
        byte[] hash = hmac.ComputeHash(Encoding.ASCII.GetBytes(QueryString));
        return System.Convert.ToBase64String(hash);
    }
}


Being at or close to the bleeding edges and away from esoteric endeavors officially is not fun or easy, but it sure is satisfying being the only 1 to use it this way.
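
The signed-query pattern discussed in this thread (a timestamp or expiry in the URL, an HMAC over the path and query, and a signature mismatch when any parameter is edited), as an added example that is not code from the posts or from 1WorldSync. It signs the same string as getHMAC above and adds a receiver-side check; the secret, the app id, the 5-minute freshness window and the class and method names are assumptions.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
static class SignedQueryDemo
{
    const string HashParam = "&hash_code=", TimeParam = "&TIMESTAMP=";
    const string TimeFormat = "yyyy-MM-dd'T'HH:mm:ss'Z'";
    static readonly TimeSpan MaxSkew = TimeSpan.FromMinutes(5); // assumed policy, not from the API guide

    // Same construction as getHMAC in the post: HMAC-SHA256 over path + query, Base64 output.
    static string Sign(string secret, string pathAndQuery)
    {
        using (var hmac = new HMACSHA256(Encoding.ASCII.GetBytes(secret)))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(pathAndQuery)));
    }

    // Base64 can contain '+', '/' and '=', so the hash is percent-encoded before it goes into the URL.
    public static string BuildUrl(string secret, string appId, DateTime utcNow)
    {
        string ts = utcNow.ToString(TimeFormat, CultureInfo.InvariantCulture);
        string unsigned = "/V2/assets?app_id=" + appId + TimeParam + ts;
        return unsigned + HashParam + Uri.EscapeDataString(Sign(secret, unsigned));
    }

    // Receiver side: recompute the HMAC, compare without an early exit, then check freshness.
    public static bool Verify(string secret, string url, DateTime utcNow)
    {
        int cut = url.LastIndexOf(HashParam, StringComparison.Ordinal);
        int t = url.IndexOf(TimeParam, StringComparison.Ordinal);
        if (cut < 0 || t < 0 || t > cut) return false;
        string unsigned = url.Substring(0, cut);
        string got = Uri.UnescapeDataString(url.Substring(cut + HashParam.Length));
        string want = Sign(secret, unsigned);
        int diff = got.Length ^ want.Length;
        for (int i = 0; i < got.Length && i < want.Length; i++) diff |= got[i] ^ want[i];
        if (diff != 0) return false; // any edited parameter or a wrong secret ends here
        if (!DateTime.TryParseExact(unsigned.Substring(t + TimeParam.Length), TimeFormat, CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out DateTime sent)) return false;
        return (utcNow - sent).Duration() <= MaxSkew; // stale or future-dated requests are refused
    }

    static void Main()
    {
        var now = new DateTime(2015, 4, 22, 19, 26, 0, DateTimeKind.Utc); // constructed values throughout
        string url = BuildUrl("constructed-secret", "demo-app", now);
        Console.WriteLine("untouched: " + Verify("constructed-secret", url, now));
        Console.WriteLine("app_id edited: " + Verify("constructed-secret", url.Replace("demo-app", "other"), now));
        Console.WriteLine("one hour later: " + Verify("constructed-secret", url, now.AddHours(1)));
    }
}
```

The signature is checked before the timestamp is parsed, so the freshness decision is only ever made on a value the HMAC has already authenticated.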