How to use API to share a resource to a group?

I am trying to import some existing logins to passbolt (see partial code below). I am getting “The secrets of all the users having access to the resource are required.”

...
            secrets = passbolt.get(f'/secrets/resource/{resource.id}.json')['body']
            # secrets = map(lambda s: s['body'])
            if login.access_level:
                group = get_group(f'level {login.access_level.level}')
                share_payload = {
                    'permissions': [
                        {'is_new': True, "aro": "Group", 'aro_foreign_key': group['id'], "aco": "Resource", "aco_foreign_key": resource.id, 'type': resource_type_id}
                    ],
                    "secrets": [secrets]
                }
                print(222222222222, share_payload)
                try:
                    resp = passbolt.post(
                        f"/share/simulate/resource/{resource.id}.json", share_payload, return_response_object=True
                    )
                    print(33333333, resp.content)
                    passbolt.put(f"/share/resource/{resource.id}.json", share_payload, return_response_object=True)
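                except Exception as ex:
                    # Not every exception carries an HTTP response object
                    response = getattr(ex, 'response', None)
                    print(response.content if response is not None else ex)
                    raise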

The simulate request returned successful but failed on the next PUT.

What am I doing wrong here?

According to the error message, and from what I understand of your snippet, you are not sending the secrets for all the users that are part of the group you are trying to share the resource with. When you add a group permission you must encrypt the secret for all the members of that group.

The function should do something like this:

  • Get secret for yourself (you’re doing that already)
  • Decrypt secret (you can use for example python-gnupg - A Python wrapper for GnuPG)
  • Get the list of users that are members of the group
    (You can call users.json?filter[has-groups])
  • Parse the OpenPGP keys for these users and encrypt multiple secrets for all group members using these keys
  • Post the new permission with the secrets (you’re doing that already)
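
The steps listed above, as an added example (not code from this thread or from the Passbolt project): it builds the share body with one secret per group member and refuses to produce a partial list. `my_secret` is the armored `data` of the caller's own secret; the `user_id`/`data` secret fields, the `gpgkey` shape of a user record and the `skip_user_ids` parameter are assumptions, and `gnupg_backend` wraps python-gnupg, which needs a local GnuPG install.

```python
def build_share_payload(resource_id, group_id, perm_type, my_secret,
                        members, decrypt, encrypt_for, skip_user_ids=()):
    """Return the share body with one secret per group member.

    members: user dicts from users.json?filter[has-groups]; the 'gpgkey'
    dict with 'armored_key' and 'fingerprint' is an assumed shape.
    skip_user_ids: users who already hold a secret (e.g. the caller)."""
    plaintext = decrypt(my_secret)
    secrets, seen = [], set(skip_user_ids)
    for user in members:
        if user["id"] in seen:  # already covered or listed twice
            continue
        seen.add(user["id"])
        key = user.get("gpgkey") or {}
        if not key.get("armored_key"):
            # Fail closed: the server rejects an incomplete secret list.
            raise ValueError(f"user {user['id']} has no public key")
        secrets.append({"user_id": user["id"],
                        "data": encrypt_for(plaintext, key)})
    permission = {"is_new": True, "aro": "Group", "aro_foreign_key": group_id,
                  "aco": "Resource", "aco_foreign_key": resource_id,
                  "type": perm_type}
    return {"permissions": [permission], "secrets": secrets}


def gnupg_backend(gnupghome, passphrase):
    """Return (decrypt, encrypt_for) backed by python-gnupg."""
    import gnupg  # lazy import: the builder above has no hard dependency
    gpg = gnupg.GPG(gnupghome=gnupghome)

    def decrypt(armored):
        result = gpg.decrypt(armored, passphrase=passphrase)
        if not result.ok:
            raise RuntimeError(f"decrypt failed: {result.status}")
        return str(result)

    def encrypt_for(plaintext, key):
        imported = gpg.import_keys(key["armored_key"]).fingerprints
        want = (key.get("fingerprint") or "").upper()
        if want not in imported:  # also trips when none was reported
            raise RuntimeError("key does not match reported fingerprint")
        result = gpg.encrypt(plaintext, want, always_trust=True)
        if not result.ok:
            raise RuntimeError(f"encrypt failed: {result.status}")
        return str(result)

    return decrypt, encrypt_for
```

Checking the imported fingerprint against the one the server reports before encrypting keeps the plaintext from being encrypted to an unexpected key.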

Hi, when you say “secret” do you mean the whole secret json object or just the password?

Cheers

Never mind, I got it worked out, thanks.