Gaining WebSudo access while using rest/api/2

Rick Frey September 17, 2014

I'm using a Groovy script together with the rest/api/2 to try and delete a user from a group. The call to DELETE rest/api/2/group/user returns status 401 with the message "This resource requires WebSudo.". Since I didn't see any way to use the rest/api/2 to gain WebSudo, I tried creating a POST request to websudoauthenticate, with the session id and Atlassian token in the Cookie tag of the header, taken from the authentication call I made previously.

I get a 302 Found response, but still can do the delete. 

Is this the right way to go about gaining WebSudo rights in a script?

Here are my calls:

basic authorization:

def cookies = []                 // session cookies captured from the login response
def atlassian_session_cookie     // value of the atlassian.xsrf.token cookie, reused as atl_token later
def resp = get(headers: ['Authorization': "Basic ${authString}"],
        path: "${rest_api_prefix}myself")
resp.getHeaders('Set-Cookie').each {
    String cookie = it.value.split(';')[0]      // keep only name=value, drop Path/HttpOnly attributes
    cookies.add(cookie)
    println (cookie.toString())
    def parts = cookie.split("=", 2)            // split once: the token value itself may contain '='
    parts.each{println(it)}
    if (parts[0] == "atlassian.xsrf.token") {
        atlassian_session_cookie = parts[1]
        println "found atlassian session cookie $atlassian_session_cookie"
    }
}
assert resp.status == 200

trying to get WebSudo:

def cookie_string = cookies.join(";")
def resp = post(
        path : 'secure/admin/WebSudoAuthenticate.jspa',
        headers: ['Cookie': cookie_string,
                  'X-Atlassian-Token' : 'no-check'],
    requestContentType : URLENC,
    query : [webSudoPassword: config.rest_api_client.password,
             webSudoDestination: 'rest/api/2/group/user',
             webSudoIsPost: false,
             atl_token: atlassian_session_cookie]
)
assert resp.status == 302 // is this the status I should get?

trying to delete the user from the group:

def issuesResponse = delete(
        path: "${rest_api_prefix}group/user",   // double quotes: a single-quoted Groovy string does not interpolate
        headers: ['Cookie': cookie_string],
        query: [groupname : aGroupname, username : aUsername ]
)

1 answer


4 votes
Rick Frey October 1, 2014

I got this working with the following calls. I changed the above call to get WebSudo, removing unnecessary query parameters.

def cookie_string = cookies.join(";")
def resp
log.debug "Authorizing user with WebSudo: <${config.rest_api_client.username}"
resp = myRESTClient.post(
        path : 'jira/secure/admin/WebSudoAuthenticate.jspa',
        headers: ['Cookie': cookie_string],
        requestContentType : URLENC,
        query : [webSudoPassword: config.rest_api_client.password.toString()]
)
assert resp.status == 302

And added the atlassian token to the delete request.

def resp = myRESTClient.delete(
        path: "${rest_api_prefix}group/user",
        headers: ['Cookie': cookie_string],
        query : [username: aUsername,
                 groupname: aGroupname,
                 atl_token: atlassian_session_cookie
        ]
)

This worked for me!
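The three-step sequence that worked above (Basic login to capture the cookies, WebSudo re-authentication, then the DELETE carrying atl_token), as an added Python example run against a small hypothetical stub server that enforces the same two checks. This is not the thread's or Atlassian's code: the stub's endpoint behaviour, the cookie names, the 403 for a missing token and all sample values are assumptions.

```python
import base64, threading, urllib.error, urllib.parse, urllib.request
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

XSRF, PASSWORD, SUDO = "constructed-xsrf-token", "s3cret", "jira.websudo.timestamp"  # constructed values

class StubJira(BaseHTTPRequestHandler):  # hypothetical stand-in for the three JIRA endpoints in the thread
    def log_message(self, *args): pass
    def do_GET(self):     # rest/api/2/myself: Basic login -> session cookie + XSRF token cookie
        self.send_response(200 if self.headers.get("Authorization", "").startswith("Basic ") else 401)
        self.send_header("Set-Cookie", "JSESSIONID=constructed-session; Path=/; HttpOnly")
        self.send_header("Set-Cookie", f"atlassian.xsrf.token={XSRF}; Path=/")
        self.end_headers()
    def do_POST(self):    # WebSudoAuthenticate.jspa: password re-check -> 302 + websudo cookie
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        ok = urllib.parse.parse_qs(body).get("webSudoPassword") == [PASSWORD]
        self.send_response(302 if ok else 401)
        if ok: self.send_header("Set-Cookie", f"{SUDO}=1; Path=/"); self.send_header("Location", "/")
        self.end_headers()
    def do_DELETE(self):  # rest/api/2/group/user: needs the websudo cookie AND a matching atl_token
        q = urllib.parse.parse_qs(urllib.parse.urlsplit(self.path).query)
        c = {k: m.value for k, m in SimpleCookie(self.headers.get("Cookie", "")).items()}
        code = 401 if SUDO not in c else 403 if q.get("atl_token") != [c.get("atlassian.xsrf.token")] else 200
        self.send_response(code); self.end_headers()   # 401 is JIRA's "This resource requires WebSudo."

def start_stub():
    srv = HTTPServer(("127.0.0.1", 0), StubJira)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kw): return None  # surface the 302 instead of following it

def jira_flow(base, password, send_token=True):  # returns (websudo status, delete status)
    cookies, opener = {}, urllib.request.build_opener(_NoRedirect)   # hand-rolled cookie jar
    def call(method, path, headers=None, body=None):
        req = urllib.request.Request(base + path, data=body, method=method, headers=headers or {})
        req.add_header("Cookie", "; ".join(f"{k}={v}" for k, v in cookies.items()))
        try: resp = opener.open(req)
        except urllib.error.HTTPError as err: resp = err   # 302/401/403 land here with headers intact
        for sc in resp.headers.get_all("Set-Cookie") or []:
            name, _, value = sc.split(";", 1)[0].partition("=")  # split once: values may contain '='
            cookies[name.strip()] = value.strip()
        return resp.code
    call("GET", "/rest/api/2/myself", {"Authorization": "Basic " + base64.b64encode(b"admin:pw").decode()})
    sudo = call("POST", "/secure/admin/WebSudoAuthenticate.jspa", {"Content-Type": "application/x-www-form-urlencoded"},
                urllib.parse.urlencode({"webSudoPassword": password}).encode())   # password in the body, not the URL
    query = {"groupname": "jira-developers", "username": "rfrey"}
    if send_token: query["atl_token"] = cookies["atlassian.xsrf.token"]
    return sudo, call("DELETE", "/rest/api/2/group/user?" + urllib.parse.urlencode(query))
```

The stub answers the WebSudo POST with a 302 plus Location, as the thread reports, so the client deliberately refuses to follow redirects and reads the cookies off the 302 itself. The password is form-posted in the body here, whereas HTTPBuilder's query: map appends it to the URL, where proxies and access logs would record it.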

Sergey Epishkin March 9, 2015

Works like a charm! Thanks a lot!
