Re: Powershell API Login Not Returning UID

davidjblackburn · ‎2021-07-21

I've done at least a dozen API implementation in Powershell. The instructions are standard.

https://sc1.checkpoint.com/documents/latest/APIs/index.html?#web/login~v1.5%20

When I run the login, the uid does not get returned.

$header = @{"content-Type"="application/json"}
$body =
"
{
""user"":""me"",
""password"":""mypassword""
}
"

$uri = "https://mymanager.here.com/web_api/login"
$result = Invoke-WebRequest -uri $uri -headers $header -Body $body -method post

$result.RawContent

HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-UA-Compatible: IE=EmulateIE8
X-Forwarded-Host-Port: 443
Transfer-Encoding: chunked
Content-Type: application/json
Date: Wed, 21 Jul 2021 23:30:11 GMT
Server: CPWS

{
"sid" : "TwYUh3EiZAbjK6D1gDB-3461a7HzYmDUVY0cT06susw",
"url" : "https://mymanager.here.com:443/web_api/v1.5",
"session-timeout" : 600,
"last-login-was-at" : {
"posix" : 1626910193164,
"iso-8601" : "2021-07-21T16:29-0700"
},
"read-only" : true,
"api-server-version" : "1.5"
}

PhoneBoy · ‎2021-07-21

Sounds like a bug worthy of a TAC case, which I'm guessing was fixed at some point since R81.10 appears to return the uid.
Also tagging @Omer_Kleinstern.

Note that what's really important at least as far as calling the API is the sid.

davidjblackburn · ‎2021-07-22

Thanks PhoneBoy! We haven't run across each other since 1998. I hope you've been doing ok!

PhoneBoy · ‎2021-07-22

Still at it 20+ years later. 🙂

Bob_Zimmerman · ‎2021-07-22

You're in read-only mode. Note the "read-only" : true at the bottom. Read-only sessions don't get a UUID, just a SID.

davidjblackburn · ‎2021-07-22

Well, rats. I suspected as much.
I'm an infosec guy and don't want much more access to the manager. But, I do like checking stuff often, like the threat protection.
Is there a document that lists the minimum access for the API functions?

https://sc1.checkpoint.com/documents/latest/APIs/index.html?#web/show-threat-protection~v1.5%20

PhoneBoy · ‎2021-07-22

There is only one permission specific to the API: namely you can use it or not.
All other permissions are granted using the standard permission profile for your user.
I presume that particular API call is allowed based on whether your profile gives you access to Threat Prevention > Permissions > Protections or not.

PhoneBoy · ‎2021-07-22

That kinda makes sense, but it does point to an issue with the API documentation.
We should probably note that a UID won't be returned for a read-only session.

Bob_Zimmerman · ‎2021-07-22

I mean, the only thing the UUID does is give you the ability to publish or discard the session. Can’t publish or discard a read-only session.

Bob_Zimmerman · ‎2024-01-27

While building an R81.20 MDS in my lab, I noticed read-only sessions get a UUID now:

➜  ~ curl -k https://standaloneR8110/web_api/login --header "Content-Type: application/json" -d '{"user":"admin","password":"1qaz!QAZ","read-only":true}'
{
  "sid" : "Xqq38zvtE1plx4ni6Ut5y22KXPLQYQoanE8_sP1m-w8",
  "url" : "https://standaloneR8110:443/web_api",
  "session-timeout" : 600,
  "last-login-was-at" : {...},
  "read-only" : true,
  "api-server-version" : "1.8.1",
  "user-name" : "admin",
  "user-uid" : "f15f2c0c-ca41-4d4f-ab1c-9c853e767005"
}

➜  ~ curl -k https://mdsR8120/web_api/login --header "Content-Type: application/json" -d '{"user":"admin","password":"1qaz!QAZ","read-only":true}'
{
  "uid" : "00e564c5-a40c-41e7-9f07-cb2e2da33cc9",
  "sid" : "SfhKiZMZE8rwZ5KeIuysfqiqzliqMo7F5D3g1OUlVyI",
  "url" : "https://mdsR8120:443/web_api",
  "session-timeout" : 600,
  "read-only" : true,
  "api-server-version" : "1.9",
  "user-name" : "admin",
  "user-uid" : "80617f9d-db66-4c0b-815d-4799d12eb3fd"
}

R81.20 SmartCenters also return a UUID. The missing "last-login-was-at" in the MDS output is because this was a new VM and I hadn't logged in before.

Are you a member of CheckMates?

Powershell API Login Not Returning UID