__REST API (OR REST-API)__ \\
__BUILDING THE URL__ \\
[[https://mydevice.mycompany.com/getstuff?queryName=errors&queryResults=yes]] \\
  * Parameters
  * Terms
  * Endpoint: the endpoint is the whole URL. The left side is the domain name; the right side is the URI
  * A group of **resources** is called a **collection**. [[https://openclassrooms.com/en/courses/6121936-build-your-web-projects-with-rest-apis/6268226-use-rest-resources-and-collections|External Link]]
  * method, headers, data (body) [[https://www.smashingmagazine.com/2018/01/understanding-using-rest-api/|External Link]]

----

FILTERS:
  * [[https://example.com/api/sp/alerts/?filter=/data/attributes/alert_class=dos%20AND%20/data/attributes/importance=2&page=10]]
  * Match booleans: ''ongoing.eq.true'' ; match with numbers: ''attributes/ip_version.eq.4''
  * The URL above has **two parameters** separated by **&**
  * The second parameter has **two terms** separated by ' AND '
  * If we are told to separate anything with a space, the space is encoded in the URL as ''%20''. So, if we need something like ' AND ', we encode it as ''%20AND%20''
  * [[https://www.w3schools.com/tags/ref_urlencode.ASP|URL_encoding_reference]]

__SECURITY__ [[https://restfulapi.net/security-essentials/|External_Link]]
  * CREDENTIALS:
    * Token bearer
    * Non-standard token (in the header itself):
      * Content-Type : Content-Type
      * X-Arbux-APIToken : xxxxxxx

__Rest API resource ''internals''__ [[https://medium.com/@h4t0n/rest-api-uuid-v3-is-the-right-way-3ca0695610dc|LINK]] \\
  * The REST API should expose a named UUID-V3 identifier. The UUID should be generated from the resource's logical key
  * The BACKEND should use/store numeric (ID) primary keys for its logic

----

  * [[https://restfulapi.net/security-essentials/|Security_Principles]]
  * Sample domains:
    * [[http://ip.jsontest.com]]
    * [[https://www.w3schools.com/python/demopage.js]]

----

**CURL** \\
**TODO: curl most common flags** [[https://gist.github.com/eneko/dc2d8edd9a4b25c5b0725dd123f98b10|External Link]]
  * ''-H'' (header)
  * ''-X'' (request verb to use. Example: ''-X PUT'')

**CRAFTED REQUESTS**\\
The USER-AGENT makes a request in which it connects to the DOMAIN (whatever the region is). The actual HTTP request is then the line:
<code>
GET /multizone/channels-json.fcgi?url=mobileapp%3Ade.telekom.t_online_de HTTP/1.1
</code>
So normally the hostname and the request come in DIFFERENT PACKETS. The DOMAIN is resolved into an IP; it does not travel as part of the request line. The entire URL, e.g. "protocol://hostname/path", isn't sent as a single line in HTTP. Instead you get:
<code>
METHOD path HTTP/Version
Host: hostname
</code>
E.g. for ''http://xyz.com/hello/world'':
<code>
GET /hello/world HTTP/1.1
Host: xyz.com
</code>

**CURL AND SOCKS** \\
Also see curl examples in [[https://softbackbone.duckdns.org/doku.php?id=network_stuff:linux|External Link]] \\
<code>
curl --socks5 127.0.0.1:1080 -X GET --header 'Accept: application/json' --header 'X-CSRFToken: XXXXYYYY' 'http://netbox.uswest-cluster.aws.mycompany1.co.uk:8080/api/dcim/devices/'
</code>

----

**REQUESTS MODULE**\\
**requests.get(...) == requests.request("GET", ...)**\\
REQUEST TO DICT AND MANIPULATION (**working example!**):
<code python>
import json

import requests

url = "http://observium.dc.mycompany1.co.uk/api/v0/devices/"
response = requests.get(url, auth=('api2', 't.........'))
# Parse the JSON body into a dict
json_data = json.loads(response.text)
# Walk the top-level keys of the response
for key, value in json_data.items():
    print(key, value)
</code>

<code python>
#!/usr/bin/env python
[...]
    resources = data["resources"]
    end_result = []
    for res_elements in resources:
        if res_elements["type"] == "oci_core_network_security_group_security_rule":
            # Creates list with NSG ids for all NSG-rules
            end_result.append(res_elements["instances"][0]["attributes"]["network_security_group_id"])
    # How many different NSGs we have (ocids)
    nsgs = sorted(set(end_result))
    # For loop goes through all NSGs and counts occurrences (1 NSG will appear per rule)
    for item in nsgs:
        print("NSG: " + item[-5:] + " ; Number-of-rules: " + str(end_result.count(item)))

if __name__ == "__main__":
    main()
</code>

----

**JUNOS REST API**:\\
  * This link for resources: [[https://forums.juniper.net/t5/Junos/REST-API-for-EX-series/td-p/318479|External Link]]
<code>
set system services rest http port 3000
set system services rest enable-explorer
set system services rest control allowed-sources [ 10.5.128.12 10.8.8.3 ]
set system services rest control connection-limit 100
set system services rest http addresses 10.5.128.8
set system services rest traceoptions flag all
</code>
Curl call:
<code>
curl -u "root:password" http://10.5.128.8:3000/rpc/get-interface-information
# we can easily use the browser-based rest-api navigator
</code>
To see the RPC call from a plain junos command (example):
<code>
show bgp summary | display xml rpc
</code>

----

**__ASA REST API__**\\
[[http://www.cisco.com/c/en/us/td/docs/security/asa/api/qsg-asa-api.html#56532]]

----

**__CPI 3 API NOTES__**\\
REST API 101 [[http://developer.cisco.com/site/devnet/learn/coding-101-tutorial/#how-does-this-work?]]\\
- API account in PI needs to be created and assigned to new Virtual Domain with the correct permissions!\\
- Initiate postman. Clear cache and cookies.\\
- Interceptor ON\\
- In chrome: [[https://crpashcpi01.corporate.local/webacs/pages/common/login.jsp]] + Login as api user\\
- Now you can issue the api URL in postman

----

\\
**__THE HTTP HEADER__**
  * [[https://en.wikipedia.org/wiki/List_of_HTTP_header_fields|List_of_HTTP_headers]]
  * [[https://www.websparrow.org/misc/how-to-view-http-headers-in-mozilla-firefox]]
<code>
GET /tutorials/other/top-20-mysql-best-practices/ HTTP/1.1
Host: code.tutsplus.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120
Pragma: no-cache
Cache-Control: no-cache
</code>

METHOD \\
  * GET - used when retrieving data
  * POST - used when creating something new
  * PUT - used when updating data
  * DELETE - used to delete data

HOST: Is a way of multiplexing. An HTTP request is sent to a specific IP address. But since most servers are capable of hosting multiple websites under the same IP, they must know which domain name the browser is looking for.

URL\\
The URL for the endpoint you want to call. Example: ''http://{APIC-EMController}/api/v0/host'' \\

AUTHENTICATION [[https://blog.restcase.com/4-most-used-rest-api-authentication-methods/|External Link]] \\
  * You need to know the authentication type to use. Basic HTTP and OAuth are common types.
  * Authentication credentials

CUSTOM HEADER:
  * Does the API require you to send any HTTP headers?
  * Example: ''Content-Type: application/json''

REQUEST BODY\\
JSON or XML containing data that is needed to complete the request can be sent in the body of the request. \\

CONNECTION:\\
The only values are ''keep-alive'' or ''close''

----

JSON NOTES:\\
  * key : value pairs
  * OBJECT: whatever is in curly braces
  * ARRAY: whatever is in square brackets. Sometimes the array comprises the whole code (**top level object**)

If we want the Top Level Object to be in curly brackets, it requires a key (because everything in curly brackets needs to be key : value!).
<code javascript>
console.log(myObj.People[1].Lastname);
</code>
In JS code, with JSON whose top level object is in curly brackets, this accesses the second curly-bracket block inside the top level object and then the value associated with the 'Lastname' key in that block. See DevNet(43) video for more info.

----

**__POSTMAN TUTO__**\\
INSTALL POSTMAN: [[https://learning.postman.com/docs/getting-started/installation-and-updates/#installing-postman-on-linux|External Link]]\\
Download it to the Downloads folder, then:
<code>
sudo tar -xvzf ~/Downloads/Postman-linux-x64-7.33.1.tar.gz -C /opt
sudo ln -s /opt/Postman/Postman /usr/bin/postman
</code>
  * PASSWORD MANAGEMENT: For authentication, provided the credentials are static, we do: Basic Auth > Update Request > [Check headers to see authorization token is generated] > Test > Save it
  * Other popular authentication methods: 'token bearer' ; token created manually in the header (header tab: key : 'Authentication' value : 'Token ee8jgfjhfkhvhjvjh1')
  * CODE GENERATED: Note ''verify=False'' for the SSL verification & removed: cache-control and postman-token {{:scripting:postman1.png?600|}}
  * Accept header: Note that this is misleading. It goes in the request (GET) and specifies **the media types which are acceptable for the response**.
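
The generated code noted above carries ''verify=False'', which turns certificate checking off. As an added example (not Postman's output and not code from this page), the sketch below builds the same kind of token-authenticated GET with verification left on, using only the Python standard library instead of ''requests''. The environment variable ''API_TOKEN'', the function names and the URL are assumptions; the ''X-Arbux-APIToken'' header name is the one from the SECURITY notes.

```python
import os
import ssl
import urllib.request

TOKEN_HEADER = "X-Arbux-APIToken"   # header name taken from the SECURITY notes

def make_tls_context(ca_bundle=None, insecure=False):
    """Return an SSLContext; insecure=True mirrors requests' verify=False."""
    if insecure:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE     # any certificate is accepted
        return ctx
    # Default: verify the chain and the hostname. For an internal CA, pass its
    # PEM bundle (requests equivalent: verify="/path/to/ca.pem").
    return ssl.create_default_context(cafile=ca_bundle)

def build_request(url, token=None):
    """Build (not send) a GET; the token comes from the caller or the environment."""
    token = token or os.environ.get("API_TOKEN")    # assumed variable name
    if not token:
        raise ValueError("no API token supplied")
    if not url.lower().startswith("https://"):
        # A token header sent over plain http is readable on the wire.
        raise ValueError("refusing to send a token over a non-https URL")
    return urllib.request.Request(url, method="GET", headers={
        "Accept": "application/json",    # media type we accept in the response
        TOKEN_HEADER: token,
    })

def fetch(url, ca_bundle=None):
    """Send the request with verification on; returns the response body."""
    ctx = make_tls_context(ca_bundle)
    with urllib.request.urlopen(build_request(url), context=ctx, timeout=10) as r:
        return r.read()
```

Keeping the token out of the script also keeps it out of saved Postman collections and shell history.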
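
The FILTERS notes near the top of this page, as an added example (not from the original page or from the API vendor): the parameter/term structure built and parsed back with the standard library, so that the ' AND ' separator becomes ''%20AND%20'' and a value containing ''&'' cannot turn into an extra parameter. The function names and the rule that values may not contain whitespace are assumptions (the latter assumes the API splits terms on ' AND ' after decoding); the base URL and attribute paths are the ones in the notes.

```python
from urllib.parse import quote, unquote, urlsplit

BASE = "https://example.com/api/sp/alerts/"

def build_url(base, terms, page):
    """terms: list of (attribute_path, value) pairs, joined with ' AND '."""
    encoded = []
    for path, value in terms:
        value = str(value)
        # Percent-encoding protects the '&' boundary but not the term boundary:
        # a value carrying ' AND ' would decode into an extra term (assumption:
        # the server decodes before splitting), so whitespace is rejected.
        if any(ch.isspace() for ch in value):
            raise ValueError("whitespace in filter value: %r" % value)
        # Encode '&', '=' and '/' inside the value; keep '/' in the path.
        encoded.append(quote(path, safe="/") + "=" + quote(value, safe=""))
    flt = "%20AND%20".join(encoded)             # ' AND ' with spaces as %20
    return f"{base}?filter={flt}&page={int(page)}"

def parse_url(url):
    """Split a URL into parameters, and the filter parameter into terms."""
    params = {}
    for pair in urlsplit(url).query.split("&"):         # parameters
        name, _, raw = pair.partition("=")
        if name == "filter":
            terms = []
            for term in raw.split("%20AND%20"):         # terms
                path, _, value = term.partition("=")
                terms.append((unquote(path), unquote(value)))
            params[name] = terms
        else:
            params[name] = unquote(raw)
    return params
```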