References - Postman Configuration for API v2
Overview
This document provides instructions on configuring Postman for use with the ThreatConnect REST API v2. Typically, when planning an Integrations - External REST Description, it is desirable to be able to quickly test REST calls. This document intends to provide a simple configuration to address the requirements of the API to allow this testing. This document was tested with Postman 7.21.1 and assumes that you have basic familiarity with configuring Postman.
Postman Configuration
Perform the following configurations on your Collection in order to test the ThreatConnect API.
Environment Variables
The following environment variables must be defined in your Collection:
Variable | Current Value |
---|---|
tc_access_id | Access ID for the API user you intend to use |
tc_secret_key | Secret Key for the API user you intend to use |
tc_auth_key | |
tc_timestamp | |
In the table above, fields with a blank value are intentional and should be specified this way in the Postman configuration as well.
When entering these values in the Postman configuration screens, be certain that you do not include any line returns for these values.
Pre-request Script
In order to authenticate with the ThreatConnect API, you must use a Pre-request Script that generates the appropriate HMAC signature required for calls. Here’s an example of a script that could be used for this purpose:
```javascript
var moment = require("moment");
// Path and query string of the request (everything after the host).
var requestURI = new RegExp('(?<=https://.*)(/.*)','g').exec(pm.request.url)[0];
var requestMethod = pm.request.method;
// Current time as a Unix timestamp in seconds.
var requestTimeStamp = moment(new Date().toUTCString()).valueOf() / 1000;
// The signed string is "<path and query>:<METHOD>:<timestamp>".
var signatureRawData = requestURI + ":" + requestMethod + ":" + requestTimeStamp;
// HMAC-SHA256 keyed with the Secret Key, then Base64-encoded.
var signatureBytes = CryptoJS.HmacSHA256(signatureRawData, pm.collectionVariables.get("tc_secret_key"));
var signatureBase64 = CryptoJS.enc.Base64.stringify(signatureBytes);
var accessid = pm.collectionVariables.get("tc_access_id");
var authKey = "TC " + accessid + ":" + signatureBase64;
// Store the results for use in the request headers.
pm.collectionVariables.set("tc_auth_key", authKey);
pm.collectionVariables.set("tc_timestamp", requestTimeStamp);
```
The script above will output the following environment variables: tc_auth_key and tc_timestamp, which should be used in the header of your Request. This script can be placed on an individual Request or can be specified in a Collection for convenience.
You should not configure any settings in the Authorization tab of the Collection or Request when you use this Pre-request Script.
Request Configuration
Within each individual request, define the following headers that will use the output of the script in the previous section:
Key | Value |
---|---|
Authorization | {{tc_auth_key}} |
Timestamp | {{tc_timestamp}} |
Specify the appropriate method for your call and, if necessary, add a JSON payload to the Body of your Request as required by the individual call. See the REST API Documentation for the specific requirements of an individual call.
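To check what the Pre-request Script produces outside Postman, the same signature and the two request headers can be computed in plain Node.js. This is an added example, not ThreatConnect or Postman code; the helper names, host, access ID and secret key are constructed placeholders, and the credential check reflects the line-return caveat above.

```javascript
const nodeCrypto = require('node:crypto');

// Reject credentials that picked up a line return or padding when pasted.
function checkCredential(name, value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error(name + ' is empty');
  }
  if (/[\r\n]/.test(value) || value !== value.trim()) {
    throw new Error(name + ' contains a line return or surrounding whitespace');
  }
}

// String that gets signed: path and query, method, Unix time in seconds.
// Assumption: the URL parser's path/query matches what the script's regex captures.
function signingString(url, method, timestamp) {
  const u = new URL(url);
  return u.pathname + u.search + ':' + method.toUpperCase() + ':' + timestamp;
}

// Returns the Authorization and Timestamp headers described in Request Configuration.
function buildTcHeaders({ url, method, accessId, secretKey, nowMs = Date.now() }) {
  checkCredential('tc_access_id', accessId);
  checkCredential('tc_secret_key', secretKey);
  const timestamp = Math.floor(nowMs / 1000);
  const signature = nodeCrypto
    .createHmac('sha256', secretKey)
    .update(signingString(url, method, timestamp))
    .digest('base64');
  return {
    Authorization: 'TC ' + accessId + ':' + signature,
    Timestamp: String(timestamp),
  };
}

// Constructed sample values, not real credentials or a real host.
const sample = {
  url: 'https://tc.example.com/api/v2/indicators?resultLimit=5',
  method: 'get',
  accessId: '12345678901234567890',
  secretKey: 'constructed-secret-key-for-illustration',
  nowMs: 1700000000000, // fixed clock so the output is reproducible
};
console.log(signingString(sample.url, sample.method, 1700000000));
console.log(buildTcHeaders(sample));
```

Because the secret key is the HMAC key, a single trailing line return in it yields a different signature, which is why the helper rejects it before signing.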