Secure Parameter substitution fail when running with REST API

heagsta 2023-02-24 18:36:05 UTC #1

Hey all, weird scenario here. I have a secure parameter that works just fine when I run the fixlet as master operator from the console in my DEV environment. However, when the fixlet is used to create an action via rest api, the secure parameter is not recognized. The user running the rest API call is also a master operator, so it does not appear to be a permissions issue. Error at the bottom. Any help would be greatly appreciated, thank you.

Is there something in the rest API call that needs to allow dynamic content??

I am simply mapping a drive with the secure parameter pass with a user that has access to a NAS share.

Command failed (Substitution failed while writing file) createfile until end

JasonWalker 2023-02-24 18:56:04 UTC #2

I think we’d need some details about what the XML you’re posting looks like…

JasonWalker 2023-02-24 18:59:50 UTC #3

An example of the XML needed to use a Secure Parameter via REST is at Passing secure parameter to fixlet through Api

heagsta 2023-02-24 22:10:16 UTC #4

the XML generated looks like the below. Since the fixlet already has the secure parameter baked into it, I thought just launching the existing fixlet against a target would be fine via the rest api. It works when I run it from the console.

<?xml version="1.0" encoding="UTF-8"?>
<BESAPI xmlns:xsi="http://www.w3.org/2001/XMLSchema-
instance" xsi:noNamespaceSchemaLocation="BESAPI.xsd">    

<Action Resource="https://SERVER.domain.com:52311/api/action/1115" LastModified="Thu, 23 
Feb 2023 18:42:37 +0000">
        <Name>AMS Automation Test</Name>        
	<ID>1115</ID>    
</Action></BESAPI>

JasonWalker 2023-02-25 00:30:12 UTC #5

This looks like it might be a value that would be returned when your perform a REST GET on an existing action, but isn’t the right kind of document to POST a new action.

You’d need either the full definition of an Action (like the example I posted - that has Relevance, ActionScript, Target, Parameters and SecureParameters) or a SourcedFixletAction (that has a SourceID, SourceSite, ActionID, Target, and Parameters)

JasonWalker 2023-02-25 00:31:53 UTC #6

There’s an example at https://developer.bigfix.com/rest-api/examples/create-action.html that should help

heagsta 2023-02-27 16:03:32 UTC #7

Thanks for the info. So in theory, I should be able to create an action from a pre-existing fixlet that has a baked in secure parameter, right? Assuming it has all of the necessary sourcedfixlet info, site, id, etc. Thank you

JasonWalker 2023-02-27 16:09:58 UTC #8

Yes, that’s correct, you need to send the parameter values in <SecureParameter> nodes.

The same limitations apply as in the console - an action with Secure Parameters cannot be targeted dynamically, for instance. I think I recall a discussion on edge cases that sending these through API requires targeting by ComputerID as well, it may not be possible to target by ComputerName, but I’m not finding that discussion at the moment