Passing secure parameter to fixlet through Api

atshenoy 2020-02-14 12:42:09 UTC #1

i am trying to pass secure value to a fixlet parameter by adding this in the body of post in rest api

fixlet is like

action parameter query “value” with description "value"
run powershell -ExecutionPolicy Bypass “C:\Test\try.ps1” -h {parameter “value”}

and i am passing the value in following manner

value to be passed

but not getting the desired output. can anyone help me here.

atshenoy 2020-02-14 12:45:08 UTC #2

<SecureParameter Name="value">Value to be passed</SecureParameter>

this is how the value is passed

JasonWalker 2020-02-14 14:49:10 UTC #3

Thanks, I understand that. But there is something wrong in the XML, likely another tag that is misplaced or out of order. If you can post your full XML we can try to help, otherwise you may need to refer again to the examples and the XML schema listed at developer.bigfix.com to see where your issue lies.

Additionally there are a number of tools that can validate an XML document against an XSD schema, so you might try validating your XMl with such a tool.

atshenoy 2020-02-15 05:41:48 UTC #4

       <BES>
       <SourcedFixletAction>
       <SourceFixlet>
       <Sitename>siteName is passed</Sitename>
       <FixletID>FixletID is passed</FixletID>
       <Action>Action1</Action>
       </SourceFixlet>
       <Target>
       <ComputerName>computerName is passed</ComputerName>
       </Target>
        <SecureParameter Name="value">Value to be passed</SecureParameter>
      </SourcedFixletAction>
       </BES>

This is the xml body to post.

JasonWalker 2020-02-15 13:53:49 UTC #5

Thanks. On the face of it, I don’t see anything wrong with the XML structure or the element order.

I wonder whether your SecureParameter value has any special characters that need to be escaped in XML, such as <, >, or & ? Could you try sending the action with a very simple value for the parameter?

atshenoy 2020-02-16 06:49:32 UTC #6

   <BES>
   <SourcedFixletAction>
   <SourceFixlet>
   <Sitename>siteName is passed</Sitename>
   <FixletID>FixletID is passed</FixletID>
   <Action>Action1</Action>
   </SourceFixlet>
   <Target>
   <ComputerName>computerName is passed</ComputerName>
   </Target>
    <SecureParameter Name="value">$ecureV@lu3</SecureParameter>
  </SourcedFixletAction>
   </BES>

Since the body is not getting executed the action is not getting created

if
<Parameter Name="value">$ecureV@lu3</Parameter>
passed like this the action gets created but the value is visible in Action which gets created when the fixlet gets executed.

JasonWalker 2020-02-16 15:19:02 UTC #7

Comparing with an example from a previous past at Securely creating fixlets to update OS user passwords , the only differences I see are that you are not declaring the top-level XML doc type, and not referencing the xml namespace attributes on the <BES> tag.

While I would expect that to behave the same between Parameter and SecureParameter, it may be worth trying to add those.

I’ll try to fire up my server later today to try it on my lab.

Also as a test, see whether you can target by ComputerID instead of name.

JasonWalker 2020-02-16 19:57:15 UTC #8

Well, I started up my instance…I haven’t gotten as far as trying it via the API, but when I send it through a Dashboard with ImportXMLToSite() it’s not working either.

If I use <Parameter> tags it works, but switching to <SecureParameter> does not (my action gives me a pop-up message query for the parameter value).

I did finally get a test case to work - by avoiding ‘action parameter query’ in the ActionScript.
Here’s the XML I imported

<?xml version="1.0" encoding="UTF-8"?> 
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd"> 
<SourcedFixletAction> 
<SourceFixlet> 
<Sitename>My-Test-Site</Sitename> 
<FixletID>2333</FixletID> 
<Action>Action1</Action> 
</SourceFixlet> 
<Target> 
 <ComputerName>my-computer-name</ComputerName>
   </Target> 
<SecureParameter Name="command">echo Try 2 &gt; c:\test.out</SecureParameter>  
</SourcedFixletAction> 
</BES>

And here’s the source to the action -

//action parameter query "command" with description "Enter the command to run"
waithidden cmd.exe /c "{parameter "command"}"

This works when I commented out the ‘action parameter query’ but fails when I leave that in - the Console just pops-up a dialog asking for the value. @atshenoy , check if your actions use ‘action parameter query’ in them, and see if you can remove that query for a test.

@jgstew @alanm are we missing something here? Is this a known interaction between the REST / Dashboard APi and Action Parameter Query?

Secure Parameter substitution fail when running with REST API

atshenoy 2020-02-17 05:22:52 UTC #9

Tried adding XML doc type and and not referencing the xml namespace attributes on the <BES> tag, but did not work.

atshenoy 2020-02-17 05:25:43 UTC #10

Tried commenting out the action parameter query also still it was not able to successfully execute the fixlet.

JasonWalker 2020-02-17 13:30:57 UTC #11

Are you getting an error during the REST POST, or is the action just not doing what you expect it to do? Is the action being created at all?

atshenoy 2020-02-18 05:00:05 UTC #12

I am getting the error during the REST POST. The fixlet is not getting triggered and the action is also not getting created.