New to API

alexkog · ‎2021-07-25

Hi guys

i am new to API world and i am trying ti automate some basic staff.

i am trying to work with the python script provided here https://sc1.checkpoint.com/documents/latest/APIs/#introduction~v1.5%20 and just cant figure it out.

the firest error i got is :

Error(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))

i am manged to pass it by adding verify=False to the r = requests.post func.

next error is:

simplejson.errors.JSONDecodeError: Expecting value: line 1 column 1 (char 0).

what am i doing wrong and what is the best way to debug it ?

tnx

Bob_Zimmerman · ‎2021-07-25

I'm not terribly familiar with Python, so I'm not sure what could be wrong there. Is there any particular language you are comfortable with? There's probably somebody on the forum who could write a similar script in that language to help get you started. Here's basically the same script in PowerShell, which I know a bit better:

$username = "my_username"
$password = "secret"
$managementServer = "192.168.65.2"
$chkpSID = ""

function Invoke-cpapiCall {
	param (
		[string]$apiPoint,
		[Hashtable]$callBody = @{}
	)
	
	$callResult = Invoke-WebRequest `
	-Uri "https://${managementServer}/web_api/${apiPoint}" `
	-ContentType "application/json"`
	-Method POST `
	-Headers @{"x-chkp-sid"=$chkpSID} `
	-Body $($callBody | ConvertTo-Json -Compress) `
	-SkipCertificateCheck `
	| ConvertFrom-Json -AsHashtable
	
	if ($apiPoint -eq "logout") {
		$chkpSID = ""
	}
	return $callResult
}

$loginBody = @{user=$username;password=$password}
$loginResult = Invoke-cpapiCall -apiPoint "login" -callBody $loginBody
$chkpSID = $loginResult["sid"]
Write-Host "Session ID: ${chkpSID}"

$newHostBody = @{name="new host name";"ip-address"="192.168.1.1"}
$newHostResult = Invoke-cpapiCall -apiPoint "add-host" -callBody $newHostBody
Write-Host "add-host result:`n$($newHostResult | ConvertTo-Json)`n"

$publishResult = Invoke-cpapiCall -apiPoint "publish"
Write-Host "publish result:`n$($publishResult | ConvertTo-Json)`n"

$logoutResult = Invoke-cpapiCall -apiPoint "logout"
Write-Host "logout result:`n$($logoutResult | ConvertTo-Json)"

This one keeps the request bodies as PowerShell hash tables by default. I like PowerShell because it comes with things like Invoke-WebRequest and Convert(To|From)-Json without needing to import any external libraries.

alexkog · ‎2021-07-25

Hi and tnx for reply

powershell is not an option since i am running the script from ubuntu server.

tnx

aheilmaier · ‎2021-07-26

I have not used the api outside mgmt_cli of the mgmt console. So I can not answer your original question.

If you want to give powershell a Try, powershell Core is available for linux. There are *.deb packages available from microsoft.

Bob_Zimmerman · ‎2021-07-26

Yep! I'm actually running PowerShell on my Mac where I do all my other development work. 😉

That earlier code is kind of gross. Global variables and all that. I only spent ~20 minutes writing and testing it, though. Here's a version with somewhat better encapsulation:

class CheckPointApiConnection {
	[String]$ManagementServer
	hidden [String]$CheckPointApiSid = ""
	
	CheckPointApiConnection(
		[String]$mgmtServer,
		[String]$User,
		[String]$Pass,
		[Boolean]$readOnly
	) {
		$this.ManagementServer = $mgmtServer
		$loginBody = @{user=$User;password=$Pass;"read-only"=$readOnly}
		$loginResult = $this.ApiCall("login", $loginBody, $false)
		$this.CheckPointApiSid = $loginResult["sid"]
	}
	
	[Hashtable] ApiCall(
		[String]$ApiPoint
	) {
		return $this.ApiCall($ApiPoint, @{}, $false)
	}
	
	[Hashtable] ApiCall(
		[String]$ApiPoint,
		[Hashtable]$Body
	) {
		return $this.ApiCall($ApiPoint, $Body, $false)
	}
	
	[Hashtable] ApiCall(
		[String]$ApiPoint,
		[Boolean]$PrintResult
	) {
		return $this.ApiCall($ApiPoint, @{}, $PrintResult)
	}
	
	[Hashtable] ApiCall(
		[String]$ApiPoint,
		[Hashtable]$Body,
		[Boolean]$PrintResult
	) {
		$CallResult = Invoke-WebRequest `
		-Uri "https://$($this.ManagementServer)/web_api/${ApiPoint}" `
		-ContentType "application/json"`
		-Method POST `
		-Headers @{"x-chkp-sid"=$($this.CheckPointApiSid)} `
		-Body $($Body | ConvertTo-Json -Compress) `
		-SkipCertificateCheck
		
		if ($apiPoint -eq "logout") {
			$this.CheckPointApiSid = ""
		}
		if ($PrintResult) {
			Write-Host "${ApiPoint} result:`n${CallResult}`n"
		}
		return ($CallResult | ConvertFrom-Json -AsHashtable)
	}
}

$apiConnection = [CheckPointApiConnection]::new("192.168.65.2", "my_username", "secret", $false)

$newHostBody = @{name="new host name";"ip-address"="192.168.1.1"}
$newHostResult = $apiConnection.ApiCall("add-host", $newHostBody, $true)

$publishResult = $apiConnection.ApiCall("publish", $true)

$logoutResult = $apiConnection.ApiCall("logout", $true)

I'm not as familiar with methods in PowerShell objects as I am with functions. It feels like all those signatures for ApiCall could probably be consolidated down with optional arguments, or default values. I'm not sure if I can add argument names to method calls. That would cost a little verbosity, but greatly improve clarity at the call site.

This also doesn't have any error handling or disposal handling. For example, if you remove the object for the API connection, it should call logout to cleanly close the session on the management side.

Are you a member of CheckMates?

New to API