REST API (OR REST-API)
BUILDING THE URL
https://mydevice.mycompany.com/getstuff?queryName=errors&queryResults=yes

• Parameters
  • Terms
• Endpoint: endpoint is the whole URL. Leftside is Domain name; Rightside is URI
• A group of resources is called a collection. External Link
• method, headers, data(body) External Link

FILTERS:

• https://example.com/api/sp/alerts/?filter=/data/attributes/alert_class=dos%20AND%20/data/attributes/importance=2&page=10
• Match booleans: ongoing.eq.true ; match with numbers : attributes/ip_version.eq.4

• The URL above has two parameters separated by &
  • The second parameter has two terms separated by ' AND '

• If we are told to separate anything with Space, this is how is encoded in the URL : %20. So, if we need something like ' AND ' we encode it as: %20AND%20
  • URL_encoding_reference

SECURITY External_Link

• CREDENTIALS:
  • Token bearer
  • Non-standard token (in the header itself):
  • Content-Type : Content-Type
  • X-Arbux-APIToken : xxxxxxx

Rest API resource internals LINK

• REST API should expose named UUID-V3 identifier. UUID should be generated from the resource logical key
• BACKEND should use/store numeric (ID) primary keys for its logics

• Security_Principles
• Sample domains:
  • http://ip.jsontest.com
  • https://www.w3schools.com/python/demopage.js

CURL
TODO: curl most common flags External Link

• -H (header)
• -X (request verb to use. Example -X PUT)

CRAFTED REQUESTS
The USER-AGENT makes a request in which they connect to the DOMAIN (whatever the region is). The actual HTTP-REQUEST is then the line:

GET /multizone/channels-json.fcgi?url=mobileapp%3Ade.telekom.t_online_de HTTP/1.1

So normally hostname and request comes in DIFFERENT PACKETS. The DOMAIN is not traveling in any packet, that's resolved into an IP.

The entire URL, e.g.: “protocol:/hostname/path” isn't sent as a single line in HTTP. Instead you get:

METHOD path HTTP/Version
Host: hostname

E.g.http://xyz.com/hello/world
GET /hello/world HTTP/1.1

Host: xyz.com

CURL AND SOCKS
Also see curl examples in External Link

curl --socks5 127.0.0.1:1080 -X GET --header 'Accept: application/json' --header 'X-CSRFToken: XXXXYYYY' 'http://netbox.uswest-cluster.aws.mycompany1.co.uk:8080/api/dcim/devices/'

REQUESTS MODULE
requests.get == requests.request(“GET”,

REQUEST TO DICT AND MANIPULATION (working example!):

import requests
import json
import urllib2
url = "http://observium.dc.mycompany1.co.uk/api/v0/devices/"
response = requests.get(url, auth=('api2', 't.........'))
json_data = json.loads(response.text)
for key, value in json_data.iteritems() :
    print key, value
    

#!/usr/bin/env python
[...]
    resources = data["resources"]
      end_result = []
    for res_elements in resources:
        if res_elements["type"] == "oci_core_network_security_group_security_rule":
            # Creates list with NSG ids for all NSG-rules
            end_result.append(res_elements["instances"][0]["attributes"]["network_security_group_id"])
    # How many different NSGs we have (ocids)
    nsgs = sorted(set(end_result))
    # For loop goes through all NSGs and count occurrences (1 NSG will appear per rule)
    for item in nsgs:
        print ("NSG: " + item[-5:] + " ; Number-of-rules: " + str(end_result.count(item)))
if __name__ == "__main__":
    main()

JUNOS REST API:

• This link for resources: External Link

set system services rest http port 3000
set system services rest enable-explorer
set system services rest control allowed-sources [10.5.128.12 10.8.8.3]
set system services rest control connection-limit 100
set system services rest http addresses 10.5.128.8
set system services rest traceoptions flag all

Curl call:

curl -u "root:password" http://10.5.128.8:3000/rpc/get-interface-information # we can easily use the browse based rest-api navigator

To see the rcp call from a plain junos command (example):

show bgp summary | display xml rpc

ASA REST API\
http://www.cisco.com/c/en/us/td/docs/security/asa/api/qsg-asa-api.html#56532

CPI 3 API NOTES
REST API 101 http://developer.cisco.com/site/devnet/learn/coding-101-tutorial/#how-does-this-work?

1. API account in PI needs to be created and assigned to new Virtual Domain with the correct permissions!
   
2. Initiate postman. Clear cache and cookies.
3. Interceptor ON
4. In chrome: https://crpashcpi01.corporate.local/webacs/pages/common/login.jsp + Login as api user
5. Now you can issue the api URL in postman

THE HTTP HEADER

• List_of_HTTP_headers
• https://www.websparrow.org/misc/how-to-view-http-headers-in-mozilla-firefox

GET /tutorials/other/top-20-mysql-best-practices/ HTTP/1.1
Host: code.tutsplus.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120
Pragma: no-cache
Cache-Control: no-cache

METHOD

• GET - used when retrieving data
• POST - used when creating something new
• PUT - used when updating data
• DELETE - used to delete data

HOST: Is a way of multiplexing. An HTTP request is sent to a specific IP address. But since most servers are capable of hosting multiple websites under the same IP, they must know which domain name the browser is looking for.

URL
The URL for the endpoint you want to call Example: http://APIC-EMController}/api/v0/host

AUTHENTICATION External Link

• You need to know the authentication type to use. Basic HTTP, and OAuth are common types.
• Authentication credentials

CUSTOM HEADER:

• Does the API require you to send any HTTP Headers?
• Example: Content-Type: application/json

REQUEST BODY
JSON or XML containing data that is needed to complete request can be sent in the body of the request
CONNECTION:
Only values are keep-alive or close

JSON NOTES:

• key : value pairs
• OBJECT: whatever in Curly Braces
• ARRAY: whatever in squared brackets. Sometimes the array comprises the whole code top level object

If we want the Top Level Object to be in curly brackets, it requires to have a key (beccause all in curly brackets needs to be key value!).

console.log(myObj.People[1].Lastname); # in js code and in json with top level code as curly, will access the second curly brackets inside the tlc and then to the value associated to the 'LastName' in that curly block. see DevNet(43) video for more info.

—- POSTMAN TUTO
INSTALL POSTMAN: External Link

~Download it in Downloads folder
sudo tar -xvzf ~/Downloads/Postman-linux-x64-7.33.1.tar.gz -C /opt
sudo ln -s /opt/Postman/Postman /usr/bin/postman

• PASSWORD MANAGEMENT: For authentication, providing credentials are static, we do: Basic Auth > Update Request > [Check headers to see authorization token is generated] > Test > Save it
  • Other popular authentication methods: 'token bearer' ; token created manually in the header (header tab: key : 'Authentication' value :' Token ee8jgfjhfkhvhjvjh1'
• CODE GENERATED: Note verify=False for the ssl verification & removed: cache-control and postman-token

• Accept header: Note that this is misleading. It goes in the request (GET) and specifies the media types which are acceptable for the response.