ryanleonard Valued Contributor.

HP OO 10.70 REST API - CSRF Help

Hi all,

I'm currently attempting to write a web server in Python - the idea is to listen for commands from the Slack API and forward them off to an OO flow.

I have tested the OO Central API in the Postman tool and it's all working well, however when I attempt to do the same query within Python I get a 401 error...

I have implemented the double CSRF GET recommendation from this page, however this does not fix my issue.

Here is what I have so far:

import requests

def call_oo(oo_input):
	with requests.Session() as session:

		get_url = 'https://localhost:8443/oo/rest/v2'
		#GET request #1 to get initial CSRF Token
		get=session.get(get_url, verify=False)
		get.auth = ("slack_bot", "passsword")
	
		#GET request #2 to get second CSRF Token
		get=session.get(get_url, verify=False)
		get.auth = ("slack_bot", "password")
	
		#Get CSRF Token
		CSRF=get.headers['X-CSRF-TOKEN']
		print(CSRF)
	
		post_url = 'https://localhost:8443/oo/rest/v2/executions'
		headers = {"Content-Type": "application/json", "X-CSRF-TOKEN": CSRF}
		#cookies = {"X-CSRF-TOKEN-OO": CSRF}
		payload = {"flowUuid":"d5b1e934-d1c2-492b-98ca-8752a1b0d60e","inputs":{"slack_post":oo_input}}
		print(headers)
		print(payload)
	
		post = session.post(post_url, data=payload, headers=headers, verify=False)
		print(post.text)

The result of this is:

HTTP Status 401 - Security feature is enabled in the system. Anonymous authentication is not allowed anymore - User should authenticate.

Am I missing something? I'm definitely correctly passing the CSRF token as a header.
This Python request initiates a session so all cookies should be being passed automatically. I have tried to manually pass the cookies with no luck also.

Any help would be greatly appreciated!

Cheers,
Ryan

0 Likes

Accepted Solutions
ryanleonard Valued Contributor.

Re: HP OO 10.70 REST API - CSRF Help

Figured it out finally...

Authorisation of the GET wasn't even working in the first place + I was sending the body as a dict and not a string.

The following snippet works as intended.

import json
import requests

def call_oo(oo_input):
	with requests.Session() as session:

		# Credentials are set on the session so every request carries them
		session.auth = ("slack_bot", "password")

		get_url = 'https://localhost:8443/oo/rest/v2/executions'
		# GET request #1 to get initial CSRF token
		# (verify=False turns off TLS certificate validation)
		get = session.get(get_url, verify=False)

		# GET request #2 to get second CSRF token
		get = session.get(get_url, verify=False)

		# Get CSRF token
		CSRF = get.headers['X-CSRF-TOKEN']
		print(CSRF)

		oo_input = oo_input.decode('utf-8')

		post_url = 'https://localhost:8443/oo/rest/v2/executions'
		headers = {'Content-Type':'application/json','X-CSRF-TOKEN':CSRF}
		# Body is sent as a JSON string; json.dumps escapes quotes and backslashes in oo_input
		payload = json.dumps({"flowUuid": "d5b1e934-d1c2-492b-98ca-8752a1b0d60e", "inputs": {"slack_post": oo_input}})
		print(headers)
		print(payload)

		post = session.post(post_url, data=payload, headers=headers, verify=False)
		print(post.text)
0 Likes
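Added example (not part of the original post): `oo_input` carries text typed by Slack users, so the JSON body should come from a serializer rather than from string concatenation. The sketch below compares the two on constructed sample messages; the helper names and the samples are assumptions made for illustration.

```python
import json

FLOW_UUID = "d5b1e934-d1c2-492b-98ca-8752a1b0d60e"  # flow UUID quoted in the thread

def body_by_concatenation(text):
    """Assemble the request body by string concatenation (for comparison only)."""
    return '{"flowUuid":"' + FLOW_UUID + '","inputs":{"slack_post":"' + text + '"}}'

def body_by_serializer(text):
    """Let json.dumps quote and escape the untrusted text."""
    if isinstance(text, bytes):  # a web server hands over the request body as bytes
        text = text.decode("utf-8")
    return json.dumps({"flowUuid": FLOW_UUID, "inputs": {"slack_post": text}})

def received_inputs(body):
    """Parse the body as a JSON consumer would; None means the body is not valid JSON."""
    try:
        return json.loads(body)["inputs"]
    except (ValueError, KeyError, TypeError):
        return None

# Constructed sample messages, not taken from the thread.
SAMPLES = [
    'restart web-01',          # plain text: both builders agree
    'restart "web-01" now',    # double quotes: concatenated body is invalid JSON
    'C:\\temp\\run',           # backslashes: \t and \r are silently read as escapes
    'a","other_input":"b',     # quote plus JSON-looking text: an extra key appears
]

def compare(samples=SAMPLES):
    """Return (text, inputs seen via concatenation, inputs seen via json.dumps)."""
    return [
        (text,
         received_inputs(body_by_concatenation(text)),
         received_inputs(body_by_serializer(text)))
        for text in samples
    ]

if __name__ == "__main__":
    for text, concatenated, serialized in compare():
        print(repr(text), "| concatenated:", concatenated, "| json.dumps:", serialized)
```

With `requests`, passing `json=<dict>` to `session.post` performs the same serialization and sets the `Content-Type` header.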
Micro Focus Expert

Re: HP OO 10.70 REST API - CSRF Help

Super that you got it working!

Just wondering, as there is an OO ChatOps solution that integrates with Slack as well, what is the functionality that is missing and you are adding?

https://marketplace.microfocus.com/itom/content/oo-chatops 

Thanks,

Lucian 

0 Likes
ryanleonard Valued Contributor.

Re: HP OO 10.70 REST API - CSRF Help

Hi there, I have set up and played around with the chat-ops bot, however I'm looking to implement interactive buttons and slash commands with the bot to simplify running flows for our users.

I'm just using the Python web server on the OO central server to forward the payload from Slack to OO and I'm handling the Slack bot logic with OO.

0 Likes