
Host API issues (Resolved)


Steve

I was testing some API scripting I have been doing and have always been using the System Wide API Key.

 

I tested the GET /api/hosts and this works

Although the documentation states: "In order to search for Hosts, you must specify the Hosts API Key"

 

I tried POST /api/hosts to add a host and get the error

Invoke-Restmethod : [{"errors":[{"message":"No Authorization"},{"phrase":"An error has occurred trying to validate the Hosts API Key. Please check if the Hosts API Key on the Systems Setting screen has been specified, and is correct."}]}]

 

I tried DELETE /api/hosts/hostname

Initially it responded with

Invoke-Restmethod : [{"errors":[{"message":"Not Found"},{"phrase":"HostName 'fred' Not Found in the Database."}]}]

 

When corrected to a valid hostname it then gave me

Invoke-Restmethod : [{"errors":[{"message":"No Authorization"},{"phrase":"An error has occurred trying to validate the Hosts API Key. Please check if the Hosts API Key on the Systems Setting screen has been specified, and is correct."}]}]

 

but the HOST record has now been deleted!!!!!

 

It is concerning that

1) I can search for hosts without the Hosts Key

2) I can check for the existence of a host, without a Hosts API Key, using the DELETE function (I can even supply a complete garbage key)

3) The Host record gets deleted, even though the error says I didn't have permission to do so

4) The System Wide API Key is not valid as a key for Hosts functionality

 

 


Hi Steve,

 

We've just tested this in two different environments, and every time we use the System Wide API Key, the API returns "An error has occurred trying to validate the Hosts API Key", with no further processing.

To troubleshoot this further, can you tell us:

 

1. What Build of Passwordstate are you using?

2. Are you specifying the API Key in the header request, or the URL? It shouldn't matter which, but we tested in the header request and just want to double check

3. Are you using any Load Balancers or Proxy Servers which might be caching something here?

4. Are you using PowerShell ISE, as we've seen many issues with ISE caching previous results, which is why we now use PowerShell Studio for all development

 

If you are using PowerShell ISE, try restarting ISE after every call to see if that makes any difference with the caching.

 

Thanks

Click Studios


Build: 8850

API Key is in the header

But I have found an issue in my code, that now presents some other issues

 

In the Powershell below I have the API Key in the $PasswordstateAPIKey variable, but pass an un-initialized $apiKey in the Invoke-RestMethod -header

thus the APIKey in the header is empty

 

So when I correct this typo, I get the following responses

Get hosts - No Authorisation

Delete hosts - No Authorisation

POST hosts - No Authorisation

 

So it seems passing an uninitialized $apiKey allows:-

the Get Hosts function to work with no errors

allows the Delete to do a host lookup and return not found

allows the delete to give an error, but still deletes host

 

Powershell (with error)

 

function Invoke-EnvCredStore
{
  <#
    .SYNOPSIS
    Call CredStore Rest API

    .DESCRIPTION
        Invoke a Credentials Store API Call

    .PARAMETER Operation
    Describe parameter -operation.

    .PARAMETER Method
    Describe parameter -Method.

    .PARAMETER jsonData
    Describe parameter -jsonData.

    .EXAMPLE
    $result = Invoke-EnvCredStore -Operation 'securitygroup' -Method POST -jsonData $jsonData
    
    .NOTES
    Place additional notes here.
  #>


  [cmdletbinding()]
  param (
  
    [Parameter(Mandatory=$true,HelpMessage='Add help message for user')]
    [string]$Operation,

    [Parameter(Mandatory=$true,HelpMessage='Add help message for user')]
    [string]$Method = "GET",

    [Parameter(Mandatory=$false,HelpMessage='Add help message for user')]
    [string]$jsonData = $null
  )
  
  $PasswordstateURL = 'https://passwordstate/api/'
  $PasswordstateAPIKey = 'systemwideapikey'
  
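  # Double quotes so that $Method and $Operation are expanded in the message
  Write-Verbose -Message "Call Credentials Store: $Method $Operation..."
  # The error described in this post: $apiKey below is never assigned (the key is in
  # $PasswordstateAPIKey), so the APIKey header is sent empty.
  # A [string] parameter is never $null, so test for an empty string as well.
  if ($Method -eq "GET" -or [string]::IsNullOrEmpty($jsonData)) {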
    $result = Invoke-Restmethod -Method $Method -Uri $PasswordstateURL$Operation -ContentType "application/json" -Header @{ "APIKey" = "$apiKey" }
  }
  else {
    $result = Invoke-Restmethod -Method $Method -Uri $PasswordstateURL$Operation -ContentType "application/json" -Body $jsonData -Header @{ "APIKey" = "$apiKey" }
  }
  return $result
}

 

Invoke-EnvCredStore -Method "DELETE" -Operation "hosts/dummy"

# returns Not Found in the Database

Invoke-EnvCredStore -Method "GET" -Operation "Hosts"

# returns list of hosts

Invoke-EnvCredStore -Method "DELETE" -Operation "hosts/dummy"

Invoke-EnvCredStore -Method "GET" -Operation "hosts"

 #JSON data for the object
$jsonData = '
{
"HostName":"dummy",
"HostType":"Windows",
"OperatingSystem":"Windows Server 2012",
"DatabaseServerType":"",
"SQLInstanceName":"",
"DatabasePortNumber":"",
"RemoteConnectionType":"RDP",
"RemoteConnectionPortNumber":"3389",    
"RemoteConnectionParameters":"",
"Tag":"MyServer",
    "Title":"",
    "SiteID":"0",
    "InternalIP":"192.168.1.57",
    "ExternalIP":"",
    "MACAddress":"28-C2-DD-E2-52-0E",
    "SessionRecording":"False",
    "VirtualMachine":"True",
    "VirtualMachineType":"VMware",
    "Notes":""
}
'
Invoke-EnvCredStore -Method "POST" -Operation "hosts" -jsonData $jsonData
# returns permission denied

 

 


Hi Steve,

 

We've just tested this new scenario, where the API Key Variable is not initialised, and we get the same message about the API Key not being valid. Below is a simple test I was performing:

 

$SearchUri = 'https://passwordstate.domain.com/hosts/?DatabaseServerType=SQL Server,MySQL'
$result = Invoke-Restmethod -Method GET -Uri $SearchUri -Header @{ "APIKey" = "$MyAPIKey" }
Write-Output $result

Can you please confirm:

 

1. Are you using any Load Balancers or Proxy Servers which might be caching something here?

2. Are you using PowerShell ISE, as we've seen many issues with ISE caching previous results, which is why we now use PowerShell Studio for all development

 

Regards

Click Studios


Hi

 

1. We have no Load Balancer nor Proxy between client and server service.

2. I had used both the ISE and Powershell commandline and both produce identical results

 

I ran your script above, using our URI (including adding the /api before /hosts), and it returns a list of servers.

 

If I assign $MyAPIKey either $null or '' I get the same result, but any other value ('abc') produces the No Authorization error

 


Hi again,

 

I tested all other "Search" capabilities and found that the addressbook also works without Authorization

 

It returned (since it's empty)

Invoke-Restmethod : [{"errors":[{"message":"Not Found"},{"phrase":"You search for Address Book records return zero results."}]}]


Hi Steve,

 

We've done further testing, and believe what you are seeing is still caching in ISE. Please see video below showing how we can replicate that in ISE, but not PowerShell Studio.

 

Can you please restart ISE between each call to the API, and if you see the same issue, then can you also please provide an equivalent video like ours?

 

Thanks very much.

 


Hi Support,

 

I don't have video screen capture, but I ran the script in ISE, Windows Powershell and the Package Manager Console in Visual Studio 2019 (which is also powershell), all new sessions so shouldn't be any caching.

As can be seen from the screen capture, all three, from brand new sessions, all produce the same result.

 

I also used the "Advanced REST Client" plugin in Chrome, which is shown in ScreenDump2 and 3.  I did 3 first (empty APIKey), then 2, then 3 again

 

 

I'd be interested to know what caching you believe is occurring.

ScreenDump.jpg

ScreenDump2.jpg

ScreenDump3.jpg


Hi Steve,

 

We demonstrated the caching in the video, i.e. change the api key to null, and it still returned results, until we restarted ISE.

 

This is a known issue in ISE, and other editors like Visual Studio code, so please try PowerShell Studio, and let us know if that helps?

 

Regards

Click Studios


Hi Support,

 

I downloaded and installed SAPIEN Powershell Studio 2020

 

I run the script via "Run", "Run in Console", etc etc etc.

 

I get exactly the same issues as every other environment I have tested.

 

If I set $MyAPIKey = $null then the search always works without an error, regardless of whether it's the first call, third call or any other call.

If I set it to an otherwise invalid value (non-blank), then I get the error.

 

Powershell version

Name                           Value                     
----                           -----                     
PSVersion                      5.1.17134.858             
PSEdition                      Desktop                   
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}   
BuildVersion                   10.0.17134.858            
CLRVersion                     4.0.30319.42000           
WSManStackVersion              3.0                       
PSRemotingProtocolVersion      2.3                       
SerializationVersion           1.1.0.1                   

 

 


Hi Steve,

 

We've found another editor which doesn't do caching, Passwordstate:)  If you go to Administration -> Powershell Scripts -> Validation Scripts, and then add in a new 'blank' script and save it.  Now click on the new script to open it up, and paste your code in there, and save it once again.

 

Next use the actions menu of that new script to "Test Script Manually" and upon first execution with the API key set correctly, you will get results as expected.  Then clear the results. If you then change the APIKey variable to be $null and rerun the script without shutting the Window down at all, you will get an appropriate error.

 

Can you try this and confirm if you see the same behavior?

 

We've seen Powershell caching variable data previously, and the only way was to close the session and reopen it.  Not even clear-variable removed the value from memory.  I have also read on forums that it's not ISE or the Powershell console that is the issue, but it's the engine which caches the variable data.   Only a tool like Powershell Studio or Passwordstate 100% clear that data each time you run the script.  I'm sure there's other tools out there but these are two that we know of, and it's the main reason why we stopped developing in ISE.

 

If you could let us know the results of your tests it would be much appreciated, we don't want other users thinking there is an issue with our API.

 

Regards,

Support.

 

 


Hi Support,

 

I have found the reason why a $null APIKey works for hosts queries, and addressbook queries and probably ActiveDirectory Security Groups as well.

 

If you look at the attached image you can see the reason.

 

I do not have an API key set, and thus a null or empty string key matches the blank key in system settings.

 

I was hoping to only have to have a single "SystemWide" APIKey for all queries, but it seems I must use different keys for different API sets.

 

I would suggest that a blank APIKey should mean that API calls should not be possible.

ScreenDump3.jpg


Hi Steve,

 

Thanks for finding this, and we did not consider blanking the Hosts API Key during our testing. When adding a host, we have a check for a blank key, but we need to add the same check for GET and DELETE.

We'll do that for the next release, and also double check all other method calls as well.

Thanks for your patience whilst we tried to figure this out.

Regards

Click Studios
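
The blank-key condition worked out in this thread, modelled as an added PowerShell example (not Passwordstate's code and not written by either poster): a key check that compares the supplied key with the configured one authenticates a blank header whenever the configured key is blank, while a strict check refuses blank keys and runs before any lookup or delete. The function names, the sample key and the in-memory host table are constructed for illustration.

```powershell
# Added illustration: a hypothetical server-side key check, not Passwordstate's code.
function Test-ApiKeyNaive {
    param([string]$Supplied, [string]$Configured)
    # Flaw: with no key configured, '' -eq '' is True, so a blank header authenticates.
    return $Supplied -eq $Configured
}

function Test-ApiKeyStrict {
    param([string]$Supplied, [string]$Configured)
    # A blank configured key disables the API set; a blank supplied key never matches.
    if ([string]::IsNullOrWhiteSpace($Configured) -or
        [string]::IsNullOrWhiteSpace($Supplied)) { return $false }
    $a = [Text.Encoding]::UTF8.GetBytes($Supplied)
    $b = [Text.Encoding]::UTF8.GetBytes($Configured)
    if ($a.Length -ne $b.Length) { return $false }
    # Compare every byte so timing does not depend on where the keys differ.
    $diff = 0
    for ($i = 0; $i -lt $a.Length; $i++) { $diff = $diff -bor ($a[$i] -bxor $b[$i]) }
    return $diff -eq 0
}

function Remove-HostRecord {
    param([hashtable]$Store, [string]$HostName, [string]$Supplied,
          [string]$Configured, [string]$Check)
    # Authorise before the lookup and before the delete, so a failed check
    # neither reveals whether the host exists nor changes any data.
    if (-not (& $Check -Supplied $Supplied -Configured $Configured)) {
        return 'No Authorization'
    }
    if (-not $Store.ContainsKey($HostName)) { return 'Not Found' }
    $Store.Remove($HostName)
    return 'Deleted'
}

# Constructed cases: Hosts API Key left blank in settings, then set to a sample value.
foreach ($check in 'Test-ApiKeyNaive', 'Test-ApiKeyStrict') {
    foreach ($configured in '', 'constructed-hosts-key') {
        foreach ($supplied in $null, '', 'abc', 'constructed-hosts-key') {
            $store = @{ dummy = '192.168.1.57' }   # fresh constructed host table
            $r = Remove-HostRecord -Store $store -HostName 'dummy' -Supplied $supplied `
                     -Configured $configured -Check $check
            '{0,-17} configured=[{1}] supplied=[{2}] -> {3}' -f $check, $configured, $supplied, $r
        }
    }
}
```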


Hi Steve,

 

Just letting you know we've released build 8884, which fixes the issue identified above, and please follow one of the recommended upgrade methods outlined in the following document - https://www.clickstudios.com.au/downloads/version9/Upgrade_Instructions.pdf

Thanks again for working with us in resolving this issue - we appreciate it.

Regards

Click Studios
