Steve
Posted February 25, 2020

I was testing some API scripting I have been doing and have always been using the System Wide API Key.

I tested the GET /api/hosts and this works.

Although the documentation states: "In order to search for Hosts, you must specify the Hosts API Key"

I tried POST /api/hosts to add a host and get the error

    Invoke-Restmethod : [{"errors":[{"message":"No Authorization"},{"phrase":"An error has occurred trying to validate the Hosts API Key. Please check if the Hosts API Key on the Systems Setting screen has been specified, and is correct."}]}]

I tried DELETE /api/hosts/hostname

Initially it responded with

    Invoke-Restmethod : [{"errors":[{"message":"Not Found"},{"phrase":"HostName 'fred' Not Found in the Database."}]}]

When corrected to a valid hostname it then gave me

    Invoke-Restmethod : [{"errors":[{"message":"No Authorization"},{"phrase":"An error has occurred trying to validate the Hosts API Key. Please check if the Hosts API Key on the Systems Setting screen has been specified, and is correct."}]}]

but the HOST record has now been deleted!!!!!

It is concerning that

1) I can search for hosts without the Hosts Key
2) I can check for the existence of a host, without a Hosts API Key, using the DELETE function (I can even supply a complete garbage key)
3) The Host record gets deleted, even though the error says I didn't have permission to do so
4) The System Wide API is not valid as a key for Hosts functionality

support
Posted February 25, 2020

Hi Steve,

We've just tested this in two different environments, and every time we use the System Wide API Key, the API returns "An error has occurred trying to validate the Hosts API Key", with no further processing.

To troubleshoot this further, can you tell us:

1. What Build of Passwordstate are you using?
2. Are you specifying the API Key in the header request, or the URL? It shouldn't matter which, but we tested in the header request and just want to double check
3. Are you using any Load Balancers or Proxy Servers which might be caching something here
4. Are you using PowerShell ISE, as we've seen many issues with ISE caching previous results, which is why we now use PowerShell Studio for all development

If you are using PowerShell ISE, try restarting ISE after every call to see if that makes any difference with the caching.

Thanks
Click Studios

Steve
Posted February 25, 2020
Author

Build: 8850
API Key is in the header

But I have found an issue in my code, that now presents some other issues.

In the Powershell below I have the API Key in the $PasswordstateAPIKey variable, but pass an un-initialized $apiKey in the Invoke-RestMethod -header, thus the APIKey in the header is empty.

So when I correct this typo, I get the following responses

Get hosts - No Authorisation
Delete hosts - No Authorisation
POST hosts - No Authorisation

So it seems passing an uninitialized $apiKey:

- allows the Get Hosts function to work with no errors
- allows the Delete to do a host lookup and return not found
- allows the delete to give an error, but still deletes host

Powershell (with error)

    function Invoke-EnvCredStore {
        <#
        .SYNOPSIS
        Call CredStore Rest API
        .DESCRIPTION
        Invoke a Credentials Store API Call
        .PARAMETER Operation
        Describe parameter -operation.
        .PARAMETER Method
        Describe parameter -Method.
        .PARAMETER jsonData
        Describe parameter -jsonData.
        .EXAMPLE
        $result = Invoke-EnvCredStore -Operation 'securitygroup' -Method POST -jsonData $jsonData
        .NOTES
        Place additional notes here.
        #>
        [cmdletbinding()]
        param (
            [Parameter(Mandatory=$true,HelpMessage='Add help message for user')]
            [string]$Operation,
            [Parameter(Mandatory=$true,HelpMessage='Add help message for user')]
            [string]$Method = "GET",
            [Parameter(Mandatory=$false,HelpMessage='Add help message for user')]
            [string]$jsonData = $null
        )
        $PasswordstateURL = 'https://passwordstate/api/'
        $PasswordstateAPIKey = 'systemwideapikey'
        # Double quotes so $Method and $Operation are expanded in the message
        Write-Verbose -Message "Call Credentials Store: $Method $Operation..."
        # The typo: $apiKey is never assigned (the key is in $PasswordstateAPIKey),
        # so both calls below send an empty APIKey header
        if ($Method -eq "GET" -or $jsonData -eq $null) {
            $result = Invoke-Restmethod -Method $Method -Uri $PasswordstateURL$Operation -ContentType "application/json" -Header @{ "APIKey" = "$apiKey" }
        } else {
            $result = Invoke-Restmethod -Method $Method -Uri $PasswordstateURL$Operation -ContentType "application/json" -Body $jsonData -Header @{ "APIKey" = "$apiKey" }
        }
        return $result
    }

    Invoke-EnvCredStore -Method "DELETE" -Operation "hosts/dummy" # returns Not Found in the Database
    Invoke-EnvCredStore -Method "GET" -Operation "Hosts" # returns list of hosts
    Invoke-EnvCredStore -Method "DELETE" -Operation "hosts/dummy"
    Invoke-EnvCredStore -Method "GET" -Operation "hosts"

    #JSON data for the object
    $jsonData = '
    {
        "HostName":"dummy",
        "HostType":"Windows",
        "OperatingSystem":"Windows Server 2012",
        "DatabaseServerType":"",
        "SQLInstanceName":"",
        "DatabasePortNumber":"",
        "RemoteConnectionType":"RDP",
        "RemoteConnectionPortNumber":"3389",
        "RemoteConnectionParameters":"",
        "Tag":"MyServer",
        "Title":"",
        "SiteID":"0",
        "InternalIP":"192.168.1.57",
        "ExternalIP":"",
        "MACAddress":"28-C2-DD-E2-52-0E",
        "SessionRecording":"False",
        "VirtualMachine":"True",
        "VirtualMachineType":"VMware",
        "Notes":""
    }
    '
    Invoke-EnvCredStore -Method "POST" -Operation "hosts" -jsonData $jsonData

returns permission denied

support
Posted February 25, 2020

Hi Steve,

We've just tested this new scenario, where the API Key Variable is not initialised, and we get the same message about the API Key not being valid. Below is a simple test I was performing:

    $SearchUri = 'https://passwordstate.domain.com/hosts/?DatabaseServerType=SQL Server,MySQL'
    $result = Invoke-Restmethod -Method GET -Uri $SearchUri -Header @{ "APIKey" = "$MyAPIKey" }
    Write-Output $result

Can you please confirm:

1. Are you using any Load Balancers or Proxy Servers which might be caching something here
2. Are you using PowerShell ISE, as we've seen many issues with ISE caching previous results, which is why we now use PowerShell Studio for all development

Regards
Click Studios

Steve
Posted February 25, 2020
Author

Hi

1. We have no Load Balancer nor Proxy between client and server service.
2. I had used both the ISE and Powershell commandline and both produce identical results

I ran your script above, using our URI (including adding the /api before /hosts) and it returns a list of servers.

If I assign $MyAPIKey either $null or '' I get the same result, but any other value ('abc') produces the No Authorization error

Steve
Posted February 26, 2020
Author

Hi again,

I tested all other "Search" capabilities and found that the addressbook also works without Authorization.

It returned (since it's empty)

    Invoke-Restmethod : [{"errors":[{"message":"Not Found"},{"phrase":"You search for Address Book records return zero results."}]}]

support
Posted February 26, 2020

Hi Steve,

We've done further testing, and believe what you are seeing is still caching in ISE. Please see video below showing how we can replicate that in ISE, but not PowerShell Studio.

Can you please restart ISE between each call to the API, and if you see the same issue, then can you also please provide an equivalent video like ours?

Thanks very much.

API.mp4

Steve
Posted February 26, 2020
Author

Hi Support,

I don't have video screen capture, but I ran the script in ISE, Windows Powershell and the Package Manager Console in Visual Studio 2019 (which is also powershell), all new sessions so shouldn't be any caching.

As can be seen from the screen capture, all three from brand new sessions all produce the same result.

I also used the "Advanced REST Client" plugin in Chrome, which is shown in ScreenDump2 and 3. I did 3 first (empty APIKey), then 2, then 3 again.

I'd be interested to know what caching you believe is occurring.

support
Posted February 26, 2020

Hi Steve,

We demonstrated the caching in the video, i.e. change the api key to null, and it still returned results, until we restarted ISE.

This is a known issue in ISE, and other editors like Visual Studio code, so please try PowerShell Studio, and let us know if that helps?

Regards
Click Studios

Steve
Posted February 26, 2020
Author

Hi Support,

I downloaded and installed SAPIEN Powershell Studio 2020.

I run the script via "Run", "Run in Console", etc etc etc.

I get exactly the same issues as every other environment I have tested.

If I set $MyAPIKey = $null then the search always works without an error, regardless of whether it's first call, third call or any other call.

If I set it to an otherwise invalid value (non blank), then I get the error.

Powershell version

    Name                           Value
    ----                           -----
    PSVersion                      5.1.17134.858
    PSEdition                      Desktop
    PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
    BuildVersion                   10.0.17134.858
    CLRVersion                     4.0.30319.42000
    WSManStackVersion              3.0
    PSRemotingProtocolVersion      2.3
    SerializationVersion           1.1.0.1

support
Posted February 26, 2020

Hi Steve,

We've found another editor which doesn't do caching, Passwordstate :)

If you go to Administration -> Powershell Scripts -> Validation Scripts, and then add in a new 'blank' script and save it. Now click on the new script to open it up, and paste your code in there, and save it once again.

Next use the actions menu of that new script to "Test Script Manually" and upon first execution with the API key set correctly, you will get results as expected. Then clear the results. If you then change the APIKey variable to be $null and rerun the script without shutting the Window down at all, you will get an appropriate error.

Can you try this and confirm if you see the same behavior? We've seen Powershell caching variable data previously, and the only way was to close the session and reopen it. Not even clear-variable removed the value from memory. I have also read on forums that it's not ISE or the Powershell console that is the issue, but it's the engine which caches the variable data. Only a tool like Powershell Studio or Passwordstate 100% clear that data each time you run the script. I'm sure there's other tools out there but these are two that we know of, and it's the main reason why we stopped developing in ISE.

If you could let us know the results of your tests it would be much appreciated, we don't want other users thinking there is an issue with our API.

Regards,
Support.

support
Posted February 26, 2020

Hi Steve,

Can you email us at our support address, and we'll organise a remote session if that's ok.

Regards,
Support

Steve
Posted February 26, 2020
Author

Hi Support,

I have found the reason why a $null APIKey works for hosts queries, and addressbook queries and probably ActiveDirectory Security Groups as well.

If you look at the attached image you can see the reason. I do not have an API key set, and thus a null or empty string key matches the blank key in system settings.

I was hoping to only have to have a single "SystemWide" APIKey for all queries, but it seems I must use different keys for different API sets.

I would suggest that a blank APIKey should mean that API calls should not be possible.

support
Posted February 26, 2020

Hi Steve,

Thanks for finding this, and we did not consider blanking the Hosts API Key during our testing.

When adding a host, we have a check for a blank key, but we need to add the same check for GET and DELETE. We'll do that for the next release, and also double check all other method calls as well.

Thanks for your patience whilst we tried to figure this out.

Regards
Click Studios

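The blank-key match acknowledged in the post above, modelled as an added example; it is not Click Studios' code and not from any poster in this thread. The function names, the placeholder key and the test cases are constructed, and the naive check is an assumption about how an equality-only comparison behaves, not Passwordstate's implementation. The last lines show Set-StrictMode turning the thread's $apiKey typo into an error on the client side.

```powershell
Set-StrictMode -Version Latest

# Hypothetical naive check: plain equality, so a blank configured key
# "matches" a blank (or uninitialised) supplied key.
function Test-ApiKeyNaive {
    param([string]$Configured, [string]$Supplied)
    return $Supplied -ceq $Configured
}

# Hypothetical hardened check: fail closed when either side is blank,
# then compare every byte instead of stopping at the first mismatch.
function Test-ApiKeyStrict {
    param([string]$Configured, [string]$Supplied)
    if ([string]::IsNullOrWhiteSpace($Configured) -or
        [string]::IsNullOrWhiteSpace($Supplied)) { return $false }
    $a = [Text.Encoding]::UTF8.GetBytes($Configured)
    $b = [Text.Encoding]::UTF8.GetBytes($Supplied)
    $diff = $a.Length -bxor $b.Length
    for ($i = 0; $i -lt $a.Length; $i++) {
        $diff = $diff -bor ($a[$i] -bxor $b[$i % $b.Length])
    }
    return $diff -eq 0
}

# Constructed cases; 'hosts-key-example' is a placeholder, not a real key.
$cases = @(
    @{ Configured = '';                  Supplied = '' },    # blank key in settings, empty header
    @{ Configured = '';                  Supplied = 'abc' },
    @{ Configured = 'hosts-key-example'; Supplied = '' },
    @{ Configured = 'hosts-key-example'; Supplied = 'hosts-key-example' }
)
foreach ($c in $cases) {
    [pscustomobject]@{
        Configured = "'$($c['Configured'])'"
        Supplied   = "'$($c['Supplied'])'"
        Naive      = Test-ApiKeyNaive  @c
        Strict     = Test-ApiKeyStrict @c
    }
}

# Client side: under StrictMode 2.0+ an unassigned variable is a terminating
# error, so the typo cannot silently send an empty APIKey header.
# Assumes $apiKey has not been assigned anywhere in the session.
try {
    $headers = @{ APIKey = "$apiKey" }
} catch {
    "StrictMode stopped the call: $($_.Exception.Message)"
}
```

Only the first case differs between the two checks: the naive comparison accepts the empty key against a blank setting, the strict one rejects it.
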
support
Posted February 27, 2020

Hi Steve,

Just letting you know we've released build 8884, which fixes the issue identified above, and please follow one of the recommended upgrade methods outlined in the following document - https://www.clickstudios.com.au/downloads/version9/Upgrade_Instructions.pdf

Thanks again for working with us in resolving this issue - we appreciate it.

Regards
Click Studios