commit 5b8bbff595ef4eb7bb08390d7379640be2dd435e
author Rickard von Essen <rickard.von.essen@gmail.com> Tue Feb 16 07:48:20 2016 +0100
committer Rickard von Essen <rickard.von.essen@gmail.com> Tue Feb 16 08:47:12 2016 +0100
tree 46a76daec956224d9e56b0a0a8eb95ba940ffa8d
parent 6769c3b3e54a5cf1b0bdb10ea5b25f5cff0a3134

Add Nova get-password support

Add support to get a encrypted administrative password for a server
through a GET on: /v2.1/{tenant_id}/servers/{server_id}/os-server-password
optionally decrypting the password if a private key is supplied.

The same operation with OpenStack CLI is done with:
  nova get-password <server_id> [private_key.pem]

openstack/compute/v2/servers/results.go

diff --git a/openstack/compute/v2/servers/results.go b/openstack/compute/v2/servers/results.go
index f278709..406f689 100644
--- a/openstack/compute/v2/servers/results.go
+++ b/openstack/compute/v2/servers/results.go
@@ -1,10 +1,12 @@
 package servers
 
 import (
-	"reflect"
+	"crypto/rsa"
+	"encoding/base64"
 	"fmt"
-	"path"
 	"net/url"
+	"path"
+	"reflect"
 
 	"github.com/mitchellh/mapstructure"
 	"github.com/rackspace/gophercloud"
@@ -82,6 +84,47 @@
 	gophercloud.Result
 }
 
+// GetPasswordResult represent the result of a get os-server-password operation.
+type GetPasswordResult struct {
+	gophercloud.Result
+}
+
+// ExtractPassword gets the encrypted password.
+// If privateKey != nil the password is decrypted with the private key.
+// If privateKey == nil the encrypted password is returned and can be decrypted with:
+//   echo '<pwd>' | base64 -D | openssl rsautl -decrypt -inkey <private_key>
+func (r GetPasswordResult) ExtractPassword(privateKey *rsa.PrivateKey) (string, error) {
+
+	if r.Err != nil {
+		return "", r.Err
+	}
+
+	var response struct {
+		Password string `mapstructure:"password"`
+	}
+
+	err := mapstructure.Decode(r.Body, &response)
+	if err == nil && privateKey != nil && response.Password != "" {
+		return decryptPassword(response.Password, privateKey)
+	}
+	return response.Password, err
+}
+
+func decryptPassword(encryptedPassword string, privateKey *rsa.PrivateKey) (string, error) {
+	b64EncryptedPassword := make([]byte, base64.StdEncoding.DecodedLen(len(encryptedPassword)))
+
+	n, err := base64.StdEncoding.Decode(b64EncryptedPassword, []byte(encryptedPassword))
+	if err != nil {
+		return "", fmt.Errorf("Failed to base64 decode encrypted password: %s", err)
+	}
+	password, err := rsa.DecryptPKCS1v15(nil, privateKey, b64EncryptedPassword[0:n])
+	if err != nil {
+		return "", fmt.Errorf("Failed to decrypt password: %s", err)
+	}
+
+	return string(password), nil
+}
+
 // ExtractImageID gets the ID of the newly created server image from the header
 func (res CreateImageResult) ExtractImageID() (string, error) {
 	if res.Err != nil {