Ok, I managed to put together an example, and it’s working as I expected…hopefully some of this may help? It may be as simple as how the parameters are used in the actionscript, but the Description tab HTML & javascript shouldn’t matter from an API post.
The Description tab of the fixlet appears as this:
The important bit (for the Console) is the textbox and the javascript, it creates a parameter named “secret”
<LABEL for=secret>Test Secret:</LABEL>
<INPUT id=secret type=password name=secret>
<script>
document.body.ontakeaction = function() {
var theSecret = document.getElementById( "secret" ).value;
if (theSecret==null || theSecret=="") {
alert("Hey, you forgot to enter a secure parameter! Please enter one on the Description tab before taking the action.");
}
else {
TakeSecureFixletAction( Relevance('id of current fixlet'), Relevance('id of current bes site'), "Action1", {}, { secret: theSecret } );
}
return false;
}
</script>
None of that script matters when using XML Import or REST API though. It’s just used by the thick console to create the XML that ends up being posted.
For my test, the Action Script is pretty simple, it just generates a file with the parameters:
//insecure parameter
action parameter query "username" with description "Please specify the name of an existing local user account"
//secure parameter:
// {parameter "secret" of action}
delete __createfile
createfile until EOF_MARKER
username: {parameter "username" of action as string}
secret: {parameter "secret" of action as string}
EOF_MARKER
When I take the action interactively with the thick console, I can see it creates the file I expected:
C:\BES\Client\__BESData\CustomSite_Test_Content>type __createfile
username: ClearTextValue
secret: my test secret
I have a dashboard I use to post generic XML. If I post the XML in this form it works:
<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
<SourcedFixletAction>
<SourceFixlet>
<Sitename>Test Content</Sitename>
<FixletID>14315</FixletID>
<Action>Action1</Action>
</SourceFixlet>
<Target>
<ComputerID>1080572761</ComputerID>
</Target>
<Parameter Name="username">Cleartext Username from XML Import</Parameter>
<SecureParameter Name="secret">My Test Secret Value from XML Import</SecureParameter>
</SourcedFixletAction>
</BES>
Reading back the content:
C:\BES\Client\__BESData\CustomSite_Test_Content>type __createfile
username: Cleartext Username from XML Import
secret: My Test Secret Value from XML Import
I built a very short Python script to POST it to api/actions:
import requests
# to suppress SSL "untrusted certificate" warnings
import warnings
operation = "POST"
certverify = False
url = "https://my-root-server:52311/api/actions"
username = "sorry-not-gonna-share-that"
password = "sorry-not-gonna-share-that"
# Suppress InsecureRequestWarning warnings from requests module
# These are generated when we do not have a trusted CA certificate on the BES Server
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# normally build XML with xml.ElementTree or lxml but...no time for that now...
myXML = """<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
<SourcedFixletAction>
<SourceFixlet>
<Sitename>Test Content</Sitename>
<FixletID>14315</FixletID>
<Action>Action1</Action>
</SourceFixlet>
<Target>
<ComputerID>1080572761</ComputerID>
</Target>
<Parameter Name="username">Cleartext Username from API post</Parameter>
<SecureParameter Name="secret">My Test Secret Value from API post</SecureParameter>
</SourcedFixletAction>
</BES>
"""
# Note that on any of these Exception handlers, we could either raise our own error and quit the script, or handle the error
# and move on to the next query or next server or ...
try:
response = requests.request(
operation,
url,
data=myXML,
headers=None,
verify=certverify,
auth=(username, password),
params=None,
)
except Exception as e:
# This could be an exception such as "server unreachable"
print("Error encountered connecting to the API: " + str(e))
else:
if not response.ok:
# This could be an error such as "We connected to the server and got HTTP response, but the RESPONSE is "Access Denied" or "Page not Found")
print("HTTP " + str(response.status_code) + " " + response.reason)
else:
print("Action sent:")
print(response.text)
When I POST that, I get back the response I expect from Python…
Action sent:
<?xml version="1.0" encoding="UTF-8"?>
<BESAPI xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BESAPI.xsd">
<Action Resource="https://my-root-server:52311/api/action/14319" LastModified="Wed, 04 Aug 2021 20:39:47 +0000">
<Name>Test Secure Parameter Fixlet</Name>
<ID>14319</ID>
</Action>
</BESAPI>
And on the endpoint it created the file I expected…
C:\BES\Client\__BESData\CustomSite_Test_Content>type __createfile
username: Cleartext Username from API post
secret: My Test Secret Value from API post
I went back and referenced a second parameter, “newsecret”, but only in the ActionScript - I didn’t add it to the Description form, Javascript, or anything. I was able to reference that parameter the same way, with an additional <SecureParameter> entry and just adding it to the __createfile with the others.