I'm using a Groovy script together with the rest/api/2 to try to delete a user from a group. The call to DELETE rest/api/2/group/user returns status 401 with the message "This resource requires WebSudo.". Since I didn't see any way to use the rest/api/2 to gain WebSudo, I tried creating a POST request to websudoauthenticate, with the session id and atlassian token in the cookie tag of the header taken from the authentication call I made previously.
I get a 302 Found response, but still can do the delete.
Is this the right way to go about gaining WebSudo rights in a script?
Here are my calls:
basic authorization:
    def resp = get(headers: ['Authorization': "Basic ${authString}"], path: "${rest_api_prefix}myself")
    resp.getHeaders('Set-Cookie').each {
        String cookie = it.value.split(';')[0]
        cookies.add(cookie)
        println (cookie.toString())
        def parts = cookie.split("=")
        parts.each{println(it)}
        if (parts[0] == "atlassian.xsrf.token") {
            atlassian_session_cookie = parts[1]
            println "found atlassian session cookie $atlassian_session_cookie"
        }
    }
    assert resp.status == 200
trying to get WebSudo
    def cookie_string = cookies.join(";")
    def resp = post(
        path : 'secure/admin/WebSudoAuthenticate.jspa',
        headers: ['Cookie': cookie_string, 'X-Atlassian-Token' : 'no-check'],
        requestContentType : URLENC,
        query : [webSudoPassword: config.rest_api_client.password,
                 webSudoDestination: 'rest/api/2/group/user',
                 webSudoIsPost: false,
                 atl_token: atlassian_session_cookie]
    )
    assert resp.status == 302 // is this the status I should get?
trying to delete the user from the group
    def issuesResponse = delete(
        path: "${rest_api_prefix}group/user",
        headers: ['Cookie': cookie_string],
        query: [groupname : aGroupname, username : aUsername ]
    )
I got this working with the following calls. I changed the above call to get WebSudo, removing unnecessary query parameters.
    def cookie_string = cookies.join(";")
    def resp
    log.debug "Authorizing user with WebSudo: <${config.rest_api_client.username}"
    resp = myRESTClient.post(
        path : 'jira/secure/admin/WebSudoAuthenticate.jspa',
        headers: ['Cookie': cookie_string],
        requestContentType : URLENC,
        query : [webSudoPassword: config.rest_api_client.password.toString()]
    )
    assert resp.status == 302
And added the atlassian token to the delete request.
    def resp = myRESTClient.delete(
        path: "${rest_api_prefix}group/user",
        headers: ['Cookie': cookie_string],
        query : [username: aUsername, groupname: aGroupname, atl_token: atlassian_session_cookie ]
    )
This worked for me!
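Both posts rely on the same cookie handling: collect the Set-Cookie values from the login response, replay them on the WebSudo and DELETE calls, and pass the atlassian.xsrf.token value as atl_token. The helper below is an added example, not code from either post; the CookieJar class and the sample header values are constructed for illustration.

```groovy
// Added example: a minimal cookie jar for the login -> WebSudo -> DELETE sequence.
class CookieJar {
    // LinkedHashMap: keeps first-seen order, a re-set cookie replaces its old value
    final Map<String, String> cookies = [:]

    /** Merge the Set-Cookie header values of one response into the jar. */
    void merge(Collection<String> setCookieValues) {
        setCookieValues.each { String header ->
            // Keep only "name=value"; drop attributes such as Path or HttpOnly
            String pair = header.split(';', 2)[0].trim()
            int eq = pair.indexOf('=')
            if (eq <= 0) return            // malformed entry: skip it
            // Split on the FIRST '=' only, so a value containing '=' is not truncated
            cookies[pair.substring(0, eq)] = pair.substring(eq + 1)
        }
    }

    /** Value for the Cookie request header. */
    String header() {
        cookies.collect { name, value -> "${name}=${value}" }.join('; ')
    }

    /** Value to send as atl_token on the state-changing request. */
    String xsrfToken() {
        cookies['atlassian.xsrf.token']
    }
}

def jar = new CookieJar()

// Constructed Set-Cookie values, shaped like a login response
jar.merge(['JSESSIONID=AAAA1111; Path=/jira; HttpOnly',
           'atlassian.xsrf.token=BBBB-2222|abc=|lin; Path=/jira'])

// Constructed: a later response sets JSESSIONID again; the jar must not keep the old one
jar.merge(['JSESSIONID=CCCC3333; Path=/jira; HttpOnly'])

assert jar.header() == 'JSESSIONID=CCCC3333; atlassian.xsrf.token=BBBB-2222|abc=|lin'
assert jar.xsrfToken() == 'BBBB-2222|abc=|lin'

// In the calls from the posts this would be used as:
//   headers: ['Cookie': jar.header()]
//   query  : [username: aUsername, groupname: aGroupname, atl_token: jar.xsrfToken()]
```

If myRESTClient is HTTPBuilder's RESTClient (an assumption; the posts do not say), `query:` places webSudoPassword in the request URL, where it can be recorded in access logs. Passing the same map as `body:` with `requestContentType: URLENC` sends it as form data instead.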